1 files changed, 1 insertions, 1 deletions
diff --git a/malwares.yara b/malwares.yara
index 3adc5f8..30d8e1c 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -102,7 +102,7 @@ rule DodgyPhp
        $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
        $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir)['"]\)/
        $various = "<!--#exec cmd="  //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
-        $pr = /preg_replace\(['"]\/\.\*\/e['"],/  // http://php.net/manual/en/function.preg-replace.php
+        $pr = /preg_replace\(['"]\/[^\/]\/e['"]/  // http://php.net/manual/en/function.preg-replace.php
        $include = /include\([^\.]+\.(png|jpg|gif|bmp)/  // Clever includes
        $htaccess = "SetHandler application/x-httpd-php"

diff --git a/malwares.yara b/malwares.yara index 3adc5f8..30d8e1c 100644 --- a/malwares.yara +++ b/malwares.yara
@@ -102,7 +102,7 @@ rule DodgyPhp
102	$shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/	102	$shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
103	$restore_bypass = /ini_restore\(['"](safe_mode\|open_basedir)['"]\)/	103	$restore_bypass = /ini_restore\(['"](safe_mode\|open_basedir)['"]\)/
104	$various = "<!--#exec cmd=" //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec	104	$various = "<!--#exec cmd=" //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
105	$pr = /preg_replace\(['"]\/\.\*\/e['"],/ // http://php.net/manual/en/function.preg-replace.php	105	$pr = /preg_replace\(['"]\/[^\/]\/e['"]/ // http://php.net/manual/en/function.preg-replace.php
106	$include = /include\([^\.]+\.(png\|jpg\|gif\|bmp)/ // Clever includes	106	$include = /include\([^\.]+\.(png\|jpg\|gif\|bmp)/ // Clever includes
107	$htaccess = "SetHandler application/x-httpd-php"	107	$htaccess = "SetHandler application/x-httpd-php"
108		108