From 51cc889e53689d1e389539fe704585057d4839d8 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Fri, 9 Dec 2016 15:39:05 +0100
Subject: Add a detection for register_shutdown_function

Close #41
---
 php-malware-finder/php.yar | 1 +
 php-malware-finder/samples/real/srt.php | 5 +++++
 php-malware-finder/tests.sh | 1 +
 3 files changed, 7 insertions(+)
 create mode 100644 php-malware-finder/samples/real/srt.php

diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index 8a08308..c3e115a 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -91,6 +91,7 @@ rule DodgyPhp
 $include = /include\s*\(\s*[^\.]+\.(png|jpg|gif|bmp)/ // Clever includes
 $ini_get = /ini_(get|set|restore)\s*\(\s*['"](safe_mode|open_basedir|disable_function|safe_mode_exec_dir|safe_mode_include_dir|register_globals|allow_url_include)/ nocase
 $pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\(.+(\/|\\x2f)(e|\\x65)['"]/ nocase // http://php.net/manual/en/function.preg-replace.php
+$register_function = /register_[a-z]+_function\s*\(\s*['"]\s*(eval|assert|passthru|exec|include|system|shell_execute|`)/ // https://github.com/nbs-system/php-malware-finder/issues/41
 $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
 $shellshock = /\(\)\s*{\s*:\s*;\s*}\s*;/
 $udp_dos = /fsockopen\s*\(\s*['"]udp:\/\// nocase
diff --git a/php-malware-finder/samples/real/srt.php b/php-malware-finder/samples/real/srt.php
new file mode 100644
index 0000000..ef02af2
--- /dev/null
+++ b/php-malware-finder/samples/real/srt.php
@@ -0,0 +1,5 @@
+
diff --git a/php-malware-finder/tests.sh b/php-malware-finder/tests.sh
index d362a14..a261199 100755
--- a/php-malware-finder/tests.sh
+++ b/php-malware-finder/tests.sh
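Review bot: The `shell_execute` alternative in the new `$register_function` string will not match a real callback, because the PHP built-in is `shell_exec`; in `'shell_exec'` the function name is followed by the closing quote, not by `ute`, so that alternative is dead and the intended case slips past the rule — change it to `shell_exec`. The new string is also the only one among its neighbours (`$ini_get`, `$pr`, `$udp_dos`) without `nocase`, although PHP resolves function names case-insensitively, so a differently cased `Register_Shutdown_Function('Eval'` is missed; appending the modifier, `... |shell_exec|`)/ nocase // https://github.com/nbs-system/php-malware-finder/issues/41`, keeps the rule consistent with the surrounding strings. The enclosing `rule DodgyPhp` starts and ends outside the hunk.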
@@ -92,6 +92,7 @@ run_test real/sucuri_2014_04.php '0x67:$execution3:'
 run_test real/novahot.php 'DodgyStrings'
 run_test real/guidtz.php '0x12d8:$non_printables:'
 run_test real/ice.php 'double_var'
+run_test real/srt.php '$register_function'
 
 # Asp files
 run_test_asp classic/cmdasp.asp 'DodgyStrings'
-- 
cgit v1.3