| author | Mathieu Deous | 2015-10-14 13:48:20 +0200 |
|---|---|---|
| committer | Mathieu Deous | 2015-10-14 13:48:20 +0200 |
| commit | b456ace96e2bfea050d6991082773a183e476d5f (patch) | |
| tree | 60bcfd33b6c2def77d1cf8617cc00e3cef44c873 | |
| parent | 2a023bb2862d9df4987e241d95e8d646001bd7ba (diff) | |
signatures: eval can be prefixed by an open square bracket
| -rw-r--r-- | php-malware-finder/malwares.yara | 2 |
1 files changed, 1 insertions, 1 deletions
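--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -57,7 +57,7 @@ private rule CloudFlareBypass
 rule ObfuscatedPhp
 {
 strings:
-$eval = /[;}][\t ]*@?(eval|preg_replace|system|exec|assert|passthru)\(/ // ;eval( <- this is dodgy
+$eval = /[;{}][\t ]*@?(eval|preg_replace|system|exec|assert|passthru)\(/ // ;eval( <- this is dodgy
 $b374k = /'ev'\.'al'/
 $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k
 $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec|assert|passthru)\(/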
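Review bot: The widened prefix class in `$eval` on new line 60 is still followed by `[\t ]*`, which excludes line breaks, so the string only fires when the `{` (or `;`/`}`) and the call are on the same physical line. If a call on the line after the brace is meant to be covered, consider `/[;{}]\s*@?(eval|preg_replace|system|exec|assert|passthru)\(/`. Measure that against a clean PHP corpus first, because `{ exec(` also occurs in ordinary one-line conditionals and the rule's `condition:` section lies outside this hunk, so its weighting of `$eval` cannot be judged here. The trailing comment should name the new case as well, for example `// ;eval( or {eval( <- this is dodgy`. The commit title says "square bracket", while the character added is a curly brace.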
