1 files changed, 6 insertions, 6 deletions
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index 536d880..309af01 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -36,8 +36,8 @@ global private rule IsPhp
 rule PasswordProtection
 {
    strings:
-        $md5 = /md5\s*\(\s*\$_(GET|REQUEST|POST|COOKIE)[^)]+\)\s*===?\s*['"][0-9a-f]{32}['"]/ nocase
+        $md5 = /md5\s*\(\s*\$_(GET|REQUEST|POST|COOKIE|SERVER)[^)]+\)\s*===?\s*['"][0-9a-f]{32}['"]/ nocase
-        $sha1 = /sha1\s*\(\s*\$_(GET|REQUEST|POST|COOKIE)[^)]+\)\s*===?\s*['"][0-9a-f]{40}['"]/ nocase
+        $sha1 = /sha1\s*\(\s*\$_(GET|REQUEST|POST|COOKIE|SERVER)[^)]+\)\s*===?\s*['"][0-9a-f]{40}['"]/ nocase
    condition:
        (any of them) and not IsWhitelisted
 }
@@ -54,7 +54,7 @@ rule ObfuscatedPhp
        $too_many_chr = /(chr\([\d]+\)\.){8}/  // concatenation of more than eight `chr()`
        $concat = /(\$[^\n\r]+\.){5}/  // concatenation of more than 5 words
        $concat_with_spaces = /(\$[^\n\r]+\. ){5}/  // concatenation of more than 5 words, with spaces
-        $var_as_func = /\$_(GET|POST|COOKIE|REQUEST)\s*\[[^\]]+\]\s*\(/
+        $var_as_func = /\$_(GET|POST|COOKIE|REQUEST|SERVER)\s*\[[^\]]+\]\s*\(/
        $comment = /\/\*([^*]|\*[^\/])*\*\/\s*\(/  // eval /* comment */ (php_code)
 condition:
        (any of them) and not IsWhitelisted
@@ -66,9 +66,9 @@ rule DodgyPhp
        $basedir_bypass = /curl_init\s*\(\s*["']file:\/\//
        $basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719
        $disable_magic_quotes = /set_magic_quotes_runtime\s*\(\s*0/
-        $execution = /(eval|assert|passthru|exec|include|system|pcntl_exec|shell_execute|base64_decode|`|array_map|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/ nocase  // function that takes a callback as 1st parameter
+        $execution = /(eval|assert|passthru|exec|include|system|pcntl_exec|shell_execute|base64_decode|`|array_map|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))/ nocase  // function that takes a callback as 1st parameter
-        $execution2 = /(array_filter|array_reduce|array_walk(_recursive)?|array_walk|assert_options|uasort|uksort|usort|preg_replace_callback|iterator_apply)\s*\(\s*[^,]+,\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/ nocase  // functions that takes a callback as 2nd parameter
+        $execution2 = /(array_filter|array_reduce|array_walk(_recursive)?|array_walk|assert_options|uasort|uksort|usort|preg_replace_callback|iterator_apply)\s*\(\s*[^,]+,\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))/ nocase  // functions that takes a callback as 2nd parameter
-        $execution3 = /(array_(diff|intersect)_u(key|assoc)|array_udiff)\s*\(\s*([^,]+\s*,?)+\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))\s*\[[^]]+\]\s*\)+\s*;/ nocase  // functions that takes a callback as 2nd parameter
+        $execution3 = /(array_(diff|intersect)_u(key|assoc)|array_udiff)\s*\(\s*([^,]+\s*,?)+\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))\s*\[[^]]+\]\s*\)+\s*;/ nocase  // functions that takes a callback as 2nd parameter
        $htaccess = "SetHandler application/x-httpd-php"
        $iis_com = /IIS:\/\/localhost\/w3svc/

diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar index 536d880..309af01 100644 --- a/php-malware-finder/php.yar +++ b/php-malware-finder/php.yar
@@ -36,8 +36,8 @@ global private rule IsPhp
36	rule PasswordProtection	36	rule PasswordProtection
37	{	37	{
38	strings:	38	strings:
39	$md5 = /md5\s\(\s\$_(GET\|REQUEST\|POST\|COOKIE)[^)]+\)\s===?\s['"][0-9a-f]{32}['"]/ nocase	39	$md5 = /md5\s\(\s\$_(GET\|REQUEST\|POST\|COOKIE\|SERVER)[^)]+\)\s===?\s['"][0-9a-f]{32}['"]/ nocase
