new pattern

malware4.pl

@@ -271,7 +271,7 @@ my @regexen = (
     qr/<\?php\s+\$k\=\"ass\"\.\"ert\"\;\s+\$k\(\$\{\"\_PO\"\.\"ST\"\}\s+\[\'admins\'\]\)\;\?>No\.1\s+<\?php\s+\@preg\_replace\(\"\/\/e\"\,\$\_POST\[\'sss\'\]\,\"Access\s+Denied\"\)\;\?>/is,
     qr/<\?php\s+\/\*\s+WSO\s+\[2\.6\]\s+\*\/\$OOO000000\=urldecode\(.+?\=\_\_FILE\_\_\;\$.+?([A-z0-9]{1,20})\Z/is,
     qr/<\?php\+\$c\=base64\_decode\(\'([A-z0-9]{1,20})\=\'\)\.\$\_GET\[\'n\'\]\.\'t\'\;\@\$c\(\$\_POST\[\'x\'\]\)\;\?>abcabcabc/is,
-
+    qr/<\?php\s+ if\s+\(\$\_REQUEST\[\'action\'\]\s+\=\=\s+\'([A-z0-9]{1,10})\'\)\s+\{\s+\$in\_data\s+\=\s+base64\_decode\(\$\_REQUEST\[\'query\'\]\)\;\s+\$fr\s+\=\s+explode\(\'\|\'\,\s+\$in\_data\)\;\s+if\s+\(mail\(stripslashes\(base64\_decode\(\$fr\[0\]\)\)\,\s+stripslashes\(base64\_decode\(\$fr\[1\]\)\)\,\s+base64\_decode\(\$fr\[2\]\)\,\s+stripslashes\(base64\_decode\(\$fr\[3\]\)\)\)\)\s+\{echo\s+\'query\'\;\}\s+else\s+\{echo\s+\'bad\s+request\'\;\}\s+\}\s+else\s+\{echo\s+\'not\s+found\'\;\}/is,
 );
 
 my @base64_decodes = (