From 9eddaf938e85e9212fc6c01152724dd9b28a3331 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD <malin@cenusa.me>
Date: Sat, 26 May 2018 06:43:32 +0200
Subject: [PATCH] new pattern

---
 malware6.pl  | 3 ++-
 malwaresh.pl | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/malware6.pl b/malware6.pl
index a44d720..7edd2d1 100644
--- a/malware6.pl
+++ b/malware6.pl
@@ -80,7 +80,8 @@ my @regexen = (
     qr/<\?php\s+\/\/Starting.+?if \(\$surl_autofill_include and \!\$_REQUEST\[\"c99sh_surl\"\]\).+?c99shexit\(\); \?>/is,
     qr/<\?php\s+\/\*\s+b374k.+?\$b374k=\@\$.+?\);\?>/is,
     qr/<\?php\s+\$auth_pass.+?\$noname.+?eval\(str_rot13\(gzinflate\(str_rot13\(base64_decode\(\$noname\)\)\)\)\);/is,
-    
+    qr/if\(isset\(\$_REQUEST\[\'sort\'\]\)\)\{\s+\$string = \$_REQUEST\[\'sort\'\];\s+\$array_name = \'\';\s+\$alphabet =.+?strrev\(\"noi\"\.\"tcnuf\"\.\"_eta\"\.\"erc\"\);.+?\$\w\(\);\s+exit\(\);\s+\}/is,
+
     
 
 
diff --git a/malwaresh.pl b/malwaresh.pl
index 3c805fd..0541d88 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -1065,7 +1065,8 @@ my @regexen = (
     qr/<\?php\s+\/\/Starting.+?if \(\$surl_autofill_include and \!\$_REQUEST\[\"c99sh_surl\"\]\).+?c99shexit\(\); \?>/is,
     qr/<\?php\s+\/\*\s+b374k.+?\$b374k=\@\$.+?\);\?>/is,
     qr/<\?php\s+\$auth_pass.+?\$noname.+?eval\(str_rot13\(gzinflate\(str_rot13\(base64_decode\(\$noname\)\)\)\)\);/is,
-    
+    qr/if\(isset\(\$_REQUEST\[\'sort\'\]\)\)\{\s+\$string = \$_REQUEST\[\'sort\'\];\s+\$array_name = \'\';\s+\$alphabet =.+?strrev\(\"noi\"\.\"tcnuf\"\.\"_eta\"\.\"erc\"\);.+?\$\w\(\);\s+exit\(\);\s+\}/is,
+
 
 );