From 217cbd931c62fb1560a4180f21f72c09398a4785 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Fri, 27 Apr 2018 19:19:36 +0200
Subject: [PATCH] new patterns
---
 malware5.pl | 5 +++++
 malwaresh.pl | 5 +++++
 2 files changed, 10 insertions(+)
diff --git a/malware5.pl b/malware5.pl
index 54ab6d9..cdff53c 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -304,6 +304,11 @@ my @regexen = (
 qr/<\?php\s+Error\_Reporting\(0\)\;\s+\$s\_pass\s+\=.+?b374k.+?\,\$s\_pass\)\;\?>/is,
 qr/<\?php\s+Error\_Reporting\(0\)\;\s+\$([A-z0-9]{1,20})\=.+?\\x3B\"\,\"\.\"\)\;return\;\s+\?>/is,
 qr/<\?php\s+echo\s+\".+?echo\s+\"<\!\-\-\s+g\(\'FilesMan\'\,\'c\:\/\'\)\s+\-\-\!>\"\;.+?function\s+wscandir\(\$cwdir\)\s+\{.+?echo\s+\"<\/body><\/html>\"\;/is,
+ qr/\/\/eAccelerate\s+Caching\s+System.+?\!preg\_match\(\"\/\(googlebot\|msnbot\|yahoo\|search\|bing\|ask\|indexer\)\/i\".+?base64\_decode\(.+?\)\:\(\'\'\)\)\.\$output\;\}/is,
+ qr/<\?php\s+function\s+html\(\$data\)\s+\{\s+\$html\=implode\(.+?array\_unshift\(\$data.+?\$words\_idx\=array\_rand\(\$words\,rand\(\$min\,\$max\)\)\;.+?\"h\"\.\"tac\"\.\"c\"\.\"es\"\.\"s\"\;\$.+?header\(\"HTTP\/1\.1\s+404\s+Not\s+Found\"\)\;echo\(html\(array\(.+?\)\)\)\;\s+\?>/is,
+ qr/<\?php\s+for\(\$o\=0\,\$e\=\'.+?\'\,\$d\=\'\'\;\@ord\(\$e\[\$o\]\)\;\$o\+\+\)\{if\(\$o<16\)\{\$h\[\$e\[\$o\]\]\=\$o\;\}else\{\$d\.\=\@chr\(\(\$h\[\$e\[\$o\]\]<<4\)\+\(\$h\[\$e\[\+\+\$o\]\]\)\)\;\}\}eval\(\$d\)\;\s+\?>/is,
+ qr/<\?php\s+\$([A-z0-9]{1,20})\=\"PCT4BA6ODSE\_\"\;\$([A-z0-9]{1,20})\=strtolower\(\$([A-z0-9]{1,20})\[.+?\]\;if\(isset\(\$([A-z0-9]{1,20})\)\)\{eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;\}\?>/is,
+ qr/<\?\s+\$auth\_pass\s+\=.+?FilesMan.+?eval\(base64\_decode\(.+?return\;\s+\?>/is,
 );
diff --git a/malwaresh.pl b/malwaresh.pl
index f8bef80..0961f91 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl 
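Review bot: The `[A-z0-9]{1,20}` class in the added PCT4BA6ODSE pattern is a character-range slip: `A-z` spans 0x41–0x7A and therefore also admits `[`, `\`, `]`, `^` and `` ` ``, none of which can occur in a PHP variable name, so each of the six captures should read `\$([A-Za-z0-9_]{1,20})` (the context line above inherits the same slip, but the new line is the one under review); the identical five lines are added to malwaresh.pl in the second hunk and the same fix applies there. The five patterns are duplicated verbatim between malware5.pl and malwaresh.pl while the lists visibly differ elsewhere (the first context line of each hunk is a different signature), so the two copies will presumably keep drifting; a shared module exporting `@regexen` would let both scanners pick up new signatures from one place. The chained `.+?` segments under `/s` mean a file that merely contains a leading literal such as `//eAccelerate Caching System` is scanned to its end before the pattern fails, which is probably acceptable for a file scanner but deserves a comment next to the list, e.g. `# Lazy .+? under /s: each segment may scan to EOF on near-miss input; keep the leading literal specific.` The escaping of non-metacharacters (`\_`, `\=`, `\;`, `\,`, `\'`) and the long `\/` runs suggest the signatures were machine-quoted; writing them with `m{...}s` delimiters and `\Q...\E` around the literal fragments would make them reviewable by eye. The enclosing `@regexen` list starts before the hunk.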
@@ -785,6 +785,11 @@ my @regexen = (
 qr/<\?php\s+error\_reporting\(0\)\;\s+\$ver\s+\=\s+\'6\.6\.6\'\;.+?exit\(\'Access\s+Denied\'\)\;.+?if\s+\(\$cracktrack\s+\!\=\s+\$checkworm\)\s+die\(\"\"\)\;\s+\}\s+\?>/is,
 qr/<\?php\s+Error\_Reporting\(0\)\;\s+\$([A-z0-9]{1,20})\=.+?\\x3B\"\,\"\.\"\)\;return\;\s+\?>/is,
 qr/<\?php\s+echo\s+\".+?echo\s+\"<\!\-\-\s+g\(\'FilesMan\'\,\'c\:\/\'\)\s+\-\-\!>\"\;.+?function\s+wscandir\(\$cwdir\)\s+\{.+?echo\s+\"<\/body><\/html>\"\;/is,
+ qr/\/\/eAccelerate\s+Caching\s+System.+?\!preg\_match\(\"\/\(googlebot\|msnbot\|yahoo\|search\|bing\|ask\|indexer\)\/i\".+?base64\_decode\(.+?\)\:\(\'\'\)\)\.\$output\;\}/is,
+ qr/<\?php\s+function\s+html\(\$data\)\s+\{\s+\$html\=implode\(.+?array\_unshift\(\$data.+?\$words\_idx\=array\_rand\(\$words\,rand\(\$min\,\$max\)\)\;.+?\"h\"\.\"tac\"\.\"c\"\.\"es\"\.\"s\"\;\$.+?header\(\"HTTP\/1\.1\s+404\s+Not\s+Found\"\)\;echo\(html\(array\(.+?\)\)\)\;\s+\?>/is,
+ qr/<\?php\s+for\(\$o\=0\,\$e\=\'.+?\'\,\$d\=\'\'\;\@ord\(\$e\[\$o\]\)\;\$o\+\+\)\{if\(\$o<16\)\{\$h\[\$e\[\$o\]\]\=\$o\;\}else\{\$d\.\=\@chr\(\(\$h\[\$e\[\$o\]\]<<4\)\+\(\$h\[\$e\[\+\+\$o\]\]\)\)\;\}\}eval\(\$d\)\;\s+\?>/is,
+ qr/<\?php\s+\$([A-z0-9]{1,20})\=\"PCT4BA6ODSE\_\"\;\$([A-z0-9]{1,20})\=strtolower\(\$([A-z0-9]{1,20})\[.+?\]\;if\(isset\(\$([A-z0-9]{1,20})\)\)\{eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;\}\?>/is,
+ qr/<\?\s+\$auth\_pass\s+\=.+?FilesMan.+?eval\(base64\_decode\(.+?return\;\s+\?>/is,
 );