From 088c0761b3c45a2696100b1a7633bec136d17495 Mon Sep 17 00:00:00 2001
From: Gabor Gyorvari
Date: Thu, 14 Jul 2022 19:59:23 +0200
Subject: [PATCH] Pattern update about new infections found

---
 definitions/patterns_raw.txt | 8 +++++++-
 definitions/patterns_re.txt | 11 ++++++++++-
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/definitions/patterns_raw.txt b/definitions/patterns_raw.txt
index 45b29ce..fde3486 100644
--- a/definitions/patterns_raw.txt
+++ b/definitions/patterns_raw.txt
@@ -386,4 +386,10 @@ cGhwOi8vaW5wdXQ=
 explode('?>',$shell
 
 # common mobile agent check in SEO poison scripts
-Array("1207", "3gso", "4thp", "501i", "502i", "503i", "504i", "505i", "506i",
\ No newline at end of file
+Array("1207", "3gso", "4thp", "501i", "502i", "503i", "504i", "505i", "506i",
+
+# eval url decoded string
+eval(rawurldecode('
+
+# simple obfuscated gzuncompress
+'gz'.'unc'.'ompress'
\ No newline at end of file
diff --git a/definitions/patterns_re.txt b/definitions/patterns_re.txt
index aa3b70d..a0a482c 100644
--- a/definitions/patterns_re.txt
+++ b/definitions/patterns_re.txt
@@ -138,4 +138,13 @@ explode\('\|\x01\|\x03\|\x03', gzinflate\(
 @\$[a-z]{1}\[\d+\]\(\$[a-z]{1}\[\d+\]\);
 
 # reported #77
-\$[a-z]11 \^ [a-z]8\(\$[a-z]6, \$[a-z]14, \$[a-z]6\[13\]\(\$[a-z]11\)\)\)\);
\ No newline at end of file
+\$[a-z]11 \^ [a-z]8\(\$[a-z]6, \$[a-z]14, \$[a-z]6\[13\]\(\$[a-z]11\)\)\)\);
+
+# eval function return and concat
+eval\([A-Za-z]{5,}\(\) \. '
+
+# eval function return, parameter is a hex string
+eval\([A-Za-z0-9]{5,}\(\"[A-Z0-9]{16,}
+
+# gzip payload called by variable named function
+\$[a-zA-Z0-9]{6,}\('\x78\x9C\xAD\x90\x41\x0E
\ No newline at end of file
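Review bot: The new `'gz'.'unc'.'ompress'` entry at the end of the patterns_raw.txt hunk is a literal substring, so it only covers that one split of the function name; the same name split at other points or written with the other quote style is not covered by the raw list. If patterns_re.txt is the intended home for such shapes, one regex there that accepts arbitrary split points and either quote style would generalize this entry, with the raw string kept as the cheap fast path. Separately, the hunk removes and re-adds the unchanged `Array("1207", ...` line only because the previous commit left the file without a trailing newline, and this commit again ends on `\ No newline at end of file`; the patterns_re.txt hunk shows the same churn on its `\$[a-z]11 \^ ...` line. Ending both definition files with a newline would stop every future append from rewriting the last pattern in the diff.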
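Review bot: The comment on the second new regex in patterns_re.txt says the parameter is a hex string, but the class `[A-Z0-9]{16,}` matches only upper-case letters (including G–Z, which are not hex digits) and never lower-case hex; if hex is really the intent, `eval\([A-Za-z0-9]{5,}\(\"[A-Fa-f0-9]{16,}` matches the comment, otherwise the comment should say "upper-case alphanumeric string". The last new pattern is commented as a gzip payload, but `\x78\x9C` is the zlib stream header that PHP's gzcompress()/gzuncompress() produce and consume, whereas gzip streams begin with `\x1F\x8B`; `# zlib (gzcompress) payload called by variable named function` would be accurate. That pattern also pins four bytes of compressed data after the header (`\xAD\x90\x41\x0E`), which presumably ties it to one specific sample; whether the header plus the variable-function call prefix is selective enough on its own is worth measuring against the test corpus before loosening it. The `\"` escape in the hex pattern is unnecessary inside a regex but harmless.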