1 files changed, 1 insertions, 0 deletions
diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index 8fd5eb5..73195da 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -105,6 +105,7 @@ rule DodgyPhp
 {
    strings:
        $vars = /\$__+/ // $__ is rarely used in legitimate scripts
+        $double_encoding = /(base64_decode\s*\(\s*){2}/
        $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST))/
        $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
        $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/

diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara index 8fd5eb5..73195da 100644 --- a/php-malware-finder/malwares.yara +++ b/php-malware-finder/malwares.yara
@@ -105,6 +105,7 @@ rule DodgyPhp
105	{	105	{
106	strings:	106	strings:
107	$vars = /\$__+/ // $__ is rarely used in legitimate scripts	107	$vars = /\$__+/ // $__ is rarely used in legitimate scripts
		108	$double_encoding = /(base64_decode\s\(\s){2}/
108	$execution = /(eval\|assert\|passthru\|exec\|system\|win_shell_execute\|base64_decode)\s\(\s(base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|pack\|\\?\$_(GET\|REQUEST\|POST))/	109	$execution = /(eval\|assert\|passthru\|exec\|system\|win_shell_execute\|base64_decode)\s\(\s(base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|pack\|\\?\$_(GET\|REQUEST\|POST))/
109	$basedir_bypass = /(curl_init\([\"']file:[\"']\|file:file:\/\/)/	110	$basedir_bypass = /(curl_init\([\"']file:[\"']\|file:file:\/\/)/
110	$safemode_bypass = /\x00\/\.\.\/\|LD_PRELOAD/	111	$safemode_bypass = /\x00\/\.\.\/\|LD_PRELOAD/