From 616e2fa4b3cbef3844cac45b554150bb4548f7d8 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD <malin@cenusa.me>
Date: Sat, 16 Jun 2018 13:05:01 +0200
Subject: [PATCH] new pattern

---
 malware6.pl  | 12 ++++++++++++
 malwaresh.pl | 18 +++++++++++++++++-
 2 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/malware6.pl b/malware6.pl
index 2385494..ef6744a 100644
--- a/malware6.pl
+++ b/malware6.pl
@@ -193,6 +193,18 @@ my @regexen = (
     qr/<!--visitorTracker--><\?php \@ob_start\(\);\@ini_set\(\"display_errors\",0\);\@error_reporting\(0\);echo base64_decode\(.+?\"\);\?><!--visitorTracker-->/is,
     qr/<\?php\s+if\(!empty\(\$_SERVER\[\'HTTP_USER_AGENT\'\]\)\) \{ \$([A-z0-9_]{1,20}) = array\(\"Google\", \"Slurp\", \"MSNBot\", \"ia_archiver\", \"Yandex\", \"Rambler\", \"StackRambler\"\); if\(preg_match\(\'\/\' \. implode\(\'\|\', \$([A-z0-9_]{1,20})\) \. \'\/i\', \@\$_SERVER\[\'HTTP_USER_AGENT\'\]\)\).+?\$([A-z0-9_]{1,20})\[\]=\@realpath\(\$([A-z0-9_]{1,20})\.DIRECTORY_SEPARATOR\.\$([A-z0-9_]{1,20})\)\.DIRECTORY_SEPARATOR; else continue; .+?return \$([A-z0-9_]{1,20}) ; \} \?>/is,
     qr/<\?php \$([A-z0-9_]{1,20}) = \'.+?\$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\"\",([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20}),\$([A-z0-9_]{1,20}),\$([A-z0-9_]{1,20})\)\); \$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20}); \$([A-z0-9_]{1,20})\(\"\"\); \$([A-z0-9_]{1,20})=\(([0-9_]{1,20})-([0-9_]{1,20})\); \$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20})-1; \?>/is,
+    qr/<\?php\s+echo \'<img src=.+?\$xSoftware = trim\(getenv\(\"SERVER_SOFTWARE\"\)\);.+?if \(function_exists\(\"posix_getpwuid\"\) && function_exists\(\"posix_getgrgid\"\)\).+?\?> ;-\) <\/div>\s+<\/div>\s+<\/body>\s+<\/html>>/is,
+    qr/<\? eval\(base64_decode\(\'([A-z0-9_]{1,20}).+?([A-z0-9_=]{1,20})\'\)\); \?>/is,
+    qr/<\?php \$([A-z]{1,3})=base64_decode\(\'([A-z0-9=]{1,20})\'\)\.\$_GET\[\'([A-z]{1,3})\'\]\.\'([A-z]{1,3})\';\@\$([A-z]{1,3})\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\);\?>([A-z0-9_]{1,20})/is,
+    qr/<\?php\s+\/\*\s+\* hostname\.php\s+\*\/\s+\$hostname = gethostbyaddr\(\$_SERVER\[\'REMOTE_ADDR\'\]\); \/\/Get User Hostname\s+\$blocked_words = array\(.+?foreach\(\$blocked_words as \$word\) \{.+?\}\s+\?>/is,
+    qr/<\?php\s+require_once \'hostname\.php\';\s+\$praga=rand\(\);\s+\$praga=md5\(\$praga\);\s+header\(\"location: login\.php.+?\$praga\$praga\"\);\s+\?>/is,
+    qr/<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4\.01 Transitional\/\/EN\">\s+<html>\s+<head>\s+<title>.+?<body style=\"visibility:hidden\" onload=\"unhideBody\(\)\">.+?new MaskedPassword\(document\.getElementById\(.+?<\/body>\s+<\/html>/is,
+    qr/<\?php\s+if\(\$_POST\[.+?Apple Info.+?header \(\"Location: index\.php\"\);\s+\}\s+\?>/is,
+    qr/<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4\.01 Transitional\/\/EN\">\s+<html>\s+<head>\s+<title>.+?<body style=\"visibility:hidden\" onload=\"unhideBody\(\)\">.+?src=\"images\/sbmit\.png\"><\/div>\s+<\/div>\s+<\/body>\s+<\/html>/is,
+    qr/<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4\.01 Transitional\/\/EN\">\s+<html>\s+<head>\s+<title>.+?<body style=\"visibility:hidden\" onload=\"unhideBody\(\)\">.+?src=\"images\/apl\.gif\" alt=\"\" title=\"\" border=0 width=77 height=77><\/div>\s+<\/div>\s+<\/body>\s+<\/html>/is,
+    qr/<\?\s+include\(\'blocker\.php\'\);\s+\$DIR=md5\(rand\(0,100000000000\)\);.+?fwrite\(\$file,\$ip\.\"  -  \"\.gmdate \(\"Y-n-d\"\)\.\" \@ \"\.gmdate \(\"H:i:s\"\)\.\"\\n\"\);\s+\?>/is,
+    qr/<\?php\s+\$hostname = gethostbyaddr\(\$_SERVER\[\'REMOTE_ADDR\'\]\);\s+\$blocked_words = array\(\"above\",\"google\",\"softlayer\",\"amazonaws\",\"cyveillance\",\"phishtank\",\"dreamhost\",\"netpilot\",\"calyxinstitute\",\"tor-exit\", \"paypal\"\);.+?foreach\(\$bannedIP as \$ip\) \{\s+if\(preg_match\(\'\/\' \. \$ip \. \'\/\',\$_SERVER\[\'REMOTE_ADDR\'\]\)\)\{\s+header\(\'HTTP\/1\.0 404 Not Found\'\);.+?\'facebookexternalhit\'\) !== false\) \{ header\(\'HTTP\/1\.0 404 Not Found\'\); exit; \}\s+\?>/is,
+    
 
