From e6de003b6eb3f6f0122fdb008806fb43169e3fbb Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD <malin@cenusa.me>
Date: Mon, 23 Apr 2018 06:51:01 +0200
Subject: [PATCH] new patterns

---
 cms-ver.php       |  3 ++-
 malware5.pl       | 10 +++++++++-
 malwaresh.pl      |  9 ++++++++-
 patterns/swag.txt |  3 +++
 4 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/cms-ver.php b/cms-ver.php
index 10739c2..b431e96 100644
--- a/cms-ver.php
+++ b/cms-ver.php
@@ -14,7 +14,7 @@ $versions = array(
     array("PHPlist", "/admin/connect.php", "define(\"VERSION\","),    
     array("RoundCube", "/program/include/iniset.php", "define('RCMAIL_VERSION',"),
     array("Squirrel Mail", "/functions/strings.php", "\$version ="),
-    array("Dede CMS<", "/config_base.php", "\$cfg_soft_enname\|\$cfg_version"),
+    array("Dede CMS", "/config_base.php", "\$cfg_soft_enname\|\$cfg_version"),
     array("Sugar CRM", "/sugar_version.php", "\$sugar_version"),
     array("XOOPS", "/version.php", "XOOPS_VERSION"),
     array("Concrete5", "/config/concrete.php", "version_installed"),
@@ -132,6 +132,7 @@ $versions = array(
     array("Dokeos", "main/inc/installedVersion.inc.php", "\$dokeos_version"),
     array("CakePHP","cake/config/config.php","\$config['Cake.version'] ="),
     array("phpFormGenerator", "/fields.php", "<title>phpFormGenerator v"), // does not escape correctly
+    array("ZenPhoto", "/zp-core/functions.php", "define('ZENPHOTO_VERSION',"),
 
 // still need to work on these
     array("CubeCart", "/index.php", "CubeCart v"), // may need one more line
diff --git a/malware5.pl b/malware5.pl
index d492829..ac2ae30 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -272,7 +272,15 @@ my @regexen = (
     qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\,\$([A-z0-9]{1,20})\(null\,\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\).+?\'\;/is,
     qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\;if\(\!\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\/\*\'\.\s+\'\)\*\/\$([A-z0-9]{1,20})\)\)\,\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\(.+?\'\;/is,
     qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\..+?\'\;/is,
-    
+    qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?die\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(false\,\/\*.+?\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\).+?\'\;/is,
+    qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\'\.\/\*([A-z0-9]{1,20})\'\.\s+\'\?\*\/([A-z0-9]{1,20})\.\'.+?\*\/\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\(\$.+?\(false\,\/\*([A-z0-9]{1,20})\'\.\s+\'([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\;.+?\'\;/is,
+    qr/<\?php\s+\$([A-z0-9]{1,20})\=\'.+?\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\)\)\=\=\$([A-z0-9]{1,20})\.\/\*([A-z0-9]{1,20})\'\..+?\$([A-z0-9]{1,20})\(false\,\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\;.+?\'\;/is,
+    qr/<\?php\s+\$([A-z0-9]{1,20})\=\'\([A-z0-9]{1,20})\'.+?\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,array\(\$([A-z0-9]{1,20})\,\/\*([A-z0-9]{1,20})\'\.\s+\'([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\,\$([A-z0-9]{1,20})\)\)\;.+?\'\;/is,
+    qr/<\?php\s+\$([A-z0-9]{1,20})\_([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\*\/\$([A-z0-9]{1,20})\)\)\,\$([A-z0-9]{1,20})\)\)exit\;\$([A-z0-9]{1,20})\(\$.+?array\(\(\'.+?\'\;/is,
+    qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\W.+?\*\/\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20}).+?\'\@\@\@\@.+?\)\;if\(\!\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\,\/\*\'\..+?\'\;/is,
+    qr/<\?php\s+\$key\=\"([A-z0-9]{32})\"\;\s+if\(md5\(\$\_COOKIE\[\"key\"\]\)\s+\=\=\s+\$key\)\s+\{\s+eval\s+\(\s+base64\_decode\s+\(\$\_POST\[\"code\"\]\)\)\;\s+\}\s+\?>/is,
+    qr/<\?php\s+if\s+\(isset\(\$\_POST\[.+?urldecode\(\$\_SERVER\[\'QUERY\_STRING\'\]\)\;.+?\$email\s+\=\s+\@base64\_decode\(\$.+?return\s+jk\_\_\_\(\$url\)\;\s+\}\s+\}\s+\}/is,
+
 
 }/is,
 
diff --git a/malwaresh.pl b/malwaresh.pl
index e7ee921..fe9ccfb 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -752,7 +752,14 @@ my @regexen = (
     qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\,\$([A-z0-9]{1,20})\(null\,\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\).+?\'\;/is,
     qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\;if\(\!\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\/\*\'\.\s+\'\)\*\/\$([A-z0-9]{1,20})\)\)\,\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\(.+?\'\;/is,
     qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\..+?\'\;/is,
-    
+    qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?die\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(false\,\/\*.+?\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\).+?\'\;/is,
+    qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\'\.\/\*([A-z0-9]{1,20})\'\.\s+\'\?\*\/([A-z0-9]{1,20})\.\'.+?\*\/\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\(\$.+?\(false\,\/\*([A-z0-9]{1,20})\'\.\s+\'([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\;.+?\'\;/is,
+    qr/<\?php\s+\$([A-z0-9]{1,20})\=\'.+?\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\)\)\=\=\$([A-z0-9]{1,20})\.\/\*([A-z0-9]{1,20})\'\..+?\$([A-z0-9]{1,20})\(false\,\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\;.+?\'\;/is,
+    qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,array\(\$([A-z0-9]{1,20})\,\/\*([A-z0-9]{1,20})\'\.\s+\'([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\,\$([A-z0-9]{1,20})\)\)\;.+?\'\;/is,
+    qr/<\?php\s+\$([A-z0-9]{1,20})\_([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\*\/\$([A-z0-9]{1,20})\)\)\,\$([A-z0-9]{1,20})\)\)exit\;\$([A-z0-9]{1,20})\(\$.+?array\(\(\'.+?\'\;/is,
+    qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\W.+?\*\/\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20}).+?\'\@\@\@\@.+?\)\;if\(\!\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\,\/\*\'\..+?\'\;/is,
+    qr/<\?php\s+\$key\=\"([A-z0-9]{32})\"\;\s+if\(md5\(\$\_COOKIE\[\"key\"\]\)\s+\=\=\s+\$key\)\s+\{\s+eval\s+\(\s+base64\_decode\s+\(\$\_POST\[\"code\"\]\)\)\;\s+\}\s+\?>/is,
+    qr/<\?php\s+if\s+\(isset\(\$\_POST\[.+?urldecode\(\$\_SERVER\[\'QUERY\_STRING\'\]\)\;.+?\$email\s+\=\s+\@base64\_decode\(\$.+?return\s+jk\_\_\_\(\$url\)\;\s+\}\s+\}\s+\}/is,
 
 );
 
diff --git a/patterns/swag.txt b/patterns/swag.txt
index 515d275..85d694a 100644
--- a/patterns/swag.txt
+++ b/patterns/swag.txt
@@ -1 +1,4 @@
 United Bangladeshi Hackers
+ubhteam.org
+Prappo Prince
+prappo-prince.me