From bea468873d1929a9b7b86d5f667419555d76e592 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Sat, 21 Apr 2018 13:22:44 +0200
Subject: [PATCH] new patterns

---
 malware5.pl | 18 ++++++++++++++++++
 malwaresh.pl | 14 ++++++++++++++
 2 files changed, 32 insertions(+)

diff --git a/malware5.pl b/malware5.pl
index 16cd963..5c59687 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -255,6 +255,24 @@ my @regexen = (
 qr/([0-9]{20,})<\?php\s+\@eval\(\$\_POST\[\'c\'\]\)\;\s+die\(\)\;\?>/is,
 qr/<\?php\s+error\_reporting\(0\)\;echo\'404\-NOT\-FOUND\-ERROR\'\;\s+\$([A-z0-9]{1,20})\=gzinflate\(base64\_decode\(.+?\}\}closedir\(\$([A-z0-9]{1,20})\)\;\?>/is,
 qr/<\?php\s+\@eval\(\$\_POST\[([A-z0-9]{1,20})\]\)\;\?>/is,
+ qr/<\?php.+?Joomla\.Site.+?\$p\s+\=\s+getcwd\(\)\;\s+echo\s+\$p\;\s+\?>/is,
+ qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\s+\=\s+str\_replace\(.+?\(\)\;\s+\?>/is,
+ qr/<\?PHP\s+\$login.+?\$pass.+?\$md5\_pass\s+\=\s+\"\"\;\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\/\/\?\?\?\?\?\s+\?>/is,
+ qr/<\?php.+?if\(\$chk\_login\s+\=\=\s+true\).+?mass\s+mailer\s+\|\:\..+?Sending\s+Completed.+?\?>\s+<\/body>\s+<\/html>/is,
+ qr/<\?php.+?\@system\(\"killall\s+\-9\s+\"\.basename\(\"\/usr\/bin\/host\"\)\)\;.+?\$so32\s+\=\s+\"\\x.+?\/usr\/bin\/host\"\)\;\s+\?>/is,
+ qr/<\?php\s+eval\s+\(gzinflate\(base64\_decode\(str\_rot13\(.+?\)\)\)\)\;\s+\?>/is,
+ qr/\#\!\/bin\/sh.+?sd\@fucksheep\.org.+?\.\/exploit\s+fi/is,
+ qr/<\?php.+?eMail\s+\~>\s+RealUnix\.net.+?print\s+file\_get\_contents\(\$i\)\;\s+exit\;\s+\?>\s+<\/body>\s+<\/html>/is,
+ qr/<\?php.+?class\s+viaWorm\s+\{.+?public\s+function\s+analyzePossibleIndexes\(\)\{.+?\$result\s+\=\s+viaWorm\:\:processHost\(\)\;.+?echo\s+json\_encode\(\$result\)\;\s+exit\(\)\;/is,
+ qr/.+?Owned\s+by\s+Widex.+?root\@Widex\:\s+\.\/logout<\/p>\s+<\/body>\s+<\/html>/is,
+ qr/\/\*\s+exploit\s+lib\s+\*\/.+?struct\s+exploit\_state\s+\{.+?pa\_\_init\(NULL\)\;\s+return\s+0\;\s+\}/is,
+ qr/\/\*.+?sd\@fucksheep\.org.+?struct\s+exploit\_state\s+\{.+?unlink\(\"\.\/suckit\_selinux\_nopz\"\)\;\s+exit\(1\)\;\s+\}/is,
+ 
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\"\_\"\.\'G\'\.\'E\'\.\'T\'\;\s+if\s+\(isset\(\s+\$\{\$([A-z0-9]{1,20})\}\[\'\d\d\'\]\)\)\s+preg\_replace\(\'\/\'\.\'\.\*\/e\'\,\s+\'ev\'\.\'al\s+\(\s+\$\'\.\$([A-z0-9]{1,20})\.\'\[\"\d\d\"\]\)\'\,\s+\'\'\)\;\s+\?>/is,
+ + +}/is, + + );
diff --git a/malwaresh.pl b/malwaresh.pl
index 32341b5..582a14b 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
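Review bot: The `[A-z0-9]{1,20}` class used for the PHP variable-name captures in the new str_replace, login and preg_replace patterns is a range bug carried over from the existing entries: `A-z` also covers ASCII 91–96, so it matches `[`, `\`, `]`, `^`, `_` and backtick, which is not what the signatures mean; `[A-Za-z0-9_]` (or `\w`) is the intended class, and since none of the captures is ever read, `(?:...)` would avoid building capture groups on every scan. The identical lines in the malwaresh.pl hunk have the same problem. The tail of this hunk also appears to add two blank lines and a stray `}/is,` line after the last pattern; if that is really in the patch rather than an artefact of the collapsed layout, it would leave `@regexen` in malware5.pl with a syntax error, and the malwaresh.pl hunk does not contain it.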
@@ -735,7 +735,21 @@ my @regexen = (
 qr/([0-9]{20,})<\?php\s+\@eval\(\$\_POST\[\'c\'\]\)\;\s+die\(\)\;\?>/is,
 qr/<\?php\s+error\_reporting\(0\)\;echo\'404\-NOT\-FOUND\-ERROR\'\;\s+\$([A-z0-9]{1,20})\=gzinflate\(base64\_decode\(.+?\}\}closedir\(\$([A-z0-9]{1,20})\)\;\?>/is,
 qr/<\?php\s+\@eval\(\$\_POST\[([A-z0-9]{1,20})\]\)\;\?>/is,
+ qr/<\?php.+?Joomla\.Site.+?\$p\s+\=\s+getcwd\(\)\;\s+echo\s+\$p\;\s+\?>/is,
+ qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\s+\=\s+str\_replace\(.+?\(\)\;\s+\?>/is,
+ qr/<\?PHP\s+\$login.+?\$pass.+?\$md5\_pass\s+\=\s+\"\"\;\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\/\/\?\?\?\?\?\s+\?>/is,
+ qr/<\?php.+?if\(\$chk\_login\s+\=\=\s+true\).+?mass\s+mailer\s+\|\:\..+?Sending\s+Completed.+?\?>\s+<\/body>\s+<\/html>/is,
+ qr/<\?php.+?\@system\(\"killall\s+\-9\s+\"\.basename\(\"\/usr\/bin\/host\"\)\)\;.+?\$so32\s+\=\s+\"\\x.+?\/usr\/bin\/host\"\)\;\s+\?>/is,
+ qr/<\?php\s+eval\s+\(gzinflate\(base64\_decode\(str\_rot13\(.+?\)\)\)\)\;\s+\?>/is,
+ qr/\#\!\/bin\/sh.+?sd\@fucksheep\.org.+?\.\/exploit\s+fi/is,
+ qr/<\?php.+?eMail\s+\~>\s+RealUnix\.net.+?print\s+file\_get\_contents\(\$i\)\;\s+exit\;\s+\?>\s+<\/body>\s+<\/html>/is,
+ qr/<\?php.+?class\s+viaWorm\s+\{.+?public\s+function\s+analyzePossibleIndexes\(\)\{.+?\$result\s+\=\s+viaWorm\:\:processHost\(\)\;.+?echo\s+json\_encode\(\$result\)\;\s+exit\(\)\;/is,
+ qr/.+?Owned\s+by\s+Widex.+?root\@Widex\:\s+\.\/logout<\/p>\s+<\/body>\s+<\/html>/is,
+ qr/\/\*\s+exploit\s+lib\s+\*\/.+?struct\s+exploit\_state\s+\{.+?pa\_\_init\(NULL\)\;\s+return\s+0\;\s+\}/is,
+ qr/\/\*.+?sd\@fucksheep\.org.+?struct\s+exploit\_state\s+\{.+?unlink\(\"\.\/suckit\_selinux\_nopz\"\)\;\s+exit\(1\)\;\s+\}/is,
+ 
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\"\_\"\.\'G\'\.\'E\'\.\'T\'\;\s+if\s+\(isset\(\s+\$\{\$([A-z0-9]{1,20})\}\[\'\d\d\'\]\)\)\s+preg\_replace\(\'\/\'\.\'\.\*\/e\'\,\s+\'ev\'\.\'al\s+\(\s+\$\'\.\$([A-z0-9]{1,20})\.\'\[\"\d\d\"\]\)\'\,\s+\'\'\)\;\s+\?>/is,
+ );
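Review bot: The new `Owned by Widex` pattern opens with `.+?` under `/s`, which is redundant for an unanchored match and, when the later literals are absent, can make the engine retry the lazy scan from every start offset of a large file; most of the other new patterns likewise chain several `.+?` spans across the whole input. Dropping the leading quantifier, `qr/Owned\s+by\s+Widex.+?root\@Widex\:\s+\.\/logout<\/p>\s+<\/body>\s+<\/html>/is`, gives the same matches and lets the engine key on the first literal. The token spacing is also fixed at `\s+` throughout (e.g. `\$p\s+\=\s+getcwd`), so a sample written as `$p=getcwd();` slips past; `\s*` is the robust form wherever PHP treats the whitespace as optional. This hunk is a byte-for-byte copy of the malware5.pl one, so keeping the pattern list in a single shared file would stop the two copies drifting apart.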