From 59549767db5a66ee2db240a95e91fc51a9149e6d Mon Sep 17 00:00:00 2001 From: Palma Solutions LTD Date: Sat, 5 May 2018 14:06:49 +0200 Subject: [PATCH] new SEO Spam pattern --- malware5.pl | 2 +- malwaresh.pl | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/malware5.pl b/malware5.pl index 68c2ef0..e88729c 100644 --- a/malware5.pl +++ b/malware5.pl @@ -450,7 +450,7 @@ my @regexen = ( qr/\s+\s+<\?php\s+tr\(\'name\'\,false\)\;\s+\?>\s+<\?php\s+echo\s+VERSION\;\?><\/title>.+?function\s+pingoutservers\(\)\s+\{.+?function\s+StopSendMail\(\)\s+\{.+?<\/body>\s+<\/html>/is, qr/<\!DOCTYPE.+?<title>\(c\)\s+private\s+mail\-worker\s+\(c\)<\/title>.+?function\s+randmail\(\).+?\$numemails\s+\=\s+count\(\$allemails\)\;.+?<\/style>\s+<\/body>\s+<\/html>/is, qr/<\?php\s+Error\_Reporting\(E\_ALL.+?<title>FakeSender\s+by\s+POCT\s+\[FuckAV\.ru\]<\/title>.+?if\(mail\(\$to\,\s+\$subject\,\s+\$message\,\s+\$header\)\).+?\?>\s+<\/body>\s+<\/html>/is, - + qr/<\?\s+eval\(gzinflate\(str\_rot13\(base64\_decode\(.+?\)\)\)\)\;\s+\?>/is, ); diff --git a/malwaresh.pl b/malwaresh.pl index 38e29ca..a57103c 100644 --- a/malwaresh.pl +++ b/malwaresh.pl @@ -933,6 +933,7 @@ my @regexen = ( qr/<html>\s+<head>\s+<title><\?php\s+tr\(\'name\'\,false\)\;\s+\?>\s+<\?php\s+echo\s+VERSION\;\?><\/title>.+?function\s+pingoutservers\(\)\s+\{.+?function\s+StopSendMail\(\)\s+\{.+?<\/body>\s+<\/html>/is, qr/<\!DOCTYPE.+?<title>\(c\)\s+private\s+mail\-worker\s+\(c\)<\/title>.+?function\s+randmail\(\).+?\$numemails\s+\=\s+count\(\$allemails\)\;.+?<\/style>\s+<\/body>\s+<\/html>/is, qr/<\?php\s+Error\_Reporting\(E\_ALL.+?<title>FakeSender\s+by\s+POCT\s+\[FuckAV\.ru\]<\/title>.+?if\(mail\(\$to\,\s+\$subject\,\s+\$message\,\s+\$header\)\).+?\?>\s+<\/body>\s+<\/html>/is, + qr/<\?\s+eval\(gzinflate\(str\_rot13\(base64\_decode\(.+?\)\)\)\)\;\s+\?>/is, );