diff --git a/malware5.pl b/malware5.pl
index 67fcd0c..2fc7e07 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -290,7 +290,9 @@ my @regexen = (
     qr/<\?php\s+\$auth\_pass\s+\=.+?\(base64\_decode\(.+?\)\;\$\_\=create\_function\(\"\"\,\@gzuncompress\(\$\_\_\)\)\;\$\_\(\)\;\?>/is,
     qr/<\?php\s+\$zend\_framework\=\"\\x\d\d.+?\"\;\s+\@error\_reporting\(0\)\;\s+\$zend\_framework\(\"\"\,.+?\\x\d\w\"\)\;\s+\?>/is,
     qr/\$cookey\s+\=\s+\"([A-z0-9]{1,20})\"\;\s+preg\_replace\(\"\\x23.+?x3b\"\)\;/is,
-    
+    qr/<\?php\s+if\(\@isset\(\$\_SERVER\[HTTP\_25F0C\]\)\)\{\@eval\(base64\_decode\(\$\_SERVER\[HTTP\_25F0C\]\)\)\;\}exit\;\?>/is,
+    qr/<\?php.+?\=\_\_FILE\_\_\;\$.+?\_\_LINE\_\_\;\$.+?eval\(\(base64\_decode\(.+?\)\)\)\;return\;\?>.+?\/([A-z0-9]{1,20})\=/is,
+
 );
 
 my @base64_decodes = (
diff --git a/malwaresh.pl b/malwaresh.pl
index 84a51cf..d1696fe 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -770,7 +770,9 @@ my @regexen = (
     qr/<\?php\s+\$auth\_pass\s+\=.+?\(base64\_decode\(.+?\)\;\$\_\=create\_function\(\"\"\,\@gzuncompress\(\$\_\_\)\)\;\$\_\(\)\;\?>/is,
     qr/<\?php\s+\$zend\_framework\=\"\\x\d\d.+?\"\;\s+\@error\_reporting\(0\)\;\s+\$zend\_framework\(\"\"\,.+?\\x\d\w\"\)\;\s+\?>/is,
     qr/\$cookey\s+\=\s+\"([A-z0-9]{1,20})\"\;\s+preg\_replace\(\"\\x23.+?x3b\"\)\;/is,
-    
+    qr/<\?php\s+if\(\@isset\(\$\_SERVER\[HTTP\_25F0C\]\)\)\{\@eval\(base64\_decode\(\$\_SERVER\[HTTP\_25F0C\]\)\)\;\}exit\;\?>/is,
+    qr/<\?php.+?\=\_\_FILE\_\_\;\$.+?\_\_LINE\_\_\;\$.+?eval\(\(base64\_decode\(.+?\)\)\)\;return\;\?>.+?\/([A-z0-9]{1,20})\=/is,
+