From 8d69958dcd705107f512f6bba55d18ff516fb81a Mon Sep 17 00:00:00 2001
From: Gabor Gyorvari
Date: Thu, 2 Aug 2018 08:20:49 +0200
Subject: [PATCH] Signature update reported in #19
---
 definitions/patterns_raw.txt | 6 +++++-
 definitions/patterns_re.txt | 3 +++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/definitions/patterns_raw.txt b/definitions/patterns_raw.txt
index 1ec377b..caf1598 100644
--- a/definitions/patterns_raw.txt
+++ b/definitions/patterns_raw.txt
@@ -340,4 +340,8 @@ $f1 = ".ht"; $f2 = "acc"; $f3 = "ess";
 # split escaped
 \x73\x70\x6C\x69\x74
 # >tpircs/< aka
-\x3E\x74\x70\x69\x72\x63\x73\x2F\x3C
\ No newline at end of file
+\x3E\x74\x70\x69\x72\x63\x73\x2F\x3C
+# comment spoof function call
+/*;*/
+# web shells host type extraction
+php_uname()
diff --git a/definitions/patterns_re.txt b/definitions/patterns_re.txt
index c589d46..6466b2d 100644
--- a/definitions/patterns_re.txt
+++ b/definitions/patterns_re.txt
@@ -93,3 +93,6 @@ eval\(\$[a-z0-9_]+\(\$_POST
 # GLOBALS inject with escaped content
 \$GLOBALS;\$\{"\\x
+
+# web shells host type extraction RE
+php_uname\(["'asrvm]+\)
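Review bot: The raw `php_uname()` entry added at the end of the patterns_raw.txt hunk matches a call that ordinary PHP applications also make for diagnostics and environment checks, so on its own it is likely to flag clean files. The comment above it should say so, for example `# web shells host type extraction (low confidence: also common in legitimate code)`, so that whoever triages a hit looks for corroborating patterns before acting. The `# comment spoof function call` line above `/*;*/` would likewise read better with one concrete description of what the matched text looks like in a file. Whether the scanner supports a per-pattern severity or weight is not visible from this patch.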
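Review bot: The character class in `php_uname\(["'asrvm]+\)` in the patterns_re.txt hunk leaves out `n`, which is a valid php_uname() mode (host name), so `php_uname('n')` is matched neither by this rule nor by the raw `php_uname()` entry in patterns_raw.txt. Because quotes and mode letters share one class, the rule also accepts strings that are not valid calls, while a call with whitespace inside the parentheses is missed. A tighter form would be `php_uname\s*\(\s*["'][asnrvm]["']\s*\)`. PHP function names are case-insensitive, so the rule should be applied case-insensitively; whether the scanner does that is not visible here.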