From 4a0cb1e06603de51d5c62ec8d0a714278eb47836 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Thu, 24 May 2018 13:24:51 +0200
Subject: [PATCH] new patterns
---
 malware6.pl | 3 +++
 malwaresh.pl | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/malware6.pl b/malware6.pl
index d7ce2e5..49bbc68 100644
--- a/malware6.pl
+++ b/malware6.pl
@@ -72,6 +72,9 @@ my @regexen = (
 qr/<\?php\s+if\(isset\(\$_POST\[\'code\'\]\)\) \{\s+if \(\$_POST\[\'code\'\]\!=\"\"\) \{\s+eval\(stripslashes\(\$_POST\[code\]\)\);\s+exit;\s+\}\s+\}\s+echo \"([A-z0-9]{1,20})\";\s+\?>/is,
 qr/<\?php \@passthru\(\"cd \/tmp;wget http:\/\/.+?\); \?>/is,
 qr/<\?php \$x\w\w=\"\\x65.+?\);if\(isset\(\$_POST\[.+?\}else\{\@\$x\w\w\(\$_POST\[.+?\]\);\}\?>/is,
+ qr/<\?.+?preg_replace\(\"\/\.\*\/e\",\"\\x65.+?\\x3b\",\"\.\"\);/is,
+ qr/<\?php preg_replace\(\"\/\.\*\/e\",\"eval\(gzinflate\(base64_decode\(.+?\)\)\);\",\"\"\); \?>/is,
+ qr/<\?php if \(isset\(\$_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\) eval\(stripslashes\(\$_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\); \?>/is,
diff --git a/malwaresh.pl b/malwaresh.pl
index 81688f5..6885c8f 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -1057,6 +1057,9 @@ my @regexen = (
 qr/<\?php\s+if\(isset\(\$_POST\[\'code\'\]\)\) \{\s+if \(\$_POST\[\'code\'\]\!=\"\"\) \{\s+eval\(stripslashes\(\$_POST\[code\]\)\);\s+exit;\s+\}\s+\}\s+echo \"([A-z0-9]{1,20})\";\s+\?>/is,
 qr/<\?php \@passthru\(\"cd \/tmp;wget http:\/\/.+?\); \?>/is,
 qr/<\?php \$x\w\w=\"\\x65.+?\);if\(isset\(\$_POST\[.+?\}else\{\@\$x\w\w\(\$_POST\[.+?\]\);\}\?>/is,
+ qr/<\?.+?preg_replace\(\"\/\.\*\/e\",\"\\x65.+?\\x3b\",\"\.\"\);/is,
+ qr/<\?php preg_replace\(\"\/\.\*\/e\",\"eval\(gzinflate\(base64_decode\(.+?\)\)\);\",\"\"\); \?>/is,
+ qr/<\?php if \(isset\(\$_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\) eval\(stripslashes\(\$_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\); \?>/is,
 );
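Review bot: The first added pattern, `qr/<\?.+?preg_replace\(...`, opens with an unbounded `<\?.+?` under `/s`, so a match can begin at the first `<?` in a file and run through unrelated legitimate code until it reaches the `preg_replace("/.*/e", ...)` payload; the other two added patterns are anchored on `<\?php ` and do not have this problem. How `@regexen` is consumed is outside the hunk (the array opens above it), but if the matched span is stripped or quarantined this would take clean code with it, and on large files the lazy `.+?` runs may backtrack heavily. I would keep the match inside one PHP block, for example by starting it with `<\?(?:(?!\?>).)*?preg_replace\(` instead of `<\?.+?preg_replace\(`. The same line is added to `malwaresh.pl` in the second hunk, so the fix applies there too, and the duplication suggests moving the shared signatures into one file that both scripts load. Separately, `[A-z0-9]` in the third pattern also matches `[`, `\`, `]`, `^`, `_` and the backtick; with `/i` already set, `[a-z0-9_]` would state the intent.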