diff --git a/malware6.pl b/malware6.pl
index 55b5104..e38b983 100644
--- a/malware6.pl
+++ b/malware6.pl
@@ -1371,7 +1371,9 @@ my @regexen = (
 qr/<\?php \$([A-z0-9_]{1,20})=.+?\/index\.help\';\$([A-z0-9_]{1,20})=.+?\$([A-z0-9_]{1,20})=\'\';\@eval\(base64_decode\(.+?\)\);\/\*,\*\/\?>/is,
 qr/<\?php\s+error_reporting\(E_ERROR\).+?\$a =base64_decode\(strtr\(\$_POST\[.+?\@eval\(base64_decode\(strtr\(\$_POST\[.+?\@unlink\(\$tofile\);\s+exit;\s+\}\s+\?>/is,
 qr/<\?php\s+if\(isset\(\$_POST\[.+?\$index=\$_SERVER\[\'DOCUMENT_ROOT\'\]\.base64_decode\(strtr\(\$_POST\[\'filename\'\].+?\@touch\(\$index,strtotime\(\"-400 days\"\)\);echo \'ok\';\s+\}\s+\?>/is,
-
+ qr/<\?php if \(isset\(\$_COOKIE\[\"([A-z0-9_]{1,10})\"\]\) and md5\(\$_COOKIE\[\"([A-z0-9_]{1,10})\"\]\) ==\"([A-z0-9_]{1,32})\"\) \{unlink\(__FILE__\); die\(md5\(([A-z0-9_]{1,10})\)\);\}/is,
+ qr/<\?php\s+\$md5 = \"([A-z0-9_]{1,32})\";\s+\$([A-z0-9_]{1,5}) = array\(.+?4.+?6.+?\);\s+\$([A-z0-9_]{1,32}) = create_function\(.+?\'\);\s+\?>/is,
+
diff --git a/malwaresh.pl b/malwaresh.pl
index a7d0220..2b62e4e 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
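Review bot: The hash group in both added patterns, `([A-z0-9_]{1,32})`, is far wider than an MD5 literal: the range `A-z` also takes in the punctuation that sits between `Z` and `a` in ASCII, and `{1,32}` accepts any length from one character up. If the observed samples always carry a full digest, `==\"([0-9a-f]{32})\"` in the cookie pattern and `\$md5 = \"([0-9a-f]{32})\";` in the second one (the `/i` flag still covers upper case) would make a match on unrelated cookie-checking code less likely. The older entries visible as context use the same `A-z` class, so this is a habit of the list rather than something new here, and the identical hunk in malwaresh.pl adds the same two lines. `@regexen` opens before this hunk, so how a match is consumed, and whether the capture groups are read, cannot be confirmed from here.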
@@ -1381,7 +1381,9 @@ my @regexen = (
 qr/<\?php \$([A-z0-9_]{1,20})=.+?\/index\.help\';\$([A-z0-9_]{1,20})=.+?\$([A-z0-9_]{1,20})=\'\';\@eval\(base64_decode\(.+?\)\);\/\*,\*\/\?>/is,
 qr/<\?php\s+error_reporting\(E_ERROR\).+?\$a =base64_decode\(strtr\(\$_POST\[.+?\@eval\(base64_decode\(strtr\(\$_POST\[.+?\@unlink\(\$tofile\);\s+exit;\s+\}\s+\?>/is,
 qr/<\?php\s+if\(isset\(\$_POST\[.+?\$index=\$_SERVER\[\'DOCUMENT_ROOT\'\]\.base64_decode\(strtr\(\$_POST\[\'filename\'\].+?\@touch\(\$index,strtotime\(\"-400 days\"\)\);echo \'ok\';\s+\}\s+\?>/is,
-
+ qr/<\?php if \(isset\(\$_COOKIE\[\"([A-z0-9_]{1,10})\"\]\) and md5\(\$_COOKIE\[\"([A-z0-9_]{1,10})\"\]\) ==\"([A-z0-9_]{1,32})\"\) \{unlink\(__FILE__\); die\(md5\(([A-z0-9_]{1,10})\)\);\}/is,
+ qr/<\?php\s+\$md5 = \"([A-z0-9_]{1,32})\";\s+\$([A-z0-9_]{1,5}) = array\(.+?4.+?6.+?\);\s+\$([A-z0-9_]{1,32}) = create_function\(.+?\'\);\s+\?>/is,
+
 );
 my @base64_decodes = (
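Review bot: The second added pattern chains four unbounded lazy runs under `/s` (`array\(.+?4.+?6.+?\);` and `create_function\(.+?\'\);`), so once the `$md5 = "..."` prefix has matched, the engine may carry the match across any amount of unrelated code until it reaches a later `');` followed by `?>`. If matches from `@regexen` are used to cut text out of a scanned file (the consuming code is outside this hunk, so that is an assumption), an over-long match would remove legitimate code together with the injected block. Replacing each `.+?` with a bounded form such as `.{1,512}?`, with the limit taken from the observed samples (512 is a constructed value), caps both the match extent and the backtracking cost on large files. The same line is added by the malware6.pl hunk.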