Signature update reported in #20

2026-06-16 12:30:35 +00:00 · 2018-08-14 07:44:16 +02:00
parent 8d69958dcd
commit 07b9cb6e80
2 changed files with 7 additions and 0 deletions
--- a/definitions/patterns_raw.txt
+++ b/definitions/patterns_raw.txt
@@ -345,3 +345,7 @@ $f1 = ".ht"; $f2 = "acc"; $f3 = "ess";
 /*;*/
 # web shells host type extraction
 php_uname()
+# decode content with basic rot13
+str_split(rawurldecode(str_rot13(
+# generating PHP file name to put content
+substr(md5(time()), 0, 8) . ".php"
--- a/definitions/patterns_re.txt
+++ b/definitions/patterns_re.txt
@@ -96,3 +96,6 @@ eval\(\$[a-z0-9_]+\(\$_POST

 # web shells host type extraction RE
 php_uname\(["'asrvm]+\)
+
+# XOR decode POST-ed payload
+(\^\s*\$\w+\[\$\w+\s*%\s*strlen\(\$\w+\)\]\s*){2,}