Linux Yara Rules

/*
 * Gate rule: passes only files that contain a PHP-style opening tag.
 * Because it is declared `global`, its condition has to hold before any
 * other rule in the same rule set can report a match on a file.
 */
global rule php_file
{
    strings:
        // "<?" followed by one byte that is not a lowercase "x"; this skips
        // "<?xml" prologs. The pattern is unanchored, so a "<?" anywhere in
        // the file satisfies it, and an uppercase "<?XML" is not excluded.
        $php = /<\?[^x]/

    condition:
        any of them
}

/*
 * Flags files that mention PHP functions frequently seen in web shells
 * (command execution, dynamic evaluation, decoding, file manipulation).
 *
 * Triage note: one keyword is enough to fire, and several of these names
 * (fopen, fclose, mkdir, chmod, phpinfo) are routine in legitimate PHP.
 * Treat a hit as a lead for manual review, not as a verdict.
 */
rule common_webshell_keywords
{
    meta:
        description = "Common Web Shell Keywords"
        author = "RET"
        reference = "https://www.acunetix.com/blog/articles/detection-prevention-introduction-web-shells-part-5/"
        date = "2021/11/19"

    strings:
        // Case-insensitive and without word boundaries, so the keywords also
        // match inside longer identifiers and in comments or string data:
        // "exec" hits "curl_exec", "system" hits "filesystem".
        $s1 = /(passthru|exec|eval|shell_exec|assert|str_rot13|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile)/ nocase

    condition:
        any of them
}
