From 93f36b35a2309e1e97aecb18a738915cd9ade285 Mon Sep 17 00:00:00 2001
From: root
Date: Mon, 5 Aug 2019 07:52:08 +0200
Subject: [PATCH] added new patterns
---
 malware.pl | 3 +++
 malwaresh.pl | 4 +++-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/malware.pl b/malware.pl
index a727c12..c9c59a0 100644
--- a/malware.pl
+++ b/malware.pl
@@ -1453,6 +1453,9 @@ my @regexen = (
 qr/<\?php\s+extract\(\$_REQUEST\) \&\& \@\$internal\(stripslashes\(\$user\)\) \&\& exit;\s+if \(\!class_exists\(\'Ratel\'\)\) \{.+?\$ratel->init\(\$ruri, \$host, \$is_bot\);\s+\}\s+\?>/is,
 qr/\@ini_set\(\'display_errors\', \'0\'\);\s+error_reporting\(0\);\s+\$skipme = false;\s+\$bad_agents = \'\~google.+?register_shutdown_function\(\'ob_end_flush\'\);\s+\}\s+\}\s+\?>/is,
 qr/if\(isset\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\)\)\{\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\);exit;\}/is,
+ qr/<\?php.+?if\(\!function_exists\(.+?=base64_decode\(\$.+?=\(ord\(\$.+?\"\)\);\?>/is,
+ qr/<\?php\s+\$.+?eval\(base64_decode\(gzuncompress\(base64_decode\(\$.+?\)\)\)\);\?>/is,
+ qr/<\?php \$__FILE__=__FILE__;\$__X__=\'.+?\)\);unset\(\$__X__\);unset\(\$__FILE__\); \?>/is,
 );
diff --git a/malwaresh.pl b/malwaresh.pl
index ae56eb9..05e3edc 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
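Review bot: The first two added patterns chain unbounded lazy gaps (`.+?`) under `/s`, so a match can begin at the first `<?php` of an ordinary file and run across unrelated code to a later `base64_decode(` or `eval(` fragment; the identical lines added in the malwaresh.pl hunk have the same problem. That raises the false-positive risk on legitimate PHP that merely uses `function_exists`, `base64_decode` and `ord`, and if matched text is stripped (how `@regexen` is consumed is outside this hunk) the code in between would go with it; the stacked gaps also backtrack heavily on large scanned files. Bound each gap to the size seen in the sample, for example `<\?php.{1,200}?if\(\!function_exists\(` (200 is a placeholder to size from the sample), and put a one-line comment above each pattern naming the sample it was derived from. The `@regexen` list opens before the hunk, so earlier entries were not reviewed.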
@@ -1463,7 +1463,9 @@ my @regexen = (
 qr/<\?php\s+extract\(\$_REQUEST\) \&\& \@\$internal\(stripslashes\(\$user\)\) \&\& exit;\s+if \(\!class_exists\(\'Ratel\'\)\) \{.+?\$ratel->init\(\$ruri, \$host, \$is_bot\);\s+\}\s+\?>/is,
 qr/\@ini_set\(\'display_errors\', \'0\'\);\s+error_reporting\(0\);\s+\$skipme = false;\s+\$bad_agents = \'\~google.+?register_shutdown_function\(\'ob_end_flush\'\);\s+\}\s+\}\s+\?>/is,
 qr/if\(isset\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\)\)\{\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\);exit;\}/is,
-
+ qr/<\?php.+?if\(\!function_exists\(.+?=base64_decode\(\$.+?=\(ord\(\$.+?\"\)\);\?>/is,
+ qr/<\?php\s+\$.+?eval\(base64_decode\(gzuncompress\(base64_decode\(\$.+?\)\)\)\);\?>/is,
+ qr/<\?php \$__FILE__=__FILE__;\$__X__=\'.+?\)\);unset\(\$__X__\);unset\(\$__FILE__\); \?>/is,
 );
 my @base64_decodes = (
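Review bot: The three patterns added here are a verbatim copy of the ones added to malware.pl, and the surrounding context lines match as well, so the signature list appears to be maintained by hand in two scripts. Lists kept this way drift, and a signature present in one scanner but missing from the other is a silent detection gap. Moving the list into one shared module that both scripts load would let a new pattern be added once; as a minimal step, add a comment above the list such as `# keep in sync with @regexen in malware.pl`.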