From 3453f3b02f0de6c5be7cb6e297c8104bc03afa31 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Mon, 7 May 2018 06:48:11 +0200
Subject: [PATCH] new pattern
---
 malware5.pl | 1 +
 malwaresh.pl | 1 +
 2 files changed, 2 insertions(+)
diff --git a/malware5.pl b/malware5.pl
index cd88bb7..539ca2d 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -453,6 +453,7 @@ my @regexen = (
 qr/<\?\s+eval\(gzinflate\(str\_rot13\(base64\_decode\(.+?\)\)\)\)\;\s+\?>/is,
 qr/<\?php.+?\?>([A-z0-9]{1,20})\%([A-z0-9]{1,20})\%.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
 qr/<\?php.+?\$([A-z0-9]{1,20})\=\(([0-9]{1,5})\-([0-9]{1,5})\)\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
+ qr/<\?php\s+if\(\@isset\(\$\_SERVER\[HTTP\_.+?\]\)\)\{\@eval\(base64\_decode\(\$\_SERVER\[.+?\]\)\)\;\}exit\;\?>.+?sites\/libasset\.php/is,
 );
diff --git a/malwaresh.pl b/malwaresh.pl
index 816b931..92c2004 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -936,6 +936,7 @@ my @regexen = (
 qr/<\?php\s+Error\_Reporting\(E\_ALL.+?FakeSender\s+by\s+POCT\s+\[FuckAV\.ru\]<\/title>.+?if\(mail\(\$to\,\s+\$subject\,\s+\$message\,\s+\$header\)\).+?\?>\s+<\/body>\s+<\/html>/is,
 qr/<\?\s+eval\(gzinflate\(str\_rot13\(base64\_decode\(.+?\)\)\)\)\;\s+\?>/is,
 qr/<\?php.+?\?>([A-z0-9]{1,20})\%([A-z0-9]{1,20})\%.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
+ qr/<\?php\s+if\(\@isset\(\$\_SERVER\[HTTP\_.+?\]\)\)\{\@eval\(base64\_decode\(\$\_SERVER\[.+?\]\)\)\;\}exit\;\?>.+?sites\/libasset\.php/is,
 );
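Review bot: The two `.+?` wildcards inside the `\$\_SERVER\[...\]` indexes of the added signature are unbounded and, under `/s`, can run past the closing bracket and across newlines. That can slow scans of large files and lets one match span unrelated code; bounding them, e.g. `\$\_SERVER\[HTTP\_[^\]]{1,64}\]` and `\$\_SERVER\[[^\]]{1,64}\]`, keeps each wildcard inside a single index. The pattern also matches only the unquoted, whitespace-free form of the stub and needs the trailing `sites\/libasset\.php` string, so it looks tied to one sample. A comment above the line such as `# eval(base64_decode($_SERVER[...])) stub followed by sites/libasset.php` would record what it is meant to cover. The same line is added to `@regexen` in malwaresh.pl, so both points apply to that hunk as well; the list starts outside each hunk.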