1 files changed, 1 insertions, 1 deletions
diff --git a/malwares.yara b/malwares.yara
index d56ce7d..c421956 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -98,7 +98,7 @@ rule SuspiciousEncoding
 rule DodgyPhp
 {
    strings:
-        $execution = /(eval|passthru|exec|system|win_shell_execute)\((base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|\\?\$_(GET|REQUEST|POST))/
+        $execution = /(eval|passthru|exec|system|win_shell_execute) *\((base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|\\?\$_(GET|REQUEST|POST))/
        $double_encoding = /(base64_decode\s*\(\s*){2}/
        $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
        $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/

diff --git a/malwares.yara b/malwares.yara index d56ce7d..c421956 100644 --- a/malwares.yara +++ b/malwares.yara
@@ -98,7 +98,7 @@ rule SuspiciousEncoding
98	rule DodgyPhp	98	rule DodgyPhp
99	{	99	{
100	strings:	100	strings:
101	$execution = /(eval\|passthru\|exec\|system\|win_shell_execute)\((base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|\\?\$_(GET\|REQUEST\|POST))/	101	$execution = /(eval\|passthru\|exec\|system\|win_shell_execute) *\((base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|\\?\$_(GET\|REQUEST\|POST))/
102	$double_encoding = /(base64_decode\s\(\s){2}/	102	$double_encoding = /(base64_decode\s\(\s){2}/
103	$basedir_bypass = /(curl_init\([\"']file:[\"']\|file:file:\/\/)/	103	$basedir_bypass = /(curl_init\([\"']file:[\"']\|file:file:\/\/)/
104	$safemode_bypass = /\x00\/\.\.\/\|LD_PRELOAD/	104	$safemode_bypass = /\x00\/\.\.\/\|LD_PRELOAD/