From 37733348aa10da11d46aa892257a1a33942ffba2 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD <malin@cenusa.me>
Date: Mon, 23 Apr 2018 10:17:46 +0200
Subject: [PATCH] new pattern

---
 malware5.pl  | 2 +-
 malwaresh.pl | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/malware5.pl b/malware5.pl
index bfd7371..3b7eed0 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -283,7 +283,7 @@ my @regexen = (
     qr/<\?php\s+\$.+?\=\s+array\(\'.+?array\(\'ba\'\s+\,\'se\'\s+\,\'64\'\s+\,\'\_d\'\s+\,\'ec\'\s+\,\'od\'\s+\,\'e\'\)\;\s+\$.+?array\(\'gz\'\,\s+\'un\'\,\s+\'co\'\,\s+\'mp\'\,\s+\'re\'\,\s+\'ss\'\)\s+\;\$.+?eval.+?\?>/is,
     qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'.+?64\_d.+?array\(.+?eval.+?\$([A-z0-9]{1,20}).+?\?>/is,
     qr/<\?php.+?\$color\s+\=\s+\"\#df5\"\;.+?FilesMan.+?\?>/is,
-    
+    qr/<\?php\s+\@preg\_replace\(\"\/\[pageerror\]\/e\"\,\$\_POST\[\'([A-z0-9]{1,20})\'\]\,\"([A-z0-9]{1,20})\"\)\;\s+\?>/is,    
 );
 
 my @base64_decodes = (
diff --git a/malwaresh.pl b/malwaresh.pl
index 8f33e7e..93f39d9 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -763,6 +763,8 @@ my @regexen = (
     qr/<\?php\s+\$.+?\=\s+array\(\'.+?array\(\'ba\'\s+\,\'se\'\s+\,\'64\'\s+\,\'\_d\'\s+\,\'ec\'\s+\,\'od\'\s+\,\'e\'\)\;\s+\$.+?array\(\'gz\'\,\s+\'un\'\,\s+\'co\'\,\s+\'mp\'\,\s+\'re\'\,\s+\'ss\'\)\s+\;\$.+?eval.+?\?>/is,
     qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'.+?64\_d.+?array\(.+?eval.+?\$([A-z0-9]{1,20}).+?\?>/is,
     qr/<\?php.+?\$color\s+\=\s+\"\#df5\"\;.+?FilesMan.+?\?>/is,
+    qr/<\?php\s+\@preg\_replace\(\"\/\[pageerror\]\/e\"\,\$\_POST\[\'([A-z0-9]{1,20})\'\]\,\"([A-z0-9]{1,20})\"\)\;\s+\?>/is,    
+
 
 );