Better detection of obvious preg_replace-powered execution

author: Julien Voisin 2015-04-17 11:13:00 +0200
committer: Julien Voisin 2015-04-17 11:13:00 +0200
commit: 946c70b200f76aec8fed0a9e0bd475a9dcc6a3ca (patch)
tree: eef6cedd9ea534807024a5a71ceda793bee4a744
parent: 1eec91dbcf6959fa3bd92bb21582c75f58f4be8c (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/malwares.yara b/malwares.yara
index 0cf4948..63e9376 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -107,6 +107,7 @@ rule DodgyPhp
        $pr = /preg_replace\(['"]\/[^\/]*\/e['"]/  // http://php.net/manual/en/function.preg-replace.php
        $include = /include\([^\.]+\.(png|jpg|gif|bmp)/  // Clever includes
        $htaccess = "SetHandler application/x-httpd-php"
+        $obvious_preg = /['"]\/\.\*\/e["']/ fullword  // "/.*/e" <- this is suspicious
    condition:
        IsPhp and (any of them or CloudFlareBypass)
author	Julien Voisin	2015-04-17 11:13:00 +0200
committer	Julien Voisin	2015-04-17 11:13:00 +0200
commit	946c70b200f76aec8fed0a9e0bd475a9dcc6a3ca (patch)
tree	eef6cedd9ea534807024a5a71ceda793bee4a744
parent	1eec91dbcf6959fa3bd92bb21582c75f58f4be8c (diff)

diff --git a/malwares.yara b/malwares.yara index 0cf4948..63e9376 100644 --- a/malwares.yara +++ b/malwares.yara
@@ -107,6 +107,7 @@ rule DodgyPhp
107	$pr = /preg_replace\(['"]\/[^\/]*\/e['"]/ // http://php.net/manual/en/function.preg-replace.php	107	$pr = /preg_replace\(['"]\/[^\/]*\/e['"]/ // http://php.net/manual/en/function.preg-replace.php
108	$include = /include\([^\.]+\.(png\|jpg\|gif\|bmp)/ // Clever includes	108	$include = /include\([^\.]+\.(png\|jpg\|gif\|bmp)/ // Clever includes
109	$htaccess = "SetHandler application/x-httpd-php"	109	$htaccess = "SetHandler application/x-httpd-php"
		110	$obvious_preg = /['"]\/\.\\/e["']/ fullword // "/./e" <- this is suspicious
110		111
111	condition:	112	condition:
112	IsPhp and (any of them or CloudFlareBypass)	113	IsPhp and (any of them or CloudFlareBypass)