/*
    Two-stage PHP spam kit.

    Stage 1, "spreader": PHP file(s) that, using multiple remote servers, call
    file_get_contents() to download more PHP content and write it to files
    with random names (the "echoers").

    Stage 2, "echoer": file(s) that call file_get_contents() to fetch HTML
    (Chinese blog / shop / not fully identified) and echo it to the visitor.

    Notes for whoever triages a hit:
      - Every pattern below is a case-sensitive ASCII pattern with no
        `nocase` / `wide` modifier, and both rules require ALL of their
        strings. Any change in spelling, quoting or spacing in the sample
        (beyond the optional spaces the regex allows) will miss.
      - Neither rule has a filesize or file-type condition, so any scanned
        content that contains all the strings matches.
      - Per the description above, echoers are written by a spreader under
        random file names: a hit on one rule is a reason to look for the other
        kind of file in the same web root.
      - Both rules carry the `webshell` tag although the files described here
        fetch and serve spam content.
*/

rule chinese_spam_spreader : webshell
{
    meta:
        author = "Vlad https://github.com/vlad-s"
        date = "2016/07/18"
        description = "Catches chinese PHP spam files (autospreaders)"

    strings:
        // Fixed User-Agent header value embedded in the file; presumably sent
        // with its outbound requests (confirm against a sample).
        $user_agent = "User-Agent: aQ0O010O"

        // HTML error banner carried verbatim in the file.
        $error_banner = "<font color='red'><b>Connection Error!</b></font>"

        // Form handler guard `if($_POST[Submit]){` with an unquoted array key;
        // a single optional space is tolerated after `if` and before `{`.
        $submit_check = /if ?\(\$_POST\[Submit\]\) ?{/

    condition:
        // All three markers must be present in the same file.
        all of them
}

rule chinese_spam_echoer : webshell
{
    meta:
        author = "Vlad https://github.com/vlad-s"
        date = "2016/07/18"
        description = "Catches chinese PHP spam files (printers)"

    strings:
        // Common in legitimate PHP as well; only meaningful together with the
        // other three strings.
        $no_time_limit = "set_time_limit(0)"

        // Timezone set to 'PRC', including the trailing semicolon.
        $prc_timezone = "date_default_timezone_set('PRC');"

        // Variable name used by the kit, matched with its statement terminator.
        $content_var = "$Content_mb;"

        // URL fragment; presumably part of the address the HTML is fetched
        // from (confirm against a sample).
        $host_query = "/index.php?host="

    condition:
        // All four markers must be present in the same file.
        all of them
}