1 files changed, 1 insertions, 1 deletions
diff --git a/malwares.yara b/malwares.yara
index c901d06..0f4a95f 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -101,7 +101,7 @@ rule DodgyPhp
 {
    strings:
        $vars = /\$___+/ // $__ is rarely used in legitimate scripts
-        $execution = /(eval|assert|passthru|exec|system|win_shell_execute) *\((base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|\\?\$_(GET|REQUEST|POST))/
+        $execution = /(eval|assert|passthru|exec|system|win_shell_execute) *\( *(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST))/
        $double_encoding = /(base64_decode\s*\(\s*){2}/
        $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
        $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/

diff --git a/malwares.yara b/malwares.yara index c901d06..0f4a95f 100644 --- a/malwares.yara +++ b/malwares.yara
@@ -101,7 +101,7 @@ rule DodgyPhp
101	{	101	{
102	strings:	102	strings:
103	$vars = /\$___+/ // $__ is rarely used in legitimate scripts	103	$vars = /\$___+/ // $__ is rarely used in legitimate scripts
104	$execution = /(eval\|assert\|passthru\|exec\|system\|win_shell_execute) *\((base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|\\?\$_(GET\|REQUEST\|POST))/	104	$execution = /(eval\|assert\|passthru\|exec\|system\|win_shell_execute) \( (base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|pack\|\\?\$_(GET\|REQUEST\|POST))/
105	$double_encoding = /(base64_decode\s\(\s){2}/	105	$double_encoding = /(base64_decode\s\(\s){2}/
106	$basedir_bypass = /(curl_init\([\"']file:[\"']\|file:file:\/\/)/	106	$basedir_bypass = /(curl_init\([\"']file:[\"']\|file:file:\/\/)/
107	$safemode_bypass = /\x00\/\.\.\/\|LD_PRELOAD/	107	$safemode_bypass = /\x00\/\.\.\/\|LD_PRELOAD/