new patterns

malware4.pl

@@ -243,6 +243,7 @@ foreach my $file (sort @files) {
         next if $file eq 'wp-super-cache.php';
         next if $file eq 'user-edit.php';
         next if $file eq 'youtube.php';
+        next if $file eq 'FMModelForm_maker_fmc.php';
         print "Scanning $start_dir/$file... ";
 
         unless (-r "$start_dir/$file") {

scan.php

@@ -457,7 +457,21 @@ error_reporting(E_ALL);
     "JspWebshell",
     "StAkeR ~ Shell",
     "SnIpEr_SA",
-    "<style name=\"Mr.HiTman\""
+    "<style name=\"Mr.HiTman\"",
+    "(?P<hex>\\\\x(?:{){0,1}\d{1,3}(?:}){0,1})",
+	"(?P<varfunc>\$\w+\(.*\))",
+	"(?P<god_mode_on><\?php\s*\/\*god_mode_on\*\/eval\(base64_decode\([\"'][^\"']{255,}[\"']\)\);\s*\/\*god_mode_off\*\/\s*\?>)",
+	"(?P<htaccess>RewriteCond %{HTTP_REFERER}\s*\^\.\*\s*\([^\)]*[google|yahoo|bing|ask|wikipedia|youtube][^\)]*)",
+	"(?P<JSCRIPT>^<script>.*<\/script>)",
+	"(?P<GRMalware>^<\?php\s*if\(!function_exists\([^{]+\s*{\s*function[^}]+\s*}\s*[^\"']+\s*[\"'][^\"']+[\"'];\s*eval\s*\(.*\)\s*;\s*}\s*)",
+	"(?P<c99>(<\?php)*\\\$md5\s*=\s*[\"|']\w+[\"|'];\s*\\\$wp_salt\s*=\s*[\w\(\),\"\'\;\$]+\s*\\\$wp_add_filter\s*=\s*create_function\(.*\);\s*\\\$wp_add_filter\(.*\);\s*(\?>)*)",
+	"(?P<evl>eval\s*\([^\)]+)",
+	"(?P<ltx>[a-zA-Z0-9\+\-\/]{50,})",
+	"(?P<ifm><iframe[^>]*)",
+	"(?P<mbd><embed[^>]*)",
+	"(?P<tim>[T|t]imthumb)",
+	"(?P<cfn>create_function[^\)]*)",
+	"(?P<c64>base64_decode[^\)]*)",
 
 );