From 051ddcfe1588792f5bd880cc3955d97d8985c8ae Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD <malin@cenusa.me>
Date: Sat, 21 Apr 2018 12:25:42 +0200
Subject: [PATCH] new patterns

---
 malware5.pl  | 3 +++
 malwaresh.pl | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/malware5.pl b/malware5.pl
index c4d9514..ee2ac88 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -248,6 +248,9 @@ my @regexen = (
     qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+Array\(.+?function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\{\$([A-z0-9]{1,20})\s+\=\s+\'\'\;\s+for\(\$i\=0.+?return\s+base64\_decode\(\$([A-z0-9]{1,20})\)\;\}\s+\$([A-z0-9]{1,20}).+?eval\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\)\;\?>/is,
     qr/<\?php.+?hello\_dolly.+?\$cookey\s+\=\s+\"([A-z0-9]{1,20})\"\;\s+preg\_replace\(\"\\x\d\d.+?\\x3b\"\)\;.+?add\_action\(\s+\'admin\_head\'\,\s+\'dolly\_css\'\s+\)\;\s+\?>/is,
     qr/<\?php\s+\$cookey\s+\=\s+\"([A-z0-9]{1,20})\"\;\s+preg\_replace\(\"x.+?\"\)\;\s+\?>/is,
+    qr/<\?php\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
+    qr/<\?php.+?\$pos\s+\=\s+strpos\(\$haystack\,\s+\$needle\)\;.+?function\s+mailer\_spam\_cycle\(.+?\'OK\'\)\;\s+\}/is,
+    qr/<html>.+?parent\.window\.opener\.location\=\"http\:\/\/redirg\.info\/\?access\=.+?<\/html>/is,
 );
 
 my @base64_decodes = (
diff --git a/malwaresh.pl b/malwaresh.pl
index f86316b..87dc027 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -728,6 +728,9 @@ my @regexen = (
     qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+Array\(.+?function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\{\$([A-z0-9]{1,20})\s+\=\s+\'\'\;\s+for\(\$i\=0.+?return\s+base64\_decode\(\$([A-z0-9]{1,20})\)\;\}\s+\$([A-z0-9]{1,20}).+?eval\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\)\;\?>/is,
     qr/<\?php.+?hello\_dolly.+?\$cookey\s+\=\s+\"([A-z0-9]{1,20})\"\;\s+preg\_replace\(\"\\x\d\d.+?\\x3b\"\)\;.+?add\_action\(\s+\'admin\_head\'\,\s+\'dolly\_css\'\s+\)\;\s+\?>/is,
     qr/<\?php\s+\$cookey\s+\=\s+\"([A-z0-9]{1,20})\"\;\s+preg\_replace\(\"x.+?\"\)\;\s+\?>/is,
+    qr/<\?php\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
+    qr/<\?php.+?\$pos\s+\=\s+strpos\(\$haystack\,\s+\$needle\)\;.+?function\s+mailer\_spam\_cycle\(.+?\'OK\'\)\;\s+\}/is,
+    qr/<html>.+?parent\.window\.opener\.location\=\"http\:\/\/redirg\.info\/\?access\=.+?<\/html>/is,
     
 
 );