From cda765f2c42e21b5057017e0486d56e44e7d6508 Mon Sep 17 00:00:00 2001 From: Palma Solutions LTD Date: Thu, 3 May 2018 07:06:34 +0200 Subject: [PATCH] new patterns --- malware5.pl | 6 ++++++ malwaresh.pl | 8 +++++++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/malware5.pl b/malware5.pl index 7fc9e55..5128039 100644 --- a/malware5.pl +++ b/malware5.pl @@ -20,6 +20,7 @@ our $q = CGI->new; print "Content-type: text/html\n\n"; my @regexen = ( + qr/<\?php\s+\/\/header\(\'Content\-Type\:text\/html\;.+?\=array\(.+?\=urldecode\(.+?\)\;exit\(\)\;\}\'\)\;\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}.+?\]\(\)\;\?>/is, qr/<\?php.+?\$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}.+?\?>/is, qr/<\?php\s+\$\{\"\\x.+?\$\{\"G\\x.+?\$\{\"\\x.+?\$\{\$\{\"G\\x.+?\}\;\}\s+\?>/is, qr/<\?php\s+\/\*\s+Plugin\s+Name\:\s+antisp.+?add\_filter\(\'all\_plugins\'\,\s+\'ANTISP\_hide\'\)\;/is, @@ -382,6 +383,11 @@ my @regexen = ( qr/\*\/if\(\@isset\(\$\_SERVER\[HTTP\_25F0C\]\)\)\{\@eval\(base64\_decode\(\$\_SERVER\[HTTP\_25F0C\]\)\)\;\}\/\*/is, qr/<\?php\s+\$.+?\'str\'\.\'rev\'\;\$.+?array\(.+?eval\(.+?\?>/is, qr/<\?php\s+\$.+?\'gzun\'\.\s+\'comp\'\.\s+\'ress\'\;\$.+?\'ba\'\s+\.\'se\'\s+\.\'64\'\s+\.\'\_d\'\s+\.\'ec\'\s+\.\'od\'\s+\.\'e\'\;\$.+?\'im\'\s+\.\'pl\'\s+\.\'od\'\s+\.\'e\'\;\$.+?array\(.+?eval\(.+?\?>/is, + qr/<\?php.+?if\(\!function\_exists\(.+?\)\)\;\?>\'\)\)\;\s+\?>
\s+
\Z/is, + qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\\x66lat\\x65\(b\"\.chr\(97\)\.\"se64\"\.chr\(95\)\.\"\"\.chr\(100\)\..+?\"([0-9]{1,20})\"\);/is, + qr/<\?php.+?Leaf\s+PHP\s+Mailer.+?leafmailer\.pw.+?print\s+\'<\/body>\'\;\s+\?>/is, + qr/.+?pornstar.+?gay.+?www\..+?<\/h1><\/a>.+?<\/u>/is, + ); diff --git a/malwaresh.pl b/malwaresh.pl index 84c96c0..cc1ba6b 100644 --- a/malwaresh.pl +++ b/malwaresh.pl @@ -26,6 +26,7 @@ print "Content-type: text/html\n\n"; my $user = $ARGV[0]; my @regexen = ( + qr/<\?php\s+\/\/header\(\'Content\-Type\:text\/html\;.+?\=array\(.+?\=urldecode\(.+?\)\;exit\(\)\;\}\'\)\;\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}.+?\]\(\)\;\?>/is, qr/<\?php.+?\$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}.+?\?>/is, qr/<\?php\s+\$\{\"\\x.+?\$\{\"G\\x.+?\$\{\"\\x.+?\$\{\$\{\"G\\x.+?\}\;\}\s+\?>/is, qr/<\?php\s+\/\*\s+Plugin\s+Name\:\s+antisp.+?add\_filter\(\'all\_plugins\'\,\s+\'ANTISP\_hide\'\)\;/is, @@ -865,7 +866,12 @@ my @regexen = ( qr/\*\/if\(\@isset\(\$\_SERVER\[HTTP\_25F0C\]\)\)\{\@eval\(base64\_decode\(\$\_SERVER\[HTTP\_25F0C\]\)\)\;\}\/\*/is, qr/<\?php\s+\$.+?\'str\'\.\'rev\'\;\$.+?array\(.+?eval\(.+?\?>/is, qr/<\?php\s+\$.+?\'gzun\'\.\s+\'comp\'\.\s+\'ress\'\;\$.+?\'ba\'\s+\.\'se\'\s+\.\'64\'\s+\.\'\_d\'\s+\.\'ec\'\s+\.\'od\'\s+\.\'e\'\;\$.+?\'im\'\s+\.\'pl\'\s+\.\'od\'\s+\.\'e\'\;\$.+?array\(.+?eval\(.+?\?>/is, - + qr/<\?php.+?if\(\!function\_exists\(.+?\)\)\;\?>\'\)\)\;\s+\?>
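Review bot: In the second malware5.pl hunk, the added signature `\$([A-z0-9]{1,20})` uses the range `A-z`, which in ASCII also covers `[`, `\`, `]`, `^`, `_` and the backtick, so the class accepts more than the identifier characters it appears to target. If a PHP variable name is meant, `\$([A-Za-z0-9_]{1,20})` states that exactly and still allows the underscore. The identical line is added in the second malwaresh.pl hunk and needs the same correction. Whether the two capture groups are read anywhere is not visible in this patch; if they are not, non-capturing `(?:...)` groups would make that clear.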
\s+
\Z/is, + qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\\x66lat\\x65\(b\"\.chr\(97\)\.\"se64\"\.chr\(95\)\.\"\"\.chr\(100\)\..+?\"([0-9]{1,20})\"\);/is, + qr/<\?php.+?Leaf\s+PHP\s+Mailer.+?leafmailer\.pw.+?print\s+\'<\/body>\'\;\s+\?>/is, + qr/.+?pornstar.+?gay.+?www\..+?<\/h1><\/a>.+?<\/u>/is, + + ); my @base64_decodes = (
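Review bot: The added `qr/.+?pornstar.+?gay.+?www\..+?<\/h1><\/a>.+?<\/u>/is` in the last malwaresh.pl hunk (the same line is added in the second malware5.pl hunk) has no `<\?php` or other structural anchor, so under `/s` it matches any file where those common words and tags occur in that order, however far apart. That makes false positives on legitimate content likely, and the leading `.+?` only adds backtracking work without narrowing the match. What the scripts do with a hit is outside these hunks, but if matched text is removed or the file is quarantined, a loose signature makes wrong hits more costly. I would drop the leading `.+?` and anchor on a marker specific to the injected block. I would also add a `#` comment above each new signature naming the sample it was derived from, so it can be re-tested later.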