From 2626e61dff7aee0f306dfd900f0e298e16085711 Mon Sep 17 00:00:00 2001
From: Julien "shaddai" Reveret
Date: Thu, 3 Dec 2015 17:59:59 +0100
Subject: files with no end of line or less than 3 lines and huge (more than 300) amonts of characters are detected as suspicious

---
 php-malware-finder/phpmalwarefinder | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/php-malware-finder/phpmalwarefinder b/php-malware-finder/phpmalwarefinder
index 3870367..20d3cee 100755
--- a/php-malware-finder/phpmalwarefinder
+++ b/php-malware-finder/phpmalwarefinder
@@ -27,6 +27,23 @@ else
 fi
 fi
 
+# before starting yara, check if the file
+one_line_trick() {
+
+for file in $(find $@ -type f); do
+line_num=$(wc -l $file | cut -d' ' -f1)
+char_num=$(wc -c $file | cut -d' ' -f1)
+
+if [ "$line_num" -le "2" ]; then
+# humm, 2 lines long file ?
+if [ "$char_num" -ge "300" ]; then
+echo TooShort $file
+fi;
+fi;
+done;
+
+}
+
 show_help() {
 cat << EOF
 Usage ${0##*/} [-cfhw] ...
@@ -87,4 +104,6 @@ fi
 
 OPTS="${OPTS} -r ${CONFIG_PATH}"
 
+one_line_trick $@
+
 ${NICE} ${NICE_OPTS} $YARA $OPTS $@
-- 
cgit v1.3
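Review bot: The `for file in $(find $@ -type f)` loop in one_line_trick word-splits and glob-expands find's output, so a path containing a space, a newline or a `*` is broken into bogus names or expanded against the working directory, and the unquoted `$file` on the `wc` and `echo` lines repeats the problem; the `one_line_trick $@` call in the second hunk has the same unquoted `$@`, which should read `one_line_trick "$@"`. Letting find hand the names straight to an inline sh keeps them intact and stays POSIX, which matters for a scanner pointed at web trees where odd filenames are the norm rather than the exception. Reading with `wc -l < "$file"` also drops the filename from wc's output, so the `cut` is no longer needed. The header comment `# before starting yara, check if the file` is cut off; I would finish it as `# before starting yara, flag files of at most 2 lines but 300+ bytes (one-line/minified payloads)`.
```shell
one_line_trick() {
  # find passes each path as an argument to the inline sh, so names with
  # spaces, newlines or glob characters are never split or expanded
  find "$@" -type f -exec sh -c '
    for file do
      line_num=$(wc -l < "$file")
      char_num=$(wc -c < "$file")
      if [ "$line_num" -le 2 ] && [ "$char_num" -ge 300 ]; then
        printf "TooShort %s\n" "$file"
      fi
    done' _ {} +
}
```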