From 1d19a347be81a8b1d04792806bce23add1f35178 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Mon, 25 Jun 2018 12:08:47 +0200
Subject: [PATCH] new patterns
---
malware6.pl | 5 ++++-
malwaresh.pl | 3 +++
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/malware6.pl b/malware6.pl
index 02dd1da..eb0134e 100644
--- a/malware6.pl
+++ b/malware6.pl
@@ -242,7 +242,10 @@ my @regexen = (
 qr/<\?php \$([A-z0-9_]{1,20}) = \"a\" \. \"\\x73\" \. \"\" \. \"\\x73\" \. \"E\" \. \"\\x72\" \. \"t\";\@\$.+?\"\\x29\" \. \"\\x29\" \. \"\" \. \"\\x29\" \. \"\\x3b\"\);exit;/is,
 qr/<\?php if\(isset\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\(\$([A-z0-9_]{1,20})= \$_POST\[\'([A-z0-9_]{1,20})\'\]\) && \@preg_replace\(\'\/ad\/e\',\'\@\'\.str_rot13\(\'riny\'\)\.\'\(\@eval\(base64_decode\(\$_POST\[([A-z0-9_]{1,20})\]\)\);\)\', \'add\'\);\}/is,
 qr/<\?php class Bx\{static private \$_alpha=\".+?break;\}return implode\(\"\",\$x\);\}\}\$Bx=new Bx\(\);\@eVaL\(\$Bx->d\(\'.+?\'\)\);/is,
-
+ qr/Vuln!! patch it Now!<\/title>\s+<\?php\s+echo \'<form action=\"\".+?Shell Uploaded ! :\)<b><br><br>\'; \}\s+else \{ echo \'<b>Not uploaded ! <\/b><br><br>\'; \}\s+\}\s+\?>/is,
+ qr/<\? eval\(gzinflate\(strrev\(unserialize\(str_rot13\(base64_decode\(.+?\)\)\)\)\)\); \?>/is,
+ qr/<\?php \$ip = getenv\(\"REMOTE_ADDR\"\);.+?Link Mailer.+?mail\(\$bilsnd,\$bilsub,\$bilsmg,\$bilhead,\$message\); \?>/is,
+
diff --git a/malwaresh.pl b/malwaresh.pl
index 7dce14e..aa328fd 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
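Review bot: The second and third signatures added to malware6.pl (and repeated in the malwaresh.pl hunk) pin exact single spaces and the short tag `<\? `, so a copy of the same payload that differs only in whitespace or opens with `<?php` will not match; only the first new pattern tolerates layout through `\s+`. Relaxing the fixed spaces keeps the signature useful, for example `qr/<\?(?:php)?\s*eval\(gzinflate\(strrev\(unserialize\(str_rot13\(base64_decode\(.+?\)\)\)\)\)\);\s*\?>/is`. The third pattern chains two unbounded `.+?` under `/s`, so it can stretch across any amount of unrelated code between the `getenv` line and the `mail(...)` call. A bounded gap such as `.{1,4096}?` (limit chosen for illustration) would cap both false positives and backtracking on large files, which matters more if the script removes what it matches (not visible here). The `@regexen` list starts and ends outside the hunk.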
@@ -1230,6 +1230,9 @@ my @regexen = (
 qr/<\?php \$([A-z0-9_]{1,20}) = \"a\" \. \"\\x73\" \. \"\" \. \"\\x73\" \. \"E\" \. \"\\x72\" \. \"t\";\@\$.+?\"\\x29\" \. \"\\x29\" \. \"\" \. \"\\x29\" \. \"\\x3b\"\);exit;/is,
 qr/<\?php if\(isset\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\(\$([A-z0-9_]{1,20})= \$_POST\[\'([A-z0-9_]{1,20})\'\]\) && \@preg_replace\(\'\/ad\/e\',\'\@\'\.str_rot13\(\'riny\'\)\.\'\(\@eval\(base64_decode\(\$_POST\[([A-z0-9_]{1,20})\]\)\);\)\', \'add\'\);\}/is,
 qr/<\?php class Bx\{static private \$_alpha=\".+?break;\}return implode\(\"\",\$x\);\}\}\$Bx=new Bx\(\);\@eVaL\(\$Bx->d\(\'.+?\'\)\);/is,
+ qr/<title>Vuln!! patch it Now!<\/title>\s+<\?php\s+echo \'<form action=\"\".+?Shell Uploaded ! :\)<b><br><br>\'; \}\s+else \{ echo \'<b>Not uploaded ! <\/b><br><br>\'; \}\s+\}\s+\?>/is,
+ qr/<\? eval\(gzinflate\(strrev\(unserialize\(str_rot13\(base64_decode\(.+?\)\)\)\)\)\); \?>/is,
+ qr/<\?php \$ip = getenv\(\"REMOTE_ADDR\"\);.+?Link Mailer.+?mail\(\$bilsnd,\$bilsub,\$bilsmg,\$bilhead,\$message\); \?>/is,
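Review bot: The first signature in this malwaresh.pl hunk begins at `<title>Vuln!!`, while the copy added to malware6.pl in the same commit is shown starting at `Vuln!! patch it Now!<\/title>` without the opening tag. Unless that is a rendering loss on this page, the two lists have already diverged. If these scripts strip what they match, the malware6.pl form would leave a dangling `<title>` behind, so the two entries should be made identical. Keeping the signatures in one file that both scripts load would prevent this drift, and a short comment above each new entry naming what it targets, e.g. `# uploader page titled "Vuln!! patch it Now!"`, would help later triage of hits. The `@regexen` list starts and ends outside the hunk.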