summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--malwares.yara3
1 files changed, 1 insertions, 2 deletions
diff --git a/malwares.yara b/malwares.yara
index 25ba196..d56ce7d 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -105,10 +105,9 @@ rule DodgyPhp
105 $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/ 105 $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
106 $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir)['"]\)/ 106 $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir)['"]\)/
107 $various = "<!--#exec cmd=" //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec 107 $various = "<!--#exec cmd=" //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
108 $pr = /preg_replace\(['"]\/[^\/]*\/e['"]/ // http://php.net/manual/en/function.preg-replace.php 108 $pr = /preg_replace\s*\(['"]\/[^\/]*\/e['"]/ // http://php.net/manual/en/function.preg-replace.php
109 $include = /include\([^\.]+\.(png|jpg|gif|bmp)/ // Clever includes 109 $include = /include\([^\.]+\.(png|jpg|gif|bmp)/ // Clever includes
110 $htaccess = "SetHandler application/x-httpd-php" 110 $htaccess = "SetHandler application/x-httpd-php"
111 $obvious_preg = /['"]\/\.\*\/e["']/ fullword // "/.*/e" <- this is suspicious
112 $udp_dos = /sockopen\s*\(['"]udp:\/\// 111 $udp_dos = /sockopen\s*\(['"]udp:\/\//
113 112
114 condition: 113 condition: