From dece0ba888ee4b36ea7626802b4bfe65a6945a54 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Sat, 2 Dec 2017 10:24:09 +0100
Subject: [PATCH] new pattern
---
 malware4.pl | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/malware4.pl b/malware4.pl
index 7118f7d..ea9cd92 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -198,8 +198,9 @@ my @regexen = (
 qr/<\?php\s+error\_reporting\(E\_ERROR.+?\$wp\_code\s+\=.+?\?>/is,
 qr/<\?php\s+\$s\_pass\s+\=\s+\"\"\;\s+eval\(\"\\\$x\=gzin\"\.\"flate\(base\"\.\"64\_de\"\.\"code\(.+?\)\)\;\"\)\;eval\(\"\?>\"\.\$x\)\;\s+\?>/is,
 qr/<\?php\s+\$([A-z0-9]{1,20})\=\"cr\"\.\"eat\"\.\"e\_fun\"\.\"cti\"\.\"on\"\;\$([A-z0-9]{1,20})\=\@\$([A-z0-9]{1,20})\(\'\$([A-z0-9]{1,20})\'\,\'ev\'\.\'al\'\.\'\(\"\?>\"\.gz\'\.\'inf\'\.\'late\'\.\'\(\s+bas\'\.\'e64\'\.\'\_de\'\.\'co\'\.\'de\(\$([A-z0-9]{1,20})\)\)\)\;\'\)\;\@\$([A-z0-9]{1,20}).+?\)\;/is,
- qr/<\?php\s+\$m\=\\\'bas\\\'\.chr\(101\)\.\\\'64\_d\\\'\.chr\(101\)\.\\\'cod\\\'\.chr\(101\)\;\$m\=\$m\(\$\_POST\[\\\'s\\\'\]\)\;file\_put\_contents\(\\\'a\\\'\,\\\'<\?php\s+\\\'\.\$m\)\;include\(\\\'a\\\'\)\;unlink\(\\\'a\\\'\)\;/is,
-
+# qr/<\?php.+?bas._?64\_d.+?cod.+?POST\[.+?file\_put\_contents.+?include\(.+?unlink\(.+?\'\)\;/is,
+ qr/<\?php\s+\@eval\(\$\_POST\[\".+?\"\]\)\;\?>/is,
+
 );
 my @base64_decodes = (
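Review bot: The exact signature for the base64 / `file_put_contents` / `include` / `unlink` dropper is deleted while its generalized replacement is added commented out, so no active pattern in this hunk matches that sample any more. Either keep the removed `qr/<\?php\s+\$m\=.../is` line until the generic form is enabled, or add a comment above the disabled line saying why it is off. If it was disabled for matching too much, its chained unbounded `.+?` runs under `/s` are the likely cause and could be bounded, for example with `.{1,200}?`. The new eval signature only matches a double-quoted key followed directly by `;?>`, so `qr/<\?php\s+\@?eval\(\s*\$\_POST\[\s*[\"\'][^\"\']+[\"\']\s*\]\s*\)\s*\;\s*\?>/is` would also cover single quotes and optional whitespace while stopping the key at the first quote. The `@regexen` list starts before this hunk, and how a match is acted on (report or strip) is not visible here, so the over-matching concern is an inference.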