new patterns

malware6.pl

@@ -369,7 +369,12 @@ my @regexen = (
     qr/<\?php \@error_reporting\(0\);\$.+?=array\(.+?\$payload=.+?\(\"\\x65\\x76\\x61\\x6c\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x67\\x7a\\x69\\x6e\\x66\\x6c\\x61\\x74\\x65\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x24\\x70\\x61\\x79\\x6c\\x6f\\x61\\x64\\x29\\x2c\\x30\\x29\\x29\\x29\"\);/is,
     qr/<\?php\s+\/*.+?\$([A-z0-9_]{1,20}) = \"\(.+?\$([A-z0-9_]{1,20}) = \"\";\s+foreach\(\[.+?\$([A-z0-9_]{1,20})\(\'n\'\.\'\'\.\'\'\.\'o\'\.\'i\'.+?\/\*([A-z0-9_]{20,})\*\//is,
     qr/if\(!class_exists\(\'Ratel\'\)\)\{if\(function_exists\(\'is_user_logged_in\'\)\)\{if\(is_user_logged_in\(\)\)\{return false;\}\}if\(isset\(\$_REQUEST\[\'xftest\'\]\)\)\{die\(pi\(\)\*6\);\}.+?\$is_bot=0;if\(\@preg_match\(\"\/\(googlebot\|msnbot.+?\{die\(\'suspicious request denied\'\);\}\}class Ratel\{public \$links_url=.+?\$ratel=new Ratel;\$ratel->init\(\$ruri,\$host,\$is_bot\);\}.+?\@include_once\(.+?\.php\'\);/is,
-       
+    qr/<\?php\s+if \(\@\$_SERVER\[\'HTTP_X_([A-z0-9_]{1,20})\'\]\) \{\s+echo \"YES_YES\";\s+if \(\@\$_SERVER\[\'HTTP_X_TO\'\]\) \{\s+file_put_contents\(\@\$_SERVER\[\'HTTP_X_TO\'\], \@\$_SERVER\[\'HTTP_X_DATA\'\]\);\s+\}\s+\}\s+\?><\?php \/\*.+?\*\/\@\$([A-z0-9_]{1,20})&&\@\$W\(\$X\(\$Y,\$Z\)\);\/\*.+?\*\/ \?>/is,
+    qr/<\?php \/\*\s+GNU GENERAL PUBLIC.+?\*\/extract\(\$_COOKIE\);\/\*.+?\*\/\@\$([A-z0-9_]{1,20})&&\@\$W\(\$X\(\$Y,\$Z\)\);\/\*.+?\*\/ \?>/is,
+    qr/<\?php\s+if \(\@\$_SERVER\[\'HTTP_X_([A-z0-9_]{1,20})\'\]\) \{\s+echo \"YES_YES\";\s+if \(\@\$_SERVER\[\'HTTP_X_TO\'\]\) \{\s+file_put_contents\(\@\$_SERVER\[\'HTTP_X_TO\'\], \@\$_SERVER\[\'HTTP_X_DATA\'\]\);\s+\}\s+\}\s+\?>/is,
+    qr/if\(!class_exists\(\'Ratel\'\)\)\{if\(function_exists\(\'is_user_logged_in\'\)\)\{if\(is_user_logged_in\(\)\)\{return false;\}\}if\(isset\(\$_REQUEST\[\'xftest\'\]\)\)\{die\(pi\(\)\*6\);\}.+?\$ratel=new Ratel;\$ratel->init\(\$ruri,\$host,\$is_bot\);\}/is,
+    
+      
 
 
    

malwaresh.pl

@@ -1356,6 +1356,10 @@ my @regexen = (
     qr/<\?php \@error_reporting\(0\);\$.+?=array\(.+?\$payload=.+?\(\"\\x65\\x76\\x61\\x6c\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x67\\x7a\\x69\\x6e\\x66\\x6c\\x61\\x74\\x65\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x24\\x70\\x61\\x79\\x6c\\x6f\\x61\\x64\\x29\\x2c\\x30\\x29\\x29\\x29\"\);/is,
     qr/<\?php\s+\/*.+?\$([A-z0-9_]{1,20}) = \"\(.+?\$([A-z0-9_]{1,20}) = \"\";\s+foreach\(\[.+?\$([A-z0-9_]{1,20})\(\'n\'\.\'\'\.\'\'\.\'o\'\.\'i\'.+?\/\*([A-z0-9_]{20,})\*\//is,
     qr/if\(!class_exists\(\'Ratel\'\)\)\{if\(function_exists\(\'is_user_logged_in\'\)\)\{if\(is_user_logged_in\(\)\)\{return false;\}\}if\(isset\(\$_REQUEST\[\'xftest\'\]\)\)\{die\(pi\(\)\*6\);\}.+?\$is_bot=0;if\(\@preg_match\(\"\/\(googlebot\|msnbot.+?\{die\(\'suspicious request denied\'\);\}\}class Ratel\{public \$links_url=.+?\$ratel=new Ratel;\$ratel->init\(\$ruri,\$host,\$is_bot\);\}.+?\@include_once\(.+?\.php\'\);/is,
+    qr/<\?php\s+if \(\@\$_SERVER\[\'HTTP_X_([A-z0-9_]{1,20})\'\]\) \{\s+echo \"YES_YES\";\s+if \(\@\$_SERVER\[\'HTTP_X_TO\'\]\) \{\s+file_put_contents\(\@\$_SERVER\[\'HTTP_X_TO\'\], \@\$_SERVER\[\'HTTP_X_DATA\'\]\);\s+\}\s+\}\s+\?><\?php \/\*.+?\*\/\@\$([A-z0-9_]{1,20})&&\@\$W\(\$X\(\$Y,\$Z\)\);\/\*.+?\*\/ \?>/is,
+    qr/<\?php \/\*\s+GNU GENERAL PUBLIC.+?\*\/extract\(\$_COOKIE\);\/\*.+?\*\/\@\$([A-z0-9_]{1,20})&&\@\$W\(\$X\(\$Y,\$Z\)\);\/\*.+?\*\/ \?>/is,
+    qr/<\?php\s+if \(\@\$_SERVER\[\'HTTP_X_([A-z0-9_]{1,20})\'\]\) \{\s+echo \"YES_YES\";\s+if \(\@\$_SERVER\[\'HTTP_X_TO\'\]\) \{\s+file_put_contents\(\@\$_SERVER\[\'HTTP_X_TO\'\], \@\$_SERVER\[\'HTTP_X_DATA\'\]\);\s+\}\s+\}\s+\?>/is,
+    qr/if\(!class_exists\(\'Ratel\'\)\)\{if\(function_exists\(\'is_user_logged_in\'\)\)\{if\(is_user_logged_in\(\)\)\{return false;\}\}if\(isset\(\$_REQUEST\[\'xftest\'\]\)\)\{die\(pi\(\)\*6\);\}.+?\$ratel=new Ratel;\$ratel->init\(\$ruri,\$host,\$is_bot\);\}/is,
     
 
 );