From 448e75c083ecf9005727764dbe3bcafad70d3c1b Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Fri, 11 May 2018 11:49:40 +0200
Subject: [PATCH] added working Eitest Regex
---
 scan.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/scan.py b/scan.py
index d719259..1ab92fc 100644
--- a/scan.py
+++ b/scan.py
@@ -231,7 +231,7 @@ scoring = {
 'PHISHING': (10, u'Phishing patterns'),
 'MD5': (20, u'md5 strings used in malware'),
 'SOCIALS': (50, u'Email addresses, links and social networking'),
- 'EITEST': (50, u'Eitest'),
+ 'EITEST': (65, u'Eitest'),
 }
@@ -325,6 +325,8 @@ def is_hacked(filename):
 score.append(('ACCESS_DENIED', ''))
 if l.find('/bin/host') >= 0:
 score.append(('BIN_HOST', ''))
+ if re.compile('<\?php\s*\$([a-z]){1,10}\s*=\s*\'.*\$([a-z]){1,10}=explode\(chr\(\(([0-9]){1,4}[-+]([0-9]){1,4}\)\).*\$([a-z]){1,10}=\(([0-9]){1,4}[-+]([0-9]){1,10}\).*-1;\s*\?>').match(l):
+ score.append(('EITEST', ''))
 if ('if( !isset($gCms) ) exit;' in l or
 "if( !defined( '_VALID_MOS' )" in l or
 "if (!defined('IN_PHPBB')" in l or
@@ -530,8 +532,7 @@ def is_hacked(filename):
 or 'https://www.colourbox.com/preview/11775720-hacker-boy-icon.jpg' in l \
 or 'https://image.prntscr.com/image/dQ_-z9pTRL6tA2kqbnXH6A.jp' in l:
 score.append(('SOCIALS', ''))
- if re.compile("<\?php \$([a-z]){1,10} = \'.*\$([a-z]){1,10}=explode\(chr\(\(([0-9]){1,4}[-+]([0-9]){1,4}\)\).*\$([a-z]){1,10}=\(([0-9]){1,4}[-+]([0-9]){1,10}\).*-1; \?>") in l:
- score.append(('EITEST', ''))
+ previous_line = l
 if line_num < 20:
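Review bot: The new EITEST check in the second hunk calls `.match(l)`, which is anchored to the start of the line, so the signature only fires when `<?php` is the first thing on the line; `.search(l)` would also cover lines where other content precedes the tag. The pattern is a plain string literal containing `\?`, `\s`, `\$` and `\(`, which newer Python versions warn about as invalid escape sequences; writing it as a raw string `r'...'` keeps the matching behaviour the same. Compiling it once at module level, for example `EITEST_RE = re.compile(r'...')` and then `if EITEST_RE.search(l):`, avoids the per-line `re.compile` call and gives the signature a name. Because the pattern has several unbounded `.*` runs and `l` is untrusted file content, very long lines may be slow to reject, so a length cap on `l` before matching is worth considering. is_hacked begins and ends outside this hunk.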