From e60fa55f1f953c693e13f93f34153d37dc1f1fb6 Mon Sep 17 00:00:00 2001
From: Malin <malin@cenusa.me>
Date: Sun, 18 Dec 2016 11:46:09 +0100
Subject: [PATCH] Update 'malware3.pl'

---
 malware3.pl | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/malware3.pl b/malware3.pl
index b4af1ed..045193a 100644
--- a/malware3.pl
+++ b/malware3.pl
@@ -23,7 +23,7 @@ my @regexen = (
     qr/<\?php\s+function\s+([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\{\$([A-z0-9]{1,10})\s+\=\s+\'\'\;\s+for\(\$([A-z]{1,2})\=0\;\s+\$([A-z]{1,2})\s+\<\s+strlen\(\$([A-z0-9]{1,10})\)\;\s+\$([A-z]{1,2})\+\+\)\{\$([A-z0-9]{1,10})\s+\.\=\s+isset\(\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\]\)\s+\?\s+\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\]\s+\:\s+\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\;\}\s+\$([A-z0-9]{1,10})\=\"base64\_decode\"\;return\s+\$([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\)\;\}.+?\$([A-z]{1,2})\s+\=\s+\Array\(.+?eval\(([A-z0-9]{1,10})\(\$([A-z]{1,2})\,\s+\$([A-z]{1,2})\)\)\;\?>/is,
     qr/<\?php\s+\$([A-z0-9]{1,10})\=\'aWYoaXNzZXQoJF9SRVFVRVNUWydjb2NvJ10pICYmICRfUkVRVUVTVFsnY29jbyddIT0nJyl7ZXZhbCgkX1JFUVVFU1RbJ2NvY28nXSk7ZXhpdCgpO30\=\'\;eval\(base64\_decode\(\$([A-z0-9]{1,10})\)\)\;exit\(\)\;\s+\?>/is,
     qr/<script.+?G91825.+?<\/script>/is,
-    qr/<\?php\s+if\s+\(\!defined\(\'ALREADY\_RUN.+?\)\)\;\s+\}/is,
+    qr/<\?php.+?defined.+?ALREADY\_RUN.+?ALREADY\_RUN.+?\)\)\;\s+\}/is,
     qr/<\?php\s+echo\"trest\"\;error\_reporting\(0\)\;.+?val\(base64\_decode\(\$kk\)\)\;\s+echo\"abrval\"\;\s+\?>/is,
     qr/<\?php\s+\@preg\_replace\(\$\_SERVER\[\'HTTP\_X\_([A-z0-9]{1,10})\'\]\,\s+\$\_SERVER\[\'HTTP\_X\_CURRENT\'\]\,\s+\'\'\)\;\s+\?>/is,
     qr/<\?php\s+\/\*\*\s+\*\s+\@version.+?\$b64\s+\=\s+\"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\+\/\=\"\;.+?\$o3\s+\=\s+\$bits\s+\&\s+0xff\;.+?new\s+JApplication\(arrays+\(\'UID\'\s+\=>\s+\'.+?\'\)\)\;/is,
@@ -33,14 +33,8 @@ my @regexen = (
     qr/<\!DOCTYPE\s+html>\s+<html\s+lang\=\"en\-US\">\s+<head>.+?<link\s+rel\=\'dns\-prefetch\'\s+href\=\'\/\/blogg\.profsoffice\.se\'>.+?<div\s+id\=\"fb\-root\"><\/div>\s+<\/body>\s+<\/html><\/div>/is,
     qr/<\?php\s+\$arrId\s+\=\s+array\(.+?\)\;\s+\/\/file\s+end/is,
     qr/<html>\s+<head>\s+<title>\s+Dark\s+Shell.+?Rename\s+directory<\/a><\/td><\/tr>.+?\"\;\s+\}\s+\}\s+echo\s+\"<\/table>.+?\"\;\s+\?>/is,
-    qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\s+([A-z0-9]{1,10})\;\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\=Array\(\)\;global\$([A-z0-9]{1,10})\;\$([A-z0-9]{1,10})\=\$GLOBALS\;\$\{.+?\]\]\)\;\}exit\(\)\;\}\s+\?>/is,
