From 07b9cb6e80cc20610e92c01aa6cb98c49c7bdbcf Mon Sep 17 00:00:00 2001
From: Gabor Gyorvari
Date: Tue, 14 Aug 2018 07:44:16 +0200
Subject: [PATCH] Signature update reported in #20

---
 definitions/patterns_raw.txt | 4 ++++
 definitions/patterns_re.txt  | 3 +++
 2 files changed, 7 insertions(+)

diff --git a/definitions/patterns_raw.txt b/definitions/patterns_raw.txt
index caf1598..3905abe 100644
--- a/definitions/patterns_raw.txt
+++ b/definitions/patterns_raw.txt
@@ -345,3 +345,7 @@ $f1 = ".ht"; $f2 = "acc"; $f3 = "ess"; /*;*/
 
 # web shells host type extraction
 php_uname()
+# decode content with basic rot13
+str_split(rawurldecode(str_rot13(
+# generating PHP file name to put content
+substr(md5(time()), 0, 8) . ".php"
\ No newline at end of file
diff --git a/definitions/patterns_re.txt b/definitions/patterns_re.txt
index 6466b2d..7c0a792 100644
--- a/definitions/patterns_re.txt
+++ b/definitions/patterns_re.txt
@@ -96,3 +96,6 @@ eval\(\$[a-z0-9_]+\(\$_POST
 
 # web shells host type extraction RE
 php_uname\(["'asrvm]+\)
+
+# XOR decode POST-ed payload
+(\^\s*\$\w+\[\$\w+\s*%\s*strlen\(\$\w+\)\]\s*){2,}
\ No newline at end of file
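Review bot: Both new raw signatures are exact byte matches and break on trivial formatting changes, which matters most for `substr(md5(time()), 0, 8) . ".php"`: the same dropper written as `substr(md5(time()),0,8).".php"`, or with a different substring length, is not caught. If the raw matcher is case-sensitive (I cannot tell from this hunk) then `STR_ROT13(` also evades the rot13 entry, since PHP function names are case-insensitive. I would keep the rot13 entry as a cheap literal but move the file-name one to patterns_re.txt as `substr\(\s*md5\(\s*time\(\)\s*\)\s*,\s*\d+\s*,\s*\d+\s*\)\s*\.\s*["']\.php["']`, and note the provenance in the comment so a later reader knows how sample-specific these are, e.g. `# sample from #20: rot13-encoded payload written to a random 8-char .php name`.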
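Review bot: The `{2,}` quantifier makes the new rule fire only when two or more `^ $k[$i % strlen($k)]` terms are chained, so the most common single-term decoder `$out .= $data[$i] ^ $key[$i % strlen($key)];` is not matched; if the sample in #20 really XORs against two keys the comment should say so, otherwise `+` is the intended quantifier (with a look at false positives, since one such term is also what a legitimate XOR helper looks like). The expression is also whitespace-strict where obfuscated code often is not — `strlen\(\$\w+\)` and `\[\$\w+\s*%` reject `strlen( $key )` and `[ $i %` — and the PHP 5/7 curly string offset `$key{$i % strlen($key)}` is not covered; `(\^\s*\$\w+\s*[\[{]\s*\$\w+\s*%\s*strlen\(\s*\$\w+\s*\)\s*[\]}]\s*)+` handles all three. Finally, `# XOR decode POST-ed payload` overstates what is matched, as nothing in the pattern references `$_POST`; `# XOR decode with key byte cycled via strlen()` describes it accurately.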