| author | jvoisin | 2015-05-22 10:28:16 +0200 |
|---|---|---|
| committer | jvoisin | 2015-05-22 10:28:16 +0200 |
| commit | 0f19dae455efce37c28e7a5aac8d96bcbb86e7ca (patch) | |
| tree | 4951bfafc99964987559a914e9c51e17a3cbd10f | |
| parent | d8ad70a5c5bc621289d6d38c64525bb2b8dca9c0 (diff) | |
Remove a duplicate rule, and make another more generic
| -rw-r--r-- | malwares.yara | 3 |
1 files changed, 1 insertions, 2 deletions
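--- a/malwares.yara
+++ b/malwares.yara
@@ -105,10 +105,9 @@ rule DodgyPhp
 $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
 $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir)['"]\)/
 $various = "<!--#exec cmd=" //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
-$pr = /preg_replace\(['"]\/[^\/]*\/e['"]/ // http://php.net/manual/en/function.preg-replace.php
+$pr = /preg_replace\s*\(['"]\/[^\/]*\/e['"]/ // http://php.net/manual/en/function.preg-replace.php
 $include = /include\([^\.]+\.(png|jpg|gif|bmp)/ // Clever includes
 $htaccess = "SetHandler application/x-httpd-php"
-$obvious_preg = /['"]\/\.\*\/e["']/ fullword // "/.*/e" <- this is suspicious
 $udp_dos = /sockopen\s*\(['"]udp:\/\//
 
 condition: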
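Review bot: The widened `$pr` on new line 108 still only matches when the `e` modifier stands alone and directly against the closing quote, so a first argument such as `'/.../ie'` or `'/.../ei'` is not covered, and with `$obvious_preg` removed there is no longer any string that fires on the `/.*/e` literal when the pattern reaches preg_replace through a variable — the two strings were not strictly duplicates, which is worth recording in the commit or a comment. Allowing other modifiers around the `e` is a one-line change, `$pr = /preg_replace\s*\(['"]\/[^\/]*\/[a-zA-Z]*e[a-zA-Z]*['"]/`, and since PHP function names are case-insensitive the string would also benefit from a `nocase` modifier, which I believe YARA accepts on regular expressions. Whether to also accept non-`/` PCRE delimiters is a separate precision-versus-recall choice and should be stated in the trailing comment either way. The rule's `strings:` header and the body of `condition:` lie outside the hunk, so I cannot tell how `$pr` is weighted there.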
