From 7c8596cfd67dd187afc078c68363f0b3c5bce8f4 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Mon, 28 May 2018 10:43:33 +0200
Subject: [PATCH] new pattern
---
 malware6.pl | 1 +
 malwaresh.pl | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/malware6.pl b/malware6.pl
index 36c7127..102be30 100644
--- a/malware6.pl
+++ b/malware6.pl
@@ -107,6 +107,7 @@ my @regexen = (
 qr/<\?php exec\(\"wget http:\/\/.+?\?>/is,
 qr/<\?php+?elseif\(function_exists\(\"passthru\"\)\)\{.+?fclose\(\$handle\);.+?echo ex\(\"cd \/dev\/shm;rm -rf ([A-z0-9_]{1,20})\.txt\"\);\s+\?>/is,
 qr/<\?php.+?if \(isset\(\$_GET\[\"cookie\"\]\)\) \{ echo \'cookie=4\'; if \(isset\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\) \@eval\(base64_decode\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\); exit; \}.+?\?>/is,
+ qr/<\? \/\*\*\/eval\(base64_decode\(\'aWYo.+?\)\); \?>/is,
diff --git a/malwaresh.pl b/malwaresh.pl
index 0e7ed2f..c2da3d9 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -1092,7 +1092,7 @@ my @regexen = (
 qr/<\?php exec\(\"wget http:\/\/.+?\?>/is,
 qr/<\?php+?elseif\(function_exists\(\"passthru\"\)\)\{.+?fclose\(\$handle\);.+?echo ex\(\"cd \/dev\/shm;rm -rf ([A-z0-9_]{1,20})\.txt\"\);\s+\?>/is,
 qr/<\?php.+?if \(isset\(\$_GET\[\"cookie\"\]\)\) \{ echo \'cookie=4\'; if \(isset\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\) \@eval\(base64_decode\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\); exit; \}.+?\?>/is,
-
+ qr/<\? \/\*\*\/eval\(base64_decode\(\'aWYo.+?\)\); \?>/is,
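Review bot: The added `qr/<\? \/\*\*\/eval\(base64_decode\(\'aWYo.+?\)\); \?>/is` entry (the same line in both the malware6.pl and malwaresh.pl hunks) bounds the payload only with `.+?` under `/s`, so when an injected block is truncated or closed differently the match runs on through unrelated code to the first later `)); ?>` in the file. If `@regexen` drives removal rather than reporting, which these hunks do not show, that would strip legitimate content; constraining the payload to the base64 alphabet and requiring the closing quote avoids it: `qr/<\? \/\*\*\/eval\(base64_decode\(\'aWYo[A-Za-z0-9+\/=]+\'\)\); \?>/is`. The literal single spaces after `<?` and before `?>` also tie the signature to one exact spacing, so `\s*` there may be worth considering if the collected samples vary. The `@regexen` list begins and ends outside both hunks, so how the other entries are bounded is not visible here.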