From 66e210ab0cfb510820b4fdf6b92cde74ff197f5a Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Thu, 10 May 2018 09:38:14 +0200
Subject: [PATCH] new patterns
---
 malware5.pl | 1 +
 malwaresh.pl | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/malware5.pl b/malware5.pl
index 44d259d..f5e706d 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -492,6 +492,7 @@ my @regexen = (
 qr/<\?php\s+\/\*.+?\*\/\s+\@error\_reporting\(0\)\;\s+\@eval\(base64\_decode\(\".+?\)\)\;\s+\/\*.+?\*\/\s+\?>/is,
 qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\|.+?\)\)\=\=\$([A-z0-9]{1,20})\)eval\(\$.+?\'\;/is,
 qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\|.+?\)die\;\$.+?\(false\,\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\).+?\'\;/is,
+ qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'.+?\$([A-z0-9]{1,20})\(\"\"\)\;\s+\$([A-z0-9]{1,20})\=\(\d\d\d\-\d\d\d\)\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
 );
diff --git a/malwaresh.pl b/malwaresh.pl
index 72de73d..eaac065 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -975,7 +975,8 @@ my @regexen = (
 qr/<\?php\s+\@ini\_set\(\'display\_errors\'\,.+?function\s+wp\_cd\(\$.+?\$npDcheckClassBgp.+?\}\s+\?>/is,
 qr/<\?php\s+\$login\=\"\"\;\s+\$md5\_pass\=\"\".+?eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
 qr/<\?php\s+\/\*.+?\*\/\s+\@error\_reporting\(0\)\;\s+\@eval\(base64\_decode\(\".+?\)\)\;\s+\/\*.+?\*\/\s+\?>/is,
-
+ qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'.+?\$([A-z0-9]{1,20})\(\"\"\)\;\s+\$([A-z0-9]{1,20})\=\(\d\d\d\-\d\d\d\)\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
+
 );
 my @base64_decodes = (
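Review bot: In the entry added to `@regexen` in malware5.pl, the `\'.+?\$` run is unbounded under `/s`, so the matched span can begin at an unrelated earlier `<?php $x = '` block and swallow everything up to the tail it is really looking for, and every candidate start with no tail behind it costs a scan to end of file. Consider stopping the lazy run at the closing tag, e.g. `\'(?:(?!\?>).)+?\$`, or capping it with a length bound, and confirm the result against the sample this signature was written for. The class `[A-z0-9]` also covers the ASCII characters between `Z` and `a` (brackets, backslash, caret, underscore, backtick); `[A-Za-z0-9_]` states a PHP identifier character without the stray punctuation. The identical line added to malwaresh.pl has the same two issues. The `@regexen` list opens outside the hunk and the code that consumes a match is not visible, so whether an over-long match is only reported or also removed from the file should be checked there.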
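Review bot: The signature added to malwaresh.pl carries no comment saying what it matches, and it is a byte-for-byte copy of the line added to malware5.pl, so the two lists can drift apart on the next edit. A one-line comment above it such as `# <?php $a = '…' … $b(""); $c=(NNN-NNN); $d=$e-1; ?>` would let a responder tell which signature fired without decoding the escapes. The five `(...)` groups are not referenced inside the pattern; if the code that walks `@regexen` (outside this hunk) does not read them, `(?:...)` avoids the capture overhead. The hunk also swaps one blank line for another before `);`, which looks like whitespace-only churn.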