{"id":283278,"date":"2016-12-30T01:15:04","date_gmt":"2016-12-29T22:15:04","guid":{"rendered":"http:\/\/savepearlharbor.com\/?p=283278"},"modified":"-0001-11-30T00:00:00","modified_gmt":"-0001-11-29T21:00:00","slug":"","status":"publish","type":"post","link":"https:\/\/savepearlharbor.com\/?p=283278","title":{"rendered":"\u0424\u0411\u0420, \u0426\u0420\u0423 \u0438 \u041e\u0431\u0430\u043c\u0430 \u043f\u0440\u043e\u0442\u0438\u0432 \u0441\u043a\u0440\u0438\u043f\u0442\u0430 \u043d\u0430 PHP"},"content":{"rendered":"<p>\u0411\u044b\u043b \u043e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d <a href=\"https:\/\/www.us-cert.gov\/sites\/default\/files\/publications\/JAR_16-20296.pdf\">\u043e\u0442\u0447\u0435\u0442<\/a> \u043e \u0432\u0438\u0440\u0443\u0441\u0435, \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u043a\u043e\u0442\u043e\u0440\u043e\u0433\u043e \u00ab\u0440\u0443\u0441\u0441\u043a\u0438\u0435 \u0445\u0430\u043a\u0435\u0440\u044b\u00bb, \u043f\u043e \u043c\u043d\u0435\u043d\u0438\u044e \u0441\u043f\u0435\u0446\u0441\u043b\u0443\u0436\u0431 \u0421\u0428\u0410, \u0432\u0437\u043b\u043e\u043c\u0430\u043b\u0438 \u0430\u043c\u0435\u0440\u0438\u043a\u0430\u043d\u0441\u043a\u0438\u0435 \u0432\u044b\u0431\u043e\u0440\u044b. 
\u0412\u0438\u0440\u0443\u0441 (\u0442\u043e\u0447\u043d\u0435\u0435, \u0435\u0433\u043e \u0443\u043d\u0438\u043a\u0430\u043b\u044c\u043d\u0430\u044f \u0441\u0438\u0433\u043d\u0430\u0442\u0443\u0440\u0430) \u0432\u044b\u0433\u043b\u044f\u0434\u0438\u0442 \u0442\u0430\u043a:<\/p>\n<p>  <code>rule PAS_TOOL_PHP_WEB_KIT<br \/>  {<br \/>  meta:<br \/>  description = &quot;PAS TOOL PHP WEB KIT FOUND&quot;<br \/>  strings:<br \/>  $php = &quot;&lt;?php&quot;<br \/>  $base64decode = \/\\='base'\\.\\(\\d+\\*\\d+\\)\\.'_de'\\.'code'\/<br \/>  $strreplace = &quot;(str_replace(&quot;<br \/>  $md5 = &quot;.substr(md5(strrev(&quot;<br \/>  $gzinflate = &quot;gzinflate&quot;<br \/>  $cookie = &quot;_COOKIE&quot;<br \/>  $isset = &quot;isset&quot;<br \/>  condition:<br \/>  (filesize &gt; 20KB and filesize &lt; 22KB) and<br \/>  #cookie == 2 and<br \/>  #isset == 3 and<br \/>  all of them<br \/>  }<\/code><\/p>\n<p>  \u042f \u0434\u0430\u0436\u0435 \u043d\u0435 \u0437\u043d\u0430\u044e, \u043a\u0430\u043a \u043f\u0440\u043e\u043a\u043e\u043c\u043c\u0435\u043d\u0442\u0438\u0440\u043e\u0432\u0430\u0442\u044c \u044d\u0442\u043e\u0442, \u0431\u0435\u0437\u0443\u0441\u043b\u043e\u0432\u043d\u043e, \u0443\u043d\u0438\u043a\u0430\u043b\u044c\u043d\u044b\u0439 \u0438 \u043e\u0434\u043d\u043e\u0437\u043d\u0430\u0447\u043d\u043e \u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u0446\u0438\u0440\u0443\u0435\u043c\u044b\u0439 \u043a\u0430\u043a \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0439 \u043a\u043e\u0434.<br \/> \u0441\u0441\u044b\u043b\u043a\u0430 \u043d\u0430 \u043e\u0440\u0438\u0433\u0438\u043d\u0430\u043b \u0441\u0442\u0430\u0442\u044c\u0438 <a href=\"https:\/\/habrahabr.ru\/post\/318792\/\"> https:\/\/habrahabr.ru\/post\/318792\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u0411\u044b\u043b \u043e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d <a 
