From 62dc10d7654cea8aa4f8aaf7725a1053e899bac2 Mon Sep 17 00:00:00 2001
From: Malin
Date: Sat, 1 Oct 2016 11:10:45 +0200
Subject: [PATCH] Update 'malware3.pl'
---
 malware3.pl | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/malware3.pl b/malware3.pl
index 7f2dc70..aebfa9b 100644
--- a/malware3.pl
+++ b/malware3.pl
@@ -28,6 +28,16 @@ my @regexen = (
 qr/<\?php\s+eval\(eval\(.+?\)\;\s+eval\(.+?\)\;\"\)\)\;\s+\?>/is,
 qr/<\?php.+?\@array\_diff\_ukey.+?\@array\s+\(\(string\)stripslashes\s+\(base64\_decode\s+\(\$\_REQUEST.+?return\s+\$included\s+\=\=\=\s+\$count\;\s+\}\s+\}\s+\?>/is,
 qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+mail\(stripslashes\(\$([A-z0-9]{1,20})\)\,\s+stripslashes\(\$([A-z0-9]{1,20})\)\,\s+stripslashes\(\$([A-z0-9]{1,20})\)\,\s+stripslashes\(\$([A-z0-9]{1,20})\)\)\;\s+if\(\$([A-z0-9]{1,20})\)\{echo\s+\'([A-z0-9]{1,20})\'\;\}\s+else\s+\{echo\s+\'([A-z0-9]{1,20})\s+\:\s+\'\s+\.\s+\$([A-z0-9]{1,20})\;\}/is,
+ qr/<\?php.+?\$wp\_object\_cache\=\'\'\.\'\'\.\'\'\.\'b\'\.\'\'\.\'\'\.\'ase\'\.\'\'\.\(448\/7\)\.\'\'\.\'\'\.\'\_de\'\.\'\'\.\'c\'\.\'\'\.\'\'\.\'od\'\.\'\'\.\'e\'\;\s+\$object\_cache\s+\=\s+\"as\"\;\s+\$object\_cache\s+\.\=\s+\"sert\"\;\s+\@\$object\_cache\(\$wp\_object\_cache\(.+?\$this\->cache\_misses\s+\=\&\s+\$this\->stats\[\'add\'\]\;\s+\}\s+\}\*\/\s+\?>/is,
+ qr/<\?php\s+\session_start\(\)\;\s+ob\_start\(\"ob\_gzhandler\"\)\;\s+set\_time\_limit\(0\)\;\s+if\(isset\(\$\_GET\[\"x\"\]\)\)\{echo\"\\[uname\]\"\.php\_uname\(\)\..+?Go\s+Xsender\'\s+name\=\'go\'\s+style\=\'color\:\#FFF\;background\:\#333\;\'\/>\s+<\/div>\s+

\ \;<\/p>\s+<\/form>\s+<\/div>\s+<\/body>\s+<\/html>/is,
+ qr/<\?php\s+\/\/\s+Preventing\s+a\s+directory\s+listing\s+if\(\!empty\(\$\_SERVER\[\"HTTP\_USER\_AGENT\"\]\)\)\s+\{\s+\$userAgents\s+\=\s+array\(\"Google\"\,\s+\"Slurp\"\,\s+\"MSNBot\"\,\s+\"ia\_archiver\"\,\s+\"Yandex\"\,\s+\"Rambler\"\)\;\s+if\(preg\_match\(\"\/\"\s+\.\s+implode\(\"\|\"\,\s+\$userAgents\)\s+\.\s+\"\/i\"\,\s+\$\_SERVER\[\"HTTP\_USER\_AGENT\"\]\)\)\s+\{\s+header\(\"HTTP\/1\.0\s+404\s+Not\s+Found\"\)\;exit\;\s+}\s+\}\s+if\s+\(isset\(\$\_GET\[str\_rot13\(pack\(\"H\*\"\,\s+\"([A-z0-9]{1,20})\"\)\)\]\)\)\s+\{\$\_F\=\_\_FILE\_\_\;\$\_X\=.+?\)\)\;\}/is,
+ qr/<\?php\s+extract\(\$\_POST\,\s+1\)\;\s+strripos\(\@sha1\(\$shall\)\,\s+\"([A-z0-9]{1,10})\"\)\s+\=\=\s+32\s+\&\&\s+\@\$not\(stripslashes\(\$pass\)\)\;/is,
+ qr/<\?php\s+error\_reporting\(E\_ERROR\)\;\s+ini\_set\(\"display\_errors\"\,\s+0\)\;\s+if\s+\(\!isset\(\$\_POST\[\'url\'\]\)\s+\&\&\s+\!isset\(\$\_POST\[\'timeout\']\)\)\s+\{header\(\'HTTP\/1\.1\s+404\s+Not\s+Found\'\)\;echo\s+\'404\s+\-\s+File\s+Not\s+Found<\/title><h1>404\s+\-\s+File\s+Not\s+Found<\/h1>\'\;exit\;\}.+?\}else\{\s+\$curl\_loops\=0\;\s+return\s+\$data\;\s+\}\s+\}\s+\?>/is,
+ qr/<\?php\s+\$mf\s+\=\s+\$\_SERVER\[\'DOCUMENT\_ROOT\'\]\.\'\/wp\-includes\/images\/media\/null\.jpg\'\;if\s+\(file\_exists\(\$mf\)\)\{include\(\$mf\)\;\}\?>/is,
+ qr/<title>Hacked\s+by\s+1337\s+h\@x0r\s+&\s+Xyb3r\s+D3vil<\/title>.+?<br><span>\.\/logout\.<\/span><\/br>/is,
+ qr/<\?php\s+\$([A-z0-9]{1,10})\=.+?\)\)\)\;\s+\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#/is,
+ qr/<html>\s+<head>.+?print\s+\'<h1>\#p\@\$c\@\#<\/h1>\'\;\s+echo\s+\"Your\s+IP\:\s+\"\;\s+\/\*\_\*\/.+?\/\*\_\*\/\s+\$var1\s+\=\s+\$\_SERVER\[\'SCRIPT\_FILENAME\'\]\;\s+touch\(\s+\$var1\s+\)\;\s+\?>\s+<\/body>\s+<\/html>/is,
+ qr/<\?php\s+\/\*\s+PHP\s+Encode\s+by\s+http\:\/\/Www\.PHPJiaMi\.Com\/\s+\*\/.+?\{define\(\'([A-z0-9]{1,10})\'\,\_\_FILE\_\_\)\;if\s+\(function\_exists\(.+?\;/is,
 qr/<\?php\s+\$user\_agent\_to\_filter\s+\=\s+array\(\s+\'\#Ask.+?if\(\s+FALSE\s+\!\=\=\s+strpos\(\s+gethostbyaddr\(\$\_SERVER\[\'REMOTE\_ADDR\'\]\)\,\s+\'google\'\)\)\s+\{\s+\$isbot\s+\=\s+1\;\s+\}\s+if\(\@\$isbot\)\{.+?curl\_close\s+\(\$ch\)\;\s+echo\s+\$result\;\s+\}\s+\?>/is,
 qr/<\?php\s+\@error\_reporting\(0\)\;set\_time\_limit\(150\)\;ignore\_user\_abort\(true\)\;.+?print\s+\'\*send\:ok\*\'\;\s+exit\;.+?imagedestroy\(\$image\_p\)\;return\s+\$out\;\}\s+?>/is,