These are my own YARA rules for detecting web attack artifacts planted on web servers. My environment is built around PHP and cPanel, so the detection focuses on files typical of that environment.

So far the rules have detected:
- JavaScript redirects
- a few webshells
- small uploaders
- a few PHP mailers
- generic small obfuscated code
```shell
git clone https://github.com/farhanfaisal/yararule_web.git
```

General scan:

```shell
yara -r -w ./index.yar <path to scan>
```

Broad scan (more false positives; also looks for generic obfuscated code):

```shell
yara -r -w ./index.broad.yar <path to scan>
```
Some detections are significant on their own, such as shellcode detection, but most of the broad rules are plain string searches, so expect many false positives. Rules of that kind carry "GENERIC" in their name, and the files they match need further investigation.

```shell
yara -r -w ./detect_generic_maliciousness_BROAD_SCAN.yar <path>
```
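As an added illustration of the GENERIC naming convention described above, here are two string-heuristic rules in the same style (written for this README as an example, not copied from the repository's .yar files); the rule names, the string patterns and the size limit are my assumptions:

```yara
// Example rules, not part of index.yar or index.broad.yar.
// Both are string heuristics, so hits are leads to triage, not verdicts.

rule GENERIC_php_decode_and_eval
{
    meta:
        description = "PHP that decodes a hidden payload and passes it to eval (constructed example)"
        confidence  = "low - string search, expect false positives"
    strings:
        $php     = "<?php" ascii nocase
        $eval    = /eval\s*\(/ ascii nocase
        $dec1    = "base64_decode" ascii nocase
        $dec2    = "gzinflate" ascii nocase
        $dec3    = "gzuncompress" ascii nocase
        $dec4    = "str_rot13" ascii nocase
        // long chains of chr(NN). are a common way to hide function names
        $chrseq  = /(chr\(\d{1,3}\)\s*\.\s*){4,}/ ascii
    condition:
        filesize < 2MB and $php and
        ( ($eval and 1 of ($dec*)) or $chrseq )
}

rule GENERIC_js_referrer_redirect
{
    meta:
        description = "Inline JavaScript that redirects visitors based on their referrer (constructed example)"
        confidence  = "low - legitimate sites also do this"
    strings:
        $ref   = "document.referrer" ascii nocase
        $loc1  = "window.location" ascii nocase
        $loc2  = "location.href" ascii nocase
        $loc3  = "location.replace" ascii nocase
        // search engines named in the referrer test are typical of SEO-spam redirects
        $se1   = "google" ascii nocase
        $se2   = "bing" ascii nocase
        $se3   = "yahoo" ascii nocase
    condition:
        filesize < 512KB and $ref and 1 of ($loc*) and 1 of ($se*)
}
```

Save the block as, for example, `example_generic.yar` and run it the same way as the broad scan: `yara -r -w ./example_generic.yar <path to scan>`.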