From 3520d78eee42121fb35d965f15034be96f2a1565 Mon Sep 17 00:00:00 2001 From: Palma Solutions LTD Date: Sat, 2 Jun 2018 08:04:21 +0200 Subject: [PATCH] new patterns --- malware6.pl | 3 +++ malwaresh.pl | 4 ++++ 2 files changed, 7 insertions(+) diff --git a/malware6.pl b/malware6.pl index b3c4aef..075cbe4 100644 --- a/malware6.pl +++ b/malware6.pl @@ -138,6 +138,9 @@ my @regexen = ( qr/<\?php\s+\/\*([A-z0-9_]{1,20})\*\/if\/\*([A-z0-9_]{1,20})\*\/\(isset\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\)\)\{\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\);exit;\} \@eval\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\);\?>/is, qr/<\?php\s+\/\*([A-z0-9_]{1,20})\*\/if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\/\*([A-z0-9_]{1,20})\*\/eval\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\);\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\} if\(isset\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\)\)\{\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\);exit;\}/is, qr/<\?= \"\";.+?Berandal Shell.+?
\s+\s+<\/form><\/center>/is, + qr/<\?php\s+\$to\s+= stripslashes\(\$_POST\[\"to_address\"\]\);.+?\'error : \'\.\$result;\s+\}\s+\?>/is, + qr/<\?php\s+echo \'good\';\s+echo \'\';\s+\?>/is, + qr/<\?php mail\(\'.+?\', \'MIME-Version: 1\.0.+?\'\);class DeleteOnExit \{function __destruct\(\)\{unlink\(__FILE__\);\}\}\$g_delete_on_exit = new DeleteOnExit\(\);echo \'good\';\?>/is, diff --git a/malwaresh.pl b/malwaresh.pl index 448090e..aa8ee7c 100644 --- a/malwaresh.pl +++ b/malwaresh.pl @@ -1123,6 +1123,10 @@ my @regexen = ( qr/<\?php\s+\/\*([A-z0-9_]{1,20})\*\/if\/\*([A-z0-9_]{1,20})\*\/\(isset\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\)\)\{\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\);exit;\} \@eval\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\);\?>/is, qr/<\?php\s+\/\*([A-z0-9_]{1,20})\*\/if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\/\*([A-z0-9_]{1,20})\*\/eval\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\);\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\} if\(isset\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\)\)\{\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\);exit;\}/is, qr/<\?= \"\";.+?Berandal Shell.+?\s+\s+<\/form><\/center>/is, + qr/<\?php\s+\$to\s+= stripslashes\(\$_POST\[\"to_address\"\]\);.+?\'error : \'\.\$result;\s+\}\s+\?>/is, + qr/<\?php\s+echo \'good\';\s+echo \'\';\s+\?>/is, + qr/<\?php mail\(\'.+?\', \'MIME-Version: 1\.0.+?\'\);class DeleteOnExit \{function __destruct\(\)\{unlink\(__FILE__\);\}\}\$g_delete_on_exit = new DeleteOnExit\(\);echo \'good\';\?>/is, + ) ;
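Review bot: The first and third added signatures in the malware6.pl hunk use an unbounded `.+?` under `/s` between two literals (`to_address\"\]\);.+?\'error : \'` and `mail\(\'.+?\', \'MIME-Version: 1\.0.+?\'\);class DeleteOnExit`), so one match can run from the opening `<?php` across any amount of unrelated code to the first later occurrence of the closing literal. How `@regexen` is applied is outside the hunk; if matches are stripped from files rather than just reported, this can remove legitimate code sitting between the two markers. A near-miss also makes the engine scan to the end of the file. Bounding the gap keeps the match on the sample's own body, for example `.{1,2000}?` in place of each `.+?` (the limit is a constructed value, to be sized from the captured samples). The identical lines in the malwaresh.pl hunk need the same change.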
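Review bot: These three signatures are pasted byte-for-byte into both malware6.pl and this file with no comment naming the sample each one targets, so the two lists can drift apart and a hit cannot be triaged from the source alone. This matters most for the second pattern, which as rendered here matches little more than `echo 'good'; echo '';` and gives a responder nothing to confirm a true positive against. I would add a one-line comment above each entry, such as `# mail form dropper reading $_POST["to_address"]`, `# 'good' probe stub` and `# self-deleting mail() probe (DeleteOnExit)`. A note beside the list that malware6.pl carries the same entries would also help. The hunk also appears to add a blank line before the closing `)`, which could be dropped.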