From 96eb1e55369dc6b756c7f8e6a7573d2977f74dd4 Mon Sep 17 00:00:00 2001 From: Palma Solutions LTD Date: Sun, 17 Feb 2019 07:28:56 +0100 Subject: [PATCH] new patterns + AEF fix --- cms-ver.php | 4 ++-- cms-vss.php | 3 ++- malware6.pl | 3 ++- malwaresh.pl | 1 + 4 files changed, 7 insertions(+), 4 deletions(-) diff --git a/cms-ver.php b/cms-ver.php index 7eca323..8e5b1dd 100644 --- a/cms-ver.php +++ b/cms-ver.php @@ -82,7 +82,6 @@ array("appRain", "/development/definition/system_configuration/config.xml", "", ""), array("ClipperCMS", "/manager/includes/version.inc.php", "define('CMS_RELEASE_VERSION',", ""), // forked from ModX array("MyBB", "/inc/class_core.php", "public \$version =", ""), - array("AEF", "/globals.php", "// AEF : Advanced Electron Forum", ""), array("Vanilla", "/conf/config.php", "\$Configuration\['Vanilla'\]\['Version'\] =". ""), array("PunBB", "/include/constants.php", "define('FORUM_VERSION',", ""), array("FluxBB", "/include/common.php", "define('FORUM_VERSION',", ""), @@ -276,7 +275,8 @@ $versiondouble = array ( array("CS-Cart", "/config.php", "define('PRODUCT_NAME',", "define('PRODUCT_VERSION',", "Maintained"), array("SohoLaunch", "/sohoadmin/version.php", "## Soholaunch(R)", "## Version", "EOL"), array("XMB", "/db/mysql.php", "* eXtreme Message Board", " * XMB ", "EOL"), - + array("AEF", "/globals.php", "// AEF : Advanced Electron Forum", "// Version", "EOL"), + ); foreach($versiondouble as $raw){ diff --git a/cms-vss.php b/cms-vss.php index 4f6224e..41a371c 100644 --- a/cms-vss.php +++ b/cms-vss.php 
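Review bot: The version marker `"// Version"` in the AEF row added to `$versiondouble` (second `cms-ver.php` hunk) is a generic comment prefix, so whether it selects the right line of `/globals.php` depends on the matching loop, which begins at `foreach($versiondouble as $raw){` and continues outside the hunk. If that loop takes the first line containing the marker, a more specific marker string would make a wrong or missing version less likely, which matters because the row is reported as `"EOL"`. The identical row is added to `cms-vss.php` in the same commit, so the two tables have to be kept in step by hand; moving `$versiondouble` into one shared include would remove that. The added line after the row appears to hold only whitespace and can be dropped.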
@@ -96,7 +96,6 @@ array("appRain", "/development/definition/system_configuration/config.xml", "", ""), array("ClipperCMS", "/manager/includes/version.inc.php", "define('CMS_RELEASE_VERSION',", ""), // forked from ModX array("MyBB", "/inc/class_core.php", "public \$version =", ""), - array("AEF", "/globals.php", "// AEF : Advanced Electron Forum", ""), array("Vanilla", "/conf/config.php", "\$Configuration\['Vanilla'\]\['Version'\] =". ""), array("PunBB", "/include/constants.php", "define('FORUM_VERSION',", ""), array("FluxBB", "/include/common.php", "define('FORUM_VERSION',", ""), @@ -290,6 +289,8 @@ $versiondouble = array ( array("CS-Cart", "/config.php", "define('PRODUCT_NAME',", "define('PRODUCT_VERSION',", "Maintained"), array("SohoLaunch", "/sohoadmin/version.php", "## Soholaunch(R)", "## Version", "EOL"), array("XMB", "/db/mysql.php", "* eXtreme Message Board", " * XMB ", "EOL"), + array("AEF", "/globals.php", "// AEF : Advanced Electron Forum", "// Version", "EOL"), + ); diff --git a/malware6.pl b/malware6.pl index ea0f308..771c241 100644 --- a/malware6.pl +++ b/malware6.pl @@ -1376,7 +1376,8 @@ my @regexen = ( qr/<\?php\s+\$md5 = \"([A-z0-9_]{1,32})\";\s+\$([A-z0-9_]{1,5}) = array\(.+?6.+?4.+?\);\s+\$([A-z0-9_]{1,32}) = create_function\(.+?\'\);\s+\?>/is, qr/<\?php\s+\$.+?if\(!function_exists\(\'str_ireplace\'\)\)\{function str_ireplace\(\$from,\$to,\$string\)\{return trim\(preg_replace\(\"\/\"\.addcslashes\(\$from,\"\?\:\\\\\/\*\^\$\"\)\.\"\/si\",\$to,\$string\)\);\}\};\$.+?\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}\[\"\\x4f\\x4f\\x4f\\x30\\x4f\\x5f\\x30\\x30\\x5f\\x5f\"\]\(\);\?>/is, qr/<\?php.+?\$filter = \'base\'\.\'6\'\.\'4\'\.\'_decode\';.+?\$prepare_func = \'g\'\.\'z\'\.\'inflate\';.+?return \@\$prepare_func\( \$filter \);.+?\}\s+wp_admin_bar_header\(\);/is, - + qr/<\?php if\(isset\(\$_REQUEST\[\"([A-z0-9_]{1,20})\"\]\)\)\{\$myvar = base64_decode\(\$_REQUEST\[\"([A-z0-9_]{1,20})\"\]\); eval\(\$myvar\);\}\?>/is, + 
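Review bot: The request-key class `[A-z0-9_]` in the signature added to `@regexen` in `malware6.pl` spans more than letters, because the range `A-z` also takes in the punctuation between `Z` and `a`; with `/i` already set, `[a-z0-9_]` states what is meant. The pattern also pins the exact spacing of one sample (`<\?php if`, `\$myvar = `, `; eval`), so the same stub with different whitespace would not be flagged, and `\s+` or `\s*` at those points keeps the rule just as specific about behaviour. Suggested line: `qr/<\?php\s+if\(isset\(\$_REQUEST\[\"([a-z0-9_]{1,20})\"\]\)\)\{\s*\$myvar\s*=\s*base64_decode\(\$_REQUEST\[\"([a-z0-9_]{1,20})\"\]\);\s*eval\(\$myvar\);\s*\}\s*\?>/is,`. The same line is added in the `malwaresh.pl` hunk and needs the same change. How `@regexen` is applied is outside the hunk, so confirm whether the two capture groups are read before altering them.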
diff --git a/malwaresh.pl b/malwaresh.pl index c90511e..f0e7ed5 100644 --- a/malwaresh.pl +++ b/malwaresh.pl @@ -1386,6 +1386,7 @@ my @regexen = ( qr/<\?php\s+\$md5 = \"([A-z0-9_]{1,32})\";\s+\$([A-z0-9_]{1,5}) = array\(.+?6.+?4.+?\);\s+\$([A-z0-9_]{1,32}) = create_function\(.+?\'\);\s+\?>/is, qr/<\?php\s+\$.+?if\(!function_exists\(\'str_ireplace\'\)\)\{function str_ireplace\(\$from,\$to,\$string\)\{return trim\(preg_replace\(\"\/\"\.addcslashes\(\$from,\"\?\:\\\\\/\*\^\$\"\)\.\"\/si\",\$to,\$string\)\);\}\};\$.+?\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}\[\"\\x4f\\x4f\\x4f\\x30\\x4f\\x5f\\x30\\x30\\x5f\\x5f\"\]\(\);\?>/is, qr/<\?php.+?\$filter = \'base\'\.\'6\'\.\'4\'\.\'_decode\';.+?\$prepare_func = \'g\'\.\'z\'\.\'inflate\';.+?return \@\$prepare_func\( \$filter \);.+?\}\s+wp_admin_bar_header\(\);/is, + qr/<\?php if\(isset\(\$_REQUEST\[\"([A-z0-9_]{1,20})\"\]\)\)\{\$myvar = base64_decode\(\$_REQUEST\[\"([A-z0-9_]{1,20})\"\]\); eval\(\$myvar\);\}\?>/is, );
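Review bot: Nothing next to the entry added to `@regexen` in `malwaresh.pl` says what it detects, and the surrounding entries are equally bare, so a hit cannot be traced back to a rule description during triage. A one-line comment above it would do, for example `# PHP stub: base64_decode() of a $_REQUEST parameter passed to eval()`. The three context patterns and the new one are identical to those in the `malware6.pl` hunk, which suggests the two scripts carry copies of one list; loading the patterns from a single shared file would stop them drifting apart. The `@regexen` list starts before this hunk.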