From 5a8f6f707721ab9ec4d9182186c90fbea1000df8 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Sat, 19 Aug 2017 12:11:58 +0200
Subject: [PATCH] added 4 new patterns
---
 malware4.pl | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/malware4.pl b/malware4.pl
index 50b00fd..80fa1e2 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -167,10 +167,11 @@ my @regexen = (
 qr/<\?php\s+header\(\"Location\:\s+http\:\/\/.+?\"\)\;\s+\?>/is,
 qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;.+?\}\s+\?>/is,
 qr/GIF89a\@\s+<\?php.+?MulCiShell.+?ob\_end\_flush\(\)\;\s+\?>/is,
-
-
-
-
+ qr/<\?php\s+echo\s+eval\(base64\_decode\(str\_replace\(\'\*\'\,\'a\'\,str\_replace\(\'\%\'\,\'B\'\,str\_replace\(\'\~\'\,\'F\'\,str\_replace\(\'\_\'\,\'z\'\,str\_replace\(\'\$\'\,\'x\'\,str\_replace\(\'\@\'\,\'d\'\,str\_replace\(\'\^\'\,\'3\'.+?\'\)\)\)\)\)\)\)\)\)\;/is,
+ qr/<\?php\s+\/\/\/\s+WebShell.+?echo\s+\"sent\_error\"\;\s+\}\s+\}\s+\?>/is,
+ qr/<\?php\s+error\_reporting\(0\)\;\s+define\(\'TMP\'\,\'\.\/tmp\/\'\)\;\s+define\(\'BUF\'\,65536\)\;\s+define\(\'ZLEVEL\'\,9\)\;.+?header\(\"STATUS\:\s+OK\"\)\;\s+\}/is,
+ qr/<\?php\s+\$cfg\=.+?\)\)\{echo\s+\$goto\_body\;\}\s+\?>/is,
+
 );
 my @base64_decodes = (
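Review bot: The last added pattern, `qr/<\?php\s+\$cfg\=.+?\)\)\{echo\s+\$goto\_body\;\}\s+\?>/is`, opens on a prefix that ordinary configuration files also start with and then lets `.+?` under `/s` cross any amount of text, so a match can begin at an unrelated `<?php $cfg=` block and run on to a tail much later in the file. The `@regexen` list starts above this hunk and the code that applies it is not visible; if matched spans are stripped rather than only reported, that over-long match would take legitimate code with it. Tempering the gap so it cannot cross another opening tag keeps the match inside one block, for example `(?:(?!<\?php).)+?` in place of `.+?`. The `/// WebShell` and `define('TMP'` patterns have more specific prefixes but use the same unbounded gap and are worth the same check. A one-line comment above each pattern naming the sample it was derived from would make later tuning and false-positive triage much easier.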