From c66ae8a1379643745611a78d3789c62e46835d73 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Sun, 22 Oct 2017 12:23:42 +0200
Subject: [PATCH] new patterns & fixes
---
 malware4.pl | 3 +++
 scan.php | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/malware4.pl b/malware4.pl
index 755b1d2..528c1be 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -186,6 +186,9 @@ my @regexen = (
 qr/<\?php\s+set\_time\_limit\(0\)\;\s+ignore\_user\_abort\(\)\;.+?echo\s+\$mail\.\"\s+\-\s+sending\s+ok.+?\}\s+\}\s+\?>/is,
 qr/\/\/installbg\s+\$rifilename\=\'\/home\/([A-z0-9]{1,20})\/public\_html\/.+?\'\;\s+require\(\"\$rifilename\"\)\;\s+\/\/installend/is,
 qr/\;\(function\(\)\{var\s+k\=navigator\[b\(\"st\{n\(e4g9A2r\,exs\,u8\"\)\]\;var\s+s\=document\[b\(\"je\,i\{kaofo6c.+?async\=true\;w\.src\=.+?length\-1\;v>\=0\;v\-\-\)\{n\+\=y\[v\]\;\}return\s+n\;\}\}\)\(\)\;/is,
+ qr/<\?php\s+\$user\_agent\_to\_filter\s+\=\s+array\(.+?if\(\@\$isbot\)\{.+?echo\s+\$result\;\s+\}\s+\?>/is,
+ qr/<\?php\s+\$key\s+\=\'([A-z0-9]{1,20})\'\;\s+\$key\s+\.\=.+?eval\(\$b\(\$new\)\)\;\s+\?>/is,
+ qr/<\?php\s+\/\*\s+\(c\)\s+2011\s+The\s+potion\s+hissed.+?\=base64\_decode\(.+?\=\@gzinflate\(strrev\(.+?\=create\_function\(.+?\}\s+\?>/is,
 );
 
 my @base64_decodes = (
diff --git a/scan.php b/scan.php
index 2226a60..15b6985 100644
--- a/scan.php
+++ b/scan.php
@@ -159,7 +159,7 @@ error_reporting(E_ALL);
 "fistik=PHVayv;",
 "Dark Shell",
 "CTT SHELL",
- "\/etc\/passwd",
+ /* "\/etc\/passwd", --too many false positives */
 "Chiave<\/td>Valore<\/td><\/tr>",
 "fonk_kap = get_cfg_var",
 "PHPSHELL_VERSION",
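Review bot: The character class `[A-z0-9]` in the new `$key` pattern is almost certainly meant to be alphanumeric, but the `A-z` range also spans the punctuation between `Z` and `a` (`[`, `\`, `]`, `^`, `_`, backtick), so the key capture accepts strings the sample it was written for does not contain; use `[A-Za-z0-9]{1,20}` (the same slip already exists in the `$rifilename` pattern in the context lines). The capture group is not used anywhere visible, so `(?:...)` would also make the intent clearer. Note too that all three new patterns chain several `.+?` under `/s`; if `@regexen` is applied to whole-file contents (not visible from this hunk), a file that contains the leading `<?php ...` literal but not the later ones makes each lazy quantifier scan to end of input, which can get slow on large scanned files — a bounded form such as `.{1,4000}?` between the literals would cap that. The `@regexen` list starts before this hunk.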
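Review bot: Commenting out the `\/etc\/passwd` entry drops the only visible signature for the common passwd-dumping shells instead of narrowing it; since the entries appear to be regex fragments (the `\/` and `<\/td>` escaping), a pattern that requires a read or include context next to the path would keep that coverage while dropping hits on innocent references to the file, e.g. `"(cat|file_get_contents|readfile|fopen|include)\s*\(?\s*['\"]\/etc\/passwd",`. How this list is consumed is not visible in the hunk, so confirm the entries are matched as regexes before adopting that form. If the entry is to stay disabled, the reason is better kept as a `//` comment on its own line above the removed string, so the rationale survives when the dead code inside the block comment is eventually deleted; the surrounding array starts and ends outside this hunk.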