From 243c0e60f5a8321d3179c53b437721aa44f7005d Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Thu, 24 May 2018 20:58:02 +0200
Subject: [PATCH] new patterns
---
 cms-vss.php | 1 +
 malware6.pl | 5 ++++-
 malwaresh.pl | 3 +++
 3 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/cms-vss.php b/cms-vss.php
index 4371f1f..2523c23 100644
--- a/cms-vss.php
+++ b/cms-vss.php
@@ -178,6 +178,7 @@
 array("Invision Power Board", "/admin.php", "| Invision Power Board v", "EOL"),
 array("Easy PHP Calendar", "/config.inc.php", "\$epcCheckVersion=", "EOL"),
 array("MediaWiki", "/includes/DefaultSettings.php", "\$wgVersion", "Maintained"),
+ array("YapGB", "/gbconfig.php", "\$cfgYapGBVersion", "EOL"),
 // still need to work on these
diff --git a/malware6.pl b/malware6.pl
index 49bbc68..017d981 100644
--- a/malware6.pl
+++ b/malware6.pl
@@ -75,7 +75,10 @@ my @regexen = (
 qr/<\?.+?preg_replace\(\"\/\.\*\/e\",\"\\x65.+?\\x3b\",\"\.\"\);/is,
 qr/<\?php preg_replace\(\"\/\.\*\/e\",\"eval\(gzinflate\(base64_decode\(.+?\)\)\);\",\"\"\); \?>/is,
 qr/<\?php if \(isset\(\$_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\) eval\(stripslashes\(\$_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\); \?>/is,
-
+ qr/<\?php \$firewall = true; \$stew = error_reporting\(\).+?if \(\$firewall\)\{header\(\"horrible:1\"\);\} echo \"attack_queue\";\} \}/is,
+ qr/<\?php.+?\|\| InboX Mass Mailer \|\|.+?