jvoisin / php-malware-finder

Detect potentially malicious PHP files
GNU Lesser General Public License v3.0

whitelist.yara(10): error: undefined identifier "hash" #19

Closed blade1989 closed 8 years ago

blade1989 commented 8 years ago

While running yara -r ./phpmalwarefinder /home/USER/public_html/site/, I got the following error:

./phpmalwarefinder /home/USER/public_html/site/
TooShort /home/USER/public_html/site/something/index.php
./malwares.yara(1): error: syntax error, unexpected IDENTIFIER, expecting $end or RULE or PRIVATE or GLOBAL
whitelist.yara(10): error: undefined identifier "hash"
whitelist.yara(27): error: undefined identifier "hash"
whitelist.yara(63): error: undefined identifier "hash"
whitelist.yara(72): error: undefined identifier "hash"
whitelist.yara(92): error: undefined identifier "hash"
whitelist.yara(116): error: undefined identifier "hash"
whitelist.yara(129): error: undefined identifier "hash"
whitelist.yara(138): error: undefined identifier "hash"
whitelist.yara(152): error: undefined identifier "hash"
whitelist.yara(163): error: undefined identifier "hash"
whitelist.yara(170): error: undefined identifier "Symfony"
./malwares.yara(71): error: invalid regular expression "$too_many_chr": syntax error, unexpected '?', expecting $end
./malwares.yara(129): error: undefined identifier "IsWhitelisted"
./malwares.yara(188): error: undefined identifier "IsWhitelisted"
./malwares.yara(251): error: undefined identifier "IsWhitelisted"
./malwares.yara(283): error: undefined identifier "IsWhitelisted"

I have complete rights to scan in it, if that's the problem:

sudo chown -R USER:USER /home/USER/public_html
sudo chmod -R 775 /home/USER/public_html

I also submitted this error on the yara GitHub page:

https://github.com/plusvic/yara/issues/426

shaddai commented 8 years ago

Which yara version do you use?

blade1989 commented 8 years ago

@shaddai Here is the output of apt-cache policy yara:

sudo apt-cache policy yara
[sudo] password for USER: 
yara:
  Installed: 2.0.0-2
  Candidate: 2.0.0-2
  Version table:
 *** 2.0.0-2 0
        500 http://nl.archive.ubuntu.com/ubuntu/ trusty/universe i386 Packages
        100 /var/lib/dpkg/status

So, it's version 2.0.0-2

shaddai commented 8 years ago

As stated in the README file, you need yara 3.4.0: "Please keep in mind that you should use at least YARA 3.4 because we're using hashes for the whitelist system, and greedy regexps."
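A pre-flight version check for the situation in this thread, as an added example that is not part of the original issue or of php-malware-finder. It compares the installed YARA version against the 3.4 minimum quoted from the README, tolerating distro suffixes such as the `-2` in `2.0.0-2`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: refuse to run the rules on a YARA older than the README minimum.
MIN_YARA="3.4"   # minimum taken from the README quote in the thread

# normalize_version: drop a leading label and any distro suffix.
# "yara 3.11.0" -> "3.11.0", "2.0.0-2" -> "2.0.0"
normalize_version() {
    printf '%s\n' "$1" | sed -e 's/^[^0-9]*//' -e 's/[^0-9.].*$//'
}

# version_at_least HAVE WANT: succeed when HAVE >= WANT.
# Fields are compared as numbers, so 3.11 counts as newer than 3.4.
version_at_least() {
    have="$(normalize_version "$1").0.0"   # pad so three fields always exist
    want="$(normalize_version "$2").0.0"
    i=1
    while [ "$i" -le 3 ]; do
        h=$(printf '%s\n' "$have" | cut -d. -f"$i")
        w=$(printf '%s\n' "$want" | cut -d. -f"$i")
        h=${h:-0}
        w=${w:-0}
        if [ "$h" -gt "$w" ]; then return 0; fi
        if [ "$h" -lt "$w" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# check_yara VERSION_STRING: print "ok" or "too-old" for a reported version.
check_yara() {
    if version_at_least "$1" "$MIN_YARA"; then
        echo "ok"
    else
        echo "too-old"
    fi
}

# When yara is installed, report on the real binary (yara -v prints its version).
if command -v yara >/dev/null 2>&1; then
    installed=$(yara -v 2>/dev/null)
    echo "yara ${installed}: $(check_yara "$installed")"
fi
```

The packaged version from `apt-cache policy yara` can be passed to `check_yara` as well, which catches an outdated distribution package before any rules are compiled.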