reverting change since it triggers too many false positives

author: Julien "shaddai" Reveret 2015-10-19 11:25:57 +0200
committer: Julien "shaddai" Reveret 2015-10-19 11:26:08 +0200
commit: 93bfb72efd7ff0a4f5f9f56ccbe8bf8bf2f11f83 (patch)
tree: eb779fb848353b2ab8b95339c8828496a78b4bcd
parent: b456ace96e2bfea050d6991082773a183e476d5f (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index 866aa66..1826a5a 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -103,7 +103,7 @@ rule DodgyPhp
 {
    strings:
        $vars = /\$__+/ // $__ is rarely used in legitimate scripts
-        $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)*?\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST))/
+        $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST))/
        $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
        $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
        $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
author	Julien "shaddai" Reveret	2015-10-19 11:25:57 +0200
committer	Julien "shaddai" Reveret	2015-10-19 11:26:08 +0200
commit	93bfb72efd7ff0a4f5f9f56ccbe8bf8bf2f11f83 (patch)
tree	eb779fb848353b2ab8b95339c8828496a78b4bcd
parent	b456ace96e2bfea050d6991082773a183e476d5f (diff)

diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara index 866aa66..1826a5a 100644 --- a/php-malware-finder/malwares.yara +++ b/php-malware-finder/malwares.yara
@@ -103,7 +103,7 @@ rule DodgyPhp
103	{	103	{
104	strings:	104	strings:
105	$vars = /\$__+/ // $__ is rarely used in legitimate scripts	105	$vars = /\$__+/ // $__ is rarely used in legitimate scripts
106	$execution = /(eval\|assert\|passthru\|exec\|system\|win_shell_execute\|base64_decode)?\s\(\s*(base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|pack\|\\?\$_(GET\|REQUEST\|POST))/	106	$execution = /(eval\|assert\|passthru\|exec\|system\|win_shell_execute\|base64_decode)\s\(\s(base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|pack\|\\?\$_(GET\|REQUEST\|POST))/
107	$basedir_bypass = /(curl_init\([\"']file:[\"']\|file:file:\/\/)/	107	$basedir_bypass = /(curl_init\([\"']file:[\"']\|file:file:\/\/)/
108	$safemode_bypass = /\x00\/\.\.\/\|LD_PRELOAD/	108	$safemode_bypass = /\x00\/\.\.\/\|LD_PRELOAD/
109	$shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/	109	$shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/