From a82bea1352fca8cbe8abb3e61536ec97a3c353e5 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD <malin@cenusa.me>
Date: Thu, 10 May 2018 08:33:11 +0200
Subject: [PATCH] moved pattern priority

---
 malwaresh.pl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/malwaresh.pl b/malwaresh.pl
index caff50f..72de73d 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -26,6 +26,8 @@ print "Content-type: text/html\n\n";
 my $user = $ARGV[0];
 
 my @regexen = (
+    qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\|.+?\)\)\=\=\$([A-z0-9]{1,20})\)eval\(\$.+?\'\;/is,
+    qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\|.+?\)die\;\$.+?\(false\,\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\).+?\'\;/is,
     qr/<\?php.+?\$([A-z0-9]{1,20})\=\(([0-9]{1,5})\-([0-9]{1,5})\)\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
     qr/<\?php\s+\$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}.+?exit\(\)\;\s+\}\Z/is,
     qr/<\?php\s+\/\/header\(\'Content\-Type\:text\/html\;.+?\=array\(.+?\=urldecode\(.+?\)\;exit\(\)\;\}\'\)\;\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}.+?\]\(\)\;\?>/is,
@@ -973,8 +975,6 @@ my @regexen = (
     qr/<\?php\s+\@ini\_set\(\'display\_errors\'\,.+?function\s+wp\_cd\(\$.+?\$npDcheckClassBgp.+?\}\s+\?>/is,
     qr/<\?php\s+\$login\=\"\"\;\s+\$md5\_pass\=\"\".+?eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
     qr/<\?php\s+\/\*.+?\*\/\s+\@error\_reporting\(0\)\;\s+\@eval\(base64\_decode\(\".+?\)\)\;\s+\/\*.+?\*\/\s+\?>/is,
-    qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\|.+?\)\)\=\=\$([A-z0-9]{1,20})\)eval\(\$.+?\'\;/is,
-    qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\|.+?\)die\;\$.+?\(false\,\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\).+?\'\;/is,
 
 );