Signature update reported in #25

2026-06-16 12:30:35 +00:00 · 2018-09-22 18:30:02 +02:00
parent 7d8854ae8e
commit d7fe8589b0
2 changed files with 9 additions and 2 deletions
--- a/definitions/patterns_raw.txt
+++ b/definitions/patterns_raw.txt
@@ -352,4 +352,8 @@ substr(md5(time()), 0, 8) . ".php"

 # webshell
 0byt3m1n1
-ZeroByte
+ZeroByte
+
+# obfuscated function name
+'str_' .'rot13'
+'st' .'rrev'
--- a/definitions/patterns_re.txt
+++ b/definitions/patterns_re.txt
@@ -98,4 +98,7 @@ eval\(\$[a-z0-9_]+\(\$_POST
 php_uname\(["'asrvm]+\)

 # XOR decode POST-ed payload
-(\^\s*\$\w+\[\$\w+\s*%\s*strlen\(\$\w+\)\]\s*){2,}
+(\^\s*\$\w+\[\$\w+\s*%\s*strlen\(\$\w+\)\]\s*){2,}
+
+# uncommon function name underscore with many numbers
+function\s+_[0-9]{8,}\(