new patterns

malware5.pl

@@ -464,8 +464,13 @@ my @regexen = (
     qr/<\?php.+?array\(\"\.\"\,\"\.\.\"\,\"\.\.\/\.\.\"\,\s+\"\.\.\/\.\.\/\.\.\"\)\;.+?array\(\"index\.html\"\,\s+\"index\.htm\"\,\s+\"index\.shtml\"\,\s+\"default\.asp\"\)\;.+?\]\)\.\"\?domain\=\"\.base64\_encode\(\$\_SERVER\[\'HTTP\_HOST\'\]\)\)\;.+?\"\)\;\s+\?>/is,
     qr/<\?php.+?\@shell\_exec\(\"cd\s+\/tmp\;\s+wget\s+http\:\/\/.+?\?>/is,
     qr/<\?\s+error\_reporting\(.+?\)\.\"\.\"\.base64\_encode\(\$.+?if\s+\(\(include\(base64\_decode\(.+?\)\.\"\/\?\"\.\$str\)\;\}\s+\?>/is,
+    qr/GIF89a.+?<\?php\s+eval\(gzinflate\(str\_rot13\(base64\_decode\(.+?\)\)\)\)\;\s+\?>/is,
+    qr/GIF89a.+?<\?php.+?webadmin\.php.+?function\s+error\s+\(\$phrase\)\s+\{.+?\}\s+\?>/is,
+    qr/GIF89a.+?<\?php\s+if\s+\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\s+eval\(stripslashes\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+\?>/is,
+    qr/<\?php\s+print\s+\'\!hacked\!\'\;\s+\?>/is,
+    qr/<\?php\s+system\(\'wget\s+http\:\/\/.+?\)\;\?>/is,
 
-    );
+);
 
 my @base64_decodes = (
 

malwaresh.pl

@@ -947,6 +947,12 @@ my @regexen = (
     qr/<\?php.+?array\(\"\.\"\,\"\.\.\"\,\"\.\.\/\.\.\"\,\s+\"\.\.\/\.\.\/\.\.\"\)\;.+?array\(\"index\.html\"\,\s+\"index\.htm\"\,\s+\"index\.shtml\"\,\s+\"default\.asp\"\)\;.+?\]\)\.\"\?domain\=\"\.base64\_encode\(\$\_SERVER\[\'HTTP\_HOST\'\]\)\)\;.+?\"\)\;\s+\?>/is,
     qr/<\?php.+?\@shell\_exec\(\"cd\s+\/tmp\;\s+wget\s+http\:\/\/.+?\?>/is,
     qr/<\?\s+error\_reporting\(.+?\)\.\"\.\"\.base64\_encode\(\$.+?if\s+\(\(include\(base64\_decode\(.+?\)\.\"\/\?\"\.\$str\)\;\}\s+\?>/is,
+    qr/GIF89a.+?<\?php\s+eval\(gzinflate\(str\_rot13\(base64\_decode\(.+?\)\)\)\)\;\s+\?>/is,
+    qr/GIF89a.+?<\?php.+?webadmin\.php.+?function\s+error\s+\(\$phrase\)\s+\{.+?\}\s+\?>/is,
+    qr/GIF89a.+?<\?php\s+if\s+\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\s+eval\(stripslashes\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+\?>/is,
+    qr/<\?php\s+print\s+\'\!hacked\!\'\;\s+\?>/is,
+    qr/<\?php\s+system\(\'wget\s+http\:\/\/.+?\)\;\?>/is,
+    
 
 );