-rw-r--r--malwares.yara3
1 files changed, 2 insertions, 1 deletions
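--- a/malwares.yara
+++ b/malwares.yara
@@ -57,7 +57,7 @@ private rule CloudFlareBypass
 rule ObfuscatedPhp
 {
 strings:
-$eval = /[;{}][\t ]*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\(/ // ;eval( <- this is dodgy
+$eval = /[;{}]*[\t ]*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\(/ // ;eval( <- this is dodgy
 $b374k = "'ev'.'al'"
 $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k
 $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\(/
@@ -188,6 +188,7 @@ rule DodgyStrings
 $ = "webshell" fullword nocase
 $ = "exploit" fullword nocase
 $ = "hacking" fullword nocase
+$ = "hacker" fullword nocase
 $ = "/proc/cpuinfo" fullword
 $ = "/bin/sh" fullword
 $ = "/bin/bash" fullword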
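Review bot: Turning the leading `[;{}]` of `$eval` into `[;{}]*` makes the delimiter optional, so the string now fires on any bare `preg_replace(`, `system(`, `exec(`, `assert(` or `passthru(` call, which plenty of benign PHP contains; the previous form at least required a statement boundary, which is what the surviving comment `// ;eval( <- this is dodgy` still describes. Whether that becomes a false-positive problem depends on the rule's condition block, which lies outside the hunk. If the intent was to also catch a call at the start of a line rather than to drop the boundary entirely, widening the class keeps the requirement: `$eval = /[;{}\r\n][\t ]*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\(/`. A regex whose first element can match zero characters may also be flagged as slow by the YARA compiler, so it is worth confirming the file still compiles without warnings; if the broader match is intentional, the trailing comment should say so.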