From 20b21ff795d1d4c90aa95d770ac146a421673aba Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Mon, 3 Dec 2018 10:32:30 +0100
Subject: [PATCH] new patterns
---
 malware6.pl | 3 ++-
 malwaresh.pl | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/malware6.pl b/malware6.pl
index 08d40a1..2ac9ce0 100644
--- a/malware6.pl
+++ b/malware6.pl
@@ -376,7 +376,8 @@ my @regexen = (
 qr/<\?php\s+if\(isset\(\$_POST\[\'.+?\$b=base64_decode\(\$html\);\s+\}\s+if\(strlen\(\$b\)<300\)\{echo \'indexcode not ok\';exit;\};\s+if\(file_exists\(\$index\)\)\{\@chmod\(\$index,0755\);\@unlink\(\$index\);\}\@file_put_contents\(\$index,\$b\);echo \'ok\';\s+\}\s+\?>/is,
 qr/<\?php\s+\@session_start\(\);.+?\$default_use_ajax = true;\s+\$_F=__FILE__;\$_X=.+?eval\(base64_decode\(.+?\)\);\?>/is,
 qr/<\?php eval\(gzinflate\(gzinflate\(base64_decode\(\".+?\"\)\)\)\); \?>/is,
-
+ qr/<\?php\s+error_reporting\(E_ERROR\);set_time_limit\(0\);\s+if\(isset\(\$_POST\[\'.+?\'\]\)\)\{\s+\$tofile=\'40\d\.php\';\s+\$a =base64_decode\(strtr\(\$_POST\[\'.+?\'\], \'-_,\', \'+\/=\'\)\);\s+\$a=\'<\?php \'\.\$a\.\'\?>\';\s+\@file_put_contents\(\$tofile,\$a\);\s+require_once\(\'40\d\.php\'\);\s+\@unlink\(\$tofile\);\s+exit;\s+\}\s+\?>/is,
+
 );
diff --git a/malwaresh.pl b/malwaresh.pl
index cd99d01..e111c57 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -1363,7 +1363,8 @@ my @regexen = (
 qr/<\?php\s+if\(isset\(\$_POST\[\'.+?\$b=base64_decode\(\$html\);\s+\}\s+if\(strlen\(\$b\)<300\)\{echo \'indexcode not ok\';exit;\};\s+if\(file_exists\(\$index\)\)\{\@chmod\(\$index,0755\);\@unlink\(\$index\);\}\@file_put_contents\(\$index,\$b\);echo \'ok\';\s+\}\s+\?>/is,
 qr/<\?php\s+\@session_start\(\);.+?\$default_use_ajax = true;\s+\$_F=__FILE__;\$_X=.+?eval\(base64_decode\(.+?\)\);\?>/is,
 qr/<\?php eval\(gzinflate\(gzinflate\(base64_decode\(\".+?\"\)\)\)\); \?>/is,
-
+ qr/<\?php\s+error_reporting\(E_ERROR\);set_time_limit\(0\);\s+if\(isset\(\$_POST\[\'.+?\'\]\)\)\{\s+\$tofile=\'40\d\.php\';\s+\$a =base64_decode\(strtr\(\$_POST\[\'.+?\'\], \'-_,\', \'+\/=\'\)\);\s+\$a=\'<\?php \'\.\$a\.\'\?>\';\s+\@file_put_contents\(\$tofile,\$a\);\s+require_once\(\'40\d\.php\'\);\s+\@unlink\(\$tofile\);\s+exit;\s+\}\s+\?>/is,
+
 );
 my @base64_decodes = (
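Review bot: The `+` in `\'+\/=\'` on the added `qr/…/is` line is unescaped, so it quantifies the preceding `\'` and the pattern requires `'/='` rather than the literal `'+/='` third argument of the strtr() call it is meant to recognise. As written, the new signature would not match a file containing that exact stub, so the detection is silently lost; escape it as `\'\+\/=\'`. The identical line is added to malware6.pl in the first hunk and needs the same fix. The `@regexen` list begins outside both hunks, so how the patterns are applied is not visible here, but running each new pattern against a defanged fixture of the sample it was written from would catch this class of miss.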