From c827071819c961823e58fde9e1e11db51310a9ce Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Thu, 24 May 2018 12:56:20 +0200
Subject: [PATCH] new patterns
---
 malware6.pl | 9 +++++++++
 malwaresh.pl | 8 ++++++++
 2 files changed, 17 insertions(+)
diff --git a/malware6.pl b/malware6.pl
index 166f396..d7ce2e5 100644
--- a/malware6.pl
+++ b/malware6.pl
@@ -65,6 +65,15 @@ my @regexen = (
 qr/<\?php\s+\@eval\(base64_decode\(.+?\)\);\s+\?>/is,
 qr/([A-z0-9]{1,20}) <\?php\s+if\(\@md5\(\$_POST\[\"gif\"\]\) === \"([A-z0-9]{20,})\"\) \{\s+eval \(base64_decode\(\$_POST\[\"php\"\]\)\);\s+exit;\s+\}\s+\?>/is,
 qr/<\?eval\(stripslashes\(array_pop\(\$_POST\)\)\)\?>/is,
+ qr/<\?php.+?function writerss\(\$name,\$text\) \{ echo \"<\"\.base64_encode\(\$name\)\.\">\"\.base64_encode\(\$text\)\.\"<\/\"\.base64_encode\(\$name\)\.\">\\n\"; \}.+?<\/output><\/channel><\/rss>\";\s+\?>/is,
+ qr/<\?php echo base64_decode\(.+?\@include\(\"http\:\/\/.+?\); \?>/is,
+ qr/<\?\s+require\(\"\.\.\/includes\/configure\.php\"\);.+?echo \"WORK\";.+?mysql_close\(\$link\);\s+unlink\(\"([A-z0-9]{1,20})\.php\"\);\s+\?>/is,
+ qr/<\?php include\(\"http:\/\/.+?\"\); \?>/is,
+ qr/<\?php\s+if\(isset\(\$_POST\[\'code\'\]\)\) \{\s+if \(\$_POST\[\'code\'\]\!=\"\"\) \{\s+eval\(stripslashes\(\$_POST\[code\]\)\);\s+exit;\s+\}\s+\}\s+echo \"([A-z0-9]{1,20})\";\s+\?>/is,
+ qr/<\?php \@passthru\(\"cd \/tmp;wget http:\/\/.+?\); \?>/is,
+ qr/<\?php \$x\w\w=\"\\x65.+?\);if\(isset\(\$_POST\[.+?\}else\{\@\$x\w\w\(\$_POST\[.+?\]\);\}\?>/is,
+
+
 );
diff --git a/malwaresh.pl b/malwaresh.pl
index bf89ff2..81688f5 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -1050,6 +1050,14 @@ my @regexen = (
 qr/<\?php\s+\@eval\(base64_decode\(.+?\)\);\s+\?>/is,
 qr/([A-z0-9]{1,20}) <\?php\s+if\(\@md5\(\$_POST\[\"gif\"\]\) === \"([A-z0-9]{20,})\"\) \{\s+eval \(base64_decode\(\$_POST\[\"php\"\]\)\);\s+exit;\s+\}\s+\?>/is,
 qr/<\?eval\(stripslashes\(array_pop\(\$_POST\)\)\)\?>/is,
+ qr/<\?php.+?function writerss\(\$name,\$text\) \{ echo \"<\"\.base64_encode\(\$name\)\.\">\"\.base64_encode\(\$text\)\.\"<\/\"\.base64_encode\(\$name\)\.\">\\n\"; \}.+?<\/output><\/channel><\/rss>\";\s+\?>/is,
+ qr/<\?php echo base64_decode\(.+?\@include\(\"http\:\/\/.+?\); \?>/is,
+ qr/<\?\s+require\(\"\.\.\/includes\/configure\.php\"\);.+?echo \"WORK\";.+?mysql_close\(\$link\);\s+unlink\(\"([A-z0-9]{1,20})\.php\"\);\s+\?>/is,
+ qr/<\?php include\(\"http:\/\/.+?\"\); \?>/is,
+ qr/<\?php\s+if\(isset\(\$_POST\[\'code\'\]\)\) \{\s+if \(\$_POST\[\'code\'\]\!=\"\"\) \{\s+eval\(stripslashes\(\$_POST\[code\]\)\);\s+exit;\s+\}\s+\}\s+echo \"([A-z0-9]{1,20})\";\s+\?>/is,
+ qr/<\?php \@passthru\(\"cd \/tmp;wget http:\/\/.+?\); \?>/is,
+ qr/<\?php \$x\w\w=\"\\x65.+?\);if\(isset\(\$_POST\[.+?\}else\{\@\$x\w\w\(\$_POST\[.+?\]\);\}\?>/is,
+
 );
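Review bot: The `[A-z0-9]` class in the new `unlink\(\"([A-z0-9]{1,20})\.php\"\)` and `echo \"([A-z0-9]{1,20})\"` captures spans the ASCII range from `A` to `z`, which also admits `[`, `\`, `]`, `^`, `_` and the backtick, so the intended alphanumeric class should be `[A-Za-z0-9]` (the three context lines carry the same range, so correcting it there too keeps the list consistent). The `.+?` runs under `/s` in `<\?php.+?function writerss`, `base64_decode\(.+?\@include` and the `require\(...\);.+?echo \"WORK\";.+?mysql_close` line are bounded only by the literal that follows, so on a large scanned file each `<?php` occurrence can drive a scan to end of input; a negated class or a bounded lazy quantifier such as `.{1,N}?` with a sensible N would cap the cost per attempt. The same seven patterns are added verbatim to malware6.pl, so the two signature lists are now maintained by hand in parallel and will drift; a shared module (or one pattern file loaded by both scripts) would remove the duplication. As a point of style, `m{...}` delimiters would drop the `\/` escaping throughout, and `http\:\/\/` on the second new line versus `http:\/\/` on the fourth shows the escaping is already inconsistent. The enclosing `my @regexen = (` list opens above this hunk.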