From 93bfb72efd7ff0a4f5f9f56ccbe8bf8bf2f11f83 Mon Sep 17 00:00:00 2001
From: Julien "shaddai" Reveret
Date: Mon, 19 Oct 2015 11:25:57 +0200
Subject: reverting change since it triggers too many false positives

---
 php-malware-finder/malwares.yara | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index 866aa66..1826a5a 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -103,7 +103,7 @@ rule DodgyPhp
 {
     strings:
         $vars = /\$__+/ // $__ is rarely used in legitimate scripts
-        $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)*?\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST))/
+        $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST))/
         $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
         $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
         $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
-- 
cgit v1.3