From 4b3af6d1f62700b1fae925440f12ca65e9353d91 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Thu, 28 Dec 2017 19:54:40 +0100
Subject: [PATCH] new patterns

---
 malware4.pl | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/malware4.pl b/malware4.pl
index a6068fc..407b1e5 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -222,7 +222,8 @@ my @regexen = (
 qr/<\?php\s+\@set\_time\_limit\(0\)\;\s+\@ini\_set\(\'display\_errors\'\,\s+1\)\;.+?if\(\!function\_exists\(\'file\_put\_contents\'\)\)\s+\{.+?if\(isset\(\$\_GET\[\"rdir\"\]\)\&\&\s+\$\_GET\[\"url\"\]\)\{.+?function\s+curl\_get\_from\_webpage\_one\_time\(\$url\,\$proxy\=\'\'\,\$tms\=0\)\{.+?unlink\(\"\.\/wp\-content\/uploader\.php\"\)\;\s+\?>/is,
 qr/<\?php.+?Joomla\.Administrator.+?define\(\'\_JEXEC\'\,\s+\'([A-z0-9]{250,})\'\)\;\s+defined\(\'\_JEXEC\'\)\s+or\s+die\;.+?echo\s+\'\s+\s+<\/form>\'\;\s+\?>/is,
 qr/<\?php\s+\@ini\_set\(\'display\_errors\'\,\s+0\)\;.+?\$arr\_word\[0\]\[\].+?\$arrKeywz\[\].+?\$strRand\[0\].+?str\_ireplace\(str\_replace\(.+?\/\/file\s+end/is,
-
+ qr/<\?php\s+\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\s+\#\s+Xai\s+Syndicate\s+\#\s+\#NoName\s+Shell\s+Release\#\s+\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\s+\$auth\_pass\s+\=.+?eval\(str\_rot13\(gzinflate\(str\_rot13\(base64\_decode\(\(\$noname\)\)\)\)\)\)\;/is,
+ qr/<\?php\s+echo\s+\"Priv8\s+Home\s+Root\s+Uploader.+?echo\s+\"gagal\s+upload\"\;\s+\}\s+\}\s+\}\s+\?>/is,
 );
 
 my @base64_decodes = (
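Review bot: The first added signature fires only when the 22-`#` banner, the "Xai Syndicate" / "NoName Shell Release" text and the variable name `$noname` all appear verbatim, so a copy with a retitled header or a renamed variable goes undetected, although the `eval(str_rot13(gzinflate(str_rot13(base64_decode(` chain is what actually identifies the loader. Consider adding a broader entry keyed on that chain, e.g. `qr/\$auth\_pass\s+\=.+?eval\(str\_rot13\(gzinflate\(str\_rot13\(base64\_decode\(\(\$\w+\)\)\)\)\)\)\;/is,`, and keeping the banner form as the more specific match. The second signature is similarly strict at its tail: `\}\s+\}\s+\}\s+\?>` needs exactly three whitespace-separated braces and a closing tag, so a file that omits `?>` would not match; making that tail optional or ending at `\"gagal\s+upload\"\;` would widen coverage. A one-line comment above each entry naming the family it targets would also help, since the commit message says only "new patterns". The `@regexen` list starts above this hunk, so how the patterns are applied to file contents is not visible here.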