From 8009e4c078e75051ff2d713c471d1d5294b94ab7 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Mon, 28 Aug 2017 12:53:00 +0200
Subject: [PATCH] new patterns
---
 malware4.pl | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/malware4.pl b/malware4.pl
index 80fa1e2..889a37e 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -171,6 +171,9 @@ my @regexen = (
 qr/<\?php\s+\/\/\/\s+WebShell.+?echo\s+\"sent\_error\"\;\s+\}\s+\}\s+\?>/is,
 qr/<\?php\s+error\_reporting\(0\)\;\s+define\(\'TMP\'\,\'\.\/tmp\/\'\)\;\s+define\(\'BUF\'\,65536\)\;\s+define\(\'ZLEVEL\'\,9\)\;.+?header\(\"STATUS\:\s+OK\"\)\;\s+\}/is,
 qr/<\?php\s+\$cfg\=.+?\)\)\{echo\s+\$goto\_body\;\}\s+\?>/is,
+ qr/<\!DOCTYPE.+?404.+?<address>Apache\/2\.4.+?<\/html>/is,
+ qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1})\"\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\)\;\s+\?>/is,
+
 );

 my @base64_decodes = (
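Review bot: The first added pattern, `qr/<\!DOCTYPE.+?404.+?<address>Apache\/2\.4.+?<\/html>/is`, has no PHP- or payload-specific token, so it matches any stored Apache 2.4 error page, and under `/s` any HTML file that contains `404` somewhere before an Apache footer; if entries in `@regexen` are cleaned or quarantined rather than only reported (not visible in this hunk), that is a false-positive risk and the pattern needs a sample-specific anchor. In the second pattern `[A-z0-9]` also admits `[`, `\`, `]`, `^`, `_` and the backtick; `[A-Za-z0-9_]` says what is presumably meant, and `{1}` is redundant. The eleven unbounded `.+?` gaps under `/s` let the engine retry many combinations of `.chr(` positions when a scanned file contains many of them but never reaches the closing `\)\;\s+\?>` tail, so a crafted file could stall the scanner; bounding each gap, e.g. `\.chr\([^;]{1,64}?` (to be checked against the sample this was written for), keeps match time predictable. A one-line comment above each entry naming the sample or family it targets would make later tuning possible; the `@regexen` list itself begins above the hunk.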