| author | Julien (jvoisin) Voisin | 2016-03-01 13:45:30 +0100 |
|---|---|---|
| committer | Julien (jvoisin) Voisin | 2016-03-01 13:45:30 +0100 |
| commit | 7e47407a8988aa73627dfa482abced236b0ca963 (patch) | |
| tree | b802e2d88ca0697db1d7c3cc239aec2968767fba | |
| parent | 3c19560adfe33f7fb8a6be5dc7f3a30158ae44fd (diff) | |
Detect backticks
| -rw-r--r-- | php-malware-finder/malwares.yara | 7 |
1 files changed, 3 insertions, 4 deletions
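diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index 9ba8ff2..287ebd3 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -57,7 +57,7 @@ private rule CloudFlareBypass
 rule ObfuscatedPhp
 {
 strings:
-$eval = /(<\?php|[;{}])\s*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute|call_user_func(_array)?)\s*\(/ nocase // ;eval( <- this is dodgy
+$eval = /(<\?php|[;{}])\s*@?(eval|preg_replace|system|assert|passthru|(pcntl_)?exec|win_shell_execute|call_user_func(_array)?)\s*\(/ nocase // ;eval( <- this is dodgy
 $b374k = "'ev'.'al'"
 $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k
 $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
@@ -110,7 +110,7 @@ rule DodgyPhp
 $basedir_bypass = /curl_init\s*\(\s*["']file:\/\//
 $basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719
 $disable_magic_quotes = /set_magic_quotes_runtime\s*\(\s*0/
-$execution = /(eval|assert|passthru|exec|include|system|win_shell_execute|base64_decode|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/ nocase
+$execution = /(eval|assert|passthru|exec|include|system|pcntl_exec|win_shell_execute|base64_decode|`|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/ nocase
 $htaccess = "SetHandler application/x-httpd-php"
 $iis_com = /IIS:\/\/localhost\/w3svc/
 $include = /include\s*\(\s*[^\.]+\.(png|jpg|gif|bmp)/ // Clever includes
@@ -144,8 +144,7 @@ rule DangerousPhp
 $ = "shmop_open" fullword nocase
 $ = "mb_ereg_replace_callback" fullword nocase
 $ = "passthru" fullword nocase
-$ = "pcntl_exec" fullword nocase
-$ = "pcntl_fork" fullword nocase
+$ = /pcntl_(exec|fork)/ fullword nocase
 $ = "php_uname" fullword nocase
 $ = "phpinfo" fullword nocase
 $ = "posix_geteuid" fullword nocase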
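Review bot: The backtick added to the `$execution` alternation in the `@@ -110,7` hunk is still followed by the shared `\s*\(\s*`, so the new branch only fires on a backtick immediately followed by an opening parenthesis, which is not how PHP's backtick operator is written; the rule therefore does not yet catch the case the commit title names. Giving the backtick its own branch that skips the parenthesis fixes this, e.g. replacing the leading group and `\s*\(\s*` with `` ((eval|assert|passthru|exec|include|system|pcntl_exec|win_shell_execute|base64_decode|call_user_func(_array)?)\s*\(|`)\s* `` and leaving the second group unchanged. A trailing comment such as `// backtick shell execution takes no call parenthesis` would make the separate branch self-explanatory to the next editor. The enclosing `rule DodgyPhp` starts and ends outside this hunk, so any existing condition that counts `$execution` matches is unaffected.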
