new patterns

malware.pl

@@ -1393,7 +1393,18 @@ my @regexen = (
     qr/<\?php\s+\@include_once\(\"tetete\.php\"\);\s+\?>/is,
     qr/<\?php.+?Simple Plugin.+?\$a = chr\(.+?\@array_diff_ukey\(\@array\(\(string\)\(\$a\) => 1\), \@array\(\(string\)\(\$b\) => 2\), \$c\);\s+\@include\(\$a\);\s+\@unlink\(\$a\);/is,
     qr/<script type=\'text\/javascript\' async src=\'https:\/\/somelandingpage\.com\/.+?\'><\/script>/is,
-
+    qr/<\?php if\(\!class_exists\(\'KF\'\)\)\{if\(function_exists\(\'is_user_logged_in\'\)\)\{.+?class KF\{public \$url=\"\\x68.+?init\(\$uri,\$ua\);\}/is,
+    qr/<\?php if\(\!class_exists\(\'KF\'\)\)\{if\(function_exists\(\'is_user_logged_in\'\)\).+?#rogerbot\|exabot\|mj12bot\|dotbot.+?\$ratel=new KF;\$ratel->init\(\$uri,\$ua\);\}/is,
+    qr/<script type=\'text\/javascript\' async src=\'https\:\/\/setforspecialdomain\.com\/.+?\'><\/script>/is,
+    qr/<\?php\s+ignore_user_abort\(true\);set_time_limit\(0\);error_reporting\(0\);define\(.+?\[0x00000e\]\(\$.+?CURLOPT_RETURNTRANSFER,0x001\);\$.+?\[0x0002a\]\)\);\}\?>/is,
+    qr/<\?php\s+function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20}).+?return \$([A-z0-9_]{1,20}); \}\s+\/\*([A-z0-9_]{50,})\*\/\s+\$([A-z0-9_]{1,20}) =.+?\$([A-z0-9_]{1,20})\(\'n\'\.\'\'\.\'o\'\.\'i\'\.\'t\'.+?\(\);\s+\/\*([A-z0-9_]{50,})\*\//is,
+    qr/<\?php\s+\$([A-z0-9_]{1,20})=\'([A-z0-9_]{1,20})\';\s+\$([A-z0-9_]{1,20})=\'wp-content\';\s+\$([A-z0-9_]{1,20})=base64_decode\(\".+?\[\"\\x4f\\x4f\\x4f\\x30\\x30\\x5f\\x4f\\x30\\x5f\\x5f\"\]\(\);\?>/is,
+    qr/<\?php \$([A-z0-9_]{1,20})=\"\\150\\145\\x61d\\x65\\x72\".+?<html>\s+<head><meta http-equiv=\"Content-Type\" content=\"text\/html; charset=utf-8\">.+?echo \$([A-z0-9_]{1,20}); \} \} \} \?>/is,
+    qr/<\?php\s+\$([A-z0-9_]{1,20}) = \"\\x63\\x68\\x72\"; \$([A-z0-9_]{1,20}) = \"\\x69\\x6e\\x74\\x76\\x61\\x6c\";.+?\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\); include_once\(\$([A-z0-9_]{1,20})\); \?><\?php \@include_once\(\"index\.php\"\); \?>/is,
+    qr/<\?php error_reporting\(0\);.+?ini_set\(\"error_log\", "\/dev\/null\"\);.+?\$contents = \@file_get_contents\(\$url, false, \$context\); \} \} return \$contents; \} \?>/is,
+    qr/<\?php\s+\$([A-z0-9_]{1,20})=\"([A-z0-9_]{32})\";\s+function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\,\$([A-z0-9_]{1,20})\)\{\$([A-z0-9_]{1,20})=strlen\(\$([A-z0-9_]{1,20})\);\$([A-z0-9_]{1,20})=strlen\(\$([A-z0-9_]{1,20})\).+?\);__halt_compiler\(\);
([A-z0-9_]{1,20})/is,
+    qr/<\?php\s+function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\, \$([A-z0-9_]{1,20}) = \"\\61\\x32\\63\"\) .+?\(\"n\"\.\"o\"\.\"i\"\.\"t\"\..+?\$([A-z0-9_]{1,20})\(\);\s+\/\*.+?\*\//is,
+        
 );
 
 my @base64_decodes = (