authorJulien Voisin2015-04-02 18:47:24 +0200
committerJulien Voisin2015-04-02 18:47:24 +0200
commit05cb27e5b8c2966813d8407430018ed34c0444b5 (patch)
tree33641d434651a47b07f10b55196b1cba13553ac9
parentb77cf68530da684b45ac12ed3086e8425ea69871 (diff)
Improves detection of preg_replace-base payloads
-rw-r--r--malwares.yara2
1 files changed, 1 insertions, 1 deletions
diff --git a/malwares.yara b/malwares.yara
index 3adc5f8..30d8e1c 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -102,7 +102,7 @@ rule DodgyPhp
102 $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/ 102 $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
103 $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir)['"]\)/ 103 $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir)['"]\)/
104 $various = "<!--#exec cmd=" //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec 104 $various = "<!--#exec cmd=" //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
105 $pr = /preg_replace\(['"]\/\.\*\/e['"],/ // http://php.net/manual/en/function.preg-replace.php 105 $pr = /preg_replace\(['"]\/[^\/]\/e['"]/ // http://php.net/manual/en/function.preg-replace.php
106 $include = /include\([^\.]+\.(png|jpg|gif|bmp)/ // Clever includes 106 $include = /include\([^\.]+\.(png|jpg|gif|bmp)/ // Clever includes
107 $htaccess = "SetHandler application/x-httpd-php" 107 $htaccess = "SetHandler application/x-httpd-php"
108 108
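Review bot: The new `$pr` pattern on line 105 uses `[^\/]` without a quantifier, so it matches exactly one character between the delimiters and no longer hits the `/.*/e` form that the previous pattern caught, which narrows detection rather than broadening it; the intended version is presumably `$pr = /preg_replace\(['"]\/[^\/]+\/e['"]/`. The pattern also assumes `/` as the PCRE delimiter and that `e` is the only modifier immediately before the closing quote, so a call using a different delimiter or a modifier combination such as `ei` (both described on the php.net page the line cites) would still not match; if that is acceptable, a short comment stating the deliberate scope of the pattern would help the next maintainer. The enclosing rule DodgyPhp starts and ends outside the hunk.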