diff options
| author | Julien "shaddai" Reveret | 2015-12-03 17:51:09 +0100 |
|---|---|---|
| committer | Julien "shaddai" Reveret | 2015-12-03 17:51:09 +0100 |
| commit | 3aea5b3b3e4da79420037e12e3884d0c30bd92f0 (patch) | |
| tree | 19276a7278831437d5e3ef12e837011c4b412005 | |
| parent | aa1f56a912194957918c37eef8c30e490267ee59 (diff) | |
added double base64 encoding detection
| -rw-r--r-- | php-malware-finder/malwares.yara | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara index 8fd5eb5..73195da 100644 --- a/php-malware-finder/malwares.yara +++ b/php-malware-finder/malwares.yara | |||
| @@ -105,6 +105,7 @@ rule DodgyPhp | |||
| 105 | { | 105 | { |
| 106 | strings: | 106 | strings: |
| 107 | $vars = /\$__+/ // $__ is rarely used in legitimate scripts | 107 | $vars = /\$__+/ // $__ is rarely used in legitimate scripts |
| 108 | $double_encoding = /(base64_decode\s*\(\s*){2}/ | ||
| 108 | $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST))/ | 109 | $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST))/ |
| 109 | $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/ | 110 | $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/ |
| 110 | $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/ | 111 | $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/ |