From 48a31d239b103051fd36252a30000671f021b2db Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Mon, 30 Apr 2018 12:24:23 +0200
Subject: [PATCH] new patterns
---
 malware5.pl | 16 +++++++++++++++-
 malwaresh.pl | 17 ++++++++++++++++-
 scan.php | 2 +-
 3 files changed, 32 insertions(+), 3 deletions(-)
diff --git a/malware5.pl b/malware5.pl
index 61769df..f0bc86d 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -356,7 +356,21 @@ my @regexen = (
 qr/<\?php\s+\$urls\s+\=\s+array\s+\(\s+\'http\:\/\/.+?\)\;\s+\$URL\s+\=\s+\$urls\[rand\(0\,\s+count\(\$urls\)\s+\-\s+1\)\]\;\s+header\s+\(\"Location\:\s+\$URL\"\)\;\s+\?>/is,
 qr/<\?php\s+if\s+\(md5\(\$\_POST\[.+?\'bas\'\.\'e6\'\.\'4\_d\'\.\'ec\'\.\'ode\'\;.+?array\_walk\(.+?\)\;\}\}\s+\?>/is,
 qr/<\?php.+?move\_uploaded\_file\(\$file\,\s+\$name\)\;\s+\}else\{\s+\?>.+?action\=\"<\?\$\_SERVER\[\'PHP\_SELF\'\]\?>\">.+?require\_once\(dirname\(\_\_FILE\_\_\)\.DS\.\'index\.php\'\)\;\s+\?>/is,
-
+ qr/Goog1e\_analist\_up<\?php\s+\$.+?\)\{eval\(\$.+?\)\{system\(\$.+?\)\{move\_uploaded\_file\(\$\_FILES\[.+?\]\[\'name\'\]\)\;\}\?>/is,
+ qr/<\?php\s+function\s+d\(\$.+?\$d\.\=chr\(hexdec\(substr\(\$.+?\}\}eval\(d\(\".+?\)\)\;\s+\?>/is,
+ qr/.+?Lampungcarding.+?\$currentCMD.+?exit\;\s+\?>.+?<\/title>/is,
+ qr/<\!\-\-<\?php\s+if\(\@\$\_REQUEST\[.+?Goog1e\_analist\_certs.+?\{eval\(base64\_decode\(\$.+?\)\{move\_uploaded\_file\(\$.+?\?>\-\->/is,
+ qr/<\?php\s+if\(isset\(\$\_GET\[\'.+?Goog1e\_analist\_certs.+?\]\)\)\{eval\(base64\_decode\(\$\_POST\[.+?\]\)\;\}\}\?>/is,
+ qr/<\?php\s+\$([A-z0-9]{1,20}).+?isset\(.+?eval\(.+?\'([A-z0-9]{1,20})\'.+?\?>/is,
+ qr/<\?php\s+\$([A-z0-9]{1,20})\=\".+?\"\;\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\{\$([A-z0-9]{1,20})\[\d\d\]\.\$([A-z0-9]{1,20})\[\d\d\].+?\{\s+break\;\s+\}\s+\}\s+return\;\s+\}\s+if\s+\(isset\(\$GLOBALS\[.+?\{\s+echo\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\(([A-z0-9]{1,20})\)\;\s+\}\s+\}\s+\?>/is,
+ qr/<\?php\s+\$([A-z0-9]{1,20}).+?isset\s+\(.+?eval\s+\(.+?\'([A-z0-9]{1,20})\'.+?\?>/is,
+ qr/<\?php\s+\$([A-z0-9]{1,20}).+?isset\s+\(.+?eval\(.+?\'([A-z0-9]{1,20})\'.+?\?>/is,
+ qr/<\?php\s+\$([A-z0-9]{1,20}).+?isset\(.+?eval\s+\(.+?\'([A-z0-9]{1,20})\'.+?\?>/is,
+ qr/<\?php.+?\$([A-z0-9]{1,20})\s+\=.+?eval\(\"\?>\"\.gzuncompress\(base64\_decode\(\$([A-z0-9]{1,20})\)\)\)\;\s+\?>/is,
+ qr/<\?php\s+\$.+?\=urldecode\(.+?eval\(\$GLOBALS\[.+?\?><\?php\s+\/\*\s+([A-z0-9]{1,20})\s+\*\/\$.+?eval\(\$.+?\/([A-z0-9]{1,20})\=([A-z0-9]{1,20})\Z/is,
+ qr/<\?php\s+\$f\s+\=\s+fopen\(.+?echo\s+\"HACKED\s+BY.+?\?>/is,
+ qr/<\?php\s+\/\*.+?\$homedir\s+\=\s+\'\.\/\'\;.+?case\s+\'upload\'\:\s+\$dest\s+\=\s+relative2absolute\(\$file\[\'name\'\]\,\s+\$directory\)\;.+?\.php\_uname\(\)\.\'
<\/b>\'\;\s+\?>/is,
+ qr/<\?php\s+eval\(\$\_POST\[([A-z0-9]{1,20})\]\)\?>/is,
 );
 my @base64_decodes = (
diff --git a/malwaresh.pl b/malwaresh.pl
index 562daeb..b48d63f 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
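Review bot: The capture class `[A-z0-9]{1,20}` in the new `isset`/`eval`, `$GLOBALS`, gzuncompress, urldecode and `eval($_POST[...])` patterns spans ASCII 0x41–0x7A, so it also accepts `[`, `\`, `]`, `^` and `` ` ``; if a PHP identifier is meant, `[A-Za-z0-9_]{1,20}` says so and cannot swallow a stray `]` or `\` into the capture. The four patterns that differ only in `isset\s+\(`/`isset\(` and `eval\s+\(`/`eval\(` collapse to one, `qr/<\?php\s+\$([A-Za-z0-9_]{1,20}).+?isset\s*\(.+?eval\s*\(.+?\'([A-Za-z0-9_]{1,20})\'.+?\?>/is`, which is also easier to audit. That pattern fires on any file opening with `<?php $x` that contains `isset(`, `eval(`, a quoted identifier and `?>` in that order, so it should be run against the known-clean corpus before release, since a false positive on a legitimate plugin costs more than a missed variant. The same additions appear verbatim in malwaresh.pl at `@@ -839,7 +839,22 @@`; one shared pattern file would keep the two scanners from drifting. The `my @regexen = (` list starts before this hunk.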
@@ -839,7 +839,22 @@ my @regexen = (
 qr/<\?php\s+\$urls\s+\=\s+array\s+\(\s+\'http\:\/\/.+?\)\;\s+\$URL\s+\=\s+\$urls\[rand\(0\,\s+count\(\$urls\)\s+\-\s+1\)\]\;\s+header\s+\(\"Location\:\s+\$URL\"\)\;\s+\?>/is,
 qr/<\?php\s+if\s+\(md5\(\$\_POST\[.+?\'bas\'\.\'e6\'\.\'4\_d\'\.\'ec\'\.\'ode\'\;.+?array\_walk\(.+?\)\;\}\}\s+\?>/is,
 qr/<\?php.+?move\_uploaded\_file\(\$file\,\s+\$name\)\;\s+\}else\{\s+\?>.+?action\=\"<\?\$\_SERVER\[\'PHP\_SELF\'\]\?>\">.+?require\_once\(dirname\(\_\_FILE\_\_\)\.DS\.\'index\.php\'\)\;\s+\?>/is,
-
+ qr/Goog1e\_analist\_up<\?php\s+\$.+?\)\{eval\(\$.+?\)\{system\(\$.+?\)\{move\_uploaded\_file\(\$\_FILES\[.+?\]\[\'name\'\]\)\;\}\?>/is,
+ qr/<\?php\s+function\s+d\(\$.+?\$d\.\=chr\(hexdec\(substr\(\$.+?\}\}eval\(d\(\".+?\)\)\;\s+\?>/is,
+ qr/.+?Lampungcarding.+?\$currentCMD.+?exit\;\s+\?>.+?<\/title>/is,
+ qr/<\!\-\-<\?php\s+if\(\@\$\_REQUEST\[.+?Goog1e\_analist\_certs.+?\{eval\(base64\_decode\(\$.+?\)\{move\_uploaded\_file\(\$.+?\?>\-\->/is,
+ qr/<\?php\s+if\(isset\(\$\_GET\[\'.+?Goog1e\_analist\_certs.+?\]\)\)\{eval\(base64\_decode\(\$\_POST\[.+?\]\)\;\}\}\?>/is,
+ qr/<\?php\s+\$([A-z0-9]{1,20}).+?isset\(.+?eval\(.+?\'([A-z0-9]{1,20})\'.+?\?>/is,
+ qr/<\?php\s+\$([A-z0-9]{1,20})\=\".+?\"\;\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\{\$([A-z0-9]{1,20})\[\d\d\]\.\$([A-z0-9]{1,20})\[\d\d\].+?\{\s+break\;\s+\}\s+\}\s+return\;\s+\}\s+if\s+\(isset\(\$GLOBALS\[.+?\{\s+echo\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\(([A-z0-9]{1,20})\)\;\s+\}\s+\}\s+\?>/is,
+ qr/<\?php\s+\$([A-z0-9]{1,20}).+?isset\s+\(.+?eval\s+\(.+?\'([A-z0-9]{1,20})\'.+?\?>/is,
+ qr/<\?php\s+\$([A-z0-9]{1,20}).+?isset\s+\(.+?eval\(.+?\'([A-z0-9]{1,20})\'.+?\?>/is,
+ qr/<\?php\s+\$([A-z0-9]{1,20}).+?isset\(.+?eval\s+\(.+?\'([A-z0-9]{1,20})\'.+?\?>/is,
+ qr/<\?php.+?\$([A-z0-9]{1,20})\s+\=.+?eval\(\"\?>\"\.gzuncompress\(base64\_decode\(\$([A-z0-9]{1,20})\)\)\)\;\s+\?>/is,
+ qr/<\?php\s+\$.+?\=urldecode\(.+?eval\(\$GLOBALS\[.+?\?><\?php\s+\/\*\s+([A-z0-9]{1,20})\s+\*\/\$.+?eval\(\$.+?\/([A-z0-9]{1,20})\=([A-z0-9]{1,20})\Z/is,
+ qr/<\?php\s+\$f\s+\=\s+fopen\(.+?echo\s+\"HACKED\s+BY.+?\?>/is,
+ qr/<\?php\s+\/\*.+?\$homedir\s+\=\s+\'\.\/\'\;.+?case\s+\'upload\'\:\s+\$dest\s+\=\s+relative2absolute\(\$file\[\'name\'\]\,\s+\$directory\)\;.+?\.php\_uname\(\)\.\'
<\/b>\'\;\s+\?>/is,
+ qr/<\?php\s+eval\(\$\_POST\[([A-z0-9]{1,20})\]\)\?>/is,
+
 );
 my @base64_decodes = (
diff --git a/scan.php b/scan.php
index c143074..f483ebf 100644
--- a/scan.php
+++ b/scan.php
@@ -31,7 +31,7 @@ $counter_warning = 0;
 // just in case
 set_time_limit(0);
-error_reporting(E_ALL);
+error_reporting(0);
 $pattern = array(
 "if\(isset\(\$_REQUEST\[(.*)\{eval\((.*)\$_REQUEST\[(.*)exit",
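Review bot: `error_reporting(0)` suppresses every diagnostic the scanner itself raises, including the warning PHP emits when an entry of `$pattern` below (presumably passed to `preg_match`) is malformed, so a broken signature would fail silently and a scan that matched nothing would look clean rather than broken. The usual alternative keeps the diagnostics but moves them off the console: `error_reporting(E_ALL); ini_set('display_errors', '0'); ini_set('log_errors', '1');`. Whatever the setting, a `preg_last_error() !== PREG_NO_ERROR` check after each match is the only way to notice a pattern that exceeded the backtracking limit, because that case returns false without any warning.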