From 3854653c8686cf9ff9bbab13f09d1566682efb5e Mon Sep 17 00:00:00 2001
From: xarkes
Date: Mon, 11 Apr 2016 11:22:01 +0200
Subject: Fixed debian package + readme

---
 .travis.yml                         | 6 ++++++
 Makefile                            | 10 ++++++----
 README.md                           | 5 +++--
 debian/nbs-phpmalwarefinder.install | 4 +++-
 php-malware-finder/php.yara         | 1 -
 5 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index 9fb27eb..6a89685 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,5 +1,10 @@
 language: c
 
+addons:
+  apt:
+    packages:
+      - devscripts
+
 install:
   - git clone --depth 1 https://github.com/plusvic/yara.git yara3
   - cd yara3
@@ -11,3 +16,4 @@ install:
 
 script:
   - make tests
+  - make package
diff --git a/Makefile b/Makefile
index c57ef4d..ddf79b7 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,5 @@
 VERSION=1.0
-DEBVER := $(shell cut -d'.' -f1 < /etc/debian_version)
+DEBVER := $(shell sed 's,[/\.].*,,' < /etc/debian_version)
 
 tests:
 	@cd ./php-malware-finder && bash ./tests.sh
@@ -10,14 +10,16 @@ clean:
 
 extract:
 	cp -r debian php-malware-finder
-	git checkout php-malware-finder/malwares.yara
+	git checkout php-malware-finder/common.yara
+	git checkout php-malware-finder/php.yara
+	git checkout php-malware-finder/asp.yara
 
 set_distribution:
-	sed -e "s/##version/`cut -d'.' -f1 < /etc/debian_version`/" -i php-malware-finder/debian/control php-malware-finder/debian/changelog
+	sed -e "s/##version/${DEBVER}/" -i php-malware-finder/debian/control php-malware-finder/debian/changelog
 
 check_distribution:
 ifeq ($(DEBVER),6)
-	sed -e '/too_many_chr/d' -e '/b64_concat/d' -e 's/^import.*//g' -e 's/^include.*//g' -e 's/and\ not\ IsWhitelisted//g' -i php-malware-finder/malwares.yara
+	sed -e '/too_many_chr/d' -e '/b64_concat/d' -e 's/^import.*//g' -e 's/^include.*//g' -e 's/and\ not\ IsWhitelisted//g' -i php-malware-finder/common.yara
 endif
 
 package: clean extract set_distribution check_distribution
diff --git a/README.md b/README.md
index 5778d06..7ed97d3 100644
--- a/README.md
+++ b/README.md
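Review bot: The new `DEBVER :=` line still runs its `$(shell …)` at parse time for every invocation, including `make tests` and `make clean`, so on a host where /etc/debian_version cannot be read the command fails and `DEBVER` is silently empty; the `set_distribution` recipe in the next hunk then writes an empty string in place of `##version` into debian/control and debian/changelog without any error. Add a guard as the first line of that recipe, `$(if $(strip $(DEBVER)),,$(error DEBVER is empty: could not read /etc/debian_version))`, which is only expanded when the `package` chain actually runs. Separately, inside a POSIX bracket expression a backslash is literal, so `[/\.]` also matches a backslash; `[/.]` states the intent exactly.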
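Review bot: The Debian 6 `sed` in `check_distribution` now edits only common.yara, yet the rule set has been split into common.yara, php.yara and asp.yara, and the README's `yara -r ./php.yara` suggests php.yara and asp.yara carry their own `include`/`import` lines; if so, those directives survive the rewrite and the `-i` argument list should name all three files. The three consecutive `git checkout` lines in `extract` can be a single `git checkout -- php-malware-finder/common.yara php-malware-finder/php.yara php-malware-finder/asp.yara`, which also avoids three partial states if one of them fails. The `set_distribution` recipe uses `${DEBVER}` while the `ifeq` two lines below uses `$(DEBVER)`; the file should settle on one form.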
@@ -47,7 +47,7 @@ both) category, and should re-read the previous sentence.
 ## How does it work?
 
 Detection is performed by crawling the filesystem and testing files against a
-[set]( https://github.com/nbs-system/php-malware-finder/blob/master/malwares.yara )
+[set]( https://github.com/nbs-system/php-malware-finder/blob/master/php.yara )
 of [YARA](https://plusvic.github.io/yara/) rules.
 Yes, it's that simple!
 
@@ -67,7 +67,8 @@ Usage phpmalwarefinder [-cfhtv] [-l (php|asp)] ...
 
 Or if you prefer to use `yara`:
 ```
-$ yara -r ./malwares.yara /var/www
+$ yara -r ./php.yara /var/www
+$ yara -r ./asp.yara /var/www
 ```
 
 Please keep in mind that you should use at least YARA 3.4 because we're using
diff --git a/debian/nbs-phpmalwarefinder.install b/debian/nbs-phpmalwarefinder.install
index 9727f63..676b4aa 100644
--- a/debian/nbs-phpmalwarefinder.install
+++ b/debian/nbs-phpmalwarefinder.install
@@ -1,4 +1,6 @@
-malwares.yara etc/phpmalwarefinder
+common.yara etc/phpmalwarefinder
+php.yara etc/phpmalwarefinder
+asp.yara etc/phpmalwarefinder
 whitelist.yara etc/phpmalwarefinder
 phpmalwarefinder usr/bin/
 docroot-check.sh usr/bin/
diff --git a/php-malware-finder/php.yara b/php-malware-finder/php.yara
index 0f46025..416215f 100644
--- a/php-malware-finder/php.yara
+++ b/php-malware-finder/php.yara
@@ -78,7 +78,6 @@ rule DodgyPhp
         $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
         $shellshock = /\(\)\s*{\s*:\s*;\s*}\s*;/
         $udp_dos = /fsockopen\s*\(\s*['"]udp:\/\//
-        $user_function = /(call_user_func|create_function)/ nocase
         $various = "