Linux Yara Rules


This topic lists the Yara rules for Linux.

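// Global rule: it must match for any other rule in this file to match.
// Looks for a "<?" open tag not followed by "x", which skips "<?xml".
global rule php_file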
{
    strings:
        $php = /<\?[^x]/

    condition:
        $php
}

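// Matches if any one keyword appears, case-insensitively. The regex has no
// word boundaries, so a keyword inside a longer identifier also matches.
rule common_webshell_keywords {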
  meta:
    description = "Common Web Shell Keywords"
    author = "RET"
    reference = "https://www.acunetix.com/blog/articles/detection-prevention-introduction-web-shells-part-5/"
    date = "2021/11/19"
  strings:
    $s1 = /(passthru|exec|eval|shell_exec|assert|str_rot13|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile)/ nocase
  condition:
    $s1
}
