Add some more dodgy functions

author: jvoisin 2015-07-29 11:58:22 +0200
committer: Mathieu Deous 2015-10-29 14:54:45 +0100
commit: 07532c1fb1b36baaee81985e3e6d22ad2bb718c3 (patch)
tree: ddfe2dab89c850f07f109ca34044eec0d6bae9ac
parent: 159caaf4c8d84adc103a51ba1be320811b68d550 (diff)
1 files changed, 7 insertions, 1 deletions
diff --git a/malwares.yara b/malwares.yara
index 0f4a95f..02d7127 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -108,7 +108,7 @@ rule DodgyPhp
        $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
        $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir)['"]\)/
        $various = "<!--#exec cmd="  //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
-        $pr = /preg_replace\s*\(['"]\/[^\/]*\/e['"]/  // http://php.net/manual/en/function.preg-replace.php
+        $pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\(['"]\/[^\/]*\/e['"]/  // http://php.net/manual/en/function.preg-replace.php
        $include = /include\([^\.]+\.(png|jpg|gif|bmp)/  // Clever includes
        $htaccess = "SetHandler application/x-httpd-php"
        $udp_dos = /sockopen\s*\(['"]udp:\/\//
@@ -148,6 +148,12 @@ rule DangerousPhp
        $ = "show_source" fullword
        $ = "pcntl_exec" fullword
        $ = "array_filter" fullword
+        $ = "call_user_func" fullword
+        $ = "register_shutdown_function" fullword
+        $ = "register_tick_function" fullword
+        $ = /ob_start\s*\(\s*['"]/  //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();
+        $ = "mb_ereg_replace_callback" fullword
+        $ = "preg_replace_callback" fullword
        $whitelist = /escapeshellcmd|escapeshellarg/
author	jvoisin	2015-07-29 11:58:22 +0200
committer	Mathieu Deous	2015-10-29 14:54:45 +0100
commit	07532c1fb1b36baaee81985e3e6d22ad2bb718c3 (patch)
tree	ddfe2dab89c850f07f109ca34044eec0d6bae9ac
parent	159caaf4c8d84adc103a51ba1be320811b68d550 (diff)