| -rw-r--r-- | php-malware-finder/php.yar | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar index 7ace9f0..dad427b 100644 --- a/php-malware-finder/php.yar +++ b/php-malware-finder/php.yar | |||
| @@ -90,7 +90,7 @@ rule DodgyPhp | |||
| 90 | $various = "<!--#exec cmd=" //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec | 90 | $various = "<!--#exec cmd=" //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec |
| 91 | 91 | ||
| 92 | condition: | 92 | condition: |
| 93 | (any of them or CloudFlareBypass) and not IsWhitelisted | 93 | any of them and not IsWhitelisted |
| 94 | } | 94 | } |
| 95 | 95 | ||
| 96 | rule DangerousPhp | 96 | rule DangerousPhp |
| @@ -132,6 +132,7 @@ rule DangerousPhp | |||
| 132 | $ = "posix_setuid" fullword nocase | 132 | $ = "posix_setuid" fullword nocase |
| 133 | $ = "preg_replace_callback" fullword | 133 | $ = "preg_replace_callback" fullword |
| 134 | $ = "proc_open" fullword nocase | 134 | $ = "proc_open" fullword nocase |
| 135 | $ = "proc_close" fullword nocase | ||
| 135 | $ = "popen" fullword nocase | 136 | $ = "popen" fullword nocase |
| 136 | $ = "register_shutdown_function" fullword nocase | 137 | $ = "register_shutdown_function" fullword nocase |
| 137 | $ = "register_tick_function" fullword nocase | 138 | $ = "register_tick_function" fullword nocase |
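Review bot: Reading the right-hand column as the new side, the DodgyPhp condition at line 93 no longer references CloudFlareBypass, and nothing visible here shows where that rule is evaluated after this change. If CloudFlareBypass is declared `private` (its definition is outside this view), it never reports on its own, so dropping the only reference would silently remove that detection; please confirm that another rule still uses it or that the loss of coverage is intended. A one-line comment above the condition would record the decision, e.g. `// CloudFlareBypass deliberately not part of DodgyPhp: <reason>`. The strings section of DodgyPhp begins outside the hunk, so only the condition could be checked here.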
