diff --git a/malware6.pl b/malware6.pl index cfbbd2a..8e9b90a 100644 --- a/malware6.pl +++ b/malware6.pl @@ -53,7 +53,9 @@ my @regexen = ( qr/<\?php.+?\$filter = base64_decode\( \$kses_str \);.+?echo \$wp_auth_check;/is, qr/<\?php.+?\$wp_file_descriptions = array\(.+?\$search\.\"\.\@\"\.\$wp_file_descriptions\[\'rtl\.css\'\]\);\s+\?>/is, qr/<\?php \@eval\(\"\?>\"\.base64_decode\(.+?\)\);\/\/Generated by Ampare PHP Encoder. For more security please use php protect before encode the php program/is, - + qr/<\?php echo \'
(viagra|cialis|levitra)<\/a><\/div>\'; \?>/is, + qr/if\(\$([A-z0-9]{1,20})=curl_init\(\)\)\{if\(isset\(\$_GET\[base64_decode\(\'.+?\'\)\]\)\)\{\$([A-z0-9]{1,20})=\$_GET\[base64_decode\(\'([A-z0-9]{1,20})\'\)\];curl_setopt\(\([A-z0-9]{1,20}),CURLOPT_URL,\$([A-z0-9]{1,20})\);curl_setopt\(\$([A-z0-9]{1,20}),CURLOPT_RETURNTRANSFER,true\);eval\(curl_exec\(\$([A-z0-9]{1,20})\)\);curl_close\(\$([A-z0-9]{1,20})\);\}\}/is, + ); my @base64_decodes = ( diff --git a/malwaresh.pl b/malwaresh.pl index 4099be6..0846e41 100644 --- a/malwaresh.pl +++ b/malwaresh.pl @@ -1038,7 +1038,8 @@ my @regexen = ( qr/<\?php.+?\$filter = base64_decode\( \$kses_str \);.+?echo \$wp_auth_check;/is, qr/<\?php.+?\$wp_file_descriptions = array\(.+?\$search\.\"\.\@\"\.\$wp_file_descriptions\[\'rtl\.css\'\]\);\s+\?>/is, qr/<\?php \@eval\(\"\?>\"\.base64_decode\(.+?\)\);\/\/Generated by Ampare PHP Encoder. For more security please use php protect before encode the php program/is, - + qr/<\?php echo \'
(viagra|cialis|levitra)<\/a><\/div>\'; \?>/is, + qr/if\(\$([A-z0-9]{1,20})=curl_init\(\)\)\{if\(isset\(\$_GET\[base64_decode\(\'.+?\'\)\]\)\)\{\$([A-z0-9]{1,20})=\$_GET\[base64_decode\(\'([A-z0-9]{1,20})\'\)\];curl_setopt\(\([A-z0-9]{1,20}),CURLOPT_URL,\$([A-z0-9]{1,20})\);curl_setopt\(\$([A-z0-9]{1,20}),CURLOPT_RETURNTRANSFER,true\);eval\(curl_exec\(\$([A-z0-9]{1,20})\)\);curl_close\(\$([A-z0-9]{1,20})\);\}\}/is, ); my @base64_decodes = (