1 files changed, 1 insertions, 1 deletions
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index 06e1827..2dc20e1 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -47,7 +47,7 @@ private rule CloudFlareBypass
 rule ObfuscatedPhp
 {
    strings:
-        $eval = /(<\?php|[;{}])\s*@?(eval|preg_replace|system|assert|passthru|(pcntl_)?exec|win_shell_execute|call_user_func(_array)?)\s*\(/ nocase  // ;eval( <- this is dodgy
+        $eval = /(<\?php|[;{}])[ \t]*@?(eval|preg_replace|system|assert|passthru|(pcntl_)?exec|win_shell_execute|call_user_func(_array)?)\s*\(/ nocase  // ;eval( <- this is dodgy
        $b374k = "'ev'.'al'"
        $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/  //b374k
        $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/  // weevely3 launcher

diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar index 06e1827..2dc20e1 100644 --- a/php-malware-finder/php.yar +++ b/php-malware-finder/php.yar
@@ -47,7 +47,7 @@ private rule CloudFlareBypass
47	rule ObfuscatedPhp	47	rule ObfuscatedPhp
48	{	48	{
49	strings:	49	strings:
50	$eval = /(<\?php\|[;{}])\s@?(eval\|preg_replace\|system\|assert\|passthru\|(pcntl_)?exec\|win_shell_execute\|call_user_func(_array)?)\s\(/ nocase // ;eval( <- this is dodgy	50	$eval = /(<\?php\|[;{}])[ \t]@?(eval\|preg_replace\|system\|assert\|passthru\|(pcntl_)?exec\|win_shell_execute\|call_user_func(_array)?)\s\(/ nocase // ;eval( <- this is dodgy
51	$b374k = "'ev'.'al'"	51	$b374k = "'ev'.'al'"
52	$align = /(\$\w+=[^;]);\$\w+=@?\$\w+\(/ //b374k	52	$align = /(\$\w+=[^;]);\$\w+=@?\$\w+\(/ //b374k
53	$weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher	53	$weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher