diff options
| author | Julien Voisin | 2016-02-03 15:01:26 +0100 |
|---|---|---|
| committer | Julien Voisin | 2016-02-12 15:05:05 +0100 |
| commit | fde93ed05adc8d84bda4a3e6d46047b41b89c9a4 (patch) | |
| tree | d8ad67d4c0d36798f0c50953fc09cdbb3088a96e | |
| parent | 84102414fc295c9a37f15985e93fc2cc02ebb446 (diff) | |
Makes a rule more generic
| -rw-r--r-- | php-malware-finder/malwares.yara | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara index 285ee77..5652b0a 100644 --- a/php-malware-finder/malwares.yara +++ b/php-malware-finder/malwares.yara | |||
| @@ -57,7 +57,7 @@ private rule CloudFlareBypass | |||
| 57 | rule ObfuscatedPhp | 57 | rule ObfuscatedPhp |
| 58 | { | 58 | { |
| 59 | strings: | 59 | strings: |
| 60 | $eval = /(<\?php[[:space:]]|[;{}])\s*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)[\t ]*\(/ // ;eval( <- this is dodgy | 60 | $eval = /(<\?php[[:space:]]|[;{}])\s*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)[[:space:]]*\(/ // ;eval( <- this is dodgy |
| 61 | $b374k = "'ev'.'al'" | 61 | $b374k = "'ev'.'al'" |
| 62 | $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k | 62 | $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k |
| 63 | $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher | 63 | $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher |