-rw-r--r--malwares.yara2
1 files changed, 1 insertions, 1 deletions
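--- a/malwares.yara
+++ b/malwares.yara
@@ -100,7 +100,7 @@ rule DodgyPhp
 {
  strings:
  $vars = /\$___+/ // $__ is rarely used in legitimate scripts
- $execution = /(eval|assert|passthru|exec|system|win_shell_execute) *\((base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|\\?\$_(GET|REQUEST|POST))/
+ $execution = /(eval|assert|passthru|exec|system|win_shell_execute) *\( *(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST))/
  $double_encoding = /(base64_decode\s*\(\s*){2}/
  $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
  $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/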
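Review bot: The rewritten `$execution` string on line 103 only tolerates literal spaces around the opening parenthesis (` *\( *`), so a tab or a line break between the call and its argument falls outside the match, whereas the neighbouring `$double_encoding` string on line 104 already uses `\s*` for the same purpose; `\s*\(\s*` would make the two consistent. The pattern is also case-sensitive while PHP resolves function names case-insensitively, so mixed-case spellings of `eval` or `base64_decode` are not matched unless the string carries the `nocase` modifier. Proposed line: `$execution = /(eval|assert|passthru|exec|system|win_shell_execute)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST))/ nocase`. The rule's `condition:` section lies outside the hunk, so whether this string is required on its own or combined with the others cannot be judged here.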