From a9cddf8329d8f45b3e2a350ed21cb05749458130 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Mon, 7 May 2018 07:06:01 +0200
Subject: [PATCH] new patterns

---
 malware5.pl | 8 ++++++++
 malwaresh.pl | 9 +++++++++
 2 files changed, 17 insertions(+)

diff --git a/malware5.pl b/malware5.pl
index 539ca2d..39c6cb3 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -454,6 +454,14 @@ my @regexen = (
 qr/<\?php.+?\?>([A-z0-9]{1,20})\%([A-z0-9]{1,20})\%.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
 qr/<\?php.+?\$([A-z0-9]{1,20})\=\(([0-9]{1,5})\-([0-9]{1,5})\)\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
 qr/<\?php\s+if\(\@isset\(\$\_SERVER\[HTTP\_.+?\]\)\)\{\@eval\(base64\_decode\(\$\_SERVER\[.+?\]\)\)\;\}exit\;\?>.+?sites\/libasset\.php/is,
+ qr/<\?php.+?c99\s+injektor.+?<\?php\s+chdir\(\$lastdir\)\;\s+c99shexit\(\)\;\s+\?>/is,
+ qr/<\?php.+?\$language\=\'ru\'\;.+?eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
+ qr/<\?php\s+\$script\s+\=\s+basename\(\_\_FILE\_\_\)\;.+?function\s+getUniqueCode\(\)\{.+?\$pageURL\.\"osh3\.php\"\;.+?o3\:\$o3
\"\;\s+\?>/is, + qr/<\?php\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\?>/is, + qr/<\?\s+\$times\=rand\(.+?\$code\=\s+<</is, + qr/<\?.+?if\(isset\(\$\_SERVER\[\'WINDIR\'\]\)\)\{.+?if\(strstr\(\$contents\,\"c99\"\)\)\{\s+return\s+true\;\s+\}\s+\}\s+\?>/is, + qr/<\?php\s+\@system\(\"cd\s+\/tmp\;wget\s+http\:\/\/.+?\@shell\_exec\(\"cd\s+\/tmp\;wget\s+http\:\/\/.+?\?>/is, + qr/<\?php.+?array\(\"\.\"\,\"\.\.\"\,\"\.\.\/\.\.\"\,\s+\"\.\.\/\.\.\/\.\.\"\)\;.+?array\(\"index\.html\"\,\s+\"index\.htm\"\,\s+\"index\.shtml\"\,\s+\"default\.asp\"\)\;.+?\]\)\.\"\?domain\=\"\.base64\_encode\(\$\_SERVER\[\'HTTP\_HOST\'\]\)\)\;.+?\"\)\;\s+\?>/is, ); diff --git a/malwaresh.pl b/malwaresh.pl index 92c2004..bda87ee 100644 --- a/malwaresh.pl +++ b/malwaresh.pl @@ -937,6 +937,15 @@ my @regexen = ( qr/<\?\s+eval\(gzinflate\(str\_rot13\(base64\_decode\(.+?\)\)\)\)\;\s+\?>/is, qr/<\?php.+?\?>([A-z0-9]{1,20})\%([A-z0-9]{1,20})\%.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is, qr/<\?php\s+if\(\@isset\(\$\_SERVER\[HTTP\_.+?\]\)\)\{\@eval\(base64\_decode\(\$\_SERVER\[.+?\]\)\)\;\}exit\;\?>.+?sites\/libasset\.php/is, + qr/<\?php.+?c99\s+injektor.+?<\?php\s+chdir\(\$lastdir\)\;\s+c99shexit\(\)\;\s+\?>/is, + qr/<\?php.+?\$language\=\'ru\'\;.+?eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is, + qr/<\?php\s+\$script\s+\=\s+basename\(\_\_FILE\_\_\)\;.+?function\s+getUniqueCode\(\)\{.+?\$pageURL\.\"osh3\.php\"\;.+?o3\:\$o3
\"\;\s+\?>/is, + qr/<\?php\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\?>/is, + qr/<\?\s+\$times\=rand\(.+?\$code\=\s+<</is, + qr/<\?.+?if\(isset\(\$\_SERVER\[\'WINDIR\'\]\)\)\{.+?if\(strstr\(\$contents\,\"c99\"\)\)\{\s+return\s+true\;\s+\}\s+\}\s+\?>/is, + qr/<\?php\s+\@system\(\"cd\s+\/tmp\;wget\s+http\:\/\/.+?\@shell\_exec\(\"cd\s+\/tmp\;wget\s+http\:\/\/.+?\?>/is, + qr/<\?php.+?array\(\"\.\"\,\"\.\.\"\,\"\.\.\/\.\.\"\,\s+\"\.\.\/\.\.\/\.\.\"\)\;.+?array\(\"index\.html\"\,\s+\"index\.htm\"\,\s+\"index\.shtml\"\,\s+\"default\.asp\"\)\;.+?\]\)\.\"\?domain\=\"\.base64\_encode\(\$\_SERVER\[\'HTTP\_HOST\'\]\)\)\;.+?\"\)\;\s+\?>/is, + );