Built off the open source project Osquery
Description: Attempts to find PHP webshell malware on the system by scanning files with a YARA rule.
What The Data Shows: Reports any file under c:\windows\temp (searched recursively) that matches the PHP webshell YARA rule below; each row carries the path, the matched rule and the matched string identifiers.
SQL: -- Rule source: https://raw.githubusercontent.com/Yara-Rules/rules/master/webshells/WShell_THOR_Webshells.yar
-- The yara table takes inline rule text in the sigrule column (a rule URL belongs in sigurl on osquery builds that have it);
-- the original mixed the URL into the string literal, which made the query unparseable.
-- The rule name was not included in the original; the one below is a placeholder.
SELECT *
FROM yara
WHERE path LIKE 'c:\windows\temp\%%'
AND sigrule = 'rule WebShell_PHP_Shell_placeholder
{
    meta:
        description = "Web Shell - file PHP Shell.php"
        author = "Florian Roth"
        date = "2014/01/28"
        score = 70
        hash = "a2f8fa4cce578fc9c06f8e674b9e63fd"
    strings:
        $s4 = " <?php echo buildUrl(\"<font color=\\\"navy\\\">["
        $s6 = "echo \"</form><form action=\\\"$SFileName?$urlAdd\\\" method=\\\"post\\\"><input"
        $s9 = "if ( ( (isset($http_auth_user) ) && (isset($http_auth_pass)) ) && ( !isset("
    condition:
        2 of them
}';
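The following is an added example, not part of the original query submission or of osquery itself. It decodes the three YARA text strings from the rule above into the bytes they actually match on disk (the `\\\"` sequences reduce to a backslash followed by a quote), applies the rule's "2 of them" condition to constructed sample content, and assembles the osquery statement with the rule embedded in sigrule. The helper names, the sample files and the placeholder rule used in the usage call are this example's own assumptions.

```python
# Added example, not part of the original query submission: decode the three
# YARA text strings from the rule above and apply its "2 of them" condition to
# constructed sample content, so the match logic can be checked offline without
# osquery or libyara. Helper and sample names are this example's own.

# The YARA string literals exactly as written in the rule (raw strings, so the
# YARA escape sequences survive untouched).
YARA_STRINGS = {
    "$s4": r' <?php echo buildUrl(\"<font color=\\\"navy\\\">[',
    "$s6": r'echo \"</form><form action=\\\"$SFileName?$urlAdd\\\" method=\\\"post\\\"><input',
    "$s9": r'if ( ( (isset($http_auth_user) ) && (isset($http_auth_pass)) ) && ( !isset(',
}

# Escapes YARA accepts in text strings: \" \\ \t \n (plus \xNN, handled below).
SIMPLE_ESCAPES = {'"': '"', "\\": "\\", "t": "\t", "n": "\n"}


def decode_yara_text(literal):
    """Turn a YARA text-string literal into the characters it matches on disk.

    Anything else after a backslash is a syntax error in real YARA, so it is
    rejected here as well rather than silently passed through.
    """
    out, i = [], 0
    while i < len(literal):
        ch = literal[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(literal):
            raise ValueError("dangling backslash in YARA string")
        nxt = literal[i + 1]
        if nxt in SIMPLE_ESCAPES:
            out.append(SIMPLE_ESCAPES[nxt])
            i += 2
        elif nxt == "x" and i + 3 < len(literal):
            out.append(chr(int(literal[i + 2:i + 4], 16)))
            i += 4
        else:
            raise ValueError(f"unsupported escape \\{nxt} in YARA string")
    return "".join(out)


def evaluate_rule(content, strings=YARA_STRINGS, needed=2):
    """Return (matched string identifiers, rule fires) for the 'N of them' condition."""
    hits = [name for name, lit in strings.items() if decode_yara_text(lit) in content]
    return hits, len(hits) >= needed


def build_yara_query(rule_text, path_pattern=r"c:\windows\temp\%%"):
    """Assemble the osquery statement with the rule inline in sigrule.

    A single quote inside the rule would terminate the SQL literal, so it is
    doubled; the trailing '%%' makes osquery's path match recursive.
    """
    escaped = rule_text.replace("'", "''")
    return (
        "SELECT path, matches, count, strings FROM yara "
        f"WHERE path LIKE '{path_pattern}' AND sigrule = '{escaped}';"
    )


# Constructed sample content: the first contains two of the fragments the rule
# looks for ($s6 and $s9), the second is an ordinary PHP file.
SAMPLE_SUSPICIOUS = r'''<?php
if ( ( (isset($http_auth_user) ) && (isset($http_auth_pass)) ) && ( !isset($nologin) ) ) {
    echo "</form><form action=\"$SFileName?$urlAdd\" method=\"post\"><input type=\"submit\">";
}
'''
SAMPLE_BENIGN = "<?php\necho 'hello, world';\n"

if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        hits, fires = evaluate_rule(sample)
        print(f"{label}: matched {hits}, rule fires={fires}")
    # Placeholder rule text; the real rule body is the one in the query above.
    print(build_yara_query("rule placeholder_rule { condition: false }"))
```

Real YARA matches the decoded bytes with the same substring semantics shown here (no `wide` or `nocase` modifiers are set on these strings), so a file that carries any two of the three fragments is reported by the query above even if the rest of the script differs from the original sample.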
> Requirement: Please test all submissions using Live Query or Osquery before posting.
Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.