path: root/data/php.yar

Age | Commit message | Author
2023-02-28 | Add a simple rule | Julien Voisin
2022-05-02 | Make application go-install-able and create a docker image | Mathieu Deous
2020-10-01 | Add a keyword for a rule | jvoisin
2020-07-01 | Fix a yara warning | jvoisin
    This shouldn't impact detection much, while fixing a scary warning
2020-04-03 | Fix php-malware-finder for yara > 4.0.0 | jvoisin
2019-10-22 | Remove a duplicate keyword in php.yar | shaddai
    This should fix issue #94
2018-06-26 | Detect things like '@include' | jvoisin
    This should close #71
2018-05-29 | Add detection for Nano | jvoisin
    [Nano](https://github.com/UltimateHackers/nano) is a family of PHP webshells which are code golfed to be extremely stealthy and efficient.
2018-02-21 | Add a detection for things like `eval/* …*/(` | jvoisin
2018-02-21 | Some regexps are now matching on word boundaries | jvoisin
    This should close #51
2018-02-21 | Major cleanup of useless files | jvoisin
2017-11-21 | Add a new sample, and a way to detect it | jvoisin
2017-07-26 | Add some detections | jvoisin
2017-07-09 | Add ob_start as dodgy php (#56) | Fariskhi Vidyan
    Wonderful, thank you ♥
2017-04-26 | Add a detection for a smart webshell | jvoisin
2016-12-30 | \x09-\x0d are non-printable chars, but aren't malicious. | jvoisin
    This closes #44, thanks to @DrTyrell for spotting this issue ♥
2016-12-09 | Add a detection for register_shutdown_function | jvoisin
    Close #41
2016-12-08 | Add a '${${' rule | jvoisin
2016-12-08 | @eval isn't legit at all | jvoisin
2016-12-01 | Add a new detection way | jvoisin
    Close #38 Some webshells are using non-printable characters, so we match on them (kudos to @blotus for the idea). The regexp `[^ -~]` is completely killing the performances, this is why we're using [atoms](https://gist.github.com/Neo23x0/e3d4e316d7441d9143c7) to dramatically increase the scanning speed.
2016-11-04 | `SERVER['HTTP_*` is user-controllable. [0.3.4] | Julien (jvoisin) Voisin
2016-10-31 | Improves the detection of concatenation-based obfuscation | Julien (jvoisin) Voisin
2016-10-27 | It seems that `and` has a precedence over `or`, unsurprisingly | Julien (jvoisin) Voisin
2016-10-27 | Extend whitelisting support | Julien (jvoisin) Voisin
    Some detection modules weren't aware of whitelisting
2016-08-30 | Add a rule to detect some obfuscated samples | Julien (jvoisin) Voisin
    Thanks to @Doeurf for the sample
2016-07-16 | Remove an obsolete test | jvoisin
2016-07-09 | Reduce "too_many_chr" false positives | jvoisin
2016-07-08 | Fix the previous commit | jvoisin
    It seems that a lot of jpeg files contain some <?php stuff :/
2016-07-07 | Add more images detection | Julien (jvoisin) Voisin
2016-07-07 | Factorize a bit the code, and add GIF-based backdoor detection | Julien (jvoisin) Voisin
2016-06-27 | Add detection for a callback-based malwares | Julien (jvoisin) Voisin
2016-06-17 | typo fix, sha1 hashes are 40 chars long | Julien "shaddai" Reveret
2016-06-16 | Cloudflare rule is _public_, no need to put it in another rule | Julien (jvoisin) Voisin
2016-06-16 | s/win_shell_exec/shell_exec/g | Julien (jvoisin) Voisin
2016-06-16 | Detect backdoor-looking authentication schemes | Julien (jvoisin) Voisin
2016-06-16 | The cloudflare rule is a public one | Julien (jvoisin) Voisin
2016-06-13 | Improves a bit the detection of preg_replace stuff | Julien (jvoisin) Voisin
2016-05-11 | Fix some false-positive | Julien (jvoisin) Voisin
2016-04-21 | Renaming .yara files to .yar (#24) | xarkes
2016-04-11 | Whitelist UHTMLPufifier | Julien (jvoisin) Voisin
2016-04-11 | Fixed debian package + readme | xarkes
2016-03-31 | Add ASP webshell detection | xarkes
2016-03-23 | Make PMF work on yara-git | Julien (jvoisin) Voisin
2016-03-01 | Add detection for backdoored .htaccess | Julien (jvoisin) Voisin
2016-03-01 | Detect backticks | Julien (jvoisin) Voisin
2016-03-01 | Simplify the previous commit | Julien (jvoisin) Voisin
2016-03-01 | Add a rule to catch fancy .htaccess tricks | Julien (jvoisin) Voisin
2016-02-26 | Add yet another cool bypass, thanks to @badluck81 | Julien (jvoisin) Voisin
2016-02-26 | Fix a really cool bypass | Julien (jvoisin) Voisin
2016-02-26 | Add some embedded perl-script detection | Julien (jvoisin) Voisin