new patterns

malware6.pl

@@ -148,6 +148,10 @@ my @regexen = (
     qr/<\?php.+?\$url = \".+?\";\s+\}\s+header\(\"Location: http:\/\/\$url\"\);\s+echo \"<meta http-equiv=\\\"content-type\\\" content=\\\"text\/html; charset=UTF-8\\\">\\n\";\s+echo \"<html><head><meta http-equiv=\\\"refresh\\\" content=\\\"0;url=http:\/\/\$url\\\"><\/head><\/html>\";\s+\?>/is,
     qr/<html>\s+<head>\s+<meta http-equiv=\"refresh\" content=\"1; url=http:\/\/.+?document\.write\(\"<img src=\'\" + l + \"\'>\"\);\s+<\/script>\s+<body>\s+<h1>Loading\.\.\.<\/h1>\s+<\/body>\s+<\/html>/is,
     qr/<\?php\s+header\(\"Location: http:\/\/.+?\"\);\s+die\(\);\s+\?>/is,
+    qr/<\?php\s+eval \( base64_decode \(\".+?\) \); \?>\s+<!--([A-z0-9_]{20,})-->/is,
+    qr/<\?php.+?system\(\'echo \"\* \* \* \* \* wget http:\/\/\'\.\$_SERVER\[\"HTTP_HOST\"\]\.\$_SERVER\[\"REQUEST_URI\"\]\.\'\" \| crontab\'\);.+?system\(\'echo \"\* \* \* \* \* wget http:\/\/\'\.\$_SERVER\[\"HTTP_HOST\"\]\.\$_SERVER\[\"REQUEST_URI\"\]\.\'\" \| crontab\'\);\s+\?>/is,
+    qr/<\?php\s+\$this->zipname = \$p_zipname.+?\$archive = new PclZip\(\"([A-z0-9_]{1,20})\.zip\"\);.+?\@unlink\(\"([A-z0-9_]{1,20})\.zip\"\);\s+die\(\"([0-9]{1,20})\"\);\s+\}/is,
+    qr/<\?php\s+extract\(\$_REQUEST\) \&\& \@\$catch\(stripslashes\(\$user\)\) \&\& exit;.+?function ([A-z0-9_]{1,20})\(\)\{\s+\$([A-z0-9_]{1,20})=\"([A-z0-9_]{20,})\";\s+\$([A-z0-9_]{1,20})=\"([A-z0-9_]{20,})\";\s+return \"\{\$([A-z0-9_]{1,20})\}\{\$([A-z0-9_]{1,20})\}\";\s+\}\s+\?>/is,
 
 
     

malwaresh.pl

@@ -1133,9 +1133,12 @@ my @regexen = (
     qr/<\?php.+?\$url = \".+?\";\s+\}\s+header\(\"Location: http:\/\/\$url\"\);\s+echo \"<meta http-equiv=\\\"content-type\\\" content=\\\"text\/html; charset=UTF-8\\\">\\n\";\s+echo \"<html><head><meta http-equiv=\\\"refresh\\\" content=\\\"0;url=http:\/\/\$url\\\"><\/head><\/html>\";\s+\?>/is,
     qr/<html>\s+<head>\s+<meta http-equiv=\"refresh\" content=\"1; url=http:\/\/.+?document\.write\(\"<img src=\'\" + l + \"\'>\"\);\s+<\/script>\s+<body>\s+<h1>Loading\.\.\.<\/h1>\s+<\/body>\s+<\/html>/is,
     qr/<\?php\s+header\(\"Location: http:\/\/.+?\"\);\s+die\(\);\s+\?>/is,
+    qr/<\?php\s+eval \( base64_decode \(\".+?\) \); \?>\s+<!--([A-z0-9_]{20,})-->/is,
+    qr/<\?php.+?system\(\'echo \"\* \* \* \* \* wget http:\/\/\'\.\$_SERVER\[\"HTTP_HOST\"\]\.\$_SERVER\[\"REQUEST_URI\"\]\.\'\" \| crontab\'\);.+?system\(\'echo \"\* \* \* \* \* wget http:\/\/\'\.\$_SERVER\[\"HTTP_HOST\"\]\.\$_SERVER\[\"REQUEST_URI\"\]\.\'\" \| crontab\'\);\s+\?>/is,
+    qr/<\?php\s+\$this->zipname = \$p_zipname.+?\$archive = new PclZip\(\"([A-z0-9_]{1,20})\.zip\"\);.+?\@unlink\(\"([A-z0-9_]{1,20})\.zip\"\);\s+die\(\"([0-9]{1,20})\"\);\s+\}/is,
+    qr/<\?php\s+extract\(\$_REQUEST\) \&\& \@\$catch\(stripslashes\(\$user\)\) \&\& exit;.+?function ([A-z0-9_]{1,20})\(\)\{\s+\$([A-z0-9_]{1,20})=\"([A-z0-9_]{20,})\";\s+\$([A-z0-9_]{1,20})=\"([A-z0-9_]{20,})\";\s+return \"\{\$([A-z0-9_]{1,20})\}\{\$([A-z0-9_]{1,20})\}\";\s+\}\s+\?>/is,
 
-
-
+    
 )
 ;