-#    qr/<\?\s+\$ua\=\@\$\_SERVER\[\"HTTP\_USER\_AGENT\"\]\;\$row\=split\(\"\=\=\=\"\,\$ua\)\;echo\s+\"\->\|\"\;if\(\$row\[0\]\=\=\"k8\"\)\@eval\(\$row\[1\]\)\;echo\s+\"\|<\-\"\;\?>/is,
-    
+    qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\s+([A-z0-9]{1,10})\;\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\=Array\(\)\;global\$([A-z0-9]{1,10})\;\$([A-z0-9]{1,10})\=\$GLOBALS\;\$\{.+?\]\]\)\;\}exit\(\)\;\}\s+\?>/is,    
     qr/<\?php\s+if\(\@md5\(\$\_SERVER\[\'HTTP\_PATH\'\]\)\=\=\=\'([A-z0-9]{1,32})\'\)\{\s+\@extract\(\$\_REQUEST\)\;\s+\@die\(\$stime\(\$mtime\)\)\;\s+\}\s+\?>/is,
-# needs review    qr/<\?php\s+if\(\!empty\(\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s+\{\s+\$userAgents\s+\=\s+array\(\"Google\"\,\s+\"Slurp\"\,\s+\"MSNBot\"\,\s+\"ia\_archiver\"\,\s+\"Yandex\"\,\s+\"Rambler\"\)\;\s+if\(preg\_match\(\'\/\'\s+\.\s+implode\(\'\|\'\,\s+\$userAgents\)\s+\.\s+\'\/i\'\,\s+\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s+\{\s+header\(\'HTTP\/1\.0\s+404\s+Not\s+Found\'\)\;\s+exit\;\s+\}\s+\}.+?<input\s+type\=\"submit\"\s+value\=\"Sent\"\s+\/>\s+<\/form>\s+<\/body>\s+<\/html>\'\;/is,
-#    qr/<\?php\s+\/\/header\(\"Content\-Type\:\s+text\/html\;\s+charset\=utf\-8\"\)\;\s+\$config\_password\=\"yt\"\;\s+\$action\=\$\_REQUEST\[\'action\'\]\;\s+\$password\=\$\_REQUEST\[\'password\'\]\;\s+if\(\$password\!\=\$config\_password\).+?function\s+createFolder\(\$path\)\s+\{\s+if\s+\(\!file\_exists\(\$path\)\)\s+\{\s+createFolder\(dirname\(\$path\)\)\;\s+mkdir\(\$path\,\s+0777\)\;\}\s+\}\s+\?>/is,
-#    qr/<\?php\s+error\_reporting\(E\_ERROR\)\;\s+\$password\=\$\_REQUEST\[\'password\'\]\;\s+\$action\=\$\_REQUEST\[\'action\'\]\;\s+\$filename\=\$\_REQUEST\[\'filename\'\]\;\s+\$filepath\=\"\"\;\s+\$body\=stripslashes\(\$\_REQUEST\[\'body\'\]\)\;\s+if\(\$password\!\=\"abcdefgh\"\).+?echo\s+\"uploaded\"\;\s+\}\s+\?>/is,
-    
     qr/<div\s+style\=\"position\:\s+absolute\;\s+left\:\s+\-5000px\;\s+font\-size\:\s+0\.0\;\s+width\:\s+0\.0\;\s+height\:\s+1\.0\;\s+overflow\:\s+hidden\;\">.+?<\/a>.+?<\/div>/is,
     qr/<div\s+style\=\"position\:\s+absolute\;\s+left\:\s+\-5000px\;\s+font\-size\:\s+0\.0\;\s+width\:\s+0\.0\;\s+height\:\s+1\.0\;\s+overflow\:\s+hidden\;\">.+?rel\=dofollow>.+?<\/a><\/h2>.+?<\/div>/is,
     qr/<IfModule\s+mod\_rewrite\.c>\s+RewriteEngine\s+On\s+RewriteCond\s+\%\{HTTP\_USER\_AGENT\}\s+\(google\|yahoo\|msn\|aol\|bing\)\s+\[OR\]\s+RewriteCond\s+\%\{HTTP\_REFERER\}\s+\(google\|yahoo\|msn\|aol\|bing\)\s+RewriteRule\s+\^\.\*\$\s+index\.php\s+\[L\]\s+<\/IfModule>/is,