1 files changed, 1 insertions, 1 deletions
diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index 45100c5..d07c057 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -102,7 +102,7 @@ rule SuspiciousEncoding
 rule DodgyPhp
 {
    strings:
-        $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
+        $basedir_bypass = /curl_init\s*\(\s*["']file:\/\//
        $disable_magic_quotes = /set_magic_quotes_runtime\(0\)/
        $double_encoding = /(base64_decode\s*\(\s*){2}/
        $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/

diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara index 45100c5..d07c057 100644 --- a/php-malware-finder/malwares.yara +++ b/php-malware-finder/malwares.yara
@@ -102,7 +102,7 @@ rule SuspiciousEncoding
102	rule DodgyPhp	102	rule DodgyPhp
103	{	103	{
104	strings:	104	strings:
105	$basedir_bypass = /(curl_init\([\"']file:[\"']\|file:file:\/\/)/	105	$basedir_bypass = /curl_init\s\(\s["']file:\/\//
106	$disable_magic_quotes = /set_magic_quotes_runtime\(0\)/	106	$disable_magic_quotes = /set_magic_quotes_runtime\(0\)/
107	$double_encoding = /(base64_decode\s\(\s){2}/	107	$double_encoding = /(base64_decode\s\(\s){2}/
108	$execution = /(eval\|assert\|passthru\|exec\|system\|win_shell_execute\|base64_decode)\s\(\s(base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|pack\|\\?\$_(GET\|REQUEST\|POST\|COOKIE))/	108	$execution = /(eval\|assert\|passthru\|exec\|system\|win_shell_execute\|base64_decode)\s\(\s(base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|pack\|\\?\$_(GET\|REQUEST\|POST\|COOKIE))/