From e822c2308f79dbb64c295a36a6886ed9cec25a74 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Sat, 2 Jun 2018 09:58:08 +0200
Subject: [PATCH] new patterns
---
 malware6.pl | 7 +++++++
 malwaresh.pl | 8 ++++++++
 2 files changed, 15 insertions(+)
diff --git a/malware6.pl b/malware6.pl
index 075cbe4..3cc19d6 100644
--- a/malware6.pl
+++ b/malware6.pl
@@ -141,6 +141,13 @@ my @regexen = (
 qr/<\?php\s+\$to\s+= stripslashes\(\$_POST\[\"to_address\"\]\);.+?\'error : \'\.\$result;\s+\}\s+\?>/is,
 qr/<\?php\s+echo \'good\';\s+echo \'\';\s+\?>/is,
 qr/<\?php mail\(\'.+?\', \'MIME-Version: 1\.0.+?\'\);class DeleteOnExit \{function __destruct\(\)\{unlink\(__FILE__\);\}\}\$g_delete_on_exit = new DeleteOnExit\(\);echo \'good\';\?>/is,
+ qr/<\?php if\(empty\(\$_GET\[\'ineedthispage\'\]\)\).+?\}function randStringfrpernames\(\).+?\}return\$([A-z0-9_]{1,30});\};\s+\?>/is,
+ qr/<\?php ini_set\(\'display_errors\',\"Off\"\);ignore_user_abort\(1\);\$.+?\)\{\$([A-z0-9_]{1,20})=gzcompress\(base64_encode\(urlencode\(\$([A-z0-9_]{1,20})\)\),\d\);return urlencode\(\$([A-z0-9_]{1,20})\);\};\?>/is,
+ qr/<\?php \/\* ([A-z0-9_]{10,}) \*\/ \?><\?php\s+error_reporting\(E_ALL\);\$DOMAIN_FNAME1_([A-z0-9_]{1,10})=\'\.SIc7CYwgY\';\$DOMAIN_FNAME2_([A-z0-9_]{1,10})=\'\/var\/tmp\/\.SIc7CYwgY\';if\(isset\(\$_POST\[.+?\$str=enc\(\$str\);fwrite\(\$file,\$str\);fclose\(\$file\);\}\?>\s+<\?php \/\* ([A-z0-9_]{10,}) \*\/ \?>/is,
+ qr/<\?php preg_replace\(\"\/\.\*\/e\",\"eval\(gzinflate\(base64_decode\(.+?\)\)\);\",\"\.\"\);exit;\?>/is,
+ qr/<\?php.+?\$url = \".+?\";\s+\}\s+header\(\"Location: http:\/\/\$url\"\);\s+echo \"\\n\";\s+echo \"<\/head><\/html>\";\s+\?>/is,
+ qr/\s+\s+\"\);\s+<\/script>\s+\s+

Loading\.\.\.<\/h1>\s+<\/body>\s+<\/html>/is,
+ qr/<\?php\s+header\(\"Location: http:\/\/.+?\"\);\s+die\(\);\s+\?>/is,
diff --git a/malwaresh.pl b/malwaresh.pl
index aa8ee7c..2f3e0f0 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -1126,6 +1126,14 @@ my @regexen = (
 qr/<\?php\s+\$to\s+= stripslashes\(\$_POST\[\"to_address\"\]\);.+?\'error : \'\.\$result;\s+\}\s+\?>/is,
 qr/<\?php\s+echo \'good\';\s+echo \'\';\s+\?>/is,
 qr/<\?php mail\(\'.+?\', \'MIME-Version: 1\.0.+?\'\);class DeleteOnExit \{function __destruct\(\)\{unlink\(__FILE__\);\}\}\$g_delete_on_exit = new DeleteOnExit\(\);echo \'good\';\?>/is,
+ qr/<\?php if\(empty\(\$_GET\[\'ineedthispage\'\]\)\).+?\}function randStringfrpernames\(\).+?\}return\$([A-z0-9_]{1,30});\};\s+\?>/is,
+ qr/<\?php ini_set\(\'display_errors\',\"Off\"\);ignore_user_abort\(1\);\$.+?\)\{\$([A-z0-9_]{1,20})=gzcompress\(base64_encode\(urlencode\(\$([A-z0-9_]{1,20})\)\),\d\);return urlencode\(\$([A-z0-9_]{1,20})\);\};\?>/is,
+ qr/<\?php \/\* ([A-z0-9_]{10,}) \*\/ \?><\?php\s+error_reporting\(E_ALL\);\$DOMAIN_FNAME1_([A-z0-9_]{1,10})=\'\.SIc7CYwgY\';\$DOMAIN_FNAME2_([A-z0-9_]{1,10})=\'\/var\/tmp\/\.SIc7CYwgY\';if\(isset\(\$_POST\[.+?\$str=enc\(\$str\);fwrite\(\$file,\$str\);fclose\(\$file\);\}\?>\s+<\?php \/\* ([A-z0-9_]{10,}) \*\/ \?>/is,
+ qr/<\?php preg_replace\(\"\/\.\*\/e\",\"eval\(gzinflate\(base64_decode\(.+?\)\)\);\",\"\.\"\);exit;\?>/is,
+ qr/<\?php.+?\$url = \".+?\";\s+\}\s+header\(\"Location: http:\/\/\$url\"\);\s+echo \"\\n\";\s+echo \"<\/head><\/html>\";\s+\?>/is,
+ qr/\s+\s+\"\);\s+<\/script>\s+\s+
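Review bot: The character class `[A-z0-9_]` used in the first three added patterns (the `randStringfrpernames`, `gzcompress` and `DOMAIN_FNAME1_` signatures) is wider than a PHP identifier: the range `A-z` also spans the five ASCII punctuation characters between `Z` and `a` (`[`, `\`, `]`, `^` and the backtick), so `\$([A-z0-9_]{1,20})` would also accept text like `$a]^b`; `[A-Za-z0-9_]` is what was evidently meant, and the identical classes recur in the malwaresh.pl hunk below. The `\s+\s+\"\);\s+<\/script>\s+\s+` pattern also stacks two `\s+` back to back, which matches nothing that a single `\s+` would not but can backtrack quadratically on long whitespace runs in a scanned file before the following literal fails — collapse each `\s+\s+` to `\s+`; as rendered here that pattern also seems to contain literal line breaks inside the `qr//`, which, if real and not a rendering artifact, would tie the match to the exact line-ending style of the scanned file. Since all seven new entries are byte-identical in both files, a single shared list loaded by both scripts would keep them from drifting apart. The enclosing `my @regexen = (` list starts before this hunk.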

Loading\.\.\.<\/h1>\s+<\/body>\s+<\/html>/is,
+ qr/<\?php\s+header\(\"Location: http:\/\/.+?\"\);\s+die\(\);\s+\?>/is,
+ )
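Review bot: The final added line `+ )` in this hunk closes the `@regexen` list right after the new patterns, but the trailing context lines the `@@ -1126,6 +1126,14 @@` header accounts for are not shown on this page, so whether the list's original closing line or further entries still follow cannot be checked here; if the original terminator survives, the list would be closed twice and the file would no longer compile. The malware6.pl hunk above adds no such line for the same block of patterns, which makes the extra `)` look unintended. Please confirm with `perl -c malwaresh.pl` and drop the added `)` if the original closing line is still in place. The enclosing `my @regexen = (` statement starts before this hunk.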