diff options
| -rw-r--r-- | php-malware-finder/php.yar | 1 | ||||
| -rwxr-xr-x | php-malware-finder/tests.sh | 1 |
2 files changed, 2 insertions, 0 deletions
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar index 2ac9027..8a08308 100644 --- a/php-malware-finder/php.yar +++ b/php-malware-finder/php.yar | |||
| @@ -96,6 +96,7 @@ rule DodgyPhp | |||
| 96 | $udp_dos = /fsockopen\s*\(\s*['"]udp:\/\// nocase | 96 | $udp_dos = /fsockopen\s*\(\s*['"]udp:\/\// nocase |
| 97 | $various = "<!--#exec cmd=" //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec | 97 | $various = "<!--#exec cmd=" //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec |
| 98 | $at_eval = /@eval\s*\(/ nocase | 98 | $at_eval = /@eval\s*\(/ nocase |
| 99 | $double_var = /\${\s*\${/ | ||
| 99 | 100 | ||
| 100 | condition: | 101 | condition: |
| 101 | (any of them) and not IsWhitelisted | 102 | (any of them) and not IsWhitelisted |
diff --git a/php-malware-finder/tests.sh b/php-malware-finder/tests.sh index 4f1c765..d362a14 100755 --- a/php-malware-finder/tests.sh +++ b/php-malware-finder/tests.sh | |||
| @@ -91,6 +91,7 @@ run_test artificial/bypasses.php "0x132:\$var_as_func: \$_POST\['funct'\](" | |||
| 91 | run_test real/sucuri_2014_04.php '0x67:$execution3:' | 91 | run_test real/sucuri_2014_04.php '0x67:$execution3:' |
| 92 | run_test real/novahot.php 'DodgyStrings' | 92 | run_test real/novahot.php 'DodgyStrings' |
| 93 | run_test real/guidtz.php '0x12d8:$non_printables:' | 93 | run_test real/guidtz.php '0x12d8:$non_printables:' |
| 94 | run_test real/ice.php 'double_var' | ||
| 94 | 95 | ||
| 95 | # Asp files | 96 | # Asp files |
| 96 | run_test_asp classic/cmdasp.asp 'DodgyStrings' | 97 | run_test_asp classic/cmdasp.asp 'DodgyStrings' |