| author | Mathieu Deous | 2015-10-14 13:48:20 +0200 |
|---|---|---|
| committer | Mathieu Deous | 2015-10-29 14:55:04 +0100 |
| commit | 1f0f0b96241a40d59db5c949833be8e6e9bb748d (patch) | |
| tree | c6d3f6c49ede5ffbddefe0eca5bc68aab1cf7c24 | |
| parent | d5030794503901bc94121663d0a8d96ba6533f5f (diff) | |
signatures: eval can be prefixed by an open square bracket
| -rw-r--r-- | php-malware-finder/malwares.yara | 2 |
1 files changed, 1 insertions, 1 deletions
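--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -57,7 +57,7 @@ private rule CloudFlareBypass
 rule ObfuscatedPhp
 {
 strings:
-$eval = /[;}][\t ]*@?(eval|preg_replace|system|exec|assert|passthru)\(/ // ;eval( <- this is dodgy
+$eval = /[;{}][\t ]*@?(eval|preg_replace|system|exec|assert|passthru)\(/ // ;eval( <- this is dodgy
 $b374k = /'ev'\.'al'/
 $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k
 $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec|assert|passthru)\(/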
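Review bot: The widened `$eval` string on new line 60 is still matched case-sensitively, while PHP resolves function names case-insensitively, so the signature only covers the lowercase spellings; adding the modifier, `$eval = /[;{}][\t ]*@?(eval|preg_replace|system|exec|assert|passthru)\(/ nocase`, would close that, and the same applies to `$oneliner` on line 63. The trailing comment still documents only the `;eval(` case, and the commit subject says "square bracket" although the character class gains `{`, so the comment could read `// ;eval( or {eval( on one line <- this is dodgy`. Accepting `{` also matches ordinary single-line blocks such as `if (...) { exec(`; the rule's condition section lies outside this hunk, so how much weight `$eval` carries cannot be seen here, and the change is worth checking against a corpus of known-clean PHP for new false positives.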
