From 7a6d2195c8cfda2559a6e7a1234175eb909ae489 Mon Sep 17 00:00:00 2001
From: Julien "shaddai" Reveret
Date: Tue, 12 Jan 2016 11:28:33 +0100
Subject: added register_globals to restore_bypass, new rules : ini_get and disable_magic_quotes

---
 php-malware-finder/README.md | 3 ++-
 php-malware-finder/malwares.yara | 6 +++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/php-malware-finder/README.md b/php-malware-finder/README.md
index 69d4e11..59187b1 100644
--- a/php-malware-finder/README.md
+++ b/php-malware-finder/README.md
@@ -30,7 +30,8 @@ The following list of encoders/obfuscators/webshells are also detected:
 * [cobra obfuscator]( http://obfuscator.uk/example/ )
 * [phpencode]( http://phpencode.org )
 * [webtoolsvn]( http://www.webtoolsvn.com/en-decode/ )
-
+* [tennc]( http://tennc.github.io/webshell/ )
+* [web-malware-collection]( https://github.com/nikicat/web-malware-collection )
 
 ## How does it work?
 
diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index 73195da..f733bc3 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -110,7 +110,10 @@ rule DodgyPhp
 $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
 $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
 $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
- $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir|disable_function|safe_mode_exec_dir|safe_mode_include_dir)['"]\)/
+ $ini_get =
+ /ini_get\(['"](safe_mode|open_basedir|disable_function|safe_mode_exec_dir|safe_mode_include_dir|register_globals)['"]\)/
+ $restore_bypass =
+ /ini_restore\(['"](safe_mode|open_basedir|disable_function|safe_mode_exec_dir|safe_mode_include_dir|register_globals)['"]\)/
 $various = "