| -rw-r--r-- | php-malware-finder/php.yar | 5 |
1 files changed, 2 insertions, 3 deletions
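--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -56,7 +56,7 @@ rule PasswordProtection
 rule ObfuscatedPhp
 {
 strings:
-$eval = /(<\?php|[;{}])[ \t]*@?(eval|preg_replace|system|assert|passthru|(pcntl_)?exec|win_shell_execute|call_user_func(_array)?)\s*\(/ nocase // ;eval( <- this is dodgy
+$eval = /(<\?php|[;{}])[ \t]*@?(eval|preg_replace|system|assert|passthru|(pcntl_)?exec|shell_execute|call_user_func(_array)?)\s*\(/ nocase // ;eval( <- this is dodgy
 $b374k = "'ev'.'al'"
 $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k
 $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
@@ -76,7 +76,7 @@ rule DodgyPhp
 $basedir_bypass = /curl_init\s*\(\s*["']file:\/\//
 $basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719
 $disable_magic_quotes = /set_magic_quotes_runtime\s*\(\s*0/
-$execution = /(eval|assert|passthru|exec|include|system|pcntl_exec|win_shell_execute|base64_decode|`|array_map|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/ nocase
+$execution = /(eval|assert|passthru|exec|include|system|pcntl_exec|shell_execute|base64_decode|`|array_map|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/ nocase
 $execution2 = /(array_filter|array_reduce|array_walk(_recursive)?|array_walk|assert_options|uasort|uksort|usort|preg_replace_callback|iterator_apply)\s*\(\s*[^,]+,\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/ nocase // functions that takes a callback as 2nd parameter
 
 $htaccess = "SetHandler application/x-httpd-php"
@@ -141,7 +141,6 @@ rule DangerousPhp
 $ = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)" nocase
 $ = "stream_socket_pair" nocase
 $ = "win32_create_service" fullword nocase
-$ = "win_shell_execute" fullword nocase
 $ = "xmlrpc_decode" fullword nocase nocase
 $ = /ob_start\s*\(\s*[^\)]/ //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();
 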
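Review bot: In the new `$eval` string of ObfuscatedPhp (first hunk), the alternative `shell_execute` matches neither the core PHP `shell_exec(` call nor, because the name must follow `(<\?php|[;{}])[ \t]*@?` directly, the `win_shell_execute(` call the line previously caught, so that alternative no longer fires on any real PHP call; `(win_)?shell_exec(ute)?` would state the intent and cover both. In `$execution` (second hunk) there is no leading boundary, so `shell_execute` still matches as a substring of `win_shell_execute(` but still not `shell_exec(`, and the same `(win_)?shell_exec(ute)?` form would fix that consistently. The `fullword` string dropped from DangerousPhp (third hunk) has no replacement in this section, so a bare `win_shell_execute` call with an innocuous argument is presumably no longer flagged unless the rule covers it elsewhere, outside this view. Unrelated but on the new side, `$ = "xmlrpc_decode" fullword nocase nocase` repeats a modifier, which recent YARA releases reject as a duplicated modifier; dropping the second `nocase` is a one-token fix. All three rule bodies start and end outside their hunks.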
