From 763508533e802f2c45b9f8eb29aec09499d7e3be Mon Sep 17 00:00:00 2001
From: Julien (jvoisin) Voisin
Date: Thu, 16 Jun 2016 13:15:34 +0200
Subject: s/win_shell_exec/shell_exec/g

---
 php-malware-finder/php.yar | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index 527615e..7ace9f0 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -56,7 +56,7 @@ rule PasswordProtection
 rule ObfuscatedPhp
 {
 strings:
- $eval = /(<\?php|[;{}])[ \t]*@?(eval|preg_replace|system|assert|passthru|(pcntl_)?exec|win_shell_execute|call_user_func(_array)?)\s*\(/ nocase // ;eval( <- this is dodgy
+ $eval = /(<\?php|[;{}])[ \t]*@?(eval|preg_replace|system|assert|passthru|(pcntl_)?exec|shell_execute|call_user_func(_array)?)\s*\(/ nocase // ;eval( <- this is dodgy
 $b374k = "'ev'.'al'"
 $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k
 $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
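Review bot: The new `shell_execute` alternative on the added `$eval` line never matches PHP's actual builtin, which is spelled `shell_exec` (as the commit subject itself says): the name must be followed by `\s*\(`, and because this regex is anchored on `<?php`/`;`/`{`/`}` a `;shell_exec(` call is still not flagged by ObfuscatedPhp. The same dead spelling is introduced in the `$execution` string of the `rule DodgyPhp` hunk, though there the unanchored `exec` alternative happens to match inside `shell_exec(` anyway. Suggest `(pcntl_|shell_)?exec` in place of `(pcntl_)?exec|shell_execute` here, and `shell_exec` in DodgyPhp. The `rule DangerousPhp` hunk only drops `win_shell_execute` without adding a `shell_exec` counterpart, which looks unintended given the subject. The rest of `rule ObfuscatedPhp` continues outside this hunk.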
@@ -76,7 +76,7 @@ rule DodgyPhp
 $basedir_bypass = /curl_init\s*\(\s*["']file:\/\//
 $basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719
 $disable_magic_quotes = /set_magic_quotes_runtime\s*\(\s*0/
- $execution = /(eval|assert|passthru|exec|include|system|pcntl_exec|win_shell_execute|base64_decode|`|array_map|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/ nocase
+ $execution = /(eval|assert|passthru|exec|include|system|pcntl_exec|shell_execute|base64_decode|`|array_map|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/ nocase
 $execution2 = /(array_filter|array_reduce|array_walk(_recursive)?|array_walk|assert_options|uasort|uksort|usort|preg_replace_callback|iterator_apply)\s*\(\s*[^,]+,\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/ nocase // functions that takes a callback as 2nd parameter
 $htaccess = "SetHandler application/x-httpd-php"
@@ -141,7 +141,6 @@ rule DangerousPhp
 $ = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)" nocase
 $ = "stream_socket_pair" nocase
 $ = "win32_create_service" fullword nocase
- $ = "win_shell_execute" fullword nocase
 $ = "xmlrpc_decode" fullword nocase nocase
 $ = /ob_start\s*\(\s*[^\)]/ //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();
-- cgit v1.3