Remove yet another useless rule

author: Julien (jvoisin) Voisin 2016-02-23 17:57:37 +0100
committer: Julien (jvoisin) Voisin 2016-02-23 17:57:37 +0100
commit: efefe633e1d5e0b42f12e2c4bc0e15c186d9e6fb (patch)
tree: 78fac3b4152361348ba563f04afc4598f2fded07
parent: 153b5ad97afe623a558ccc061bb753fd88e2ee00 (diff)
1 files changed, 0 insertions, 1 deletions
diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index 7e2acc0..8fe7b15 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -105,7 +105,6 @@ rule DodgyPhp
        $basedir_bypass = /curl_init\s*\(\s*["']file:\/\//
        $basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719
        $disable_magic_quotes = /set_magic_quotes_runtime\s*\(\s*0/
-        $double_encoding = /(base64_decode\s*\(\s*){2}/
        $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/
        $htaccess = "SetHandler application/x-httpd-php"
        $iis_com = /IIS:\/\/localhost\/w3svc/
author	Julien (jvoisin) Voisin	2016-02-23 17:57:37 +0100
committer	Julien (jvoisin) Voisin	2016-02-23 17:57:37 +0100
commit	efefe633e1d5e0b42f12e2c4bc0e15c186d9e6fb (patch)
tree	78fac3b4152361348ba563f04afc4598f2fded07
parent	153b5ad97afe623a558ccc061bb753fd88e2ee00 (diff)

diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara index 7e2acc0..8fe7b15 100644 --- a/php-malware-finder/malwares.yara +++ b/php-malware-finder/malwares.yara
@@ -105,7 +105,6 @@ rule DodgyPhp
105	$basedir_bypass = /curl_init\s\(\s["']file:\/\//	105	$basedir_bypass = /curl_init\s\(\s["']file:\/\//
106	$basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719	106	$basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719
107	$disable_magic_quotes = /set_magic_quotes_runtime\s\(\s0/	107	$disable_magic_quotes = /set_magic_quotes_runtime\s\(\s0/
108	$double_encoding = /(base64_decode\s\(\s){2}/
109	$execution = /(eval\|assert\|passthru\|exec\|system\|win_shell_execute\|base64_decode)\s\(\s(base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|pack\|\\?\$_(GET\|REQUEST\|POST\|COOKIE))/	108	$execution = /(eval\|assert\|passthru\|exec\|system\|win_shell_execute\|base64_decode)\s\(\s(base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|pack\|\\?\$_(GET\|REQUEST\|POST\|COOKIE))/
110	$htaccess = "SetHandler application/x-httpd-php"	109	$htaccess = "SetHandler application/x-httpd-php"
111	$iis_com = /IIS:\/\/localhost\/w3svc/	110	$iis_com = /IIS:\/\/localhost\/w3svc/