From ba466dc1ff644320452ee5a6c51affb2389f2946 Mon Sep 17 00:00:00 2001
From: Gabor Gyorvari
Date: Tue, 24 Feb 2026 06:58:29 +0100
Subject: [PATCH] Sample update from #94 and some found in servers

---
 definitions/patterns_raw.txt | 25 ++++++++++++++++++++-----
 definitions/patterns_re.txt | 7 ++++++-
 2 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/definitions/patterns_raw.txt b/definitions/patterns_raw.txt
index 0de47b2..e5dfcdb 100644
--- a/definitions/patterns_raw.txt
+++ b/definitions/patterns_raw.txt
@@ -25,6 +25,7 @@ ShellBOT
 ".\x00..\x20"
 FM_SESSION_ID
 HACKED BY
+_Mybb
 #Remote Code
 curl_get_from_webpage
@@ -35,6 +36,9 @@ leafmailer.pw
 #Base64 String Samples. Each plain text string should have 3 base64 equivalents
+# https://
+aHR0cHM6Ly
+
 # "shell" in base64
 c2hlbG
 NoZWxs
@@ -184,6 +188,12 @@ RlZmluZ
 kZWZpbm
 # Obfuscation related code
+'.'6'.'4'.'_'.'
+bas'.'e64_dec
+file'.'_put_co
+fil'.'e_ex
+Pz4=
+L3gvaQ==
 eval("?>
 eval('?>
 @eval(
@@ -191,9 +201,10 @@ eval('?>
 ='base'.(32*2).'_de'.'code'
 "p"."r"."e"."g"."_"
 WSOstripslashes
-\x73\x79\x73\x74\x65\x6d' /* case, dec/hex issue? */, // system
-\x70\x72\x65\x67\x5f\x72\x65\x70\x6c\x61\x63\x65' /* case, dec/hex issue? */, // preg_replace
-\x65\x78\x65\x63' /* dec/hex issue? */, // exec
+\x5f\x43\x4f\x4f\x4b\x49\x45
+\x73\x79\x73\x74\x65\x6d
+\x70\x72\x65\x67\x5f\x72\x65\x70\x6c\x61\x63\x65
+\x65\x78\x65\x63
 ev\x61l
 \x65\166\x61\154\x28' /* dec/hex issue? */,
 \x65\x76\x61\x6C' /* case, dec/hex issue? */,
@@ -206,12 +217,12 @@ base=base64_encode
 'b'.'ase6'.'4_e'.'ncode'
 cr"."eat"."e_fun"."cti"."on
 gz'.'inf'.'late
-# fopo.com.ar - free online php obfuscator. It conveniently leaves comments in the code.
-http://www.fopo.com.ar/
 @eval("\
 ";eval(
 eval(eval(
 @eval(`
+eVaL('?>
+eval($_REQUEST
 convert_uudecode(convert_uuencode
 "64_decode"
 'f' . 'il' . 'e' . '_'
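Review bot: `_Mybb` is the shortest token in this block of webshell fingerprints and nothing records which sample it was lifted from, so a later maintainer cannot tell a hit from a coincidence. If raw patterns are matched case-insensitively (the matcher is not visible from this diff), a five-character token like this is also likely to fire on legitimate MyBB forum code. A comment above it in the style the file already uses, e.g. `# <sample or family placeholder> - seen in <source placeholder>`, or a longer slice of the sample, would make the entry defensible.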
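Review bot: The new `# https://` entry adds only the offset-0 encoding `aHR0cHM6Ly`, although the heading two lines above says every plaintext should carry three base64 equivalents and the existing `c2hlbG`/`NoZWxs` pair for "shell" follows that rule. An `https://` encoded mid-string lands on one of the other two alignments, which work out to `h0dHBzOi8v` and `odHRwczovL`; without those lines an encoded URL preceded by any other text is missed. Base64-encoded URLs also occur in legitimate code (signed links, OAuth state, tokens), so if the scanner weights its raw matches this one probably deserves less weight than the shell-specific strings.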
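Review bot: `Pz4=` and `L3gvaQ==` are base64 literals filed under `# Obfuscation related code` with no comment saying what they decode to, unlike the `# php://input encoded in base64` entry further down in this file; they decode to `?>` and `/x/i` respectively. A comment such as `# "?>" and "/x/i" in base64`, or moving them into the base64 section above, would keep the file's own organization. Both are padded, offset-0 encodings, so they only match when the plaintext sits at the end of a base64 blob on a 3-byte boundary; that is fine for a sample-derived fingerprint but worth stating next to them.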
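Review bot: `eVaL('?>` catches exactly one spelling of a case-mangled `eval`; PHP function names are case-insensitive, so the next sample will use another mix (`EvAl`, `EVAL`) and need yet another raw line. If raw matching is case-sensitive (not visible here), this class of variant belongs in patterns_re.txt as a single expression such as `[eE][vV][aA][lL]\(\s*['"]\?>`, which would also subsume the `eval\(\s+'\?>'` expression added to patterns_re.txt in this same commit. `eval($_REQUEST` is fine as is.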
@@ -219,6 +230,9 @@ convert_uudecode(convert_uuencode
 'h' . 'tm' . 'l' . 'sp'
 'ha' . 'r' . 's'
+# fopo.com.ar - free online php obfuscator. It conveniently leaves comments in the code.
+http://www.fopo.com.ar/
+
 #Malware/Attack specific strings/fingerprints/signatures
 MagelangCyber
 //rasta//
@@ -398,6 +412,7 @@ ZeroByte
 # SEO poisoning control site call
 "http://$xxx
 ?useragent=$botbotbot
+[#*#*#]
 # php://input encoded in base64
 cGhwOi8vaW5wdXQ=
diff --git a/definitions/patterns_re.txt b/definitions/patterns_re.txt
index 3bb30b2..ab43d51 100644
--- a/definitions/patterns_re.txt
+++ b/definitions/patterns_re.txt
@@ -146,6 +146,8 @@ eval\([A-Za-z0-9]{5,}\(\) \. '
 # eval function return, parameter is a hex string
 eval\([A-Za-z0-9]{5,}\(\"[A-Z0-9]{16,}
+eval\(\s+'\?>'
+
 # gzip payload called by variable named function
 \$[a-zA-Z0-9]{6,}\('\x78\x9C\xAD\x90\x41\x0E
@@ -159,4 +161,7 @@ return @\$[a-z]{2}\d+\[\d+\]\(\$[a-z]{2}\d+\[\d+\],
 # JS - escaped command
 \.fromCharCode\([0-9,]{4,}\)
-\+-parseInt\(\w\('0x[0-9a-z]+'\)\)\/
\ No newline at end of file
+\+-parseInt\(\w\('0x[0-9a-z]+'\)\)\/
+
+# concated hash value
+('[a-z0-9]{2,}'\.){4,}
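Review bot: `eval\(\s+'\?>'` matches only the single-quoted form, so the whitespace variant with double quotes, `eval( "?>`, is not caught by either this expression or the tight `eval("?>` raw pattern; `eval\(\s+['"]\?>` covers both quote styles in one line. The expression is also placed directly under `# eval function return, parameter is a hex string`, which describes the line above it and not this one — a comment such as `# eval with whitespace before the quoted close tag` would keep the file readable.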
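Review bot: `('[a-z0-9]{2,}'\.){4,}` allows no whitespace around the dot, so the spaced concatenation style the raw file deliberately targets (`'f' . 'il' . 'e' . '_'` in this same commit's context) is not matched; `('[a-z0-9]{2,}'\s*\.\s*){4,}` covers both. Because every repetition must end in a dot, a chain needs five quoted pieces, not four, to match — fine if intended, but worth stating in the comment. The comment also has a typo: `concated` should read `concatenated`.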