From e95924727a23206dc5f4d90addf7741d355df835 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Fri, 6 Apr 2018 12:08:33 +0200
Subject: [PATCH] new patterns
---
 malware5.pl | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/malware5.pl b/malware5.pl
index 18ce7d9..ce2d83c 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -113,8 +113,14 @@ my @regexen = (
 qr/.+?<\/script>\s+<\/head>\s+<\?php.+?\.\/Mr\.\s+aQ\..+?function\s+w\_wget\(\$array\)\{.+?mail\(\$idb1\,\s+\"Tetep\s+Ganteng\"\,\s+\$idb3\,\s+\"\[\s+\"\s+\.\s+\$\_SERVER\[\'REMOTE\_ADDR\'\]\s+.\s+\"\s+\]\"\)\;\s+\*\/\s+\?>.+?<\/html>/is,
 qr/<\!DOCTYPE.+?Yhuricka<\/title>.+?uid\=0\(root\)\s+gid\=0\(root\)\s+groups\=0\(root\).+?0ut<\/font>\s+<\/div>/is,
 qr/<\!DOCTYPE.+?HACKED.+?<\/html>.+?<\!\-\-\s+document\.write\(unescape\(.+?\/\/\-\->\s+<\/script>/is,
-
-
+ qr/<\?php\s+\$auth\_pass\s+\=\s+\".+?\"\;\s+\/\/\s+default\:.+?eval\(base64\_decode\(gzinflate\(str\_rot13\(convert\_uudecode\(gzinflate\(base64\_decode\(\(\$.+?\)\)\)\)\)\)\)\)\;/is, qr/\s+\s+Shell\s+Login<\/title>.+?<\?php\s+function\s+w\(\$dir\,\$perm\)\s+\{.+?if\(isset\(\$\_POST\[\'phpconfig\'\]\)\)\s+\{\s+\?>/is, qr/<\?php\s+\/\*\s+\*\s+Ochillroot\s+Shell.+?\@clearstatcache\(\)\;.+?\{\$text\s+\=\s+\$\_POST\[\'code\'\]\;\s+\?>/is, qr/<html>\s+<\!\-\-\s+Hacked\s+by.+?<\/body>\s+<\/html>/is, qr/<SCRIPT\s+Language\=VBScript><\!\-\-\s+DropFileName\s+\=\s+\"svchost\.exe\"\s+WriteData\s+\=.+?Set\s+WSHshell\s+\=\s+CreateObject\(\"WScript\.Shell\"\)\s+WSHshell\.Run\s+DropPath\,\s+0\s+\/\/\-\-><\/SCRIPT>/is, qr/<\?php.+?\$auth\_pass\s+\=\s+\".+?\"\;\s+\/\/\s+default\:.+?eval\(base64\_decode\(gzinflate\(str\_rot13\(convert\_uudecode\(gzinflate\(base64\_decode\(\(\$.+?\)\)\)\)\)\)\)\)\;/is, qr/<\?php\s+\$\{.+?\"\;if\(get\_magic\_quotes\_gpc\(\)\)\{\$.+?\)\)\;return\$\{\$([A-z0-9]{1,20})\}\;\}\s+\?>/is, qr/<\?php.+?\@clearstatcache\(\)\;.+?echo\s+\"<center>Copyright\s+\©\;.+?\}\s+\?>/is,
 );
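Review bot: The character class `[A-z0-9]` in the added `get\_magic\_quotes\_gpc` pattern is wider than it reads, because the range `A-z` also takes in `[`, `\`, `]`, `^`, `_` and the backquote; `[A-Za-z0-9_]{1,20}` states what a PHP variable name can actually contain. The first added `$auth_pass` pattern (`<\?php\s+\$auth\_pass…`) appears redundant: the later variant `<\?php.+?\$auth\_pass…` has the same tail and, with `/s`, its `.+?` matches everything `\s+` does, so one entry would cover both. The `<html>\s+<\!\-\-\s+Hacked\s+by` and `\@clearstatcache … Copyright` patterns are loose enough that a false positive on a legitimate page is plausible, so if a match triggers cleanup rather than a report (not visible here), a one-line comment above each entry naming the sample it was derived from would help later triage. The `@regexen` list begins above the hunk, so how the entries are applied cannot be checked from this patch.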