new patterns & ViArt Shop added

cms-ver.php

@@ -196,6 +196,10 @@
         array("phpGedView", "/config.php", "\$CONFIG_VERSION =", "EOL"),
         array("Dolphin", "/inc/header.inc.php", "\$site['ver']", "Maintained"),
         array("SQLBuddy", "/functions.php", "define(\"VERSION_NUMBER\"", "EOL"),
+        array("Dolibarr", "/filefunc.inc.php", "define('DOL_VERSION',", "EOL"), // needs to be checked
+        array("Mambo", "/version.php", "DEFINE( '_RELEASE',", "EOL"),
+        array("ViArt Shop", "/index.php", "***      ViArt Shop", "EOL"),
+
 
 // still need to work on these
     array("Silverstripe", "/cms/silverstripe_version", "*"), //needs review

cms-vss.php

@@ -210,6 +210,9 @@
         array("phpGedView", "/config.php", "\$CONFIG_VERSION =", "EOL"),
         array("Dolphin", "/inc/header.inc.php", "\$site['ver']", "Maintained"),
         array("SQLBuddy", "/functions.php", "define(\"VERSION_NUMBER\"", "EOL"),
+        array("Dolibarr", "/filefunc.inc.php", "if (! defined('DOL_VERSION')) define('DOL_VERSION',", "EOL"),
+        array("Mambo", "/version.php", "DEFINE( '_RELEASE',", "EOL"),
+        array("ViArt Shop", "/index.php", "***      ViArt Shop", "EOL"),
 
 
 // still need to work on these

malware6.pl

@@ -1377,7 +1377,8 @@ my @regexen = (
     qr/<\?php\s+\$.+?if\(!function_exists\(\'str_ireplace\'\)\)\{function str_ireplace\(\$from,\$to,\$string\)\{return trim\(preg_replace\(\"\/\"\.addcslashes\(\$from,\"\?\:\\\\\/\*\^\$\"\)\.\"\/si\",\$to,\$string\)\);\}\};\$.+?\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}\[\"\\x4f\\x4f\\x4f\\x30\\x4f\\x5f\\x30\\x30\\x5f\\x5f\"\]\(\);\?>/is,
     qr/<\?php.+?\$filter = \'base\'\.\'6\'\.\'4\'\.\'_decode\';.+?\$prepare_func = \'g\'\.\'z\'\.\'inflate\';.+?return \@\$prepare_func\( \$filter \);.+?\}\s+wp_admin_bar_header\(\);/is,
     qr/<\?php if\(isset\(\$_REQUEST\[\"([A-z0-9_]{1,20})\"\]\)\)\{\$myvar = base64_decode\(\$_REQUEST\[\"([A-z0-9_]{1,20})\"\]\); eval\(\$myvar\);\}\?>/is,
-       
+    qr/<\?php\s+if \(isset\(\$_GET\[\'([A-z0-9_]{1,20})\'\]\)\)\{die\(\'OK\'\);\}.+?function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20}), \$([A-z0-9_]{1,20}) = \"\\x.+?\]; \} \} return \$([A-z0-9_]{1,20}); \}\s+\/\*.+?\*\/\s+\$([A-z0-9_]{1,20}) = \".+?\)\)\);\s+\$([A-z0-9_]{1,20})\(\);\s+\/\*.+?\*\//is,
+    qr/<\?php\s+function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20}), \$([A-z0-9_]{1,20}) = \"\\x.+?\*\/\s+\$([A-z0-9_]{1,20}) = \".+?\)\)\);\s+\$([A-z0-9_]{1,20})\(\);\s+\/\*.+?\*\//is,   
     
    
     

malwaresh.pl

@@ -1387,7 +1387,9 @@ my @regexen = (
     qr/<\?php\s+\$.+?if\(!function_exists\(\'str_ireplace\'\)\)\{function str_ireplace\(\$from,\$to,\$string\)\{return trim\(preg_replace\(\"\/\"\.addcslashes\(\$from,\"\?\:\\\\\/\*\^\$\"\)\.\"\/si\",\$to,\$string\)\);\}\};\$.+?\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}\[\"\\x4f\\x4f\\x4f\\x30\\x4f\\x5f\\x30\\x30\\x5f\\x5f\"\]\(\);\?>/is,
     qr/<\?php.+?\$filter = \'base\'\.\'6\'\.\'4\'\.\'_decode\';.+?\$prepare_func = \'g\'\.\'z\'\.\'inflate\';.+?return \@\$prepare_func\( \$filter \);.+?\}\s+wp_admin_bar_header\(\);/is,
     qr/<\?php if\(isset\(\$_REQUEST\[\"([A-z0-9_]{1,20})\"\]\)\)\{\$myvar = base64_decode\(\$_REQUEST\[\"([A-z0-9_]{1,20})\"\]\); eval\(\$myvar\);\}\?>/is,
-    
+    qr/<\?php\s+if \(isset\(\$_GET\[\'([A-z0-9_]{1,20})\'\]\)\)\{die\(\'OK\'\);\}.+?function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20}), \$([A-z0-9_]{1,20}) = \"\\x.+?\]; \} \} return \$([A-z0-9_]{1,20}); \}\s+\/\*.+?\*\/\s+\$([A-z0-9_]{1,20}) = \".+?\)\)\);\s+\$([A-z0-9_]{1,20})\(\);\s+\/\*.+?\*\//is,
+    qr/<\?php\s+function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20}), \$([A-z0-9_]{1,20}) = \"\\x.+?\*\/\s+\$([A-z0-9_]{1,20}) = \".+?\)\)\);\s+\$([A-z0-9_]{1,20})\(\);\s+\/\*.+?\*\//is,   
+    qr/<\?php\s+\$([A-z0-9_]{1,20})=\"\\x61\"\.\"\\x75\"\.chr\(116\)\.\"h\"\.\"\\x5f\"\.\"p\"\.\"a\"\.\"\\x73\"\.\"\\x73\";.+?\)\)\);\s+#############################################################################/is,
 
 );