From fde93ed05adc8d84bda4a3e6d46047b41b89c9a4 Mon Sep 17 00:00:00 2001
From: Julien Voisin
Date: Wed, 3 Feb 2016 15:01:26 +0100
Subject: Makes a rule more generic

---
 php-malware-finder/malwares.yara | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index 285ee77..5652b0a 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -57,7 +57,7 @@ private rule CloudFlareBypass
 rule ObfuscatedPhp
 {
     strings:
-        $eval = /(<\?php[[:space:]]|[;{}])\s*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)[\t ]*\(/  // ;eval( <- this is dodgy
+        $eval = /(<\?php[[:space:]]|[;{}])\s*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)[[:space:]]*\(/  // ;eval( <- this is dodgy
         $b374k = "'ev'.'al'"
         $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/  //b374k
         $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/  // weevely3 launcher
-- 
cgit v1.3