diff --git a/malware6.pl b/malware6.pl
index 3abcffd..aa021fc 100644
--- a/malware6.pl
+++ b/malware6.pl
@@ -39,6 +39,8 @@ my @regexen = (
 qr/<\?php.+?\$auth_pass.+?FilesMan.+?preg_replace\(\"\/\.\*\/e\",\"\\x65.+?\\x3B\",\"\.\"\);\?>/is,
 qr/<\?php\s+\@preg_replace\(\"\\x.+?\);\?>/is,
 qr/<\?php \$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}).+?\);\$([A-z0-9]{1,20}) = \"([A-z0-9]{20,})\";\$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}).+?\$([A-z0-9]{1,20}) = \"\"; \?>/is,
+ qr/<\?php if \(\$_SERVER\[\'QUERY_STRING\'\] != \"passw0rd\"\) \{.+?\$uploadfile = \$uploaddir \. basename\(\$_FILES\[.+?\$numemails mail\(s\) was sent successfully\'\); <\/script>\";.+?\?>\s+<\/body>\s+<\/html>/is,
+ qr/\@ini_set\(\'display_errors\', \'0\'\);.+?if \(!\$npDcheckClassBgp\) \{.+?str_replace\(\'([A-z0-9_]{1,20})\', \'bas\'.+?str_replace\(\'([A-z0-9]{1,20})\', \'64\'.+?function wp\_cd\(\$fd, \$fa=\"\"\).+?fwrite\(\$hdl, \"<\?php\\n\$mtchs\[1\]\\n\?>\"\);.+?\$npDcheckClassBgp = \'([A-z0-9]{1,20})\';\s+\}/is,
 );
diff --git a/malwaresh.pl b/malwaresh.pl
index 6d0f935..0516346 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -1023,6 +1023,8 @@ my @regexen = (
 qr/<\?php.+?\$auth_pass.+?FilesMan.+?preg_replace\(\"\/\.\*\/e\",\"\\x65.+?\\x3B\",\"\.\"\);\?>/is,
 qr/<\?php\s+\@preg_replace\(\"\\x.+?\);\?>/is,
 qr/<\?php \$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}).+?\);\$([A-z0-9]{1,20}) = \"([A-z0-9]{20,})\";\$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}).+?\$([A-z0-9]{1,20}) = \"\"; \?>/is,
+ qr/<\?php if \(\$_SERVER\[\'QUERY_STRING\'\] != \"passw0rd\"\) \{.+?\$uploadfile = \$uploaddir \. basename\(\$_FILES\[.+?\$numemails mail\(s\) was sent successfully\'\); <\/script>\";.+?\?>\s+<\/body>\s+<\/html>/is,
+ qr/\@ini_set\(\'display_errors\', \'0\'\);.+?if \(!\$npDcheckClassBgp\) \{.+?str_replace\(\'([A-z0-9_]{1,20})\', \'bas\'.+?str_replace\(\'([A-z0-9]{1,20})\', \'64\'.+?function wp\_cd\(\$fd, \$fa=\"\"\).+?fwrite\(\$hdl, \"<\?php\\n\$mtchs\[1\]\\n\?>\"\);.+?\$npDcheckClassBgp = \'([A-z0-9]{1,20})\';\s+\}/is,
 );
 my @base64_decodes = (
diff --git a/scan.py b/scan.py
index cc10271..5bcbd78 100644
--- a/scan.py
+++ b/scan.py
@@ -440,7 +440,8 @@ def is_hacked(filename):
 or (line_num < 4 and "passthru($_POST[" in l) \
 or (line_num == 1 and '$stg="ba"."se"."64_d"."ecode";eval($stg(' in l) \
 or '(edoced_46esab(etalfnizg(lave' in l \
- or "file_put_contents('1.txt', print_r" in l:
+ or "file_put_contents('1.txt', print_r" in l \
+ or 'function wp_cd(' in l:
 score.append(('PHP_SHELL', ''))
 if 'move_uploaded_file(' in l:
@@ -547,7 +548,8 @@ def is_hacked(filename):
 or 'Wells Fargo Home Page' in l \
 or 'Chase Online - Logon' in l:
 score.append(('PHISHING', ''))
- if re.compile('User-Agent.*cpuminer').match(l):
+ if re.compile('User-Agent.*cpuminer').match(l) \
+ or 'stratum+tcp' in l:
 score.append(('CRYPTO', ''))
 previous_line = l
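Review bot: The `([A-z0-9]{1,20})` classes in both added signatures use the range `A-z`, which in ASCII also covers `[`, `\`, `]`, `^`, `_` and the backtick, so the groups accept characters the author very likely did not intend (the explicit `_` in `[A-z0-9_]` suggests `[A-Za-z0-9_]` was meant); the same two lines are appended unchanged to malwaresh.pl in the next hunk, so the fix applies there too. `[A-Za-z0-9]{1,20}` is the intended class, and unless the captures are consumed somewhere not shown, `(?:...)` groups avoid the capture bookkeeping. Both new patterns also chain several `.+?` under `/s` between literals that sit at opposite ends of a file (`<\?php if` … `<\/html>`), so on large non-matching inputs each scan can backtrack heavily; a cheap literal pre-check such as `index($content, 'npDcheckClassBgp') >= 0` before the `qr` keeps the cost bounded. Maintaining one signature list shared by malware6.pl and malwaresh.pl instead of two hand-synchronised copies would remove the risk of the lists drifting apart on the next addition.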
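Review bot: `'function wp_cd(' in l` extends a backslash-continued `or` chain that already mixes positional rules (`line_num < 4`, `line_num == 1`) with plain substring tests, and the `if` that opens the chain starts above the hunk, so the first condition is not visible from here. A module-level tuple of literal markers checked with `any(marker in l for marker in PHP_SHELL_MARKERS)` would keep the positional rules readable and make the next indicator a one-line data change rather than another continuation line. Whether `wp_cd` can appear in legitimate plugins is not visible from this diff; if it can, pairing the check with one of the other indicators the Perl signature uses (`npDcheckClassBgp`, the `str_replace` fragments) would reduce false positives.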
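Review bot: `re.compile('User-Agent.*cpuminer')` is rebuilt on every line of every scanned file; hoist it to a module-level constant, `CPUMINER_RE = re.compile(r'User-Agent.*cpuminer')`, and call `CPUMINER_RE.match(l)` here. `.match` only succeeds when `User-Agent` begins `l`, so a header indented inside a string or array literal is missed; if that is not intended, `.search` is the one-word fix (whether `l` is stripped earlier in `is_hacked` is not visible here). The added `'stratum+tcp' in l` covers the plain scheme only; the `stratum+ssl` form would be missed, and `'stratum+' in l` covers both at little extra false-positive cost. `is_hacked` begins above these hunks.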