summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--php-malware-finder/php.yar8
1 files changed, 5 insertions, 3 deletions
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index 1238a95..2ac9027 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -78,9 +78,10 @@ condition:
78rule DodgyPhp 78rule DodgyPhp
79{ 79{
80 strings: 80 strings:
81 $basedir_bypass = /curl_init\s*\(\s*["']file:\/\// 81 $basedir_bypass = /curl_init\s*\(\s*["']file:\/\// nocase
82 $basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719 82 $basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719
83 $disable_magic_quotes = /set_magic_quotes_runtime\s*\(\s*0/ 83 $disable_magic_quotes = /set_magic_quotes_runtime\s*\(\s*0/ nocase
84
84 $execution = /(eval|assert|passthru|exec|include|system|pcntl_exec|shell_execute|base64_decode|`|array_map|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))/ nocase // function that takes a callback as 1st parameter 85 $execution = /(eval|assert|passthru|exec|include|system|pcntl_exec|shell_execute|base64_decode|`|array_map|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))/ nocase // function that takes a callback as 1st parameter
85 $execution2 = /(array_filter|array_reduce|array_walk(_recursive)?|array_walk|assert_options|uasort|uksort|usort|preg_replace_callback|iterator_apply)\s*\(\s*[^,]+,\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))/ nocase // functions that takes a callback as 2nd parameter 86 $execution2 = /(array_filter|array_reduce|array_walk(_recursive)?|array_walk|assert_options|uasort|uksort|usort|preg_replace_callback|iterator_apply)\s*\(\s*[^,]+,\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))/ nocase // functions that takes a callback as 2nd parameter
86 $execution3 = /(array_(diff|intersect)_u(key|assoc)|array_udiff)\s*\(\s*([^,]+\s*,?)+\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))\s*\[[^]]+\]\s*\)+\s*;/ nocase // functions that takes a callback as 2nd parameter 87 $execution3 = /(array_(diff|intersect)_u(key|assoc)|array_udiff)\s*\(\s*([^,]+\s*,?)+\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))\s*\[[^]]+\]\s*\)+\s*;/ nocase // functions that takes a callback as 2nd parameter
@@ -92,8 +93,9 @@ rule DodgyPhp
92 $pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\(.+(\/|\\x2f)(e|\\x65)['"]/ nocase // http://php.net/manual/en/function.preg-replace.php 93 $pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\(.+(\/|\\x2f)(e|\\x65)['"]/ nocase // http://php.net/manual/en/function.preg-replace.php
93 $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/ 94 $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
94 $shellshock = /\(\)\s*{\s*:\s*;\s*}\s*;/ 95 $shellshock = /\(\)\s*{\s*:\s*;\s*}\s*;/
95 $udp_dos = /fsockopen\s*\(\s*['"]udp:\/\// 96 $udp_dos = /fsockopen\s*\(\s*['"]udp:\/\// nocase
96 $various = "<!--#exec cmd=" //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec 97 $various = "<!--#exec cmd=" //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
98 $at_eval = /@eval\s*\(/ nocase
97 99
98 condition: 100 condition:
99 (any of them) and not IsWhitelisted 101 (any of them) and not IsWhitelisted