From bf8b457c633d6e35a413135f14cee15978cd3ed5 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Mon, 23 Apr 2018 08:56:50 +0200
Subject: [PATCH] new patterns
---
 malware5.pl | 2 ++
 malwaresh.pl | 1 +
 2 files changed, 3 insertions(+)
diff --git a/malware5.pl b/malware5.pl
index 1415ef4..bfd7371 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -282,6 +282,8 @@ my @regexen = (
 qr/<\?php\s+if\s+\(isset\(\$\_POST\[.+?urldecode\(\$\_SERVER\[\'QUERY\_STRING\'\]\)\;.+?\$email\s+\=\s+\@base64\_decode\(\$.+?return\s+jk\_\_\_\(\$url\)\;\s+\}\s+\}\s+\}/is,
 qr/<\?php\s+\$.+?\=\s+array\(\'.+?array\(\'ba\'\s+\,\'se\'\s+\,\'64\'\s+\,\'\_d\'\s+\,\'ec\'\s+\,\'od\'\s+\,\'e\'\)\;\s+\$.+?array\(\'gz\'\,\s+\'un\'\,\s+\'co\'\,\s+\'mp\'\,\s+\'re\'\,\s+\'ss\'\)\s+\;\$.+?eval.+?\?>/is,
 qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'.+?64\_d.+?array\(.+?eval.+?\$([A-z0-9]{1,20}).+?\?>/is,
+ qr/<\?php.+?\$color\s+\=\s+\"\#df5\"\;.+?FilesMan.+?\?>/is,
+
 );
 my @base64_decodes = (
diff --git a/malwaresh.pl b/malwaresh.pl
index f80ed96..8f33e7e 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -762,6 +762,7 @@ my @regexen = (
 qr/<\?php\s+if\s+\(isset\(\$\_POST\[.+?urldecode\(\$\_SERVER\[\'QUERY\_STRING\'\]\)\;.+?\$email\s+\=\s+\@base64\_decode\(\$.+?return\s+jk\_\_\_\(\$url\)\;\s+\}\s+\}\s+\}/is,
 qr/<\?php\s+\$.+?\=\s+array\(\'.+?array\(\'ba\'\s+\,\'se\'\s+\,\'64\'\s+\,\'\_d\'\s+\,\'ec\'\s+\,\'od\'\s+\,\'e\'\)\;\s+\$.+?array\(\'gz\'\,\s+\'un\'\,\s+\'co\'\,\s+\'mp\'\,\s+\'re\'\,\s+\'ss\'\)\s+\;\$.+?eval.+?\?>/is,
 qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'.+?64\_d.+?array\(.+?eval.+?\$([A-z0-9]{1,20}).+?\?>/is,
+ qr/<\?php.+?\$color\s+\=\s+\"\#df5\"\;.+?FilesMan.+?\?>/is,
 );
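Review bot: The first gap in the added signature, `<\?php.+?\$color`, is unbounded under `/s`, so the match starts at the first `<?php` in the file and can run across `?>` boundaries through unrelated code before it reaches the `$color = "#df5";` marker; the three context patterns above it pin specific tokens right after `<\?php\s+`. The `@regexen` list begins and is consumed outside the hunk, but if matches are stripped from the scanned file, this entry could remove legitimate PHP that precedes the shell. Keeping the gap inside one PHP block would tighten it, e.g. `qr/<\?php(?:(?!\?>).)+?\$color\s*\=\s*\"\#df5\"\;.+?FilesMan.+?\?>/is`, where `\s*` also matches the marker written without spaces around `=`. The same line is added in the malwaresh.pl hunk, so the change applies there too, and a short comment such as `# FilesMan web shell: $color = "#df5" marker` would make the entry identifiable in a list of this length.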
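Review bot: The signature list appears to be kept as parallel copies in two scripts: the three context patterns and the added line in this malwaresh.pl hunk are identical to those in the malware5.pl hunk, so each new pattern has to be pasted twice and the copies can drift (the malware5.pl hunk already adds a blank line that this one does not). The lists sit at different offsets (282 versus 762), so they are not wholesale identical, and the rest of both files is outside the hunks. If the shared entries are meant to stay in sync, loading them from one place, for example a hypothetical shared module pulled in with `use MalwarePatterns qw(@shared_regexen);` (placeholder name), would keep detection coverage consistent between the two scanners.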