From ebdbd50916d692cce7c2420e54f32ea00c700b5d Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Tue, 2 Jan 2024 09:41:00 -0700 Subject: [PATCH] Fix a typo The condition header needed to be on a new line. --- yara/cn_pentestset_webshells.yar | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/yara/cn_pentestset_webshells.yar b/yara/cn_pentestset_webshells.yar index b2fb21dc..40a7bd90 100644 --- a/yara/cn_pentestset_webshells.yar +++ b/yara/cn_pentestset_webshells.yar @@ -741,7 +741,8 @@ rule CN_Honker_Webshell_Tuoku_script_mysql { hash = "8e242c40aabba48687cfb135b51848af4f2d389d" strings: $s1 = "txtpassword.Attributes.Add(\"onkeydown\", \"SubmitKeyClick('btnLogin');\");" fullword ascii /* PEStudio Blacklist: strings */ - $s2 = "connString = string.Format(\"Host = {0}; UserName = {1}; Password = {2}; Databas" ascii /* PEStudio Blacklist: strings */condition: + $s2 = "connString = string.Format(\"Host = {0}; UserName = {1}; Password = {2}; Databas" ascii /* PEStudio Blacklist: strings */ + condition: filesize < 202KB and all of them }