From 24104dccedf07760fccf717819edb20db803c65a Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD <malin@cenusa.me>
Date: Fri, 5 Jan 2018 13:38:46 +0100
Subject: [PATCH] new patterns

---
 malware4.pl |  3 ++-
 sc.php      | 10 ++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/malware4.pl b/malware4.pl
index 88a5b4b..a0662a3 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -246,7 +246,8 @@ my @regexen = (
     qr/<\?php\s+if\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}.+?\$\_([A-z0-9]{1,20})\s+\=\s+create\_function\s+\(\'\$([A-z0-9]{1,20})\'\,\s+([A-z0-9]{1,20})\s+\(base64\_decode\s+\(.+?\)\,\s+\$\_COOKIE\s+\[str\_replace\(\'\.\'\,\s+\'\_\'\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\)\]\)\s+\.\s+\'\;\'\)\;\s+\$\_([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;.+\?>/is,
     qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/\s+\$([A-z0-9]{1,20})\s+\=\s+\'([A-z0-9]{10,})\+([A-z0-9]{20,})\'\..+?\$\_([A-z0-9]{1,20})\s+\=\s+create\_function\s+\(\'\$([A-z0-9]{1,20})\'\,\s+([A-z0-9]{1,20})\s+\(base64\_decode\s+\(.+?\)\,\s+\$\_COOKIE\s+\[str\_replace\(\'\.\'\,\s+\'\_\'\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\)\]\)\s+\.\s+\'\;\'\)\;\s+\$\_([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;.+\?>/is,
     qr/<\?php\s+eval\(gzinflate\(base64\_decode\(\".+?\)\)\)\;\s+eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(.+?\)\)\)\;\Z/is,
-
+    qr/<\?php\s+if\s+\(\!isset\(\$\_SERVER\[\'REQUEST\_URI\'\]\)\s+\|\|\s+ltrim\(\$\_SERVER\[\'REQUEST\_URI\'\]\,\'\/\'\)\s+\=\=\=\s+\'\'\)\s+\{\s+print\s+\'<div\s+class\=\"([A-z0-9]{1,20})\"\s+style\=\"position\:\s+absolute\;\s+left\:\s+\-9999px\;\">\s+\<a\s+href=\"http\:\/\/.+?casino.+?<\/a><\/div>\'\;\s+\}\s+\?>/is,
+    qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'.+?)\;\s+\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\(\"\"\,([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\)\)\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\;\s+\$([A-z0-9]{1,20})\(\"\"\)\;\s+\$([A-z0-9]{1,20})\=\(([0-9]{1,10})\-([0-9]{1,10})\)\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
 
 );
 my @base64_decodes = (
diff --git a/sc.php b/sc.php
index e9b65ed..7c121f8 100644
--- a/sc.php
+++ b/sc.php
@@ -152,6 +152,16 @@ system ("w | grep load");
         system('find '.$GLOBALS["webroot"].' -type f -name "error_log" -print -exec rm -rfv {} \;'); // clear the error logs
         
     }
+
+    function passgen(){
+        $caracteres = '0123456789abcdefghijklmnpqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ$#@!?=%-+*.[]{}_,;:<>|';
+            $caractereslong = strlen($caracteres);
+            $clave = '';
+            for($i = 0; $i < 24; $i++) {
+              $clave .= $caracteres[rand(0, $caractereslong - 1)];
+            }
+            echo $clave;
+    }
     
  /*   function removezero(){
         system("find ./ -type f -empty -print -exec rm -f {} \;");