1 files changed, 1 insertions, 1 deletions
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index d4a77c1..fce5ea3 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -51,7 +51,7 @@ rule ObfuscatedPhp
        $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/  // weevely3 launcher
        $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/  // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
        $variable_variable = /\${\$[0-9a-zA-z]+}/
-        $too_many_chr = /(chr\([\d]+\)\.){5}/  // concatenation of more than two `chr()`
+        $too_many_chr = /(chr\([\d]+\)\.){8}/  // concatenation of more than eight `chr()`
        $concat = /(\$[^\n\r]+\.){5}/  // concatenation of more than 5 words
        $var_as_func = /\$_(GET|POST|COOKIE|REQUEST)\s*\[[^\]]+\]\s*\(/
        $gif = /^GIF89/

diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar index d4a77c1..fce5ea3 100644 --- a/php-malware-finder/php.yar +++ b/php-malware-finder/php.yar
@@ -51,7 +51,7 @@ rule ObfuscatedPhp
51	$weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher	51	$weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
52	$c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html	52	$c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
53	$variable_variable = /\${\$[0-9a-zA-z]+}/	53	$variable_variable = /\${\$[0-9a-zA-z]+}/
54	$too_many_chr = /(chr\([\d]+\)\.){5}/ // concatenation of more than two `chr()`	54	$too_many_chr = /(chr\([\d]+\)\.){8}/ // concatenation of more than eight `chr()`
55	$concat = /(\$[^\n\r]+\.){5}/ // concatenation of more than 5 words	55	$concat = /(\$[^\n\r]+\.){5}/ // concatenation of more than 5 words
56	$var_as_func = /\$_(GET\|POST\|COOKIE\|REQUEST)\s\[[^\]]+\]\s\(/	56	$var_as_func = /\$_(GET\|POST\|COOKIE\|REQUEST)\s\[[^\]]+\]\s\(/
57	$gif = /^GIF89/	57	$gif = /^GIF89/