From cb715cfd4c43776529798df7dc2e18cda370ea1c Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Sun, 18 Mar 2018 12:40:25 +0100
Subject: [PATCH] new pattens

---
 malware4.pl | 7 +++++++
 scan.php | 7 +++++++
 2 files changed, 14 insertions(+)

diff --git a/malware4.pl b/malware4.pl
index fea097a..21237aa 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -415,6 +415,13 @@ my @regexen = (
 qr/<\?php\s+\$\{.+?\=\@unserialize\(decode\(get\_param.+?\]\}\;\}\s+\?>/is,
 qr/<\?php.+?define\(\'\_JEXEC\'\,\s+\'([A-z0-9]{100,}).+?<\/form>\'\;\s+\?>/is,
 qr/<\?php\s+\/\*\s+DO.+?class\s+ADODB\_Pager.+?\$pager\->render\_pagelinks\(\)\;/is,
+ qr/\#\!\/usr\/bin\/env\s+php\s+<\?php.+?private\s+function\s+extractFile\(\$info\).+?\_\_HALT\_COMPILER\(\)\;\s+\?>/is,
+ qr/<\?php\s+error\_reporting\(0\)\;\s+if\s+\(isset\(\$\_GET\[\"ping\"\]\)\s+and\s+\$\_GET\[\"ping\"\]\s+\=\=\s+\(\"ping\_host\"\)\)\s+\{.+?\}\s+else\s+\{\s+echo\s+\"false\"\;\s+\}\s+\}\s+\?>/is,
+ qr/RewriteEngine\s+on\s+RewriteCond\s+\%\{HTTP\_USER\_AGENT\}\s+android\s+\[NC\,OR\].+?RewriteRule\s+\^\(\.\*\)\$\s+http\:\/\/sswim\.ru\s+\[L\,R\=302\]/is,
+ qr/<\?php\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;.+?\$domain\s+\=\s+\'([A-z0-9]{1,20})\.liveupdates\.host\'\;.+?header\(\'Location\:\s+\'\.\$location\.\'\&\'\.\$([A-z0-9]{1,10})\,\s+TRUE\,\s+302\)\;\s+\}/is,
+ qr/include\s+\"\\x.+?php\"\;.+?eval\(base64\_decode\(.+?\)\)\;/is,
+ qr/<\?php\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\s+\{\s+\$([A-z0-9]{1,20})\=gzinflate\(base64\_decode\(\$([A-z0-9]{1,20})\)\)\;\s+for\(\$i\=0\;\$i/is,
+
diff --git a/scan.php b/scan.php
index 74629d1..668c62e 100644
--- a/scan.php
+++ b/scan.php
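Review bot: The character class `[A-z0-9]` in the liveupdates.host and gzinflate patterns is a range bug: `A-z` spans ASCII 65–122, so it also admits `[`, `\`, `]`, `^`, `` ` `` and (only by accident) `_`, which is a legitimate PHP identifier character the class evidently relies on for `\$([A-z0-9]{5,})`. The class that states the intent is `[A-Za-z0-9_]` (or `\w`, given no `/a` flag), and the same range appears in the pre-existing `_JEXEC` entry above the hunk. The last new entry stops mid-statement at `for\(\$i\=0\;\$i/is,` where every sibling runs to a closing `\?>` or `\}`; if the cut is deliberate to stay on the stable prefix of that dropper, a trailing `# deliberately truncated after the loop header` comment would save the next maintainer from "completing" it. Several of these entries chain three or more `.+?` segments under `/s`, which, if the caller runs them over whole slurped files, can backtrack heavily on large non-matching inputs — worth a comment or a size cap, though the call site is not visible here. The `@regexen` list begins and ends outside the hunk, and the hunk's trailing context lines are not visible on this page.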
@@ -34,6 +34,11 @@ set_time_limit(0);
 error_reporting(E_ALL);
 $pattern = array(
+ "if\(isset\(\$_REQUEST\[(.*)\{eval\((.*)\$_REQUEST\[(.*)exit",
+ "<\?php.*?if\(isset\(\$\_REQUEST\[.*?assert.*?exit.*?\?>",
+ "<\?php.*?if\(isset\(\$\_REQUEST\[.*?\"asse\"\.\"rt\".*?exit.*?\?>",
+ "<\?php.*?if.*?\(isset\(\$\_REQUEST\[.*?\"asse\"\.\"rt\".*?exit.*?\?>",
+ "<\?php.*?if.*?\(isset\(\$\_REQUEST\[.*?assert.*?exit.*?\?>",
 "^(.*)<\?php(.*)eval(\s*)\((\s*)base64_decode(\s*)\((\s*)(.*)\(\?><\?php\)*\n",
 "eval(\s*)\((.*)base64_decode(\s*)\(",
 "this.form.upload_file.disabled=false",
@@ -465,6 +470,8 @@ error_reporting(E_ALL);
 "<\?php)*\\\$md5\s*=\s*[\"|']\w+[\"|'];\s*\\\$wp_salt\s*=\s*[\w\(\),\"\'\;\$]+\s*\\\$wp_add_filter\s*=\s*create_function\(.*\);\s*\\\$wp_add_filter\(.*\);\s*(\?>",
 "<\?php.*?if\(isset\(\$\_REQUEST\[.*?assert.*?exit.*?\?>",
 "<\?php.*?if\(isset\(\$\_REQUEST\[.*?\"asse\"\.\"rt\".*?exit.*?\?>",
+ "<\?php.*?if.*?\(isset\(\$\_REQUEST\[.*?\"asse\"\.\"rt\".*?exit.*?\?>",
+ "<\?php.*?if.*?\(isset\(\$\_REQUEST\[.*?assert.*?exit.*?\?>",
 // hacker emails & socials
 "b0x\@hotmail\.com",
 "facebook\.com\/007mrspy",
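Review bot: Four of the five strings added at `@@ -34` are duplicates: the two `if\(isset` variants already sit in the array as the context lines of `@@ -465`, and the two `if.*?\(isset` variants are added a second time in that same hunk, so after this commit each of those four expressions is present twice. Presumably every entry is run against every scanned file, so the duplicates double the cost of those expressions for no extra coverage, and the looser `if.*?\(isset` forms already match everything the stricter `if\(isset` forms do, which makes the older pair redundant as well — keep one copy of each in one place. The first new entry, `"if\(isset\(\$_REQUEST\[(.*)\{eval\((.*)\$_REQUEST\[(.*)exit"`, uses greedy capturing `(.*)` where its siblings use `.*?`; the greedy form stretches to the last `exit` in the file and the captures are never used, so `"if\(isset\(\$_REQUEST\[.*?\{eval\(.*?\$_REQUEST\[.*?exit"` is both cheaper and consistent. The `$pattern = array(` literal opens in the first hunk and closes outside both hunks.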