Backdoored PHP Zlib

2024-11-06 10:05:18 +00:00 · 2021-03-29 10:57:01 +02:00 · 2021-03-29 10:57:01 +02:00 · 29ee22a895
commit 29ee22a895
parent 7c5bd51a17
1 changed files with 14 additions and 0 deletions
--- a/yara/vul_php_zlib_backdoor.yar
+++ b/yara/vul_php_zlib_backdoor.yar
@ -0,0 +1,14 @@
+
+rule VULN_PHP_Hack_Backdoored_Zlib_Zerodium_Mar21_1 {
+   meta:
+      description = "Detects backdoored PHP zlib version"
+      author = "Florian Roth"
+      reference = "https://www.bleepingcomputer.com/news/security/phps-git-server-hacked-to-add-backdoors-to-php-source-code/"
+      date = "2021-03-29"
+   strings:
+      $x1 = "REMOVETHIS: sold to zerodium, mid 2017" fullword ascii
+      $x2 = "HTTP_USER_AGENTT" ascii fullword
+   condition:
+      filesize < 3000KB and
+      all of them
+}