From 05cb27e5b8c2966813d8407430018ed34c0444b5 Mon Sep 17 00:00:00 2001
From: Julien Voisin
Date: Thu, 2 Apr 2015 18:47:24 +0200
Subject: Improves detection of preg_replace-base payloads

---
 malwares.yara | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/malwares.yara b/malwares.yara
index 3adc5f8..30d8e1c 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -102,7 +102,7 @@ rule DodgyPhp
         $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
         $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir)['"]\)/
         $various = "<!--#exec cmd="  //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
-        $pr = /preg_replace\(['"]\/\.\*\/e['"],/  // http://php.net/manual/en/function.preg-replace.php
+        $pr = /preg_replace\(['"]\/[^\/]\/e['"]/  // http://php.net/manual/en/function.preg-replace.php
         $include = /include\([^\.]+\.(png|jpg|gif|bmp)/  // Clever includes
         $htaccess = "SetHandler application/x-httpd-php"
 
-- 
cgit v1.3