added register_globals to restore_bypass, new rules : ini_get and disable_magic_quotes

author: Julien "shaddai" Reveret 2016-01-12 11:28:33 +0100
committer: Julien "shaddai" Reveret 2016-01-12 11:28:33 +0100
commit: 7a6d2195c8cfda2559a6e7a1234175eb909ae489 (patch)
tree: c22f2e095a71d4d5de3a72705e276cf77281ea8d
parent: 7faaeda8002962d293974057aa535dc02f98f872 (diff)
2 files changed, 7 insertions, 2 deletions
diff --git a/php-malware-finder/README.md b/php-malware-finder/README.md
index 69d4e11..59187b1 100644
--- a/php-malware-finder/README.md
+++ b/php-malware-finder/README.md
@@ -30,7 +30,8 @@ The following list of encoders/obfuscators/webshells are also detected:
 * [cobra obfuscator]( http://obfuscator.uk/example/ )
 * [phpencode]( http://phpencode.org )
 * [webtoolsvn]( http://www.webtoolsvn.com/en-decode/ )
+* [tennc]( http://tennc.github.io/webshell/ )
+* [web-malware-collection]( https://github.com/nikicat/web-malware-collection )
 ## How does it work?
diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index 73195da..f733bc3 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -110,7 +110,10 @@ rule DodgyPhp
        $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
        $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
        $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
-        $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir|disable_function|safe_mode_exec_dir|safe_mode_include_dir)['"]\)/
+        $ini_get =
+        /ini_get\(['"](safe_mode|open_basedir|disable_function|safe_mode_exec_dir|safe_mode_include_dir|register_globals)['"]\)/
+        $restore_bypass =
+        /ini_restore\(['"](safe_mode|open_basedir|disable_function|safe_mode_exec_dir|safe_mode_include_dir|register_globals)['"]\)/
        $various = "<!--#exec cmd="  //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
        $pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\(['"]\/[^\/]*\/e['"]/  // http://php.net/manual/en/function.preg-replace.php
        $include = /include\([^\.]+\.(png|jpg|gif|bmp)/  // Clever includes
@@ -118,6 +121,7 @@ rule DodgyPhp
        $udp_dos = /sockopen\s*\(['"]udp:\/\//
        $iniset_urlinclude = /ini_set\('allow_url_include,\ * 1'\)/
        $iis_com = /IIS:\/\/localhost\/w3svc/
+        $disable_magic_quotes = /set_magic_quotes_runtime\(0\)/
    condition:
        (any of them or CloudFlareBypass) and not IsWhitelisted
author	Julien "shaddai" Reveret	2016-01-12 11:28:33 +0100
committer	Julien "shaddai" Reveret	2016-01-12 11:28:33 +0100
commit	7a6d2195c8cfda2559a6e7a1234175eb909ae489 (patch)
tree	c22f2e095a71d4d5de3a72705e276cf77281ea8d
parent	7faaeda8002962d293974057aa535dc02f98f872 (diff)

diff --git a/php-malware-finder/README.md b/php-malware-finder/README.md index 69d4e11..59187b1 100644 --- a/php-malware-finder/README.md +++ b/php-malware-finder/README.md
@@ -30,7 +30,8 @@ The following list of encoders/obfuscators/webshells are also detected:
30	* [cobra obfuscator]( http://obfuscator.uk/example/ )	30	* [cobra obfuscator]( http://obfuscator.uk/example/ )
31	* [phpencode]( http://phpencode.org )	31	* [phpencode]( http://phpencode.org )
32	* [webtoolsvn]( http://www.webtoolsvn.com/en-decode/ )	32	* [webtoolsvn]( http://www.webtoolsvn.com/en-decode/ )
33		33	* [tennc]( http://tennc.github.io/webshell/ )
		34	* [web-malware-collection]( https://github.com/nikicat/web-malware-collection )
34		35
35	## How does it work?	36	## How does it work?
36		37


diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara index 73195da..f733bc3 100644 --- a/php-malware-finder/malwares.yara +++ b/php-malware-finder/malwares.yara
@@ -110,7 +110,10 @@ rule DodgyPhp
110	$basedir_bypass = /(curl_init\([\"']file:[\"']\|file:file:\/\/)/	110	$basedir_bypass = /(curl_init\([\"']file:[\"']\|file:file:\/\/)/
111	$safemode_bypass = /\x00\/\.\.\/\|LD_PRELOAD/	111	$safemode_bypass = /\x00\/\.\.\/\|LD_PRELOAD/
112	$shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/	112	$shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
113	$restore_bypass = /ini_restore\(['"](safe_mode\|open_basedir\|disable_function\|safe_mode_exec_dir\|safe_mode_include_dir)['"]\)/	113	$ini_get =
		114	/ini_get\(['"](safe_mode\|open_basedir\|disable_function\|safe_mode_exec_dir\|safe_mode_include_dir\|register_globals)['"]\)/
		115	$restore_bypass =
		116	/ini_restore\(['"](safe_mode\|open_basedir\|disable_function\|safe_mode_exec_dir\|safe_mode_include_dir\|register_globals)['"]\)/
114	$various = "<!--#exec cmd=" //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec	117	$various = "<!--#exec cmd=" //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
115	$pr = /(preg_replace(_callback)?\|mb_ereg_replace\|preg_filter)\s\(['"]\/[^\/]\/e['"]/ // http://php.net/manual/en/function.preg-replace.php	118	$pr = /(preg_replace(_callback)?\|mb_ereg_replace\|preg_filter)\s\(['"]\/[^\/]\/e['"]/ // http://php.net/manual/en/function.preg-replace.php
116	$include = /include\([^\.]+\.(png\|jpg\|gif\|bmp)/ // Clever includes	119	$include = /include\([^\.]+\.(png\|jpg\|gif\|bmp)/ // Clever includes
@@ -118,6 +121,7 @@ rule DodgyPhp
118	$udp_dos = /sockopen\s*\(['"]udp:\/\//	121	$udp_dos = /sockopen\s*\(['"]udp:\/\//
119	$iniset_urlinclude = /ini_set\('allow_url_include,\ * 1'\)/	122	$iniset_urlinclude = /ini_set\('allow_url_include,\ * 1'\)/
120	$iis_com = /IIS:\/\/localhost\/w3svc/	123	$iis_com = /IIS:\/\/localhost\/w3svc/
		124	$disable_magic_quotes = /set_magic_quotes_runtime\(0\)/
121		125
122	condition:	126	condition:
123	(any of them or CloudFlareBypass) and not IsWhitelisted	127	(any of them or CloudFlareBypass) and not IsWhitelisted