From 0d48bcd60d6a27523986e6f80da02a93c1a80ee3 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Mon, 19 Feb 2018 07:48:34 +0100
Subject: [PATCH] new patterns

---
 malware4.pl | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/malware4.pl b/malware4.pl
index bb8f7fa..ef46d70 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -330,7 +330,9 @@ my @regexen = (
 qr/<\?php\s+extract\(\$\_COOKIE\)\;\@\$F\&\&\(\@\$F\(\$A\,\$B\)\|\|\@\$W\(\$X\(\$Y\,\$Z\)\)\)\;/is,
 qr/<\?php\s+eval\(\"\\n\\\$([A-z0-9]{1,20})\s+\=\s+intval\(\_\_LINE\_\_\)\s+\*\s+337\;\"\)\;\s+\$a\s+\=.+?\$a\s+\=\s+str\_replace\(\$([A-z0-9]{1,20})\,\s+\"E\"\,\s+\$a\)\;\s+eval\s+\(gzinflate\(base64\_decode\(\$a\)\)\)\;/is,
 qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?function\s+([A-z0-9]{1,20})\(\$\w\)\{return\s+chr\(ord\(\$\w\)\-1\)\;\}\s+\@error.+?\$([A-z0-9]{1,20})\s+\=\s+implode\(array\_map.+?\)\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
-
+ qr/<\?php\s+if\(md5\(\$\_COOKIE\[\'\_wp\_debugger\'\]\)\=\=\"([A-z0-9]{32})\"\)\{\s+eval\(base64\_decode\(\$\_POST\[\'file\'\]\)\)\;\s+exit\;\s+\}\s+\?>/is,
+ qr/<\?php\s+if\s+\(isset\(\$\_POST\[\'upload\'\]\)\)\{.+?fwrite\(\$fp\,\s+\$\_POST\[\'uploadfile\'\]\)\;.+?else\s+\{header\(\'Location\:\s+\.\.\/\.\.\/\'\)\;\}\s+\?>/is,
+ qr/<\?php\s+if\s+\(\(isset\(\$\_POST\[\'to\'\]\)\)\s+AND.+?\$\_POST\[\'headers\'\]\)\)\s+\{echo\s+\'ok\'\;\}.+?else\s+\{\s+header\(\'Location\:\s+\/\'\)\;\s+\}\s+\?>/is,
 );
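Review bot: In the first added pattern the digest class `([A-z0-9]{32})` is wider than an MD5 hex string, because the range `A-z` also covers `[`, `\`, `]`, `^`, `_` and the backtick; the pattern already carries `/i`, so `([0-9a-f]{32})` states the intent exactly. All three added patterns require at least one whitespace character at every `\s+` (for example `\{\s+eval` and the trailing `\s+\?>`), which ties each signature to one exact formatting of the sample; `\s*` at the structural joints and an optional closing tag, `(?:\?>)?`, would make them less brittle. The second and third patterns use an unbounded `.+?` under `/s`; how `@regexen` is applied is outside this hunk, but if whole files are matched, a bounded gap (for example `.{1,2000}?`, value constructed) would limit both runtime and matches that span unrelated code. The `@regexen` list begins before the hunk.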