From 8b02938f662166f09056a904d18f37a11112716d Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Sat, 20 Jan 2018 11:15:48 +0100
Subject: [PATCH] new patterns
---
 malware4.pl | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/malware4.pl b/malware4.pl
index 4213562..34205a6 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -283,11 +283,14 @@ my @regexen = (
 qr/<\?php\s+if\(\!\@\$codevyp\)\{if\(preg\_match\(\'\/alltheweb\|aol\|baidu\|.+?\;\}\@\$codevyp\=true\;\}\?>/is,
 qr/<\?php\s+if\(\!\@\$incode\!\=false\|\|\!\@\$incode\!\=null\).+?foreach\(scandir\(.+?\=true\;\$incode\=true\;\}\?>/is,
 qr/<\?php\s+\$([A-z0-9]{1,30})\=\".+?\"\;\s+eval\(base64\_decode\(gzuncompress\(base64\_decode\(\$([A-z0-9]{1,30})\)\)\)\)\;\?>/is,
- qr/<\?php\s+\$auth\_pass\s+\=\s+\"([A-z0-9]{32})\"\;\s+\$color\s+\=\s+\"\#df5\"\;\s+\$default\_action\s+\=\s+\'FilesMan\'\;\s+\$default\_use\_ajax\s+\=\s+true\;\s+\$default\_charset\s+\=\s+\'UTF\-8\'\;if\(\!empty\(\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s+\{\s+\$userAgents\s+\=\s+array\(\"Google\"\,\s+\"Slurp\"\,\s+\"MSNBot\"\,\s+\"ia\_archiver\"\,\s+\"Yandex\"\,\s+\"Rambler\"\)\;\s+if\(preg\_match\(\'\/\'\s+\.\s+implode\(\'\|\'\,\s+\$userAgents\)\s+\.\s+\'\/i\'\,\s+\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s+\{\s+header\(\'HTTP\/1\.0\s+404\s+Not\s+Found\'\)\;\s+exit\;/is,
+ qr/<\?php\s+\$auth\_pass.+?\$default\_action.+?\$userAgents\).+?\s+exit\;/is,
 qr/<\?php\s+define\(\'vpsp\_version\'\,\s+\'2\.5\.0\'\)\;\s+define\(\'vpsp\_pwd\'.+?\}\s+else\s+\{\s+\$ok\s+\=\s+fread\(\$input\,\s+2\)\;\s+if\s+\(\$ok\s+\!\=\s+\'OK\'\)\s+\{\s+header\(\'X\-VPSP\-ERROR\:\s+bad\_request\'\)\;\s+header\(\'X\-VPSP\-HOST\:\s+\'\s+\.\s+\(isset\(\$\_SERVER\[\'HTTPS\'\]\).+?function\s+VC\_Decrypt\(\$str\).+?\}\s+return\s+\$out\;\s+\}/is,
 qr/<\?php\s+preg\_replace\(\"\/\.\*\/e\"\,\"\Wx65.+?\Wx3B\"\,\"\.\"\)\;\s+\?>/is,
+ qr/<\?php\s+\$D\=strrev\(\'edoced\_46esab\'\)\;\$s\=gzinflate\(\$D\(.+?\)\)\;create\_function\(\'\'\,\"\}\$s\/\/\"\)\;\s+\?>/is,
+ qr/<\?php\s+\@set\_time\_limit\(0\)\;\s+if\(isset\(\$\_POST\[\'Enoc\'\]\)\).+?