href=\"https:\/\/www.us-cert.gov\/sites\/default\/files\/publications\/JAR_16-20296.pdf\">\u043e\u0442\u0447\u0435\u0442<\/a> \u043e \u0432\u0438\u0440\u0443\u0441\u0435, \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u043a\u043e\u0442\u043e\u0440\u043e\u0433\u043e \u00ab\u0440\u0443\u0441\u0441\u043a\u0438\u0435 \u0445\u0430\u043a\u0435\u0440\u044b\u00bb, \u043f\u043e \u043c\u043d\u0435\u043d\u0438\u044e \u0441\u043f\u0435\u0446\u0441\u043b\u0443\u0436\u0431 \u0421\u0428\u0410, \u0432\u0437\u043b\u043e\u043c\u0430\u043b\u0438 \u0430\u043c\u0435\u0440\u0438\u043a\u0430\u043d\u0441\u043a\u0438\u0435 \u0432\u044b\u0431\u043e\u0440\u044b. \u0412\u0438\u0440\u0443\u0441 (\u0442\u043e\u0447\u043d\u0435\u0435, \u0435\u0433\u043e \u0443\u043d\u0438\u043a\u0430\u043b\u044c\u043d\u0430\u044f \u0441\u0438\u0433\u043d\u0430\u0442\u0443\u0440\u0430) \u0432\u044b\u0433\u043b\u044f\u0434\u0438\u0442 \u0442\u0430\u043a:<\/p>\n<p>  <code>rule PAS_TOOL_PHP_WEB_KIT<br \/>  {<br \/>  meta:<br \/>  description = &quot;PAS TOOL PHP WEB KIT FOUND&quot;<br \/>  strings:<br \/>  $php = &quot;&lt;?php&quot;<br \/>  $base64decode = \/\\='base'\\.\\(\\d+\\*\\d+\\)\\.'_de'\\.'code'\/<br \/>  $strreplace = &quot;(str_replace(&quot;<br \/>  $md5 = &quot;.substr(md5(strrev(&quot;<br \/>  $gzinflate = &quot;gzinflate&quot;<br \/>  $cookie = &quot;_COOKIE&quot;<br \/>  $isset = &quot;isset&quot;<br \/>  condition:<br \/>  (filesize &gt; 20KB and filesize &lt; 22KB) and<br \/>  #cookie == 2 and<br \/>  #isset == 3 and<br \/>  all of them<br \/>  }<\/code><\/p>\n<p>  \u042f \u0434\u0430\u0436\u0435 \u043d\u0435 \u0437\u043d\u0430\u044e, \u043a\u0430\u043a \u043f\u0440\u043e\u043a\u043e\u043c\u043c\u0435\u043d\u0442\u0438\u0440\u043e\u0432\u0430\u0442\u044c \u044d\u0442\u043e\u0442, \u0431\u0435\u0437\u0443\u0441\u043b\u043e\u0432\u043d\u043e, \u0443\u043d\u0438\u043a\u0430\u043b\u044c\u043d\u044b\u0439 \u0438 \u043e\u0434\u043d\u043e\u0437\u043d\u0430\u0447\u043d\u043e 
\u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u0446\u0438\u0440\u0443\u0435\u043c\u044b\u0439 \u043a\u0430\u043a \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0439 \u043a\u043e\u0434.<br \/> \u0441\u0441\u044b\u043b\u043a\u0430 \u043d\u0430 \u043e\u0440\u0438\u0433\u0438\u043d\u0430\u043b \u0441\u0442\u0430\u0442\u044c\u0438 <a href=\"https:\/\/habrahabr.ru\/post\/318792\/\"> https:\/\/habrahabr.ru\/post\/318792\/<\/a><br \/><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-283278","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts\/283278","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=283278"}],"version-history":[{"count":0,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts\/283278\/revisions"}],"wp:attachment":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=283278"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=283278"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=283278"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}