 
 
diff --git a/malwaresh.pl b/malwaresh.pl
index c7fd808..cc908fc 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -26,8 +26,9 @@ print "Content-type: text/html\n\n";
 my $user = $ARGV[0];
 
 my @regexen = (
+    qr/<\?php\s+\/\/header\(.+?\$([A-z0_]{1,20})=urldecode\(.+?\]\(\);\?>/is,
     qr/<\?php\s+if \(isset\(\$\{\"_REQUE\"\.\"ST\"\}\[\'([A-z0-9_]{1,20})\'\]\)\)\{\$([A-z0-9_]{1,20})=\"assert\";\$([A-z0-9_]{1,20})\(\$\{\"_REQUEST\"\}\[\'([A-z0-9_]{1,20})\'\]\);exit;\} \/\/([A-z0-9_]{1,20})\s+if \(!extension_loaded\(\'IonCube_loader\'\)\).+?\?>\s+([A-z0-9_]{50,})\Z/is,
-    qr/<\?php\s+\$([Oo0_]{1,10})=.+?\$([Oo0_]{1,10})=\'\|hateyou\|\';.+?\$([Oo0_]{1,10})=urldecode\(\"\%.+?\$([Oo0_]{1,10})=\"([A-z0-9_]{20,})\";\?>/is,
+    qr/<\?php\s+\$([A-z0_]{1,10})=.+?\$([A-z0_]{1,10})=\'\|hateyou\|\';.+?\$([A-z0_]{1,10})=urldecode\(\"\%.+?\$([A-z0_]{1,10})=\"([A-z0-9_]{20,})\";\?>/is,
     qr/\/\/\s+([A-z0-9]{31})\s+echo\s+base64\_decode\(.+?\)\;\s+\/\/([A-z0-9]{31})/is,
     qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\|.+?\)\)\=\=\$([A-z0-9]{1,20})\)eval\(\$.+?\'\;/is,
     qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\|.+?\)die\;\$.+?\(false\,\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\).+?\'\;/is,
@@ -1179,6 +1180,21 @@ my @regexen = (
     qr/<!--visitorTracker--><\?php \@ob_start\(\);\@ini_set\(\"display_errors\",0\);\@error_reporting\(0\);echo base64_decode\(.+?\"\);\?><!--visitorTracker-->/is,
     qr/<\?php\s+if\(!empty\(\$_SERVER\[\'HTTP_USER_AGENT\'\]\)\) \{ \$([A-z0-9_]{1,20}) = array\(\"Google\", \"Slurp\", \"MSNBot\", \"ia_archiver\", \"Yandex\", \"Rambler\", \"StackRambler\"\); if\(preg_match\(\'\/\' \. implode\(\'\|\', \$([A-z0-9_]{1,20})\) \. \'\/i\', \@\$_SERVER\[\'HTTP_USER_AGENT\'\]\)\).+?\$([A-z0-9_]{1,20})\[\]=\@realpath\(\$([A-z0-9_]{1,20})\.DIRECTORY_SEPARATOR\.\$([A-z0-9_]{1,20})\)\.DIRECTORY_SEPARATOR; else continue; .+?return \$([A-z0-9_]{1,20}) ; \} \?>/is,
     qr/<\?php \$([A-z0-9_]{1,20}) = \'.+?\$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\"\",([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20}),\$([A-z0-9_]{1,20}),\$([A-z0-9_]{1,20})\)\); \$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20}); \$([A-z0-9_]{1,20})\(\"\"\); \$([A-z0-9_]{1,20})=\(([0-9_]{1,20})-([0-9_]{1,20})\); \$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20})-1; \?>/is,
