From 99072293b08dcbffbd146a11c772c0c1390b9047 Mon Sep 17 00:00:00 2001
From: Malin <malin@cenusa.me>
Date: Wed, 5 Oct 2016 12:33:20 +0200
Subject: [PATCH] Update 'malware3.pl'

---
 malware3.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/malware3.pl b/malware3.pl
index 601b00a..6118dc5 100644
--- a/malware3.pl
+++ b/malware3.pl
@@ -24,7 +24,7 @@ my @regexen = (
     qr/<\?php\s+\$([A-z0-9]{1,10})\=\'aWYoaXNzZXQoJF9SRVFVRVNUWydjb2NvJ10pICYmICRfUkVRVUVTVFsnY29jbyddIT0nJyl7ZXZhbCgkX1JFUVVFU1RbJ2NvY28nXSk7ZXhpdCgpO30\=\'\;eval\(base64\_decode\(\$([A-z0-9]{1,10})\)\)\;exit\(\)\;\s+\?>/is,
     qr/<script.+?G91825.+?<\/script>/is,
     qr/<\?php\s+if\(\@md5\(\$\_SERVER\[\'HTTP\_PATH\'\]\)\=\=\=\'([A-z0-9]{1,32})\'\)\{\s+\@extract\(\$\_REQUEST\)\;\s+\@die\(\$stime\(\$mtime\)\)\;\s+\}\s+\?>/is,
-    qr/<\?php\s+if\(\!empty\(\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s+\{\s+\$userAgents\s+\=\s+array\(\"Google\"\,\s+\"Slurp\"\,\s+\"MSNBot\"\,\s+\"ia\_archiver\"\,\s+\"Yandex\"\,\s+\"Rambler\"\)\;\s+if\(preg\_match\(\'\/\'\s+\.\s+implode\(\'\|\'\,\s+\$userAgents\)\s+\.\s+\'\/i\'\,\s+\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s+\{\s+header\(\'HTTP\/1\.0\s+404\s+Not\s+Found\'\)\;\s+exit\;\s+\}\s+\}.+?<input\s+type\=\"submit\"\s+value\=\"Sent\"\s+\/>\s+<\/form>\s+<\/body>\s+<\/html>\'\;/is,
+# needs review    qr/<\?php\s+if\(\!empty\(\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s+\{\s+\$userAgents\s+\=\s+array\(\"Google\"\,\s+\"Slurp\"\,\s+\"MSNBot\"\,\s+\"ia\_archiver\"\,\s+\"Yandex\"\,\s+\"Rambler\"\)\;\s+if\(preg\_match\(\'\/\'\s+\.\s+implode\(\'\|\'\,\s+\$userAgents\)\s+\.\s+\'\/i\'\,\s+\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s+\{\s+header\(\'HTTP\/1\.0\s+404\s+Not\s+Found\'\)\;\s+exit\;\s+\}\s+\}.+?<input\s+type\=\"submit\"\s+value\=\"Sent\"\s+\/>\s+<\/form>\s+<\/body>\s+<\/html>\'\;/is,
     qr/<\?php\s+\/\/header\(\"Content\-Type\:\s+text\/html\;\s+charset\=utf\-8\"\)\;\s+\$config\_password\=\"yt\"\;\s+\$action\=\$\_REQUEST\[\'action\'\]\;\s+\$password\=\$\_REQUEST\[\'password\'\]\;\s+if\(\$password\!\=\$config\_password\).+?function\s+createFolder\(\$path\)\s+\{\s+if\s+\(\!file\_exists\(\$path\)\)\s+\{\s+createFolder\(dirname\(\$path\)\)\;\s+mkdir\(\$path\,\s+0777\)\;\}\s+\}\s+\?>/is,
     qr/<\?php\s+error\_reporting\(E\_ERROR\)\;\s+\$password\=\$\_REQUEST\[\'password\'\]\;\s+\$action\=\$\_REQUEST\[\'action\'\]\;\s+\$filename\=\$\_REQUEST\[\'filename\'\]\;\s+\$filepath\=\"\"\;\s+\$body\=stripslashes\(\$\_REQUEST\[\'body\'\]\)\;\s+if\(\$password\!\=\"abcdefgh\"\).+?echo\s+\"uploaded\"\;\s+\}\s+\?>/is,