1 files changed, 1 insertions, 1 deletions
diff --git a/malwares.yara b/malwares.yara
index 1263b39..b376307 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -100,7 +100,7 @@ rule DodgyPhp
 {
    strings:
        $vars = /\$___+/ // $__ is rarely used in legitimate scripts
-        $execution = /(eval|assert|passthru|exec|system|win_shell_execute) *\((base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|\\?\$_(GET|REQUEST|POST))/
+        $execution = /(eval|assert|passthru|exec|system|win_shell_execute) *\( *(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST))/
        $double_encoding = /(base64_decode\s*\(\s*){2}/
        $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
        $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/

diff --git a/malwares.yara b/malwares.yara index 1263b39..b376307 100644 --- a/malwares.yara +++ b/malwares.yara
@@ -100,7 +100,7 @@ rule DodgyPhp
100	{	100	{
101	strings:	101	strings:
102	$vars = /\$___+/ // $__ is rarely used in legitimate scripts	102	$vars = /\$___+/ // $__ is rarely used in legitimate scripts
103	$execution = /(eval\|assert\|passthru\|exec\|system\|win_shell_execute) *\((base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|\\?\$_(GET\|REQUEST\|POST))/	103	$execution = /(eval\|assert\|passthru\|exec\|system\|win_shell_execute) \( (base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|pack\|\\?\$_(GET\|REQUEST\|POST))/
104	$double_encoding = /(base64_decode\s\(\s){2}/	104	$double_encoding = /(base64_decode\s\(\s){2}/
105	$basedir_bypass = /(curl_init\([\"']file:[\"']\|file:file:\/\/)/	105	$basedir_bypass = /(curl_init\([\"']file:[\"']\|file:file:\/\/)/
106	$safemode_bypass = /\x00\/\.\.\/\|LD_PRELOAD/	106	$safemode_bypass = /\x00\/\.\.\/\|LD_PRELOAD/