From 28bdd2d2c8b66c69e0ddb60d694f87fe741916dd Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Sun, 17 Jun 2018 12:53:49 +0200
Subject: [PATCH] new patterns
---
 malware6.pl | 4 ++++
 malwaresh.pl | 17 +++++------------
 2 files changed, 9 insertions(+), 12 deletions(-)
diff --git a/malware6.pl b/malware6.pl
index 740755b..c32fcae 100644
--- a/malware6.pl
+++ b/malware6.pl
@@ -222,6 +222,10 @@ my @regexen = (
 qr/<\?php \/\* WARNING: This file is protected by copyright law\. To reverse engineer or decode this file is strictly prohibited\. \*\/\s+\$\w=\"([A-z0-9]{20,}).+?\";eval\(base64_decode\(\".+?\"\)\);return;\?>/is,
 qr/<\?php error_reporting\(0\);\$\w=\"eval\(base64_decode\(.+?\"\)\); \?>/is,
 qr/<\?php if\(isset\(\$_POST\[([A-z0-9_]{1,20})\]\)\)\{passthru\(\$_POST\[([A-z0-9_]{1,20})\]\); die\(\);\} include\(\"\.\.\/includes\/configure\.php\"\); passthru\(\"mysqldump -u\"\.DB_SERVER_USERNAME\s+\. \" --password=\" \. DB_SERVER_PASSWORD \. \" --all-databases\"\); \?>/is,
+ qr/<\? \/\*\*\/eval\(base64_decode\(\'aWYo.+?\'\)\); \?>/is,
+ qr/<\?php\s+\/\/Starting calls\s+if \(!function_exists\(\"getmicrotime\"\)\).+?<\/body><\/html><\?php chdir\(\$lastdir\); N3tshexit\(\); \?>/is,
+ qr/<\?\s+if\(!empty\(\$_SERVER\[\'HTTP_USER_AGENT\'\]\)\) \{.+?move_uploaded_file\(\$_FILES\[.+?fotTKL\(\$gaza_text,\$gaza_text1,\$dir\);\s+\?>/is,
+ qr/<\?php \$([A-z0-9_]{1,20}) = array\(.+?array\(\'ba\' ,\'se\' ,\'64\' ,\'_d\' ,\'ec\' ,\'od\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gzun\', \'comp\', \'ress\'\) ;\$([A-z0-9_]{1,20}) = .+?eval.+?\) \) \) \) ; \?>/is,
diff --git a/malwaresh.pl b/malwaresh.pl
index 176b624..c01a15d 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
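Review bot: The character class `[A-z0-9_]` used three times in the last added pattern (the `array\(.+?array\(\'ba\' ,\'se\' ...` signature) is wider than it reads: the range `A-z` spans ASCII 0x41–0x7A and so also admits `[`, `\`, `]`, `^` and backtick, which are not PHP identifier characters; the existing `isset\(\$_POST\[` context line carries the same slip, and the same fix applies to the two patterns in the malwaresh.pl hunk that use it. Writing `[A-Za-z0-9_]{1,20}` (or simply `\w{1,20}`) says what is meant without loosening the match. Three of the four new patterns run under `/s` with two or more lazy `.+?` groups between literal anchors; on a large file that does not match, each group is retried from every candidate start, which presumably is acceptable for an offline scanner but deserves a note on the list such as `# lazy .+? groups under /s are retried per start position; keep the literal anchors around them tight`. The `@regexen` list these lines extend opens and closes outside the hunk.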
@@ -1209,10 +1209,11 @@ my @regexen = (
 qr/<\?php \/\* WARNING: This file is protected by copyright law\. To reverse engineer or decode this file is strictly prohibited\. \*\/\s+\$\w=\"([A-z0-9]{20,}).+?\";eval\(base64_decode\(\".+?\"\)\);return;\?>/is,
 qr/<\?php error_reporting\(0\);\$\w=\"eval\(base64_decode\(.+?\"\)\); \?>/is,
 qr/<\?php if\(isset\(\$_POST\[([A-z0-9_]{1,20})\]\)\)\{passthru\(\$_POST\[([A-z0-9_]{1,20})\]\); die\(\);\} include\(\"\.\.\/includes\/configure\.php\"\); passthru\(\"mysqldump -u\"\.DB_SERVER_USERNAME\s+\. \" --password=\" \. DB_SERVER_PASSWORD \. \" --all-databases\"\); \?>/is,
-
-
-
-
+ qr/<\?php \$([A-z0-9_]{1,20})=\"b\"\.\"ase\"\.\"64_de\"\.\"code\";eval\(\$([A-z0-9_]{1,20})\(\".+?\)\);/is,
+ qr/<\? \/\*\*\/eval\(base64_decode\(\'aWYo.+?\'\)\); \?>/is,
+ qr/<\?php\s+\/\/Starting calls\s+if \(!function_exists\(\"getmicrotime\"\)\).+?<\/body><\/html><\?php chdir\(\$lastdir\); N3tshexit\(\); \?>/is,
+ qr/<\?\s+if\(!empty\(\$_SERVER\[\'HTTP_USER_AGENT\'\]\)\) \{.+?move_uploaded_file\(\$_FILES\[.+?fotTKL\(\$gaza_text,\$gaza_text1,\$dir\);\s+\?>/is,
+ qr/<\?php \$([A-z0-9_]{1,20}) = array\(.+?array\(\'ba\' ,\'se\' ,\'64\' ,\'_d\' ,\'ec\' ,\'od\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gzun\', \'comp\', \'ress\'\) ;\$([A-z0-9_]{1,20}) = .+?eval.+?\) \) \) \) ; \?>/is,
 );
 my @base64_decodes = (
@@ -1257,14 +1258,6 @@ sub dir {
 foreach my $file (sort @files) {
 next if $file eq 'error_log';
- next if $file eq 'tcpdf.php';
- next if $file eq 'charmap.php';
- next if $file eq 'main-modules.php';
- next if $file eq 'wp-super-cache.php';
- next if $file eq 'user-edit.php';
- next if $file eq 'youtube.php';
- next if $file eq 'FMModelForm_maker_fmc.php';
- next if $file eq 'menu_scan.php';
 print "Scanning $start_dir/$file... ";
 unless (-r "$start_dir/$file") {
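Review bot: The first added pattern, `qr/<\?php \$([A-z0-9_]{1,20})=\"b\"\.\"ase\"\.\"64_de\"\.\"code\";eval\(...`, is added only to malwaresh.pl, while the other four new signatures are added identically to malware6.pl in the same commit, so the two scanners' `@regexen` lists now differ by one signature — presumably unintended, given the surrounding context lines are byte-identical in both files. Keeping a single copy of the list in a shared module that both scripts `use`, or at minimum a header comment in each file `# keep in sync with @regexen in malware6.pl`, would stop the drift. That same pattern also ends on `\)\);` without the trailing ` \?>` the other four close on, which is fine if the sample really continues after the eval, but a one-line comment per signature naming the sample family it was cut from would make such differences checkable at review time. The four removed lines are blank, and the `@regexen` list begins above the hunk.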