1 files changed, 1 insertions, 0 deletions
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index ba1130e..cdb91c2 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -54,6 +54,7 @@ rule ObfuscatedPhp
        $too_many_chr = /(chr\([\d]+\)\.){8}/  // concatenation of more than eight `chr()`
        $concat = /(\$[^\n\r]+\.){5}/  // concatenation of more than 5 words
        $var_as_func = /\$_(GET|POST|COOKIE|REQUEST)\s*\[[^\]]+\]\s*\(/
+        $comment = /\/\*([^*]|\*[^\/])*\*\/\s*\(/  // eval /* comment */ (php_code)
 condition:
        any of them and not IsWhitelisted
 }

diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar index ba1130e..cdb91c2 100644 --- a/php-malware-finder/php.yar +++ b/php-malware-finder/php.yar
@@ -54,6 +54,7 @@ rule ObfuscatedPhp
54	$too_many_chr = /(chr\([\d]+\)\.){8}/ // concatenation of more than eight `chr()`	54	$too_many_chr = /(chr\([\d]+\)\.){8}/ // concatenation of more than eight `chr()`
55	$concat = /(\$[^\n\r]+\.){5}/ // concatenation of more than 5 words	55	$concat = /(\$[^\n\r]+\.){5}/ // concatenation of more than 5 words
56	$var_as_func = /\$_(GET\|POST\|COOKIE\|REQUEST)\s\[[^\]]+\]\s\(/	56	$var_as_func = /\$_(GET\|POST\|COOKIE\|REQUEST)\s\[[^\]]+\]\s\(/
		57	$comment = /\/\([^]\|\[^\/])\\/\s\(/ // eval /* comment */ (php_code)
57	condition:	58	condition:
58	any of them and not IsWhitelisted	59	any of them and not IsWhitelisted
59	}	60	}