Fix #16

Yeah, PMF needs a testsuite.
author: Julien Voisin 2016-02-22 14:57:31 +0100
committer: Julien Voisin 2016-02-22 14:57:31 +0100
commit: eb2945d111559269198fdd38840db972318967bf (patch)
tree: 34b48fe50353396d47d6115e54467b11a64831cd
parent: 1cd54c4f41ccea0c48b3c79d1edc9024fd2f011e (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index 1fa5c22..0d8ca4e 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -57,7 +57,7 @@ private rule CloudFlareBypass
 rule ObfuscatedPhp
 {
    strings:
-        $eval = /(<\?php[[:space:]]|[;{}])\s*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)[[:space:]]*\(/  // ;eval( <- this is dodgy
+        $eval = /(<\?php|[;{}])\s*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\s*\(/  // ;eval( <- this is dodgy
        $b374k = "'ev'.'al'"
        $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/  //b374k
        $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/  // weevely3 launcher
author	Julien Voisin	2016-02-22 14:57:31 +0100
committer	Julien Voisin	2016-02-22 14:57:31 +0100
commit	eb2945d111559269198fdd38840db972318967bf (patch)
tree	34b48fe50353396d47d6115e54467b11a64831cd
parent	1cd54c4f41ccea0c48b3c79d1edc9024fd2f011e (diff)

diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara index 1fa5c22..0d8ca4e 100644 --- a/php-malware-finder/malwares.yara +++ b/php-malware-finder/malwares.yara
@@ -57,7 +57,7 @@ private rule CloudFlareBypass
57	rule ObfuscatedPhp	57	rule ObfuscatedPhp
58	{	58	{
59	strings:	59	strings:
60	$eval = /(<\?php[[:space:]]\|[;{}])\s@?(eval\|preg_replace\|system\|exec\|assert\|passthru\|win_shell_execute)[[:space:]]\(/ // ;eval( <- this is dodgy	60	$eval = /(<\?php\|[;{}])\s@?(eval\|preg_replace\|system\|exec\|assert\|passthru\|win_shell_execute)\s\(/ // ;eval( <- this is dodgy
61	$b374k = "'ev'.'al'"	61	$b374k = "'ev'.'al'"
62	$align = /(\$\w+=[^;]);\$\w+=@?\$\w+\(/ //b374k	62	$align = /(\$\w+=[^;]);\$\w+=@?\$\w+\(/ //b374k
63	$weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher	63	$weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher