1 files changed, 1 insertions, 0 deletions
diff --git a/php-malware-finder/common.yar b/php-malware-finder/common.yar
index bde83c7..184e5ce 100644
--- a/php-malware-finder/common.yar
+++ b/php-malware-finder/common.yar
@@ -51,6 +51,7 @@ private rule hex
        $system = "\\x73\\x79\\x73\\x74\\x65\\x6d" nocase
        $preg_replace = "\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65" nocase
        $http_user_agent = "\\x48\\124\\x54\\120\\x5f\\125\\x53\\105\\x52\\137\\x41\\107\\x45\\116\\x54" nocase
+        $base64_decode = "\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x67\\x7a\\x69\\x6e\\x66\\x6c\\x61\\x74\\x65\\x28" nocase
    
    condition:
        any of them

diff --git a/php-malware-finder/common.yar b/php-malware-finder/common.yar index bde83c7..184e5ce 100644 --- a/php-malware-finder/common.yar +++ b/php-malware-finder/common.yar
@@ -51,6 +51,7 @@ private rule hex
51	$system = "\\x73\\x79\\x73\\x74\\x65\\x6d" nocase	51	$system = "\\x73\\x79\\x73\\x74\\x65\\x6d" nocase
52	$preg_replace = "\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65" nocase	52	$preg_replace = "\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65" nocase
53	$http_user_agent = "\\x48\\124\\x54\\120\\x5f\\125\\x53\\105\\x52\\137\\x41\\107\\x45\\116\\x54" nocase	53	$http_user_agent = "\\x48\\124\\x54\\120\\x5f\\125\\x53\\105\\x52\\137\\x41\\107\\x45\\116\\x54" nocase
		54	$base64_decode = "\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x67\\x7a\\x69\\x6e\\x66\\x6c\\x61\\x74\\x65\\x28" nocase
54		55
55	condition:	56	condition:
56	any of them	57	any of them