+    qr/<\?php\s+echo \'<img src=.+?\$xSoftware = trim\(getenv\(\"SERVER_SOFTWARE\"\)\);.+?if \(function_exists\(\"posix_getpwuid\"\) && function_exists\(\"posix_getgrgid\"\)\).+?\?> ;-\) <\/div>\s+<\/div>\s+<\/body>\s+<\/html>>/is,
+    qr/<\? eval\(base64_decode\(\'([A-z0-9_]{1,20}).+?([A-z0-9_=]{1,20})\'\)\); \?>/is,
+    qr/<\?php \$([A-z]{1,3})=base64_decode\(\'([A-z0-9=]{1,20})\'\)\.\$_GET\[\'([A-z]{1,3})\'\]\.\'([A-z]{1,3})\';\@\$([A-z]{1,3})\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\);\?>([A-z0-9_]{1,20})/is,
+    qr/<\?php\s+\/\*\s+\* hostname\.php\s+\*\/\s+\$hostname = gethostbyaddr\(\$_SERVER\[\'REMOTE_ADDR\'\]\); \/\/Get User Hostname\s+\$blocked_words = array\(.+?foreach\(\$blocked_words as \$word\) \{.+?\}\s+\?>/is,
+    qr/<\?php\s+require_once \'hostname\.php\';\s+\$praga=rand\(\);\s+\$praga=md5\(\$praga\);\s+header\(\"location: login\.php.+?\$praga\$praga\"\);\s+\?>/is,
+    qr/<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4\.01 Transitional\/\/EN\">\s+<html>\s+<head>\s+<title>.+?<body style=\"visibility:hidden\" onload=\"unhideBody\(\)\">.+?new MaskedPassword\(document\.getElementById\(.+?<\/body>\s+<\/html>/is,
+    qr/<\?php\s+if\(\$_POST\[.+?Apple Info.+?header \(\"Location: index\.php\"\);\s+\}\s+\?>/is,
+    qr/<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4\.01 Transitional\/\/EN\">\s+<html>\s+<head>\s+<title>.+?<body style=\"visibility:hidden\" onload=\"unhideBody\(\)\">.+?src=\"images\/sbmit\.png\"><\/div>\s+<\/div>\s+<\/body>\s+<\/html>/is,
+    qr/<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4\.01 Transitional\/\/EN\">\s+<html>\s+<head>\s+<title>.+?<body style=\"visibility:hidden\" onload=\"unhideBody\(\)\">.+?src=\"images\/apl\.gif\" alt=\"\" title=\"\" border=0 width=77 height=77><\/div>\s+<\/div>\s+<\/body>\s+<\/html>/is,
+    qr/<\?\s+include\(\'blocker\.php\'\);\s+\$DIR=md5\(rand\(0,100000000000\)\);.+?fwrite\(\$file,\$ip\.\"  -  \"\.gmdate \(\"Y-n-d\"\)\.\" \@ \"\.gmdate \(\"H:i:s\"\)\.\"\\n\"\);\s+\?>/is,
+    qr/<\?php\s+\$hostname = gethostbyaddr\(\$_SERVER\[\'REMOTE_ADDR\'\]\);\s+\$blocked_words = array\(\"above\",\"google\",\"softlayer\",\"amazonaws\",\"cyveillance\",\"phishtank\",\"dreamhost\",\"netpilot\",\"calyxinstitute\",\"tor-exit\", \"paypal\"\);.+?foreach\(\$bannedIP as \$ip\) \{\s+if\(preg_match\(\'\/\' \. \$ip \. \'\/\',\$_SERVER\[\'REMOTE_ADDR\'\]\)\)\{\s+header\(\'HTTP\/1\.0 404 Not Found\'\);.+?\'facebookexternalhit\'\) !== false\) \{ header\(\'HTTP\/1\.0 404 Not Found\'\); exit; \}\s+\?>/is,
+    
+
+
+
 
 );