From 83688c4b609030954a6b582d05f54ea4c613d05f Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD <malin@cenusa.me>
Date: Wed, 2 May 2018 13:34:19 +0200
Subject: [PATCH] new patterns

---
 malware5.pl  | 1 +
 malwaresh.pl | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/malware5.pl b/malware5.pl
index 309efc1..9c88c9a 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -375,6 +375,7 @@ my @regexen = (
     qr/<\?php.+?system\s+file\s+do\s+not\s+delete.+?eval\(\$\_\_\_\(\$\_\_\)\)\;/is,
     qr/<\?php\s+if\s+\(isset\(\$\_GET\[\"([A-z0-9]{1,20})\"\]\)\)\s+die\(\$\_GET\[\"([A-z0-9]{1,20})\"\]\)\;\s+if\s+\(isset\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\)\s+\{\s+eval\(base64\_decode\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\)\;\s+exit\;\s+\}\s+\?>/is,
     qr/<\?php\s+define\(\'CONFIG_FILE\'\,\s+\'\/images\/config\.db\'\)\;.+?function\s+getLinks\(\$server\_host\,\s+\$server\_port\,\s+\$path\,\s+\$key\).+?process\(\)\;\s+\?>/is,
+    qr/<\?php.+?Array\(\)\;global\s+\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\s+\=\s+\$GLOBALS\;\$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}\[.+?\{eval\/\*([A-z0-9]{1,20})\*\/\(\$.+?\}exit\(\)\;\}\s+\?>/is,
    
     );
 
diff --git a/malwaresh.pl b/malwaresh.pl
index 8d674fa..26a65bd 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -858,6 +858,8 @@ my @regexen = (
     qr/<\?php.+?system\s+file\s+do\s+not\s+delete.+?eval\(\$\_\_\_\(\$\_\_\)\)\;/is,
     qr/<\?php\s+if\s+\(isset\(\$\_GET\[\"([A-z0-9]{1,20})\"\]\)\)\s+die\(\$\_GET\[\"([A-z0-9]{1,20})\"\]\)\;\s+if\s+\(isset\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\)\s+\{\s+eval\(base64\_decode\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\)\;\s+exit\;\s+\}\s+\?>/is,
     qr/<\?php\s+define\(\'CONFIG_FILE\'\,\s+\'\/images\/config\.db\'\)\;.+?function\s+getLinks\(\$server\_host\,\s+\$server\_port\,\s+\$path\,\s+\$key\).+?process\(\)\;\s+\?>/is,
+    qr/<\?php.+?Array\(\)\;global\s+\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\s+\=\s+\$GLOBALS\;\$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}\[.+?\{eval\/\*([A-z0-9]{1,20})\*\/\(\$.+?\}exit\(\)\;\}\s+\?>/is,
+    
 
 );