Signature update reported in #20

definitions/patterns_raw.txt

@@ -345,3 +345,7 @@ $f1 = ".ht"; $f2 = "acc"; $f3 = "ess";
 /*;*/
 # web shells host type extraction
 php_uname()
+# decode content with basic rot13
+str_split(rawurldecode(str_rot13(
+# generating PHP file name to put content
+substr(md5(time()), 0, 8) . ".php"

definitions/patterns_re.txt

@@ -96,3 +96,6 @@ eval\(\$[a-z0-9_]+\(\$_POST
 
 # web shells host type extraction RE
 php_uname\(["'asrvm]+\)
+
+# XOR decode POST-ed payload
+(\^\s*\$\w+\[\$\w+\s*%\s*strlen\(\$\w+\)\]\s*){2,}