From 4a9899a9c1b5d675599379ed42b08dd802713866 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Wed, 26 Jul 2017 20:47:31 +0200
Subject: Add some detections

---
 php-malware-finder/common.yar                   |  2 +-
 php-malware-finder/php.yar                      |  6 ++++--
 php-malware-finder/samples/artificial/dodgy.php |  4 ++--
 php-malware-finder/tests.sh                     | 14 +++++++-------
 4 files changed, 14 insertions(+), 12 deletions(-)

diff --git a/php-malware-finder/common.yar b/php-malware-finder/common.yar
index 3559b79..f9d4573 100644
--- a/php-malware-finder/common.yar
+++ b/php-malware-finder/common.yar
@@ -139,7 +139,7 @@ rule DodgyStrings
         $ = "ps -aux" fullword
         $ = "rootkit" fullword nocase
         $ = "slowloris" fullword nocase
-        $ = "suhosin.executor.func.blacklist"
+        $ = "suhosin" fullword
         $ = "sun-tzu" fullword nocase // Because quotes from the Art of War is mandatory for any cool webshell.
 		$ = /trojan (payload)?/
         $ = "uname -a" fullword
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index 644419c..4af8116 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -89,11 +89,11 @@ rule DodgyPhp
         $htaccess = "SetHandler application/x-httpd-php"
         $iis_com = /IIS:\/\/localhost\/w3svc/
         $include = /include\s*\(\s*[^\.]+\.(png|jpg|gif|bmp)/  // Clever includes
-        $ini_get = /ini_(get|set|restore)\s*\(\s*['"](safe_mode|open_basedir|disable_function|safe_mode_exec_dir|safe_mode_include_dir|register_globals|allow_url_include)/ nocase
+        $ini_get = /ini_(get|set|restore)\s*\(\s*['"](safe_mode|open_basedir|disable_(function|classe)s|safe_mode_exec_dir|safe_mode_include_dir|register_globals|allow_url_include)/ nocase
         $pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\(.+(\/|\\x2f)(e|\\x65)['"]/  nocase // http://php.net/manual/en/function.preg-replace.php
         $register_function = /register_[a-z]+_function\s*\(\s*['"]\s*(eval|assert|passthru|exec|include|system|shell_execute|`)/  // https://github.com/nbs-system/php-malware-finder/issues/41
         $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
-        $shellshock = /\(\)\s*{\s*:\s*;\s*}\s*;/
+        $shellshock = /\(\)\s*{\s*[a-z:]\s*;\s*}\s*;/
         $udp_dos = /fsockopen\s*\(\s*['"]udp:\/\// nocase
         $various = "<!--#exec cmd="  //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
         $at_eval = /@eval\s*\(/ nocase
@@ -152,6 +152,8 @@ rule DangerousPhp
         $ = "show_source" fullword nocase
         $ = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)" nocase
         $ = "stream_socket_pair" nocase
+		$ = "suhosin.executor.func.blacklist" nocase
+		$ = "unregister_tick_function" fullword nocase
         $ = "win32_create_service" fullword nocase
         $ = "xmlrpc_decode" fullword nocase nocase
         $ = /ob_start\s*\(\s*[^\)]/  //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();
diff --git a/php-malware-finder/samples/artificial/dodgy.php b/php-malware-finder/samples/artificial/dodgy.php
index 3aac254..e127588 100644
--- a/php-malware-finder/samples/artificial/dodgy.php
+++ b/php-malware-finder/samples/artificial/dodgy.php
@@ -7,8 +7,8 @@ eval(base64_decode($_GET['lol']));
 $a= "SetHandler application/x-httpd-php";
 $b = "IIS://localhost/w3svc";
 include  ( 'lol.png');
-ini_get (  'disable_function');
-ini_set("disable_function", "");
+ini_get (  'disable_functions');
+ini_set("disable_functions", "");
 ini_restore("allow_url_include");
 preg_replace ("/*/e");
 $c = "env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'";
diff --git a/php-malware-finder/tests.sh b/php-malware-finder/tests.sh
index 39ad3bd..b4bb91d 100755
--- a/php-malware-finder/tests.sh
+++ b/php-malware-finder/tests.sh
@@ -75,13 +75,13 @@ run_test artificial/dodgy.php '$execution: base64_decode($_GET'
 run_test artificial/dodgy.php '$htaccess:'
 run_test artificial/dodgy.php '0xd7:$iis_com: IIS://localhost/w3svc'
 run_test artificial/dodgy.php "0xef:\$include: include  ( 'lol.png"
-run_test artificial/dodgy.php "0x106:\$ini_get: ini_get (  'disable_function"
-run_test artificial/dodgy.php '0x126:$ini_get: ini_set("disable_function'
-run_test artificial/dodgy.php '0x147:$ini_get: ini_restore("allow_url_include'
-run_test artificial/dodgy.php '0x18d:$shellshock: () { :;};'
-run_test artificial/dodgy.php '0x169:$pr: preg_replace ("/\*/e'
-run_test artificial/dodgy.php '0x1fd:$various: <!--#exec cmd='
-run_test artificial/dodgy.php '0x214:$: AddType application/x-httpd-php .htaccess'
+run_test artificial/dodgy.php "\$ini_get: ini_get (  'disable_functions"
+run_test artificial/dodgy.php '$ini_get: ini_set("disable_functions'
+run_test artificial/dodgy.php '$ini_get: ini_restore("allow_url_include'
+run_test artificial/dodgy.php '$shellshock: () { :;};'
+run_test artificial/dodgy.php '$pr: preg_replace ("/\*/e'
+run_test artificial/dodgy.php '$various: <!--#exec cmd='
+run_test artificial/dodgy.php '$: AddType application/x-httpd-php .htaccess'
 
 run_test artificial/bypasses.php 'DodgyPhp'
 run_test artificial/bypasses.php '0x6d:$execution: call_user_func_array($_POST'
-- 
cgit v1.3