-rw-r--r--php-malware-finder/php.yara2
-rwxr-xr-xphp-malware-finder/tests.sh1
-rw-r--r--php-malware-finder/whitelist.yara10
3 files changed, 10 insertions, 3 deletions
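--- a/php-malware-finder/php.yara
+++ b/php-malware-finder/php.yara
@@ -53,7 +53,7 @@ rule ObfuscatedPhp
  $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
  $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
  $variable_variable = /\${\$[0-9a-zA-z]+}/
- $too_many_chr = /(chr\([\d]+\)\.){2}/ // concatenation of more than two `chr()`
+ $too_many_chr = /(chr\([\d]+\)\.){5}/ // concatenation of more than two `chr()`
  $concat = /(\$[^\n\r]+\.){5}/ // concatenation of more than 5 words
  $var_as_func = /\$_(GET|POST|COOKIE|REQUEST)\s*\[[^\]]+\]\s*\(/
  $gif = /^GIF89/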
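Review bot: The trailing comment on the `$too_many_chr` line is now stale: the quantifier was raised from `{2}` to `{5}` but the comment still reads "concatenation of more than two `chr()`", so the next reader will think the threshold is two. Suggest `$too_many_chr = /(chr\([\d]+\)\.){5}/ // five or more consecutive chr() concatenations`. Note also that the pattern requires the five `chr(n).` terms to be strictly adjacent (the `\.` follows `\)` with no `\s*`), so a sample written as `chr(1) . chr(2) . ...` with spaces around the dots is out of scope at any threshold; if that is intended, stating it in the comment would save a future tuning round. The `strings:` section of `ObfuscatedPhp` starts before and ends after this hunk.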
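--- a/php-malware-finder/tests.sh
+++ b/php-malware-finder/tests.sh
@@ -81,7 +81,6 @@ run_test artificial/dodgy.php '0x126:$ini_get: ini_set("disable_function'
 run_test artificial/dodgy.php '0x147:$ini_get: ini_restore("allow_url_include'
 run_test artificial/dodgy.php '0x18d:$shellshock: () { :;};'
 run_test artificial/dodgy.php '0x169:$pr: preg_replace ("/\*/e'
-run_test artificial/dodgy.php '0x1e0:$user_function: call_user_func'
 run_test artificial/dodgy.php '0x1fd:$various: <!--#exec cmd='
 run_test artificial/dodgy.php '0x214:$: AddType application/x-httpd-php .htaccess'
 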
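Review bot: The dropped expectation for `$user_function: call_user_func` at `0x1e0` is not paired with any change to that string in this commit (the php.yara section only touches `$too_many_chr`, and the diffstat shows nothing else in php.yara), so the reason for removing it is not visible here. If the `$user_function` string still exists in the rules, this detection is now unexercised by the suite; if it was removed in an earlier commit, a short note in the commit message would make that traceable. Since the same commit tightens `$too_many_chr` to `{5}`, it would be worth adding a `run_test` line that pins the new threshold on whichever sample in `artificial/` contains five adjacent `chr()` terms, so the tightened rule has coverage rather than less coverage overall.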
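--- a/php-malware-finder/whitelist.yara
+++ b/php-malware-finder/whitelist.yara
@@ -164,6 +164,13 @@ private rule Phpmyadmin
  hash.sha1(0, filesize) == "398507962b9dd89b0352f2ea9c648152fe932475" // libraries/DBQbe.class.php
 }
 
+private rule Misc
+{
+ condition:
+ /* HTMLPurifier standalone 4.6.0 */
+ hash.sha1(0, filesize) == "9452a5f1183cbef0487b922cc1ba904ea21ad39a"
+}
+
 private rule IsWhitelisted
 {
  condition:
@@ -176,5 +183,6 @@ private rule IsWhitelisted
  Concrete5 or
  Dotclear or
  Owncloud or
- Phpmyadmin
+ Phpmyadmin or
+ Misc
 }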
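Review bot: The new `Misc` rule breaks the convention of the neighbouring whitelist rules: `Phpmyadmin` is named after the product and each hash line carries a `// path` comment, whereas `Misc` says nothing about what it whitelists and the SHA-1 `9452a5f1183cbef0487b922cc1ba904ea21ad39a` has no file name, so a reader cannot tell which file of the HTMLPurifier 4.6.0 distribution it pins or re-pin it on upgrade. Suggest naming the rule `HtmlPurifier` (and listing it as such in `IsWhitelisted`) or, if `Misc` is intended as a grab bag for single-file projects, keeping the per-hash comment style, e.g. `hash.sha1(0, filesize) == "9452a5f1183cbef0487b922cc1ba904ea21ad39a" // <path within HTMLPurifier standalone 4.6.0>`. Because this is a whole-file hash match, the entry silently stops applying the moment that file changes, which is the safe direction for a whitelist but means the version comment is the only clue to why it no longer fires; the file path makes that maintenance cheaper.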