From 4f87bac1aac4a327aa41d2dca45fdea08f7b7855 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Mon, 28 May 2018 06:38:08 +0200
Subject: [PATCH] new patterns
---
 malware6.pl | 9 +++++++++
 malwaresh.pl | 11 +++++++++++
 2 files changed, 20 insertions(+)
diff --git a/malware6.pl b/malware6.pl
index fc1312d..c7d4b04 100644
--- a/malware6.pl
+++ b/malware6.pl
@@ -97,6 +97,15 @@ my @regexen = (
 qr/<\?php \@shell_exec\(\"wget http:\/\/.+?\?>/is,
 qr/<\?php system\(\$_SERVER\[\"HTTP_SHELL\"\]\);shell_exec\(\$_SERVER\[\"HTTP_SHELL\"\]\);passthru\(\$_SERVER\[\"HTTP_SHELL\"\]\);\?>/is,
 qr/<\?php echo base64_decode\(.+?\); include\(\"http:\/\/.+?\?>/is,
+ qr/<\?php \@include\(\"http:\/\/.+?\/r57\.v?\"\); \?>/is,
+ qr/<\?php \@include\(\$_GET\[\"([A-z0-9_]{1,20})\"\]\); echo \"\" \. md5\(\"([A-z0-9_]{1,20})\"\) \. \"<\/b>
Love Hack WORLD :\]\"; \?>/is,
+ qr/<\?php passthru\(\"wget http:\/\/.+?\?>/is,
+ qr/<\? \@shell_exec\(\"wget http:\/\/.+?\?>/is,
+ qr/<\?php \$to = \"misterxgoofy\@hotmail\.com\";\s+\$subject = \"Exploited\";.+?echo\(\"

Message delivery failed\.\.\.<\/p>\"\);\s+\}; \?>/is,
+ qr/<\?php\s+\$filecontents=\'<\?php if\(stristr\(\$_SERVER\[\\\'HTTP_USER_AGENT\\\'\],\\\'google\\\'\)\)\{.+?\$filecontents",FILE_APPEND\);.+?\?>/is,
+ qr/<\?php \@passthru\(\"cd \/tmp; wget http:\/\/+?\?>/is,
+ qr/<\?php exec\(\"wget http:\/\/.+?\?>/is,
+ qr/<\?php+?elseif\(function_exists\(\"passthru\"\)\)\{.+?fclose\(\$handle\);.+?echo ex\(\"cd \/dev\/shm;rm -rf ([A-z0-9_]{1,20})\.txt\"\);\s+\?>/is,
diff --git a/malwaresh.pl b/malwaresh.pl
index be22b7e..4681378 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -1082,6 +1082,17 @@ my @regexen = (
 qr/<\?php \@shell_exec\(\"wget http:\/\/.+?\?>/is,
 qr/<\?php system\(\$_SERVER\[\"HTTP_SHELL\"\]\);shell_exec\(\$_SERVER\[\"HTTP_SHELL\"\]\);passthru\(\$_SERVER\[\"HTTP_SHELL\"\]\);\?>/is,
 qr/<\?php echo base64_decode\(.+?\); include\(\"http:\/\/.+?\?>/is,
+ qr/<\?php \@include\(\"http:\/\/.+?\/r57\.v?\"\); \?>/is,
+ qr/<\?php \@include\(\$_GET\[\"([A-z0-9_]{1,20})\"\]\); echo \"\" \. md5\(\"([A-z0-9_]{1,20})\"\) \. \"<\/b>
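Review bot: Two of the added patterns near the end of this hunk have lost the `.` in front of a lazy quantifier, so they cannot match the files they were written for: in `\@passthru\(\"cd \/tmp; wget http:\/\/+?\?>` the `+?` repeats the slash, and in `<\?php+?elseif\(` it repeats the `p`. They presumably should read `wget http:\/\/.+?\?>` and `<\?php.+?elseif\(`, in line with the other wget patterns added here. The class `[A-z0-9_]` also takes in the punctuation that sits between `Z` and `a` in ASCII, so `[A-Za-z0-9_]` states what is meant, and the groups around it could be non-capturing `(?:...)`. The same nine lines are added to malwaresh.pl in the second hunk, so the fix applies there too. The `@regexen` list opens and closes outside both hunks, so how these signatures are applied to a scanned file is not visible here.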
Love Hack WORLD :\]\"; \?>/is,
+ qr/<\?php passthru\(\"wget http:\/\/.+?\?>/is,
+ qr/<\? \@shell_exec\(\"wget http:\/\/.+?\?>/is,
+ qr/<\?php \$to = \"misterxgoofy\@hotmail\.com\";\s+\$subject = \"Exploited\";.+?echo\(\"

Message delivery failed\.\.\.<\/p>\"\);\s+\}; \?>/is,
+ qr/<\?php\s+\$filecontents=\'<\?php if\(stristr\(\$_SERVER\[\\\'HTTP_USER_AGENT\\\'\],\\\'google\\\'\)\)\{.+?\$filecontents",FILE_APPEND\);.+?\?>/is,
+ qr/<\?php \@passthru\(\"cd \/tmp; wget http:\/\/+?\?>/is,
+ qr/<\?php exec\(\"wget http:\/\/.+?\?>/is,
+ qr/<\?php+?elseif\(function_exists\(\"passthru\"\)\)\{.+?fclose\(\$handle\);.+?echo ex\(\"cd \/dev\/shm;rm -rf ([A-z0-9_]{1,20})\.txt\"\);\s+\?>/is,
+
+