From 7957fa033fead1559309c2dc5cb2188572fdbdfa Mon Sep 17 00:00:00 2001 From: Palma Solutions LTD Date: Thu, 3 May 2018 11:21:51 +0200 Subject: [PATCH] new patterns --- cms-ver.php | 3 +++ malware5.pl | 4 +++- malwaresh.pl | 3 ++- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/cms-ver.php b/cms-ver.php index 02d261a..53adb77 100644 --- a/cms-ver.php +++ b/cms-ver.php @@ -135,6 +135,9 @@ $versions = array( array("ZenPhoto", "/zp-core/functions.php", "define('ZENPHOTO_VERSION',"), array("ZenPhoto", "/zp-core/version.php","define('ZENPHOTO_VERSION',"), array("Eventum Issue Tracker", "/init.php", "define('APP_VERSION',"), + array("PHPDevShell", "/includes/PHPDS.inc.php", "define('phpdevshell_version', 'PHPDevShell V"), + array("phpAds", "/libraries/lib-dbconfig.inc.php", "\$phpAds_version_readable ="), + array("Smarty Framework", "/smarty/libs/Smarty.class.php", "var \$_version"), // still need to work on these array("CubeCart", "/index.php", "CubeCart v"), // may need one more line diff --git a/malware5.pl b/malware5.pl index 5128039..1d6524c 100644 --- a/malware5.pl +++ b/malware5.pl @@ -387,7 +387,9 @@ my @regexen = ( qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\\x66lat\\x65\(b\"\.chr\(97\)\.\"se64\"\.chr\(95\)\.\"\"\.chr\(100\)\..+?\"([0-9]{1,20})\"\);/is, qr/<\?php.+?Leaf\s+PHP\s+Mailer.+?leafmailer\.pw.+?print\s+\'<\/body>\'\;\s+\?>/is, qr/.+?pornstar.+?gay.+?www\..+?<\/h1><\/a>.+?<\/u>/is, - + qr/<\?php\s+error\_reporting\(.+?\@include\(\$\_FILES\[\'u\'\]\[\'tmp\_name\'\]\)\;.+?header\(\"HTTP\/1\.0\s+404.+?exit\(\)\;\s+\}\s+\?>/is, + qr/<\?php\s+\@assert\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\?>/is, + ); diff --git a/malwaresh.pl b/malwaresh.pl index cc1ba6b..514e6b9 100644 --- a/malwaresh.pl +++ b/malwaresh.pl 
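Review bot: The added Smarty row in cms-ver.php keys on `var \$_version`, which as far as I know is how Smarty 2.x declares its version; 3.x and later declare a `SMARTY_VERSION` class constant in the same file, so those installs would come back without a version. If this inventory is used to flag outdated copies, a second row such as `array("Smarty Framework", "/smarty/libs/Smarty.class.php", "const SMARTY_VERSION"),` would close that gap. The fixed `/smarty/libs/` prefix also assumes one install layout; how the path is resolved is outside this hunk, as is the rest of the `$versions` array.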
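Review bot: The new `@assert` signature in malware5.pl is pinned to one exact spelling of the one-line backdoor (the quoting, the superglobal, the `@` and the absence of whitespace before `;?>` are all fixed), so a copy that differs in any of these is not flagged. The class `[A-z0-9]` is also wider than it reads, because the ASCII range `A-z` takes in `[ \ ] ^ _` and the backtick; `[A-Za-z0-9_]` states the intent. A more tolerant form would be `qr/<\?php\s+\@?assert\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\s*\[\s*['"]([A-Za-z0-9_]{1,20})['"]\s*\]\s*\)\s*;\s*\?>/is,`. The identical line is added to malwaresh.pl in this commit and needs the same change; `@regexen` starts outside the hunk.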
@@ -870,7 +870,8 @@ my @regexen = (
 qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\\x66lat\\x65\(b\"\.chr\(97\)\.\"se64\"\.chr\(95\)\.\"\"\.chr\(100\)\..+?\"([0-9]{1,20})\"\);/is,
 qr/<\?php.+?Leaf\s+PHP\s+Mailer.+?leafmailer\.pw.+?print\s+\'<\/body>\'\;\s+\?>/is,
 qr/.+?pornstar.+?gay.+?www\..+?<\/h1><\/a>.+?<\/u>/is,
-
+ qr/<\?php\s+error\_reporting\(.+?\@include\(\$\_FILES\[\'u\'\]\[\'tmp\_name\'\]\)\;.+?header\(\"HTTP\/1\.0\s+404.+?exit\(\)\;\s+\}\s+\?>/is,
+ qr/<\?php\s+\@assert\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\?>/is,
 );
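Review bot: The `$_FILES` include signature has three unbounded `.+?` gaps under `/s`, so one match can stretch from any `<?php error_reporting(` to an `@include($_FILES['u']['tmp_name'])` arbitrarily far later in the file, and a near miss makes the engine rescan from every `<?php` it finds. Bounding each gap, for example `.{1,300}?` in place of `.+?` (the limit is illustrative and should be tuned on known samples), keeps the match on the dropper itself and caps scan cost on large files. That matters most if the matched text is later stripped or quarantined rather than only reported, which is not visible in this hunk. The same line is added to malware5.pl in this commit; keeping the two signature lists in one shared file would stop them drifting apart.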