From 88ecdf33a7e612a1b34a4d0cce5ffe18714dfcaa Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Thu, 28 Jun 2018 12:37:54 +0200
Subject: [PATCH] new patterns
---
 malware6.pl | 3 ++-
 malwaresh.pl | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/malware6.pl b/malware6.pl
index eb0134e..927e719 100644
--- a/malware6.pl
+++ b/malware6.pl
@@ -245,7 +245,8 @@ my @regexen = (
 qr/Vuln!! patch it Now!<\/title>\s+<\?php\s+echo \'<form action=\"\".+?Shell Uploaded ! :\)<b><br><br>\'; \}\s+else \{ echo \'<b>Not uploaded ! <\/b><br><br>\'; \}\s+\}\s+\?>/is,
 qr/<\? eval\(gzinflate\(strrev\(unserialize\(str_rot13\(base64_decode\(.+?\)\)\)\)\)\); \?>/is,
 qr/<\?php \$ip = getenv\(\"REMOTE_ADDR\"\);.+?Link Mailer.+?mail\(\$bilsnd,\$bilsub,\$bilsmg,\$bilhead,\$message\); \?>/is,
-
+ qr/<\?php \$([A-z0-9_]{1,20}) = \'\'\.chr\(115\)\.\'trre\'\.chr\(118\)\.\'\';\$([A-z0-9_]{1,20}) = array\(.+?\);eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
+
diff --git a/malwaresh.pl b/malwaresh.pl
index aa328fd..75df1d8 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -1233,6 +1233,7 @@ my @regexen = (
 qr/<title>Vuln!! patch it Now!<\/title>\s+<\?php\s+echo \'<form action=\"\".+?Shell Uploaded ! :\)<b><br><br>\'; \}\s+else \{ echo \'<b>Not uploaded ! <\/b><br><br>\'; \}\s+\}\s+\?>/is,
 qr/<\? eval\(gzinflate\(strrev\(unserialize\(str_rot13\(base64_decode\(.+?\)\)\)\)\)\); \?>/is,
 qr/<\?php \$ip = getenv\(\"REMOTE_ADDR\"\);.+?Link Mailer.+?mail\(\$bilsnd,\$bilsub,\$bilsmg,\$bilhead,\$message\); \?>/is,
+ qr/<\?php \$([A-z0-9_]{1,20}) = \'\'\.chr\(115\)\.\'trre\'\.chr\(118\)\.\'\';\$([A-z0-9_]{1,20}) = array\(.+?\);eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
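Review bot: In the signature added to malware6.pl (the identical line is added to malwaresh.pl), the class `[A-z0-9_]` covers the whole ASCII range between `Z` and `a`, so it also accepts `[`, `\`, `]`, `^` and the backtick, none of which can occur in a PHP variable name. Because the pattern already carries `/i`, each `\$([A-z0-9_]{1,20})` can be written `\$[a-z0-9_]{1,20}`; this also drops the six capture groups, which the pattern itself never refers back to. Whether the scanner reads `$1`..`$6` after a match is not visible here, since the `@regexen` list starts and ends outside the hunk. An entry this opaque deserves a comment above it, for example `# loader: builds "strrev" from chr(115).'trre'.chr(118), then eval()s nested calls over an array payload`. Keeping the same literal in two files invites drift, so a shared pattern list may be worth considering if the two scripts are meant to stay in sync.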