From e47776c7cfb9ec0a58dc399b57858cc4329e93c1 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD <malin@cenusa.me>
Date: Fri, 14 Jul 2017 14:35:49 +0200
Subject: [PATCH] fixed pattern again

---
 malware4.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/malware4.pl b/malware4.pl
index c55a1e3..14b72c3 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -129,7 +129,7 @@ my @regexen = (
     qr/<\?php\s+\@\'\$.+?x7\=http\:\/\/.+?\.php\s+cache=.+?\(\)\;\Z/is,
     qr/<\?php\s+set\_magic\_quotes\_runtime\(0\)\;\s+if\(strtolower\(substr\(PHP\_OS\,0\,3\)\).+?Command\s+completed<\/b><\/center>\"\;\s+\}\s+exit\;\s+\?>/is,
     qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;exit\;\/\*([A-z0-9]{1,20})\*\/\}.+?\"\)\{return\s+preg\_match\(\"\/\(google\.co\.jp\|yahoo\.co\.jp\|bing\)\/.+?return\s+\$([A-z0-9]{1,20})\;\}\Z/is,
-    qr/<\?if\(\$\_GET\[\'mod\'\]\)\{if\(\$\_GET\[.+?file\_get\_contents\(\'http\:\/\/.+?gethostbyname.+?dbl\.spamhaus\.org\'\)\;.+?header\(\'HTTP\/1\.1\s+301\s+Moved\s+Permanently\'\)\;header\(\'Location\:\s+http\:\/\/([A-z0-9]{1,20})\.([A-z0-9]{1,20})\'\)\;\s+\?>/is,
+    qr/<\?if\(\$\_GET\[\'mod\'\]\)\{if\(\$\_GET\[.+?file\_get\_contents\(\'http\:\/\/.+?gethostbyname.+?dbl\.spamhaus\.org\'\)\;.+?\?>/is,