40	$sha1 = /sha1\s\(\s\$_(GET\|REQUEST\|POST\|COOKIE)[^)]+\)\s===?\s['"][0-9a-f]{40}['"]/ nocase	40	$sha1 = /sha1\s\(\s\$_(GET\|REQUEST\|POST\|COOKIE\|SERVER)[^)]+\)\s===?\s['"][0-9a-f]{40}['"]/ nocase
41	condition:	41	condition:
42	(any of them) and not IsWhitelisted	42	(any of them) and not IsWhitelisted
43	}	43	}
@@ -54,7 +54,7 @@ rule ObfuscatedPhp
54	$too_many_chr = /(chr\([\d]+\)\.){8}/ // concatenation of more than eight `chr()`	54	$too_many_chr = /(chr\([\d]+\)\.){8}/ // concatenation of more than eight `chr()`
55	$concat = /(\$[^\n\r]+\.){5}/ // concatenation of more than 5 words	55	$concat = /(\$[^\n\r]+\.){5}/ // concatenation of more than 5 words
56	$concat_with_spaces = /(\$[^\n\r]+\. ){5}/ // concatenation of more than 5 words, with spaces	56	$concat_with_spaces = /(\$[^\n\r]+\. ){5}/ // concatenation of more than 5 words, with spaces
57	$var_as_func = /\$_(GET\|POST\|COOKIE\|REQUEST)\s\[[^\]]+\]\s\(/	57	$var_as_func = /\$_(GET\|POST\|COOKIE\|REQUEST\|SERVER)\s\[[^\]]+\]\s\(/
58	$comment = /\/\([^]\|\[^\/])\\/\s\(/ // eval /* comment */ (php_code)	58	$comment = /\/\([^]\|\[^\/])\\/\s\(/ // eval /* comment */ (php_code)
59	condition:	59	condition:
60	(any of them) and not IsWhitelisted	60	(any of them) and not IsWhitelisted
@@ -66,9 +66,9 @@ rule DodgyPhp
66	$basedir_bypass = /curl_init\s\(\s["']file:\/\//	66	$basedir_bypass = /curl_init\s\(\s["']file:\/\//
67	$basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719	67	$basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719
68	$disable_magic_quotes = /set_magic_quotes_runtime\s\(\s0/	68	$disable_magic_quotes = /set_magic_quotes_runtime\s\(\s0/
69	$execution = /(eval\|assert\|passthru\|exec\|include\|system\|pcntl_exec\|shell_execute\|base64_decode\|`\|array_map\|call_user_func(_array)?)\s\(\s(base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|pack\|\\?\$_(GET\|REQUEST\|POST\|COOKIE))/ nocase // function that takes a callback as 1st parameter	69	$execution = /(eval\|assert\|passthru\|exec\|include\|system\|pcntl_exec\|shell_execute\|base64_decode\|`\|array_map\|call_user_func(_array)?)\s\(\s(base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|pack\|\\?\$_(GET\|REQUEST\|POST\|COOKIE\|SERVER))/ nocase // function that takes a callback as 1st parameter
70	$execution2 = /(array_filter\|array_reduce\|array_walk(_recursive)?\|array_walk\|assert_options\|uasort\|uksort\|usort\|preg_replace_callback\|iterator_apply)\s\(\s[^,]+,\s*(base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|pack\|\\?\$_(GET\|REQUEST\|POST\|COOKIE))/ nocase // functions that takes a callback as 2nd parameter	70	$execution2 = /(array_filter\|array_reduce\|array_walk(_recursive)?\|array_walk\|assert_options\|uasort\|uksort\|usort\|preg_replace_callback\|iterator_apply)\s\(\s[^,]+,\s*(base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|pack\|\\?\$_(GET\|REQUEST\|POST\|COOKIE\|SERVER))/ nocase // functions that takes a callback as 2nd parameter
71	$execution3 = /(array_(diff\|intersect)_u(key\|assoc)\|array_udiff)\s\(\s([^,]+\s,?)+\s(base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|pack\|\\?\$_(GET\|REQUEST\|POST\|COOKIE))\s\[[^]]+\]\s\)+\s*;/ nocase // functions that takes a callback as 2nd parameter	71	$execution3 = /(array_(diff\|intersect)_u(key\|assoc)\|array_udiff)\s\(\s([^,]+\s,?)+\s(base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|pack\|\\?\$_(GET\|REQUEST\|POST\|COOKIE\|SERVER))\s\[[^]]+\]\s\)+\s*;/ nocase // functions that takes a callback as 2nd parameter
72		72
73	$htaccess = "SetHandler application/x-httpd-php"	73	$htaccess = "SetHandler application/x-httpd-php"
74	$iis_com = /IIS:\/\/localhost\/w3svc/	74	$iis_com = /IIS:\/\/localhost\/w3svc/