From b7d3cfad3d3838942d14b5dd9038d51c56ee1685 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Fri, 14 Jul 2017 14:29:57 +0200
Subject: [PATCH] fixed pattern
---
 malware4.pl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/malware4.pl b/malware4.pl
index d34e013..c55a1e3 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -129,8 +129,8 @@ my @regexen = (
 qr/<\?php\s+\@\'\$.+?x7\=http\:\/\/.+?\.php\s+cache=.+?\(\)\;\Z/is,
 qr/<\?php\s+set\_magic\_quotes\_runtime\(0\)\;\s+if\(strtolower\(substr\(PHP\_OS\,0\,3\)\).+?Command\s+completed<\/b><\/center>\"\;\s+\}\s+exit\;\s+\?>/is,
 qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;exit\;\/\*([A-z0-9]{1,20})\*\/\}.+?\"\)\{return\s+preg\_match\(\"\/\(google\.co\.jp\|yahoo\.co\.jp\|bing\)\/.+?return\s+\$([A-z0-9]{1,20})\;\}\Z/is,
- qr/<\?if\(\$\_GET\[\'mod\'\]\)\{if\(\$\_GET\[\'mod\'\]\=\=\'0XX\'\s+OR\s+\$\_GET\[\'mod\'\]\=\=\'00X\'\)\{\$g\_sch\=file\_get\_contents\(\'http\:\/\/.+?gethostbyname\(\$\_SERVER\[\'HTTP\_HOST\'\]\.\'\.dbl\.spamhaus\.org\'\)\;.+?header\(\'HTTP\/1\.1\s+301\s+Moved\s+Permanently\'\)\;header\(\'Location\:\s+http\:\/\/([A-z0-9]{1,20})\.([A-z0-9]{1,20})\'\)\;\s+\?>/is,
-
+ qr/<\?if\(\$\_GET\[\'mod\'\]\)\{if\(\$\_GET\[.+?file\_get\_contents\(\'http\:\/\/.+?gethostbyname.+?dbl\.spamhaus\.org\'\)\;.+?header\(\'HTTP\/1\.1\s+301\s+Moved\s+Permanently\'\)\;header\(\'Location\:\s+http\:\/\/([A-z0-9]{1,20})\.([A-z0-9]{1,20})\'\)\;\s+\?>/is,
+
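Review bot: The rewritten `<\?if\(\$\_GET\[\'mod\'\]\)` signature on the added line chains four unbounded `.+?` gaps under `/s`, so a large file that contains the opening tokens but not the full tail makes the engine rescan each gap to the end of the buffer, and a match can span unrelated code between the anchors. Bounding each gap, for example `.{1,2000}?` in place of `.+?` (the limit to be tuned against known samples), keeps the tolerance for variants while capping scan cost and false positives. The class `[A-z0-9]` in the `Location` host also accepts `[`, `\`, `]`, `^`, `_` and the backtick and rejects `-`, so hyphenated redirect hosts are missed; `[A-Za-z0-9-]` is probably what is intended, and the same class is used in the unchanged cookie pattern above it. The `@regexen` list begins and ends outside the hunk, so how the patterns are applied to file contents is not visible here.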