diff options
| author | Julien (jvoisin) Voisin | 2016-02-23 17:47:05 +0100 |
|---|---|---|
| committer | Julien (jvoisin) Voisin | 2016-02-23 17:47:05 +0100 |
| commit | 313d489694d4330a31d0f03c699e09b46b63bca0 (patch) | |
| tree | 7a16fb7aacdf52a7a0e01990ea60b54df73aa216 | |
| parent | a9b400eff99e13a271b62d7c68fceee044a777da (diff) | |
Refactor the basedir_bypass function
| -rw-r--r-- | php-malware-finder/malwares.yara | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara index 45100c5..d07c057 100644 --- a/php-malware-finder/malwares.yara +++ b/php-malware-finder/malwares.yara | |||
| @@ -102,7 +102,7 @@ rule SuspiciousEncoding | |||
| 102 | rule DodgyPhp | 102 | rule DodgyPhp |
| 103 | { | 103 | { |
| 104 | strings: | 104 | strings: |
| 105 | $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/ | 105 | $basedir_bypass = /curl_init\s*\(\s*["']file:\/\// |
| 106 | $disable_magic_quotes = /set_magic_quotes_runtime\(0\)/ | 106 | $disable_magic_quotes = /set_magic_quotes_runtime\(0\)/ |
| 107 | $double_encoding = /(base64_decode\s*\(\s*){2}/ | 107 | $double_encoding = /(base64_decode\s*\(\s*){2}/ |
| 108 | $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/ | 108 | $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/ |