From 45a9e7fc254bbfa06d0b5b69f4f446d0f4ebec02 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Sat, 19 May 2018 14:11:30 +0200
Subject: [PATCH] corrected regex
---
 malware6.pl | 2 +-
 malwaresh.pl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/malware6.pl b/malware6.pl
index 35fa7f7..a233ee0 100644
--- a/malware6.pl
+++ b/malware6.pl
@@ -54,7 +54,7 @@ my @regexen = (
 qr/<\?php.+?\$wp_file_descriptions = array\(.+?\$search\.\"\.\@\"\.\$wp_file_descriptions\[\'rtl\.css\'\]\);\s+\?>/is,
 qr/<\?php \@eval\(\"\?>\"\.base64_decode\(.+?\)\);\/\/Generated by Ampare PHP Encoder. For more security please use php protect before encode the php program/is,
 qr/<\?php echo \'
(viagra|cialis|levitra)<\/a><\/div>\'; \?>/is,
- qr/if\(\$([A-z0-9]{1,20})=curl_init\(\)\)\{if\(isset\(\$_GET\[base64_decode\(\'.+?\'\)\]\)\)\{\$([A-z0-9]{1,20})=\$_GET\[base64_decode\(\'([A-z0-9]{1,20})\'\)\];curl_setopt\(([A-z0-9]{1,20}),CURLOPT_URL,\$([A-z0-9]{1,20})\);curl_setopt\(\$([A-z0-9]{1,20}),CURLOPT_RETURNTRANSFER,true\);eval\(curl_exec\(\$([A-z0-9]{1,20})\)\);curl_close\(\$([A-z0-9]{1,20})\);\}\}/is,
+ qr/if\(\$([A-z0-9]{1,20})=curl_init\(\)\)\{if\(isset\(\$_GET\[base64_decode\(\'.+?\'\)\]\)\)\{\$([A-z0-9]{1,20})=\$_GET\[base64_decode\(\'.+?\'\)\];curl_setopt\(([A-z0-9]{1,20}),CURLOPT_URL,\$([A-z0-9]{1,20})\);curl_setopt\(\$([A-z0-9]{1,20}),CURLOPT_RETURNTRANSFER,true\);eval\(curl_exec\(\$([A-z0-9]{1,20})\)\);curl_close\(\$([A-z0-9]{1,20})\);\}\}/is,
 );
diff --git a/malwaresh.pl b/malwaresh.pl
index 87d343a..371b8e8 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -1039,7 +1039,7 @@ my @regexen = (
 qr/<\?php.+?\$wp_file_descriptions = array\(.+?\$search\.\"\.\@\"\.\$wp_file_descriptions\[\'rtl\.css\'\]\);\s+\?>/is,
 qr/<\?php \@eval\(\"\?>\"\.base64_decode\(.+?\)\);\/\/Generated by Ampare PHP Encoder. For more security please use php protect before encode the php program/is,
 qr/<\?php echo \'
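Review bot: The first `curl_setopt` term in the added `qr/if\(\$...=curl_init...` signature still reads `curl_setopt\(([A-z0-9]{1,20}),CURLOPT_URL,` with no `\$` before the capture group, unlike the `CURLOPT_RETURNTRANSFER` call right after it, so as written it cannot match a PHP handle such as `$ch` and the signature probably never fires; I would change it to `curl_setopt\(\$([A-z0-9]{1,20}),CURLOPT_URL,` and confirm against the sample the rule was written from, which is not visible here. The identical line is added in the `malwaresh.pl` hunk and needs the same fix. Separately, `[A-z0-9]` also admits the ASCII punctuation between `Z` and `a` (brackets, backslash, caret, underscore, backtick), where `\w` presumably states the intent, and `[^\']+` in place of the two `.+?` would keep `/s` from letting a base64 argument run across quotes and newlines in a large file. The `@regexen` list opens above both hunks, so other entries may share these habits.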
(viagra|cialis|levitra)<\/a><\/div>\'; \?>/is,
- qr/if\(\$([A-z0-9]{1,20})=curl_init\(\)\)\{if\(isset\(\$_GET\[base64_decode\(\'.+?\'\)\]\)\)\{\$([A-z0-9]{1,20})=\$_GET\[base64_decode\(\'([A-z0-9]{1,20})\'\)\];curl_setopt\(([A-z0-9]{1,20}),CURLOPT_URL,\$([A-z0-9]{1,20})\);curl_setopt\(\$([A-z0-9]{1,20}),CURLOPT_RETURNTRANSFER,true\);eval\(curl_exec\(\$([A-z0-9]{1,20})\)\);curl_close\(\$([A-z0-9]{1,20})\);\}\}/is,
+ qr/if\(\$([A-z0-9]{1,20})=curl_init\(\)\)\{if\(isset\(\$_GET\[base64_decode\(\'.+?\'\)\]\)\)\{\$([A-z0-9]{1,20})=\$_GET\[base64_decode\(\'.+?\'\)\];curl_setopt\(([A-z0-9]{1,20}),CURLOPT_URL,\$([A-z0-9]{1,20})\);curl_setopt\(\$([A-z0-9]{1,20}),CURLOPT_RETURNTRANSFER,true\);eval\(curl_exec\(\$([A-z0-9]{1,20})\)\);curl_close\(\$([A-z0-9]{1,20})\);\}\}/is,
 );
 my @base64_decodes = (