From 743c931fe6a9b36ca9e6ca76394a426f91bbd537 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD <malin@cenusa.me>
Date: Mon, 14 May 2018 06:58:23 +0200
Subject: [PATCH] new patterns

---
 malware5.pl  |  7 +++++++
 malwaresh.pl | 10 +++++++++-
 scan.py      |  1 +
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/malware5.pl b/malware5.pl
index 77f67bf..a69d59c 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -516,6 +516,13 @@ my @regexen = (
     qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\;\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20}).+?\$([A-z0-9]{1,20})\=\_\_FILE\_\_\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\{\d.+?eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\'([A-z0-9]{1,20}).+?\)\)\)\;return\;.+?([A-z0-9]{1,20})\=\=\'\;/is,
     qr/<\?php\s+\$login\_successful\s+\=\s+false\;.+?function\s+selfURL\(\)\s+\{.+?if\(eregi\(\"Linux\"\,\$OSV\)\).+?\$proxy\_shit\=.+?\$([A-z0-9]{1,20})\s+\=\s+urlencode\(\$\w\)\;\s+\?>/is,
     qr/<script>\s+var\s+\_0x([A-z0-9]{1,10})\=\[.+?\(\)\;\"\,\"\\x([A-z0-9]{2})\"\,\"\\x([A-z0-9]{2})\\x([A-z0-9]{2})\\x([A-z0-9]{2})\\x([A-z0-9]{2})\\x([A-z0-9]{2})\"\,\"\\x([A-z0-9]{2}).+?\]\;eval\(function\(\_0x.+?\]\)\,0\,\{\}\)\)\s+<\/script>/is,
+    qr/<\?php\s+\/\/3Turr\~C0nfig\s+public\s+edition.+?\@symlink\(\'\/\'\,\s+\'Turr\/root\'\)\;.+?<\/html>\'\;\s+\}\s+\?>/is,
+    qr/<font\s+id=\"([A-z0-9]{1,10})\"\s+color=\"\#00FFFF\"\s+style=\"width:\s+0;\s+height:\s+0;overflow:\s+hidden;\s+font-family:courier;\s+position:\s+absolute;\s+font-size:\d\dpx\"><a\s+href=http:\/\/.+?(viagra|pharmacy|cialis|levitra).+?<\/a><\/font>/is,
+    qr/<\?php.+?--==\[\[BSKH Auto Symlink\]\]==--.+?gzinflate\(base64\_decode\(\$.+?\}eval\(.+?\)\);\s+\?>/is,
+    qr/<\?php\s+\@error_reporting\(0\);\s+\@set_time_limit\(0\);\s+\$code = \".+?\";\s+\@\s+\?>/is,
+    qr/;tixe.+?;\)0\(emitnur_setouq_cigam_tes\@.+?\" = ssap_htua\$/is,
+    qr/<span style=\"font-size:5px; font-style:italic; font-family:Arial; width:\d\dpx; display:none; color:violet;\">\s+<a href=http:\/\/.+?(viagra|cialis|levitra).+?<\/a>\s+<\/span>/is,
+    
     
 
 );
diff --git a/malwaresh.pl b/malwaresh.pl
index 4fcc754..4b30e23 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -999,7 +999,15 @@ my @regexen = (
     qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\;\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20}).+?\$([A-z0-9]{1,20})\=\_\_FILE\_\_\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\{\d.+?eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\'([A-z0-9]{1,20}).+?\)\)\)\;return\;.+?([A-z0-9]{1,20})\=\=\'\;/is,
     qr/<\?php\s+\$login\_successful\s+\=\s+false\;.+?function\s+selfURL\(\)\s+\{.+?if\(eregi\(\"Linux\"\,\$OSV\)\).+?\$proxy\_shit\=.+?\$([A-z0-9]{1,20})\s+\=\s+urlencode\(\$\w\)\;\s+\?>/is,
     qr/<script>\s+var\s+\_0x([A-z0-9]{1,10})\=\[.+?\(\)\;\"\,\"\\x([A-z0-9]{2})\"\,\"\\x([A-z0-9]{2})\\x([A-z0-9]{2})\\x([A-z0-9]{2})\\x([A-z0-9]{2})\\x([A-z0-9]{2})\"\,\"\\x([A-z0-9]{2}).+?\]\;eval\(function\(\_0x.+?\]\)\,0\,\{\}\)\)\s+<\/script>/is,
-        
+    qr/<\?php\s+\/\/3Turr\~C0nfig\s+public\s+edition.+?\@symlink\(\'\/\'\,\s+\'Turr\/root\'\)\;.+?<\/html>\'\;\s+\}\s+\?>/is,
+    qr/<font\s+id=\"([A-z0-9]{1,10})\"\s+color=\"\#00FFFF\"\s+style=\"width:\s+0;\s+height:\s+0;overflow:\s+hidden;\s+font-family:courier;\s+position:\s+absolute;\s+font-size:\d\dpx\"><a\s+href=http:\/\/.+?(viagra|pharmacy|cialis|levitra).+?<\/a><\/font>/is,
+    qr/<\?php.+?--==\[\[BSKH Auto Symlink\]\]==--.+?gzinflate\(base64\_decode\(\$.+?\}eval\(.+?\)\);\s+\?>/is,
+    qr/<\?php\s+\@error_reporting\(0\);\s+\@set_time_limit\(0\);\s+\$code = \".+?\";\s+\@\s+\?>/is,
+    qr/;tixe.+?;\)0\(emitnur_setouq_cigam_tes\@.+?\" = ssap_htua\$/is,
+    qr/<span style=\"font-size:5px; font-style:italic; font-family:Arial; width:\d\dpx; display:none; color:violet;\">\s+<a href=http:\/\/.+?(viagra|cialis|levitra).+?<\/a>\s+<\/span>/is,
+    
+
+
 );
 
 my @base64_decodes = (
diff --git a/scan.py b/scan.py
index 43c5e36..8d373d4 100644
--- a/scan.py
+++ b/scan.py
@@ -516,6 +516,7 @@ def is_hacked(filename):
             or 'b071e67503e9dcefecafd62e81704ef0' in l \
             or 'c7a628cba22e28eb17b5f5c6ae2a266a' in l \
             or 'a13756bf1e2bd46921c135232774fc5f' in l \
+            or '27e546f1590f71e94c4fb258282fb4a8' in l \
             or '78b45bf662bafae9ac6b66097762c7d5' in l:
             score.append(('MD5', ''))