3 files changed, 3 insertions, 1 deletions
diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index b47dce3..edb1ffb 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -188,6 +188,7 @@ rule DodgyStrings
 {
    strings:
        $ = ".bash_history"
+        $ = /AddType\s+application\/x-httpd-php\s+\.htaccess/
        $ = ".mysql_history"
        $ = ".ssh/authorized_keys"
        $ = "/(.*)/e"  // preg_replace code execution
diff --git a/php-malware-finder/samples/artificial/dodgy.php b/php-malware-finder/samples/artificial/dodgy.php
index 1c85f39..3aac254 100644
--- a/php-malware-finder/samples/artificial/dodgy.php
+++ b/php-malware-finder/samples/artificial/dodgy.php
@@ -15,4 +15,4 @@ $c = "env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'";
 fsockopen (  'udp://');
 call_user_func('LOL');
 $d = "<!--#exec cmd=";
+$c = "AddType application/x-httpd-php .htaccess"
diff --git a/php-malware-finder/tests.sh b/php-malware-finder/tests.sh
index 7566e89..fe9141a 100755
--- a/php-malware-finder/tests.sh
+++ b/php-malware-finder/tests.sh
@@ -73,6 +73,7 @@ run_test artificial/dodgy.php '0x18d:$shellshock: () { :;};'
 run_test artificial/dodgy.php '0x169:$pr: preg_replace ("/\*/e'
 run_test artificial/dodgy.php '0x1e0:$user_function: call_user_func'
 run_test artificial/dodgy.php '0x1fd:$various: <!--#exec cmd='
+run_test artificial/dodgy.php '0x214:$: AddType application/x-httpd-php .htaccess'
 run_test artificial/bypasses.php 'DodgyPhp'
 run_test artificial/bypasses.php '0x6d:$execution: call_user_func_array($_POST'

diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara index b47dce3..edb1ffb 100644 --- a/php-malware-finder/malwares.yara +++ b/php-malware-finder/malwares.yara
@@ -188,6 +188,7 @@ rule DodgyStrings
188	{	188	{
189	strings:	189	strings:
190	$ = ".bash_history"	190	$ = ".bash_history"
		191	$ = /AddType\s+application\/x-httpd-php\s+\.htaccess/
191	$ = ".mysql_history"	192	$ = ".mysql_history"
192	$ = ".ssh/authorized_keys"	193	$ = ".ssh/authorized_keys"
193	$ = "/(.*)/e" // preg_replace code execution	194	$ = "/(.*)/e" // preg_replace code execution


diff --git a/php-malware-finder/samples/artificial/dodgy.php b/php-malware-finder/samples/artificial/dodgy.php index 1c85f39..3aac254 100644 --- a/php-malware-finder/samples/artificial/dodgy.php +++ b/php-malware-finder/samples/artificial/dodgy.php
@@ -15,4 +15,4 @@ $c = "env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'";
15	fsockopen ( 'udp://');	15	fsockopen ( 'udp://');
16	call_user_func('LOL');	16	call_user_func('LOL');
17	$d = "<!--#exec cmd=";	17	$d = "<!--#exec cmd=";
18		18	$c = "AddType application/x-httpd-php .htaccess"


diff --git a/php-malware-finder/tests.sh b/php-malware-finder/tests.sh index 7566e89..fe9141a 100755 --- a/php-malware-finder/tests.sh +++ b/php-malware-finder/tests.sh
@@ -73,6 +73,7 @@ run_test artificial/dodgy.php '0x18d:$shellshock: () { :;};'
73	run_test artificial/dodgy.php '0x169:$pr: preg_replace ("/\*/e'	73	run_test artificial/dodgy.php '0x169:$pr: preg_replace ("/\*/e'
74	run_test artificial/dodgy.php '0x1e0:$user_function: call_user_func'	74	run_test artificial/dodgy.php '0x1e0:$user_function: call_user_func'
75	run_test artificial/dodgy.php '0x1fd:$various: <!--#exec cmd='	75	run_test artificial/dodgy.php '0x1fd:$various: <!--#exec cmd='
		76	run_test artificial/dodgy.php '0x214:$: AddType application/x-httpd-php .htaccess'
76		77
77	run_test artificial/bypasses.php 'DodgyPhp'	78	run_test artificial/bypasses.php 'DodgyPhp'
78	run_test artificial/bypasses.php '0x6d:$execution: call_user_func_array($_POST'	79	run_test artificial/bypasses.php '0x6d:$execution: call_user_func_array($_POST'