From 5a4d5a29eccc698c235d2c235f313674686ae7fe Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD <malin@cenusa.me>
Date: Sat, 17 Nov 2018 13:16:39 +0100
Subject: [PATCH] new patterns

---
 malware6.pl  | 7 ++++++-
 malwaresh.pl | 4 ++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/malware6.pl b/malware6.pl
index 34eb640..88f8d7e 100644
--- a/malware6.pl
+++ b/malware6.pl
@@ -369,7 +369,12 @@ my @regexen = (
     qr/<\?php \@error_reporting\(0\);\$.+?=array\(.+?\$payload=.+?\(\"\\x65\\x76\\x61\\x6c\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x67\\x7a\\x69\\x6e\\x66\\x6c\\x61\\x74\\x65\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x24\\x70\\x61\\x79\\x6c\\x6f\\x61\\x64\\x29\\x2c\\x30\\x29\\x29\\x29\"\);/is,
     qr/<\?php\s+\/*.+?\$([A-z0-9_]{1,20}) = \"\(.+?\$([A-z0-9_]{1,20}) = \"\";\s+foreach\(\[.+?\$([A-z0-9_]{1,20})\(\'n\'\.\'\'\.\'\'\.\'o\'\.\'i\'.+?\/\*([A-z0-9_]{20,})\*\//is,
     qr/if\(!class_exists\(\'Ratel\'\)\)\{if\(function_exists\(\'is_user_logged_in\'\)\)\{if\(is_user_logged_in\(\)\)\{return false;\}\}if\(isset\(\$_REQUEST\[\'xftest\'\]\)\)\{die\(pi\(\)\*6\);\}.+?\$is_bot=0;if\(\@preg_match\(\"\/\(googlebot\|msnbot.+?\{die\(\'suspicious request denied\'\);\}\}class Ratel\{public \$links_url=.+?\$ratel=new Ratel;\$ratel->init\(\$ruri,\$host,\$is_bot\);\}.+?\@include_once\(.+?\.php\'\);/is,
-       
+    qr/<\?php\s+if \(\@\$_SERVER\[\'HTTP_X_([A-z0-9_]{1,20})\'\]\) \{\s+echo \"YES_YES\";\s+if \(\@\$_SERVER\[\'HTTP_X_TO\'\]\) \{\s+file_put_contents\(\@\$_SERVER\[\'HTTP_X_TO\'\], \@\$_SERVER\[\'HTTP_X_DATA\'\]\);\s+\}\s+\}\s+\?><\?php \/\*.+?\*\/\@\$([A-z0-9_]{1,20})&&\@\$W\(\$X\(\$Y,\$Z\)\);\/\*.+?\*\/ \?>/is,
+    qr/<\?php \/\*\s+GNU GENERAL PUBLIC.+?\*\/extract\(\$_COOKIE\);\/\*.+?\*\/\@\$([A-z0-9_]{1,20})&&\@\$W\(\$X\(\$Y,\$Z\)\);\/\*.+?\*\/ \?>/is,
+    qr/<\?php\s+if \(\@\$_SERVER\[\'HTTP_X_([A-z0-9_]{1,20})\'\]\) \{\s+echo \"YES_YES\";\s+if \(\@\$_SERVER\[\'HTTP_X_TO\'\]\) \{\s+file_put_contents\(\@\$_SERVER\[\'HTTP_X_TO\'\], \@\$_SERVER\[\'HTTP_X_DATA\'\]\);\s+\}\s+\}\s+\?>/is,
+    qr/if\(!class_exists\(\'Ratel\'\)\)\{if\(function_exists\(\'is_user_logged_in\'\)\)\{if\(is_user_logged_in\(\)\)\{return false;\}\}if\(isset\(\$_REQUEST\[\'xftest\'\]\)\)\{die\(pi\(\)\*6\);\}.+?\$ratel=new Ratel;\$ratel->init\(\$ruri,\$host,\$is_bot\);\}/is,
+    
+      
 
 
    
diff --git a/malwaresh.pl b/malwaresh.pl
index 458b03c..a54d007 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -1356,6 +1356,10 @@ my @regexen = (
     qr/<\?php \@error_reporting\(0\);\$.+?=array\(.+?\$payload=.+?\(\"\\x65\\x76\\x61\\x6c\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x67\\x7a\\x69\\x6e\\x66\\x6c\\x61\\x74\\x65\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x24\\x70\\x61\\x79\\x6c\\x6f\\x61\\x64\\x29\\x2c\\x30\\x29\\x29\\x29\"\);/is,
     qr/<\?php\s+\/*.+?\$([A-z0-9_]{1,20}) = \"\(.+?\$([A-z0-9_]{1,20}) = \"\";\s+foreach\(\[.+?\$([A-z0-9_]{1,20})\(\'n\'\.\'\'\.\'\'\.\'o\'\.\'i\'.+?\/\*([A-z0-9_]{20,})\*\//is,
     qr/if\(!class_exists\(\'Ratel\'\)\)\{if\(function_exists\(\'is_user_logged_in\'\)\)\{if\(is_user_logged_in\(\)\)\{return false;\}\}if\(isset\(\$_REQUEST\[\'xftest\'\]\)\)\{die\(pi\(\)\*6\);\}.+?\$is_bot=0;if\(\@preg_match\(\"\/\(googlebot\|msnbot.+?\{die\(\'suspicious request denied\'\);\}\}class Ratel\{public \$links_url=.+?\$ratel=new Ratel;\$ratel->init\(\$ruri,\$host,\$is_bot\);\}.+?\@include_once\(.+?\.php\'\);/is,
+    qr/<\?php\s+if \(\@\$_SERVER\[\'HTTP_X_([A-z0-9_]{1,20})\'\]\) \{\s+echo \"YES_YES\";\s+if \(\@\$_SERVER\[\'HTTP_X_TO\'\]\) \{\s+file_put_contents\(\@\$_SERVER\[\'HTTP_X_TO\'\], \@\$_SERVER\[\'HTTP_X_DATA\'\]\);\s+\}\s+\}\s+\?><\?php \/\*.+?\*\/\@\$([A-z0-9_]{1,20})&&\@\$W\(\$X\(\$Y,\$Z\)\);\/\*.+?\*\/ \?>/is,
+    qr/<\?php \/\*\s+GNU GENERAL PUBLIC.+?\*\/extract\(\$_COOKIE\);\/\*.+?\*\/\@\$([A-z0-9_]{1,20})&&\@\$W\(\$X\(\$Y,\$Z\)\);\/\*.+?\*\/ \?>/is,
+    qr/<\?php\s+if \(\@\$_SERVER\[\'HTTP_X_([A-z0-9_]{1,20})\'\]\) \{\s+echo \"YES_YES\";\s+if \(\@\$_SERVER\[\'HTTP_X_TO\'\]\) \{\s+file_put_contents\(\@\$_SERVER\[\'HTTP_X_TO\'\], \@\$_SERVER\[\'HTTP_X_DATA\'\]\);\s+\}\s+\}\s+\?>/is,
+    qr/if\(!class_exists\(\'Ratel\'\)\)\{if\(function_exists\(\'is_user_logged_in\'\)\)\{if\(is_user_logged_in\(\)\)\{return false;\}\}if\(isset\(\$_REQUEST\[\'xftest\'\]\)\)\{die\(pi\(\)\*6\);\}.+?\$ratel=new Ratel;\$ratel->init\(\$ruri,\$host,\$is_bot\);\}/is,
     
 
 );