From 4e70a9d8fa67ae7607dd0f4b008d404edd4b3f94 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Sat, 21 Apr 2018 08:55:16 +0200
Subject: [PATCH] new scan changes

---
 patterns/base64.txt | 11 +++++++++++
 patterns/mailing.txt | 3 +++
 patterns/misc.txt | 0
 patterns/shells.txt | 2 ++
 scan.sh | 10 ++++++----
 5 files changed, 22 insertions(+), 4 deletions(-)
 create mode 100644 patterns/misc.txt
 create mode 100644 patterns/shells.txt

diff --git a/patterns/base64.txt b/patterns/base64.txt
index e69de29..e676657 100644
--- a/patterns/base64.txt
+++ b/patterns/base64.txt
@@ -0,0 +1,11 @@
+PCT4BA6ODSE_
+_GET[base64_decode(
+eval(gzinflate(base64_decode(
+eval(gzinflate(str_rot13(
+=Array(base64_decode(
+eval(gzinflate(str_rot13(base64_decode(
+eval(gzuncompress(base64_decode(
+eval(gzuncompress(str_rot13(base64_decode(
+eval(gzuncompress(base64_decode(str_rot13(
+eval(str_rot13(gzinflate(base64_decode(
+
\ No newline at end of file
diff --git a/patterns/mailing.txt b/patterns/mailing.txt
index e69de29..c83b6cc 100644
--- a/patterns/mailing.txt
+++ b/patterns/mailing.txt
@@ -0,0 +1,3 @@
+@base64_decode($email);
+X-Mailer: Microsoft Office Outlook
+Da Slake PHP MAILER
diff --git a/patterns/misc.txt b/patterns/misc.txt
new file mode 100644
index 0000000..e69de29
diff --git a/patterns/shells.txt b/patterns/shells.txt
new file mode 100644
index 0000000..c7dbe9b
--- /dev/null
+++ b/patterns/shells.txt
@@ -0,0 +1,2 @@
+r57Shell Edited By Margu
+ONBOOMSHELL V 0.2
diff --git a/scan.sh b/scan.sh
index efbd8cd..a38c9f4 100644
--- a/scan.sh
+++ b/scan.sh
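Review bot: The last added line of patterns/base64.txt (the bare `+` just before `\ No newline at end of file`, which is what brings the hunk to its stated 11 lines) is empty, and an empty grep pattern matches every line; with the current per-word loop in scan.sh it is silently skipped, but any consumer that hands the file to grep with `-f` would then report every scanned file, so the blank line should be dropped. `_GET[base64_decode(` also contains `[`, a bracket-expression opener in grep's default regex mode, so a consumer must pass the file's entries as fixed strings (`-F`) or the `[` needs escaping in the file. The mailing.txt and shells.txt entries added here contain spaces, which the whitespace-splitting loop in scan.sh cannot search as single patterns; that is raised on the scan.sh hunk.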
@@ -16,28 +16,30 @@
 base64 = "patterns/base64.txt"
 mailing = "patterns/mailing.txt"
 polymorphic = "patterns/polymorphic.txt"
 crypto = "patterns/crypto.txt"
+shells = "patterns/shells.txt"
+misc = "patterns/misc.txt"
 
 # Scanning for Phishing
 for i in $(cat $phishing)
 do
-    grep -Rl -e $i --include=*.{php,phtml,js,html,suspected}* /home/$user/public_html
+    grep -Rle $i --include=*.{php,phtml,js,html,suspected}* /home/$user/public_html
 done
 
 # Scanning for base64
 for i in $(cat $base64)
 do
-    grep -Rl -e $i /home/$user/public_html
+    grep -Rle $i --include=*.{php,phtml,js,html,suspected}* /home/$user/public_html
 done
 
 # Scanning for Mailing Scripts
 for i in $(cat $mailing)
 do
-    grep -Rl -e $i /home/$user/public_html
+    grep -Rle $i --include=*.{php,phtml}* /home/$user/public_html
 done
 
 # Scanning for CryptoCurrency Miners
 for i in $(cat $crypto)
 do
-    grep -Rl -e $i /home/$user/public_html
+    grep -Rle $i /home/$user/public_html
 done
\ No newline at end of file
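Review bot: The added `shells = "patterns/shells.txt"` and `misc = "patterns/misc.txt"` lines have spaces around `=`, which the shell parses as a command named `shells`/`misc` with two arguments rather than an assignment, so `$shells` and `$misc` stay empty (the `base64`/`mailing`/`crypto` context lines share this form, under which `$(cat $base64)` reads stdin); if that spacing is an artefact of how the patch was pasted, ignore this part. Either way neither new variable is read: the hunk runs to the end of the file (`\ No newline at end of file` on the final `done`) and no loop for shells or misc is added, so the shells.txt signatures from this commit are never searched. The `for i in $(cat $file)` loops also word-split the new multi-word entries in mailing.txt and shells.txt (`X-Mailer: Microsoft Office Outlook` becomes four separate searches, one of them for `Microsoft`), and the unquoted `-e $i` hands `_GET[base64_decode(` to grep as a regex, which fails on the unmatched `[`. Passing each pattern file with `-F -f` (blank lines filtered out first, since an empty pattern matches every line) fixes all three; the sketch below keeps the original `--include` globs, whose brace expansion assumes bash, and `$user` and the shebang are set above the hunk.
```shell
shells="patterns/shells.txt"
misc="patterns/misc.txt"

# List files under the user's docroot that contain any line of $1, read as
# fixed strings (one pattern per line, blank lines ignored); the remaining
# arguments are passed to grep, e.g. --include=... globs.
scan_with() {
    pattern_file=$1; shift
    grep -v '^[[:space:]]*$' "$pattern_file" |
        grep -RlF "$@" -f - -- "/home/$user/public_html"
}

# Scanning for Phishing
scan_with "$phishing" --include=*.{php,phtml,js,html,suspected}*

# Scanning for base64
scan_with "$base64" --include=*.{php,phtml,js,html,suspected}*

# Scanning for Mailing Scripts
scan_with "$mailing" --include=*.{php,phtml}*

# Scanning for CryptoCurrency Miners
scan_with "$crypto"

# Scanning for Web Shells (pattern file added by this commit; misc.txt is still empty)
scan_with "$shells" --include=*.{php,phtml}*
```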