From 0e176c851afe11fef7444e9ad1ab47a64d71c7e4 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Sat, 26 May 2018 09:45:17 +0200
Subject: [PATCH] new patterns
---
cms-ver.php | 1 +
cms-vss.php | 1 +
malware6.pl | 3 ++-
malwaresh.pl | 1 +
4 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/cms-ver.php b/cms-ver.php
index 1da0764..b91143d 100644
--- a/cms-ver.php
+++ b/cms-ver.php
@@ -173,6 +173,7 @@ array("MediaWiki", "/includes/DefaultSettings.php", "\$wgVersion", "Maintained"), array("YapGB", "/gbconfig.php", "\$cfgYapGBVersion", "EOL"), array("PowerPhlogger", "/main.php", "\$curr_ver", "EOL"),
+ array("Invision Power Board", "/index.php", " * IP.Board v", "EOL"), // still need to work on these array("Silverstripe", "/cms/silverstripe_version", "*"), //needs review
diff --git a/cms-vss.php b/cms-vss.php
index 1e692f3..79cb34c 100644
--- a/cms-vss.php
+++ b/cms-vss.php
@@ -180,6 +180,7 @@ array("MediaWiki", "/includes/DefaultSettings.php", "\$wgVersion", "Maintained"), array("YapGB", "/gbconfig.php", "\$cfgYapGBVersion", "EOL"), array("PowerPhlogger", "/main.php", "\$curr_ver", "EOL"),
+ array("Invision Power Board", "/index.php", " * IP.Board v", "EOL"), // still need to work on these
diff --git a/malware6.pl b/malware6.pl
index 034632d..097f855 100644
--- a/malware6.pl
+++ b/malware6.pl
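Review bot: The Invision Power Board row is added by hand to cms-ver.php here and again to cms-vss.php in the next hunk, and the same duplication repeats for the regex lists in malware6.pl and malwaresh.pl; the two PHP tables already sit at different offsets (line 173 versus 180), which suggests they have drifted and will keep drifting with every new signature. A single shared file holding the `array(...)` table that both scripts `require` would turn each new pattern into a one-line change. The marker string ` * IP.Board v` carries a leading space and asterisk and looks like a fragment of a file-header comment; a short note on the row saying where in /index.php that text is expected to appear would help the next maintainer, since the matching code is not in this hunk. The enclosing array literal starts and ends outside this hunk.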
@@ -89,7 +89,8 @@ my @regexen = ( qr/<\?.+?Mass Mailer.+?by KoOl.+?\?>\s+<\/span>\s+<\/body>\s+<\/html>/is, qr/<\?php\s+\/\/\$usuario=\'\';\s+\/\/\$contraseсa=\'\';\s+eval\(gzinflate\(base64_decode\(.+?\)\)\);\?>/is, qr/<\?php.+?\$ea = \'_shaesx_\'; \$ay = \'get_data_ya\'; \$ae = \'decode\'; \$ea = str_replace\(\'_sha\', \'bas\', \$ea\); \$ao = \'wp_cd\'; \$ee = \$ea\.\$ae; \$oa = str_replace\(\'sx\', \'64\', \$ee\); \$algo = \'md5\';.+?function wp_cd\(\$fd, \$fa=\"\"\).+?\)\)\&\& \$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\d\]\(\$([A-z0-9_]{1,20})\)\)\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\d\]\(\$([A-z0-9_]{1,20})\);\}/is,
-
+ qr/<\?php \$([A-z0-9_]{1,20})=\"\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65\";\$([A-z0-9_]{1,20})\(\"\\x7c\\x2e\\x7c\\x65\",\"\\x65\\x76\\x61\\x6c\\x28\\x27\\x65\\x76\\x61\\x6c\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x22.+?\\x22\\x29\\x29\\x3b\\x27\\x29\",\'\.\'\);\?>/is,
+
diff --git a/malwaresh.pl b/malwaresh.pl
index e3b6f04..71132db 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
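Review bot: The new qr// line uses `[A-z0-9_]` for its two variable-name captures, mirroring the older patterns in the list, but `A-z` is the ASCII range 0x41–0x7A and so also admits `[`, `\`, `]`, `^` and the backtick, none of which can occur in a PHP variable name; `[A-Za-z0-9_]` (or `\w`, given the list is already under `/i`) states what is meant. This is also the only entry whose payload is entirely hex-escaped, so a reader cannot tell what it detects without decoding it by hand; a comment above it such as `# hex-escaped preg_replace("|.|e", "eval('eval(base64_decode(\"...\"));')", '.') -- /e-modifier eval stager` would let the next maintainer verify the bytes. If nothing downstream reads the capture groups, `(?:...)` avoids two captures per match; I cannot see the consumer of @regexen from this hunk. The identical line is added to malwaresh.pl in the next hunk and the same remarks apply there; the `-`/`+` blank-line pair around it is whitespace noise, and @regexen's closing paren lies outside this hunk.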
@@ -1074,6 +1074,7 @@ my @regexen = ( qr/<\?.+?Mass Mailer.+?by KoOl.+?\?>\s+<\/span>\s+<\/body>\s+<\/html>/is, qr/<\?php\s+\/\/\$usuario=\'\';\s+\/\/\$contraseсa=\'\';\s+eval\(gzinflate\(base64_decode\(.+?\)\)\);\?>/is, qr/<\?php.+?\$ea = \'_shaesx_\'; \$ay = \'get_data_ya\'; \$ae = \'decode\'; \$ea = str_replace\(\'_sha\', \'bas\', \$ea\); \$ao = \'wp_cd\'; \$ee = \$ea\.\$ae; \$oa = str_replace\(\'sx\', \'64\', \$ee\); \$algo = \'md5\';.+?function wp_cd\(\$fd, \$fa=\"\"\).+?\)\)\&\& \$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\d\]\(\$([A-z0-9_]{1,20})\)\)\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\d\]\(\$([A-z0-9_]{1,20})\);\}/is,
+ qr/<\?php \$([A-z0-9_]{1,20})=\"\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65\";\$([A-z0-9_]{1,20})\(\"\\x7c\\x2e\\x7c\\x65\",\"\\x65\\x76\\x61\\x6c\\x28\\x27\\x65\\x76\\x61\\x6c\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x22.+?\\x22\\x29\\x29\\x3b\\x27\\x29\",\'\.\'\);\?>/is, );