Add some more dodgy functions

author: jvoisin 2015-07-29 11:58:22 +0200
committer: jvoisin 2015-07-29 11:58:22 +0200
commit: d44eb84ad1492f70555c20c49a7f39d8e5b9409f (patch)
tree: 73b95564a97a2c93fae3664c8b5fbf558cfc3e0f
parent: 4b5c3a018259afa8f1700e29a08119367385e15b (diff)
1 files changed, 7 insertions, 1 deletions
diff --git a/malwares.yara b/malwares.yara
index b376307..d2b8362 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -107,7 +107,7 @@ rule DodgyPhp
        $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
        $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir)['"]\)/
        $various = "<!--#exec cmd="  //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
-        $pr = /preg_replace\s*\(['"]\/[^\/]*\/e['"]/  // http://php.net/manual/en/function.preg-replace.php
+        $pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\(['"]\/[^\/]*\/e['"]/  // http://php.net/manual/en/function.preg-replace.php
        $include = /include\([^\.]+\.(png|jpg|gif|bmp)/  // Clever includes
        $htaccess = "SetHandler application/x-httpd-php"
        $udp_dos = /sockopen\s*\(['"]udp:\/\//
@@ -147,6 +147,12 @@ rule DangerousPhp
        $ = "show_source" fullword
        $ = "pcntl_exec" fullword
        $ = "array_filter" fullword
+        $ = "call_user_func" fullword
+        $ = "register_shutdown_function" fullword
+        $ = "register_tick_function" fullword
+        $ = /ob_start\s*\(\s*['"]/  //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();
+        $ = "mb_ereg_replace_callback" fullword
+        $ = "preg_replace_callback" fullword
        $whitelist = /escapeshellcmd|escapeshellarg/
author	jvoisin	2015-07-29 11:58:22 +0200
committer	jvoisin	2015-07-29 11:58:22 +0200
commit	d44eb84ad1492f70555c20c49a7f39d8e5b9409f (patch)
tree	73b95564a97a2c93fae3664c8b5fbf558cfc3e0f
parent	4b5c3a018259afa8f1700e29a08119367385e15b (diff)