Yara rulset based on php shells and other webserver malware.
I will be moving to a new role soon which will take me away from front line server investigations. If you would like to keep this dataset up to date report back new malware using my scanner:
https://github.com/Hestat/blazescan
Using the following will allow you to report new malware so I can add signatures:
blazescan -R
git clone https://github.com/Hestat/lw-yara.git
clamscan -ir -l /root/scanresults.txt -d /root/lw-yara/lw-rules_index.yar -d /root/lw-yara/lw.hdb /path/to/scan/
In clamscan
-ir flag will only report infected files and will scan recursively
-d flag allows you to specify a custom database, here we have 2 a hash database and a yara ruleset
-l creates a log of the scan
need to have clamav 98 or newer to parse Yara signatures
More info here:
https://github.com/Hestat/blazescan