| author | Julien (jvoisin) Voisin | 2016-05-11 13:08:47 +0200 |
|---|---|---|
| committer | Julien (jvoisin) Voisin | 2016-05-11 13:08:47 +0200 |
| commit | a16357a56653edc2aa0dc769a3df0bb4268dab94 (patch) | |
| tree | 4b75628958c882503701dcf6ac5414b1cdff3683 | |
| parent | ae99e3ebd30b21cf3d6b514a17f069f8b9675726 (diff) | |
Fix some false-positive
| -rw-r--r-- | php-malware-finder/php.yar | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar index 06e1827..2dc20e1 100644 --- a/php-malware-finder/php.yar +++ b/php-malware-finder/php.yar | |||
| @@ -47,7 +47,7 @@ private rule CloudFlareBypass | |||
| 47 | rule ObfuscatedPhp | 47 | rule ObfuscatedPhp |
| 48 | { | 48 | { |
| 49 | strings: | 49 | strings: |
| 50 | $eval = /(<\?php|[;{}])\s*@?(eval|preg_replace|system|assert|passthru|(pcntl_)?exec|win_shell_execute|call_user_func(_array)?)\s*\(/ nocase // ;eval( <- this is dodgy | 50 | $eval = /(<\?php|[;{}])[ \t]*@?(eval|preg_replace|system|assert|passthru|(pcntl_)?exec|win_shell_execute|call_user_func(_array)?)\s*\(/ nocase // ;eval( <- this is dodgy |
| 51 | $b374k = "'ev'.'al'" | 51 | $b374k = "'ev'.'al'" |
| 52 | $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k | 52 | $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k |
| 53 | $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher | 53 | $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher |
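Review bot: Narrowing `\s*` to `[ \t]*` in `$eval` (line 50, taking the right-hand column as the new side) also drops coverage for a call that sits on the line after `<?php`, `;`, `{` or `}`, because a line break between the delimiter and the function name no longer matches. That detection trade-off is worth recording next to the pattern, for example `// [ \t]* not \s*: the call must be on the same line as the delimiter; fewer false positives, but calls on the following line are not flagged by $eval`. If the project keeps known-bad samples for regression, one with the call on its own line would show whether another string in the rule still catches it. The rule's condition section is outside this hunk, so how much weight `$eval` carries there cannot be judged from here.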
