From 8ba47dae1c87cd9b3acadd2c325c5c8abc7ed34d Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Mon, 7 May 2018 11:14:57 +0200
Subject: [PATCH] new patterns
---
 malware5.pl | 1 +
 malwaresh.pl | 1 +
 2 files changed, 2 insertions(+)
diff --git a/malware5.pl b/malware5.pl
index 4207211..70e8bb6 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -463,6 +463,7 @@ my @regexen = (
 qr/<\?php\s+\@system\(\"cd\s+\/tmp\;wget\s+http\:\/\/.+?\@shell\_exec\(\"cd\s+\/tmp\;wget\s+http\:\/\/.+?\?>/is,
 qr/<\?php.+?array\(\"\.\"\,\"\.\.\"\,\"\.\.\/\.\.\"\,\s+\"\.\.\/\.\.\/\.\.\"\)\;.+?array\(\"index\.html\"\,\s+\"index\.htm\"\,\s+\"index\.shtml\"\,\s+\"default\.asp\"\)\;.+?\]\)\.\"\?domain\=\"\.base64\_encode\(\$\_SERVER\[\'HTTP\_HOST\'\]\)\)\;.+?\"\)\;\s+\?>/is,
 qr/<\?php.+?\@shell\_exec\(\"cd\s+\/tmp\;\s+wget\s+http\:\/\/.+?\?>/is,
+ qr/<\?\s+error\_reporting\(.+?\)\.\"\.\"\.base64\_encode\(\$.+?if\s+\(\(include\(base64\_decode\(.+?\)\.\"\/\?\"\.\$str\)\;\}\s+\?>/is,
 );
diff --git a/malwaresh.pl b/malwaresh.pl
index d9f3aba..d7ef016 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -946,6 +946,7 @@ my @regexen = (
 qr/<\?php\s+\@system\(\"cd\s+\/tmp\;wget\s+http\:\/\/.+?\@shell\_exec\(\"cd\s+\/tmp\;wget\s+http\:\/\/.+?\?>/is,
 qr/<\?php.+?array\(\"\.\"\,\"\.\.\"\,\"\.\.\/\.\.\"\,\s+\"\.\.\/\.\.\/\.\.\"\)\;.+?array\(\"index\.html\"\,\s+\"index\.htm\"\,\s+\"index\.shtml\"\,\s+\"default\.asp\"\)\;.+?\]\)\.\"\?domain\=\"\.base64\_encode\(\$\_SERVER\[\'HTTP\_HOST\'\]\)\)\;.+?\"\)\;\s+\?>/is,
 qr/<\?php.+?\@shell\_exec\(\"cd\s+\/tmp\;\s+wget\s+http\:\/\/.+?\?>/is,
+ qr/<\?\s+error\_reporting\(.+?\)\.\"\.\"\.base64\_encode\(\$.+?if\s+\(\(include\(base64\_decode\(.+?\)\.\"\/\?\"\.\$str\)\;\}\s+\?>/is,
 );
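Review bot: The three `.+?` gaps in the added `qr/<\?\s+error\_reporting\(...` signature run under `/s` with no bound, so a match can start at a legitimate `<? error_reporting(` block and extend across `?>` boundaries into a later, unrelated block; if whatever consumes `@regexen` (not visible in this hunk) strips or quarantines the matched span, benign code goes with it, and a large file holding only the opening fragment is scanned to end of file from every candidate start. Keeping each gap inside one PHP block would avoid that, e.g. `(?:(?!\?>).)+?` in place of each `.+?`, or a length cap sized from the sample. The opener `<\?\s+` also differs from the neighbouring signatures, which anchor on `<\?php`; `<\?(?:php)?\s+` would cover both spellings. The identical line is added to `malwaresh.pl` in the second hunk, so the same applies there, and the two `@regexen` lists would drift less if both scripts loaded them from one shared file. Both lists start outside their hunks.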