diff options
| -rw-r--r-- | php-malware-finder/malwares.yara | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara index 866aa66..1826a5a 100644 --- a/php-malware-finder/malwares.yara +++ b/php-malware-finder/malwares.yara | |||
| @@ -103,7 +103,7 @@ rule DodgyPhp | |||
| 103 | { | 103 | { |
| 104 | strings: | 104 | strings: |
| 105 | $vars = /\$__+/ // $__ is rarely used in legitimate scripts | 105 | $vars = /\$__+/ // $__ is rarely used in legitimate scripts |
| 106 | $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)*?\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST))/ | 106 | $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST))/ |
| 107 | $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/ | 107 | $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/ |
| 108 | $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/ | 108 | $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/ |
| 109 | $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/ | 109 | $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/ |