From ca48c697b8cb9c7e5879bc931e4564b1bf53b7ee Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD <malin@cenusa.me>
Date: Wed, 21 Mar 2018 18:53:03 +0100
Subject: [PATCH] new patterns

---
 malware4.pl | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/malware4.pl b/malware4.pl
index d1212ae..0522768 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -436,7 +436,8 @@ my @regexen = (
     qr/<\?php\s+array\_map\(\"ass.+?rt\"\,\(array\)\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\?>/is,
     qr/<\?php\s+\@eval\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\?>/is,
     qr/<\?php\s+\/\/header\(\'Content\-Type\:text\/html\;\s+charset\=utf\-8\'\)\;\s+\$.+?\=urldecode\(.+?\)\;exit\(\)\;\}\}.+?\]\(\)\;\?>/is,
-    
+    qr/<\?php\s+function\s+selfURL\(.+?function\s+myshellexec\(\$cmd\).+?\$proxy\_shit\=.+?c79shexit\(\)\;\s+\?>/is,
+    qr/<\?\s+if\s+\(isset\(\$\_POST\[\'action\'\]\).+?if\s+\(\$action\=\=\"send\"\).+?print\s+\"\-\=ok\=\-\"\;\s+\}\s+\?>/is,
 
 
 );