From 0cb3ce552ff6ee1595a60e808350d55bd49b5482 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Wed, 27 Dec 2017 13:36:41 +0100
Subject: [PATCH] new patterns
---
 malware4.pl | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/malware4.pl b/malware4.pl
index c94125f..a796936 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -215,6 +215,8 @@ my @regexen = (
 qr/<\?php\s+error\_reporting\(E\_ALL\s+\&\s+\~E\_NOTICE\)\;\s+\$m\s+\=\s+get\_magic\_quotes\_gpc\(\)\;\s+\$uploadfloder.+?\}\s+else\s+\{\s+echo\s+\"ok\"\;\s+\}\s+\?>/is,
 qr/<\?php\s+error\_reporting\(0\)\;\s+\$domain\s+\=\s+\'n\.liveupdates\.host\'\;.+?\$s\s+\=\s+dns\_get\_record\(\$domain\,\s+DNS\_TXT\)\;.+?header\(\'Location\:\s+\'\.\$location\.\'\&\'\.\$m\,\s+TRUE\,\s+302\)\;\s+\}/is,
 qr/<\?php\s+function\s+result\(\$data\).+?srand\(seed\(\)\)\;.+?echo\(result\(array\(.+?\?>/is,
+ qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'xftest\'\]\)\)die\(pi\(\)\*.+?\]\)\;\}exit\(\)\;\}/is,
+ qr/<\?php\s+\/\/header\(\'Content\-Type\:text\/html\;\s+charset\=utf\-8\'\)\;\s+\$O\_OO\_\_000O\=\'1044\'\;\s+\$O0O00OO\_\_\_\=urldecode\(.+?\]\(\)\;\?>/is,
 );
 my @base64_decodes = (
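Review bot: The second added pattern hard-codes the obfuscator-style identifiers `$O_OO__000O` and `$O0O00OO___` and the literal `'1044'`, which look specific to one sample, so a re-obfuscated copy of the same file would probably not match. If those tokens do vary between samples, match their shape instead, e.g. `\$[O0_]+\=\'\d+\'\;\s+\$[O0_]+\=urldecode\(`. Neither new entry says what it targets; a short comment above each, such as `# probe keyed on $_REQUEST['xftest']`, would let a later reader retire or tune the signature. The `@regexen` list starts and is consumed outside this hunk, so whether a match is only reported or also stripped from the file cannot be seen here; if it is stripped, the unbounded `.+?` under `/s` in both entries deserves a length cap.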