From 42f6db0bdf542886367eb4e5c30fce774a6e029c Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD <malin@cenusa.me>
Date: Thu, 13 Jul 2017 12:50:55 +0200
Subject: [PATCH] new pattern

---
 malware4.pl | 1 +
 1 file changed, 1 insertion(+)

diff --git a/malware4.pl b/malware4.pl
index 2e35dca..c101550 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -109,6 +109,7 @@ my @regexen = (
     qr/<\?php\s+function\s+result\(\$data\)\s+\{\s+\$result\=implode\(.+?\$result\=preg\_replace\(.+?if\(isset\(\$\_COOKIE\[\'google\'\]\)\).+?echo\(result\(array\(.+?\?>/is,
     qr/<\?php.+?\$e19\s+\=.+?include\_once\(\$H26\)\;\s+\?>/is,
     qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+mail\(stripslashes\(\$([A-z0-9]{1,20})\)\,\s+stripslashes\(\$([A-z0-9]{1,20})\)\,\s+stripslashes\(\$([A-z0-9]{1,20})\)\,\s+stripslashes\(\$([A-z0-9]{1,20})\)\)\;\s+if\(\$([A-z0-9]{1,20})\)\{echo\s+\'([A-z0-9]{1,20})\'\;\}\s+else\s+\{echo\s+\'([A-z0-9]{1,20})\s+\:\s+\'\s+\.\s+\$([A-z0-9]{1,20})\;\}/is,
+    qr/<\?php\s+eval\(eval\(\".+?\;\}\s+else\s+\{.+?\}\"\)\)\;\s+\?>/is,
 
 
 );