From 6e2ebb67e3d9f46275cd4e58e01a640b29a9d97a Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD <malin@cenusa.me>
Date: Wed, 26 Dec 2018 12:17:17 +0100
Subject: [PATCH] new patterns

---
 malware6.pl  | 2 +-
 malwaresh.pl | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/malware6.pl b/malware6.pl
index 03006dd..a18acb0 100644
--- a/malware6.pl
+++ b/malware6.pl
@@ -379,7 +379,7 @@ my @regexen = (
     qr/<\?php\s+error_reporting\(E_ERROR\);set_time_limit\(0\);\s+if\(isset\(\$_POST\[\'.+?\'\]\)\)\{\s+\$tofile=\'40\d\.php\';\s+\$a =base64_decode\(strtr\(\$_POST\[\'.+?\'\], \'-_,\', \'+\/=\'\)\);\s+\$a=\'<\?php \'\.\$a\.\'\?>\';\s+\@file_put_contents\(\$tofile,\$a\);\s+require_once\(\'40\d\.php\'\);\s+\@unlink\(\$tofile\);\s+exit;\s+\}\s+\?>/is,
     qr/<\?php\s+if \(isset \(\$_GET\[\'check\'\]\)\) \{\s+echo \"checked\";.+?<h1>File<\/h1>.+?echo\(\"FILE\"\);\s+\}\s+\?>\s+<\/body>\s+<\/html>/is,
     qr/<\?php function ([A-z0-9_]{1,20})\(\$i\)\{\$a=Array\(\"([A-z0-9_]{1,20})\",\"([A-z0-9_]{1,20})\",\"([A-z0-9_]{1,20})\",\"([A-z0-9_]{1,20})\",\"\w\*\"\);return \$a\[\$i\];\} \?>/is,
-    qr/<\?php\s+if\(isset\(\$_POST\[\'.+?\'\]\)\)\{\s+\$index=\$_SERVER\[\'DOCUMENT_ROOT\'\]\.base64_decode\(strtr\(\$_POST\[\'filename\'\],\'-_,\',\'+\/=\'\)\);\s+\$b =base64_decode\(file_get_contents\(\$_POST\[\'b\'\]\)\);\s+\@file_put_contents\(\$index,\$b\);\s+echo \'ok\';\s+\}\s+\?>/is,
+    qr/<\?php\s+if\(isset\(\$_POST\[.+?\$index=\$_SERVER\[\'DOCUMENT_ROOT\'\]\.base64_decode\(strtr\(\$_POST\[\'filename\'\].+?\$b =base64_decode\(file_get_contents\(\$_POST\[\'b\'\]\)\);\s+ \@file_put_contents\(\$index,\$b\);\s+echo \'ok\';\s+\}\s+\?>/is,
     
    
     
diff --git a/malwaresh.pl b/malwaresh.pl
index c8faf10..175048d 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -1367,6 +1367,7 @@ my @regexen = (
     qr/<\?php function ([A-z0-9_]{1,20})\(\$i\)\{\$a=Array\(\"([A-z0-9_]{1,20})\",\"([A-z0-9_]{1,20})\",\"([A-z0-9_]{1,20})\",\"([A-z0-9_]{1,20})\",\"\w\*\"\);return \$a\[\$i\];\} \?>/is,
     qr/<\?php\s+if\(isset\(\$_POST\[\'.+?\'\]\)\)\{\s+\$index=\$_SERVER\[\'DOCUMENT_ROOT\'\]\.base64_decode\(strtr\(\$_POST\[\'filename\'\],\'-_,\',\'+\/=\'\)\);\s+\$b =base64_decode\(file_get_contents\(\$_POST\[\'b\'\]\)\);\s+\@file_put_contents\(\$index,\$b\);\s+echo \'ok\';\s+\}\s+\?>/is,
     qr/<\?php\s+error_reporting\(E_ERROR\);set_time_limit\(0\);\s+if\(isset\(\$_POST\[\'.+?\'\]\)\)\{\s+\$tofile=\'40\d\.php\';\s+\$a =base64_decode\(strtr\(\$_POST\[\'.+?\'\], \'-_,\', \'+\/=\'\)\);\s+\$a=\'<\?php \'\.\$a\.\'\?>\';\s+\@file_put_contents\(\$tofile,\$a\);\s+require_once\(\'40\d\.php\'\);\s+\@unlink\(\$tofile\);\s+exit;\s+\}\s+\?>/is,
+    qr/<\?php\s+if\(isset\(\$_POST\[.+?\$index=\$_SERVER\[\'DOCUMENT_ROOT\'\]\.base64_decode\(strtr\(\$_POST\[\'filename\'\].+?\$b =base64_decode\(file_get_contents\(\$_POST\[\'b\'\]\)\);\s+ \@file_put_contents\(\$index,\$b\);\s+echo \'ok\';\s+\}\s+\?>/is,
 
 
 );