From 7e47407a8988aa73627dfa482abced236b0ca963 Mon Sep 17 00:00:00 2001
From: Julien (jvoisin) Voisin
Date: Tue, 1 Mar 2016 13:45:30 +0100
Subject: Detect backticks

---
 php-malware-finder/malwares.yara | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index 9ba8ff2..287ebd3 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -57,7 +57,7 @@ private rule CloudFlareBypass
 rule ObfuscatedPhp
 {
     strings:
-        $eval = /(<\?php|[;{}])\s*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute|call_user_func(_array)?)\s*\(/ nocase  // ;eval( <- this is dodgy
+        $eval = /(<\?php|[;{}])\s*@?(eval|preg_replace|system|assert|passthru|(pcntl_)?exec|win_shell_execute|call_user_func(_array)?)\s*\(/ nocase  // ;eval( <- this is dodgy
         $b374k = "'ev'.'al'"
         $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/  //b374k
         $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/  // weevely3 launcher
@@ -110,7 +110,7 @@ rule DodgyPhp
         $basedir_bypass = /curl_init\s*\(\s*["']file:\/\//
         $basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719
         $disable_magic_quotes = /set_magic_quotes_runtime\s*\(\s*0/
-        $execution = /(eval|assert|passthru|exec|include|system|win_shell_execute|base64_decode|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/ nocase
+        $execution = /(eval|assert|passthru|exec|include|system|pcntl_exec|win_shell_execute|base64_decode|`|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/ nocase
         $htaccess = "SetHandler application/x-httpd-php"
         $iis_com = /IIS:\/\/localhost\/w3svc/
         $include = /include\s*\(\s*[^\.]+\.(png|jpg|gif|bmp)/  // Clever includes
@@ -144,8 +144,7 @@ rule DangerousPhp
         $ = "shmop_open" fullword nocase
         $ = "mb_ereg_replace_callback" fullword nocase
         $ = "passthru" fullword nocase
-        $ = "pcntl_exec" fullword nocase
-        $ = "pcntl_fork" fullword nocase
+        $ = /pcntl_(exec|fork)/ fullword nocase
         $ = "php_uname" fullword nocase
         $ = "phpinfo" fullword nocase
         $ = "posix_geteuid" fullword nocase
-- 
cgit v1.3