From de9c8f05811af6ac80e2bce45b50b38360f663f3 Mon Sep 17 00:00:00 2001
From: root
Date: Sat, 27 Jul 2019 11:05:38 +0200
Subject: [PATCH] new patterns
---
 malware.pl | 7 ++++++-
 malwaresh.pl | 5 +++++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/malware.pl b/malware.pl
index f63e9c3..c1f43e1 100644
--- a/malware.pl
+++ b/malware.pl
@@ -1434,7 +1434,12 @@ my @regexen = (
 qr/<\?php\s+\$c0000101101.+?\$c00100.+?\);\s+\?>/is,
 qr/<\?php \$([A-z0-9_]{1,20}) = \'gz\'\. \'un\'\. \'co\'\. \'mp\'\. \'re\'\. \'ss\';\$([A-z0-9_]{1,20}) = \'ba\' \.\'se\' \.\'64\' \.\'_d\' \.\'ec\' \.\'od\' \.\'e\';\$([A-z0-9_]{1,20}) = \'imp\' \.\'lod\' \.\'e\';\$([A-z0-9_]{1,20}) = array\(.+?\); eval\( \$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\'\'\,\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
 qr/<\?php \$([A-z0-9_]{1,20}) = array\(\'.+?array\(\'b\' \,\'a\' \,\'s\' \,\'e\' \,\'6\' \,\'4\' \,\'\_\' \,\'d\' \,\'e\' \,\'c\' \,\'o\' \,\'d\' \,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gzun\'\, \'comp\'\, \'ress\'\) ;\$([A-z0-9_]{1,20}) = \'im\'\.chr\(112\)\.\'l\'\.chr\(111\)\.\'\'\.chr\(100\)\.\'e\' ; \$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'\'\, \$([A-z0-9_]{1,20})\); \$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'\'\, \$([A-z0-9_]{1,20})\); eval \( \$([A-z0-9_]{1,20})\( \$([A-z0-9_]{1,20})\( \$([A-z0-9_]{1,20})\( \'\'\, \$([A-z0-9_]{1,20}) \) \) \) \) ; \?>/is,
-
+ qr/<\?php if\/\*([A-z0-9_]{1,20})\*\/\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\/\*([A-z0-9_]{1,20})\*\/eval\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\/\*([A-z0-9_]{1,20})\*\/;exit;\}\?>/is,
+ qr/<\?php \/\*([A-z0-9_]{1,20})\*\/if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\/\*([A-z0-9_]{1,20})\*\/\{\/\*([A-z0-9_]{1,20})\*\/\$([A-z0-9_]{1,20})\/\*([A-z0-9_]{1,20})\*\/\=\/\*([A-z0-9_]{1,20})\*\/\"asser\"\.\"t\";\$([A-z0-9_]{1,20})=\$k\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\/\*([A-z0-9_]{1,20})\*\/;\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is,
+ qr/<\?php \/\*([A-z0-9_]{1,20})\*\/if\/\*([A-z0-9_]{1,20})\*\/\(isset\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\)\)\{\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\);exit;\}/is,
+ qr/<\?php 
\/\*([A-z0-9_]{1,20})\*\/if\/\*([A-z0-9_]{1,20})\*\/\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{eval\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\/\*([A-z0-9_]{1,20})\*\/;\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is,
+ qr/<\?php if \(isset\(\$\{\"_REQUE\"\.\"ST\"\}\[\'([A-z0-9_]{1,20})\'\]\)\)\{\$([A-z0-9_]{1,20})=\"assert\";\$([A-z0-9_]{1,20})\(\$\{\"_REQUEST\"\}\[\'([A-z0-9_]{1,20})\'\]\);exit;\}/is,
+
 );
 my @base64_decodes = (
diff --git a/malwaresh.pl b/malwaresh.pl
index dc9769f..facb10a 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
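Review bot: The second added pattern hard-codes the call site as `=\$k\(`, while the variable that is assigned `\"asser\"\.\"t\"` a few tokens earlier is captured generically as `\$([A-z0-9_]{1,20})`, so a sample that merely renames `$k` is missed; tie the two together with a backreference, `=\$\5\(` (that variable is the fifth group), or at least use the same generic capture the neighbouring patterns use. All five new patterns, like the existing ones above them, spell the identifier class as `[A-z0-9_]`, a range that also covers `[`, `\`, `]`, `^` and `` ` `` (ASCII 91–96); `[A-Za-z0-9_]` says what is meant, and if none of these captures is read elsewhere the groups could be `(?:…)` so the numbering no longer matters. The fourth added pattern appears to break after `<\?php ` — if that newline is really in the source rather than a wrapping artifact, the pattern requires a literal newline where the third pattern accepts a single space, which is worth confirming against the sample it was written from. The same five lines are added to malwaresh.pl in the next hunk, so whatever is changed here has to be mirrored there.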
@@ -1444,6 +1444,11 @@ my @regexen = (
 qr/<\?php\s+\$c0000101101.+?\$c00100.+?\);\s+\?>/is,
 qr/<\?php \$([A-z0-9_]{1,20}) = \'gz\'\. \'un\'\. \'co\'\. \'mp\'\. \'re\'\. \'ss\';\$([A-z0-9_]{1,20}) = \'ba\' \.\'se\' \.\'64\' \.\'_d\' \.\'ec\' \.\'od\' \.\'e\';\$([A-z0-9_]{1,20}) = \'imp\' \.\'lod\' \.\'e\';\$([A-z0-9_]{1,20}) = array\(.+?\); eval\( \$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\'\'\,\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
 qr/<\?php \$([A-z0-9_]{1,20}) = array\(\'.+?array\(\'b\' \,\'a\' \,\'s\' \,\'e\' \,\'6\' \,\'4\' \,\'\_\' \,\'d\' \,\'e\' \,\'c\' \,\'o\' \,\'d\' \,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gzun\'\, \'comp\'\, \'ress\'\) ;\$([A-z0-9_]{1,20}) = \'im\'\.chr\(112\)\.\'l\'\.chr\(111\)\.\'\'\.chr\(100\)\.\'e\' ; \$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'\'\, \$([A-z0-9_]{1,20})\); \$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'\'\, \$([A-z0-9_]{1,20})\); eval \( \$([A-z0-9_]{1,20})\( \$([A-z0-9_]{1,20})\( \$([A-z0-9_]{1,20})\( \'\'\, \$([A-z0-9_]{1,20}) \) \) \) \) ; \?>/is,
+ qr/<\?php if\/\*([A-z0-9_]{1,20})\*\/\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\/\*([A-z0-9_]{1,20})\*\/eval\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\/\*([A-z0-9_]{1,20})\*\/;exit;\}\?>/is,
+ qr/<\?php \/\*([A-z0-9_]{1,20})\*\/if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\/\*([A-z0-9_]{1,20})\*\/\{\/\*([A-z0-9_]{1,20})\*\/\$([A-z0-9_]{1,20})\/\*([A-z0-9_]{1,20})\*\/\=\/\*([A-z0-9_]{1,20})\*\/\"asser\"\.\"t\";\$([A-z0-9_]{1,20})=\$k\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\/\*([A-z0-9_]{1,20})\*\/;\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is,
+ qr/<\?php \/\*([A-z0-9_]{1,20})\*\/if\/\*([A-z0-9_]{1,20})\*\/\(isset\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\)\)\{\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\);exit;\}/is,
+ qr/<\?php 
\/\*([A-z0-9_]{1,20})\*\/if\/\*([A-z0-9_]{1,20})\*\/\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{eval\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\/\*([A-z0-9_]{1,20})\*\/;\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is,
+ qr/<\?php if \(isset\(\$\{\"_REQUE\"\.\"ST\"\}\[\'([A-z0-9_]{1,20})\'\]\)\)\{\$([A-z0-9_]{1,20})=\"assert\";\$([A-z0-9_]{1,20})\(\$\{\"_REQUEST\"\}\[\'([A-z0-9_]{1,20})\'\]\);exit;\}/is,