From ac40323bd1a06e3d066c7484aa2c2a3319f90d11 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Thu, 13 Jul 2017 20:34:30 +0200
Subject: [PATCH] added 5 new patterns
---
 malware4.pl | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/malware4.pl b/malware4.pl
index 32c6188..188d9a4 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -113,6 +113,13 @@ my @regexen = (
 qr/<\?php\s+\/\*\*\s+\*\s+\@package.+?if\s+\(empty\s+\(\$\_POST\)\)\s+\{\s+echo\s+\'Empty\s+data\.\'.+?array\_map\s+\(.+?\$\_POST\[\'([A-z0-9]{1,5})\'\]\)\s+\)\)\;/is,
 qr/<\?php\s+\@require\(\'wp\-admin\/([0-9]{1,20})\'\)\;/is,
 qr/<\?php\s+echo\s+\'([0-9]{1,20})\.txt\'\;\s+\?>/is,
+ qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\}/is,
+ qr/\s+\s+\s+<\/head>\s+\s+<\/body>\s+<\/html>/is,
+ qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\s+\@require\(\'wp-admin\/([0-9]{1,20})\'\)\;/is,
+ qr/<\?php\s+error\_reporting\(0\)\;\s+\$\_([A-z0-9]{1,20})\s+\=.+?\;\s+for\s+\(\$i\s+\=\s+0\;\s+\$i\s+<\s+strlen\(\$\_([A-z0-9]{1,20})\)\;\s+\$i\+\+\)\s+\$\_([A-z0-9]{1,20})\s+\.\=\s+sprintf\(.+?\$'_([A-z0-9]{1,20})\(\)\;\s+\/\*([A-z0-9]{1,100})\*\//is,
+ qr/<\?php\s+\$([A-z0-9]{1,20})\=\"http\:\/\/([A-z0-9]{1,20})\.([A-z0-9]{1,20})\/.+?\.php\"\;\s+\$([A-z0-9]{1,20})\=1\;\s+header\(\"content\-type\:text\/html\;charset\=utf\-8\"\)\;\@date\_default\_timezone\_set\(\"America\/Grenada\"\).+?break\;case\s+1\:\$([A-z0-9]{1,20})\=.+?return\s+\$([A-z0-9]{1,20})\;\}/is,
+
+
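Review bot: The second added pattern, as it appears here, is only whitespace runs followed by `</head>`, `</body>` and `</html>`, so it would match any document that closes its head and has an empty body; confirm that the distinguishing opening part of the signature is really in the file, because whatever acts on a hit from `@regexen` would treat such benign pages as infected. The class `[A-z0-9]` in the other added patterns is wider than alphanumeric, since the range `A-z` also covers `[`, `\`, `]`, `^`, `_` and the backtick; with `/i` already set, `[a-z0-9]` (or `[a-z0-9_]` where underscores are expected) states the intent exactly. In the fourth added pattern `\$'_(` contains a literal apostrophe that looks unintended and should be checked against the sample it was written from. The `@regexen` list starts and continues outside the hunk, and the hunk's trailing context lines are not visible here.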