From 3e3c87155c242a774cfbef782d062fed5d8499d6 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Wed, 9 May 2018 20:06:21 +0200
Subject: [PATCH] new patterns
---
 malware5.pl | 1 +
 malwaresh.pl | 2 ++
 2 files changed, 3 insertions(+)
diff --git a/malware5.pl b/malware5.pl
index e30e4a4..f323263 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -483,6 +483,7 @@ my @regexen = (
 qr/<\?php\s+ignore\_user\_abort\(\)\;.+?if\s+\(strpos\(\$inn\,\s+\"\.php\.suspected\"\)\).+?rename.+?\?>/is,
 qr/<\?php\s+extract\(\$\_COOKIE\)\;\s+if\s+\(\$\w\)\s+\{\s+\@\$\w\(\$\w\,\$\w\)\;\s+\@\$\w\(\$\w\(\$\w\,\$\w\)\)\;\s+\}/is,
 qr/<\?php\s+eval\s+\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\s+\?>/is,
+ qr/<\?php\s+header\(.+?\$Remote\_server.+?function\s+GetHtml\(\$url\)\s+\{\s+return\s+getHTTPPage\(\$url\)\;\s+\}/is,
 );
diff --git a/malwaresh.pl b/malwaresh.pl
index aabac61..0a90ca1 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -966,7 +966,9 @@ my @regexen = (
 qr/<\?php\s+ignore\_user\_abort\(\)\;.+?if\s+\(strpos\(\$inn\,\s+\"\.php\.suspected\"\)\).+?rename.+?\?>/is,
 qr/<\?php\s+extract\(\$\_COOKIE\)\;\s+if\s+\(\$\w\)\s+\{\s+\@\$\w\(\$\w\,\$\w\)\;\s+\@\$\w\(\$\w\(\$\w\,\$\w\)\)\;\s+\}/is,
 qr/<\?php\s+eval\s+\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\s+\?>/is,
+ qr/<\?php\s+header\(.+?\$Remote\_server.+?function\s+GetHtml\(\$url\)\s+\{\s+return\s+getHTTPPage\(\$url\)\;\s+\}/is,
+
 );
 my @base64_decodes = (
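Review bot: The added signature joins its three anchors with two unbounded `.+?` gaps under `/s`, so on a large file that contains `<?php header(` but not the rest of the signature the engine rescans towards end-of-file for every candidate start, and a hit can span unrelated code lying between distant anchors. Capping the gaps keeps scan time predictable and the match local, e.g. `header\(.{1,4096}?\$Remote\_server.{1,4096}?function\s+GetHtml` (4096 is an illustrative bound, to be tuned against the sample the pattern was written for). The same line is added verbatim in the malwaresh.pl hunk, so the change applies there as well, and a single shared pattern list would stop the two copies drifting apart. A one-line comment above the entry naming the sample or family it targets would let later maintainers judge false positives; the `@regexen` list begins outside the hunk, so how a match is acted on is not visible here.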