From b13e39e47f16740387b6ee9955ba5d8a3f997f96 Mon Sep 17 00:00:00 2001
From: Malin
Date: Sat, 14 Jan 2017 14:21:48 +0100
Subject: [PATCH] Update 'malware4.pl'
---
 malware4.pl | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/malware4.pl b/malware4.pl
index 871ab59..9c2bd52 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -33,6 +33,10 @@ my @regexen = (
 qr/<\?php\s+\if\s+\(\!defined\(\'ALREADY\_RUN\_.+?\)\)\;\s+\}/is,
 qr/<\?php\s+\$dom\s+\=\s+array\(.+?\$url\s+\=\s+\'http\:\/\/\'\.\$dom\[mt\_rand\(0\,sizeof\(\$dom\)\-1\)\]\.\'\/file\.php\'\;.+?header\(\'Location\:\s+\'\.\$url\)\;\s+\}\s+exit\;\s+\?>/is,
 qr/<\?php\s+if\s+\(isset\(\$\_GET\[\"id\"\]\)\)\s+header\(.+?\.\$\_GET\[\"id\"\]\)\;\s+\?>/is,
+ qr/<\?php\s+eval\(base64\_decode\(.+?\)\)\;/is,
+ qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\).+?functions+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\{return\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\}\;.+?\}\(\$url\,\s+FALSE\,\s+\$\{([A-z0-9]{1,20})\(.+?return\s+\$\{.+?\)\}\;\s+\}/is,
+ qr/<\?php\s+eval\(base64\_decode\(.+?include.+?x70hp\"\;.+?include.+?x70hp\"\;/is,
+ qr/<\?php\s+\$([A-z0-9]{1,20})\=chr\(([0-9]{1,4})\).+?chr\(([0-9]{1,4})\).+?chr\(([0-9]{1,4})\).+?chr\(([0-9]{1,4})\).+?chr\(([0-9]{1,4})\).+?\)\;\s+\?>/is,
 );

 my @base64_decodes = (
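Review bot: The second added pattern contains `functions+` where the same pattern earlier uses `function\s+`, so as written it needs the literal text "functions" directly before the name and will presumably never match the sample it was derived from; that fragment should read `.+?function\s+([A-z0-9]{1,20})`. The class `[A-z0-9]`, used in the second and fourth added patterns, also covers the ASCII punctuation between `Z` and `a` (`[`, `\`, `]`, `^`, `_` and the backtick); if PHP identifiers are meant, `[A-Za-z0-9_]` says so explicitly. The first added pattern, `<\?php\s+eval\(base64\_decode\(.+?\)\)\;`, is a prefix of the third, so if `@regexen` is applied in order and matches are stripped (the code that consumes the list is outside this hunk), the generic pattern would fire first and the more specific `x70hp` one could never match; the specific pattern should come first. Because the generic pattern matches any file that opens with `eval(base64_decode(...));`, including legitimately encoded code, a comment such as `# generic: confirm the decoded payload before removing` above it would help whoever maintains the list.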