From dac09770e449526b799254bd19c710c664bfe2bd Mon Sep 17 00:00:00 2001
From: Julien (jvoisin) Voisin
Date: Mon, 11 Apr 2016 17:00:04 +0200
Subject: Whitelist UHTMLPufifier

---
 php-malware-finder/php.yara | 2 +-
 php-malware-finder/tests.sh | 1 -
 php-malware-finder/whitelist.yara | 10 +++++++++-
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/php-malware-finder/php.yara b/php-malware-finder/php.yara
index 416215f..1370543 100644
--- a/php-malware-finder/php.yara
+++ b/php-malware-finder/php.yara
@@ -53,7 +53,7 @@ rule ObfuscatedPhp
     $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
     $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
     $variable_variable = /\${\$[0-9a-zA-z]+}/
-    $too_many_chr = /(chr\([\d]+\)\.){2}/ // concatenation of more than two `chr()`
+    $too_many_chr = /(chr\([\d]+\)\.){5}/ // concatenation of more than two `chr()`
     $concat = /(\$[^\n\r]+\.){5}/ // concatenation of more than 5 words
     $var_as_func = /\$_(GET|POST|COOKIE|REQUEST)\s*\[[^\]]+\]\s*\(/
     $gif = /^GIF89/
diff --git a/php-malware-finder/tests.sh b/php-malware-finder/tests.sh
index 2dee339..3aaceea 100755
--- a/php-malware-finder/tests.sh
+++ b/php-malware-finder/tests.sh
@@ -81,7 +81,6 @@ run_test artificial/dodgy.php '0x126:$ini_get: ini_set("disable_function'
 run_test artificial/dodgy.php '0x147:$ini_get: ini_restore("allow_url_include'
 run_test artificial/dodgy.php '0x18d:$shellshock: () { :;};'
 run_test artificial/dodgy.php '0x169:$pr: preg_replace ("/\*/e'
-run_test artificial/dodgy.php '0x1e0:$user_function: call_user_func'
 run_test artificial/dodgy.php '0x1fd:$various:
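Review bot: The trailing comment on the new `$too_many_chr` line in php.yara is now stale — the quantifier was raised from `{2}` to `{5}` but the comment still says "concatenation of more than two `chr()`"; it should read `// concatenation of five or more chained chr()`, matching the style of the `$concat` line just below it, whose comment already names its own threshold. Since the string now only fires on five consecutive `chr(n).` fragments, shorter chained-chr obfuscation no longer matches this string on its own, so it would help future tuning to record in the comment or the commit message that the threshold was loosened to reduce false positives (the subject line suggests an HTML sanitiser library was the trigger, but that is inferred). The enclosing `rule ObfuscatedPhp` begins before the hunk and its condition section runs past it, so whether the rule still fires on the same samples cannot be judged from this hunk alone.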