| author | jvoisin | 2016-01-04 17:34:48 +0100 |
|---|---|---|
| committer | jvoisin | 2016-01-04 17:35:07 +0100 |
| commit | 6b46436de856e51c68eb68999185a6d41a9ef07a (patch) | |
| tree | 2750f864b4e3e86f5f4b392897692cbbe3d4aabe | |
| parent | 9d0858ea4d31eaf670c44a338b7068bd836b03c5 (diff) | |
Add some rules
| -rw-r--r-- | malwares.yara | 3 |
1 files changed, 3 insertions, 0 deletions
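--- a/malwares.yara
+++ b/malwares.yara
@@ -117,6 +117,7 @@ rule DodgyPhp
 $udp_dos = /sockopen\s*\(['"]udp:\/\//
 $iniset_urlinclude = /ini_set\('allow_url_include,\ * 1'\)/
 $iis_com = /IIS:\/\/localhost\/w3svc/
+$user_function = /(call_user_func|create_function)/
 
 condition:
 (any of them or CloudFlareBypass) and not IsWhitelisted
@@ -174,6 +175,8 @@ rule DodgyStrings
 $ = "/etc/resolv.conf"
 $ = "/etc/syslog.conf"
 $ = "/etc/proftpd.conf"
+$ = "/windows/system32/"
+$ = "WScript.Shell"
 $ = "WinExec"
 $ = "uname -a" fullword
 $ = "nc -l" fullword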
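Review bot: The new `$user_function` pattern in DodgyPhp is case-sensitive, but PHP resolves function names case-insensitively, so `Call_User_Func` or `CREATE_FUNCTION` in a sample never matches it; append the modifier, `$user_function = /(call_user_func|create_function)/ nocase`. Since the condition is `any of them`, `call_user_func` on its own — which appears in a great deal of legitimate framework code — now fires the whole rule, so expect a noticeably higher false-positive rate unless `IsWhitelisted` absorbs it; consider requiring it together with another indicator rather than alone. The same case issue applies to the two DodgyStrings additions in the second hunk: scripts commonly write `wscript.shell`, and the Windows path is normally spelled `\Windows\System32\` with backslashes and mixed case, so `"/windows/system32/"` as written will rarely match real samples; `nocase` (and a backslash variant) would help there too. Both `rule DodgyPhp` and `rule DodgyStrings` start before their hunks, so the rest of each strings section and the DodgyStrings condition are not visible here.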
