From f4d53e89d8142e9ff0065a24d640db18bb4df85c Mon Sep 17 00:00:00 2001
From: Gabor Gyorvari <scr34m@gmail.com>
Date: Thu, 27 May 2021 06:38:53 +0200
Subject: [PATCH] Pattern updates from new infections

---
 definitions/patterns_raw.txt |  9 +++++++++
 definitions/patterns_re.txt  | 11 ++++++++++-
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/definitions/patterns_raw.txt b/definitions/patterns_raw.txt
index d154916..15afce5 100644
--- a/definitions/patterns_raw.txt
+++ b/definitions/patterns_raw.txt
@@ -180,6 +180,7 @@ kZWZpbm
 
 # Obfuscation related code
 eval("?>
+eval('?>
 "base64_decode"
 ='base'.(32*2).'_de'.'code'
 "p"."r"."e"."g"."_"
@@ -202,6 +203,8 @@ gz'.'inf'.'late
 # fopo.com.ar - free online php obfuscator. It conveniently leaves comments in the code.
 http://www.fopo.com.ar/
 @eval("\
+";eval(
+eval(eval(
 
 #Malware/Attack specific strings/fingerprints/signatures
 MagelangCyber
@@ -374,3 +377,9 @@ ZeroByte
 # SEO poisoning control site call
 "http://$xxx
 ?useragent=$botbotbot
+
+# php://input encoded in base64
+cGhwOi8vaW5wdXQ=
+
+# backdoor script
+<font color="red">Upload Gagal..</font><br />
diff --git a/definitions/patterns_re.txt b/definitions/patterns_re.txt
index fa5f1fe..ff85b01 100644
--- a/definitions/patterns_re.txt
+++ b/definitions/patterns_re.txt
@@ -116,4 +116,13 @@ function\s+_[0-9]{8,}\(
 create_function\s*\(\s*['"]{2}
 
 # control concated from cookie at the call
-(\$[a-z]{2,}=urldecode\(\$_COOKIE\['[a-z]{2,}'\]\);){3,}
\ No newline at end of file
+(\$[a-z]{2,}=urldecode\(\$_COOKIE\['[a-z]{2,}'\]\);){3,}
+
+# ${$O{18}.$O{7}.$O{24}.$O{2}.$O{50}.$O{8}
+(\$[A-Z]+\{\d+\}\.){3,}
+
+# comment in variable name $_REQUEST /*YUsrqpbzvXTSa...QpDNTPYQvLSFPCqsSnWNVqPdSIAYaQj*/[
+\$_REQUEST\s*\/\*[A-Za-z]+\*\/\[
+
+# cookie payload if(isset($_COOKIE)){$p=$_COOKIE;(count($p)==55&&in_array(gettype($p).count($p),$p))?(($p[68]=$p[68].$p[22])&&($p[35]=$p[68]($p[35]))&&($p=$p[35]($p[13],$p[68]($p[45])))&&$p()):$p;}
+\(count\(\$p\)==\d+&&in_array\(gettype\(\$p\)\.count\(\$p\),\$p\)\)
\ No newline at end of file