From c5e27f31e65b44a5ec988efda11edf1bdfe66964 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Thu, 24 May 2018 11:04:39 +0200
Subject: [PATCH] new patterns
---
 malware6.pl | 2 ++
 malwaresh.pl | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/malware6.pl b/malware6.pl
index cf7c1cd..ba38c4b 100644
--- a/malware6.pl
+++ b/malware6.pl
@@ -61,6 +61,8 @@ my @regexen = (
 qr/<\?php eval\(chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(.+?\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\); \?>/is,
 qr/preg_replace\(\"\\x2f.+?\\x3d\"\);/is,
 qr/<\?php\s+\@ini_set\(.+?function wp_cd\(\$fd, \$fa=\"\"\).+?\$npDcheckClassBgp = \"([A-z0-9]{1,20})\";\s+\}\s+\?>/is,
+ qr/<\?php \/\* WARNING:.+?;eval\(base64_decode\(.+?\)\);return;\?>/is,
+ qr/<\?php\s+\@eval\(base64_decode\(.+?\)\);\s+\?>/is,
 );
 my @base64_decodes = (
diff --git a/malwaresh.pl b/malwaresh.pl
index 9a13da0..13e4568 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -1046,7 +1046,9 @@ my @regexen = (
 qr/<\?php eval\(chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(.+?\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\); \?>/is,
 qr/preg_replace\(\"\\x2f.+?\\x3d\"\);/is,
 qr/<\?php\s+\@ini_set\(.+?function wp_cd\(\$fd, \$fa=\"\"\).+?\$npDcheckClassBgp = \"([A-z0-9]{1,20})\";\s+\}\s+\?>/is,
-
+ qr/<\?php \/\* WARNING:.+?;eval\(base64_decode\(.+?\)\);return;\?>/is,
+ qr/<\?php\s+\@eval\(base64_decode\(.+?\)\);\s+\?>/is,
+
 );
 my @base64_decodes = (
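Review bot: Both added patterns use an unbounded `.+?` under `/s`, so a match can run across a closing `?>` and through unrelated PHP: the first spans everything from a `<?php /* WARNING:` comment to the next `;eval(base64_decode(` anywhere later in the file, and the second can stretch from `@eval(base64_decode(` to any later `));` that is followed by `?>`. How the `@regexen` entries are consumed is outside this hunk (the list starts above it), but if the matched span is what gets stripped from an infected file, that over-match would remove legitimate code, and on large files the repeated scan to end of file is slow. Consider bounding the wildcard to one PHP block, e.g. `qr/<\?php\s+\@eval\(base64_decode\((?:(?!\?>).)+?\)\);\s+\?>/is`, with the same `(?:(?!\?>).)+?` in the WARNING pattern, after checking it against the samples that motivated the change. The identical two lines are added to `malwaresh.pl` in the second hunk, so the same applies there; a single shared pattern list would keep the two copies from drifting.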