From e9bd670d51a1acb76b5dbe432c7a3dfaba012bbb Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Wed, 9 May 2018 10:16:45 +0200
Subject: [PATCH] new patterns

---
 malware5.pl | 8 +++++++-
 malwaresh.pl | 7 ++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/malware5.pl b/malware5.pl
index e01b055..ed5c073 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -469,7 +469,13 @@ my @regexen = (
 qr/GIF89a.+?<\?php\s+if\s+\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\s+eval\(stripslashes\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+\?>/is,
 qr/<\?php\s+print\s+\'\!hacked\!\'\;\s+\?>/is,
 qr/<\?php\s+system\(\'wget\s+http\:\/\/.+?\)\;\?>/is,
-
+ qr/<\?php\s+error\_reporting.+?upload\s+shell.+?move\_uploaded\_file\(\$saw1\,\$saw2\)\;\s+\}\s+\?>/is,
+ qr/GIF89a.+?<\?\s+eval\(stripslashes\(\$\_POST\[\w\]\)\)\;exit\;\?>\;/is,
+ qr/<\?php\s+error\_reporting\(.+?\$cookiename\=.+?\'\.getenv\(\"HTTP\_HOST\"\)\.\'\s+\~\s+Shell\s+I.+?exit\(\)\;\s+\?>/is,
+ qr/<\?\s+\$buffer\s+\=.+?\$buffer\.\=.+?\$newphrase\=str\_replace\(.+?eval\(\$\_\w\(\$newphrase\)\)\;\s+\?>/is,
+ qr/<\?pHp\s+\$([A-z0-9]{1,20})\s+\=\s+urldecode\(\$\_GET\[\'\w\'\]\)\;\s+\@ini\_set\(\'output\_buffering\'\,0\)\;\s+\@ini\_set\(\'display\_errors\'\,\s+0\)\;\s+\$auth\_pass\s+\=\s+\"([A-z0-9]{32})\"\;\s+\$([A-z0-9]{1,20})\s+\=\s+file\_get\_contents\(\$([A-z0-9]{1,20})\)\;\s+eval\(\$([A-z0-9]{1,20})\)\;\s+\?>/is,
+ qr/<\?php.+?function\s+ASGLogin\(\)\s+\{.+?if\s+\(empty\(\$tmpdir\)\).+?<\/html><\?php\s+chdir\(\$lastdir\)\;\s+\?>/is,
+
 );
 
 my @base64_decodes = (
diff --git a/malwaresh.pl b/malwaresh.pl
index 38a082f..493f2f2 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
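Review bot: The new `<\?pHp` signature uses `[A-z0-9]` for its variable names and for the 32-character `$auth_pass` value, and the range `A-z` also covers the ASCII characters between `Z` and `a` (`[`, `\`, `]`, `^`, `_`, backtick), so `[A-Za-z0-9]` (or `\w`) is almost certainly what was meant. In the `GIF89a.+?<\?`, `\$buffer` and `<\?pHp` patterns a bare `\w` in `\[\w\]`, `\$\_\w\(` and `\[\'\w\'\]` matches exactly one character, so if these are meant to cover `$_POST`/`$_GET`/`$_REQUEST` the way the neighbouring `\$\_REQUEST` signature does, they need `\w+`. Several of the added patterns chain two or three lazy `.+?` runs under `/s` (the `ASGLogin` one, for instance), which may backtrack heavily on large benign files; a more specific literal between the `.+?` runs would bound that. The same six patterns are pasted verbatim into malwaresh.pl in the next hunk, so a single shared list loaded by both scanners would keep the two signature sets from drifting. Each signature would also be easier to audit with a trailing comment naming what it detects, e.g. `# ASGLogin() PHP shell stub`.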
@@ -952,7 +952,12 @@ my @regexen = (
 qr/GIF89a.+?<\?php\s+if\s+\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\s+eval\(stripslashes\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+\?>/is,
 qr/<\?php\s+print\s+\'\!hacked\!\'\;\s+\?>/is,
 qr/<\?php\s+system\(\'wget\s+http\:\/\/.+?\)\;\?>/is,
-
+ qr/<\?php\s+error\_reporting.+?upload\s+shell.+?move\_uploaded\_file\(\$saw1\,\$saw2\)\;\s+\}\s+\?>/is,
+ qr/GIF89a.+?<\?\s+eval\(stripslashes\(\$\_POST\[\w\]\)\)\;exit\;\?>\;/is,
+ qr/<\?php\s+error\_reporting\(.+?\$cookiename\=.+?\'\.getenv\(\"HTTP\_HOST\"\)\.\'\s+\~\s+Shell\s+I.+?exit\(\)\;\s+\?>/is,
+ qr/<\?\s+\$buffer\s+\=.+?\$buffer\.\=.+?\$newphrase\=str\_replace\(.+?eval\(\$\_\w\(\$newphrase\)\)\;\s+\?>/is,
+ qr/<\?pHp\s+\$([A-z0-9]{1,20})\s+\=\s+urldecode\(\$\_GET\[\'\w\'\]\)\;\s+\@ini\_set\(\'output\_buffering\'\,0\)\;\s+\@ini\_set\(\'display\_errors\'\,\s+0\)\;\s+\$auth\_pass\s+\=\s+\"([A-z0-9]{32})\"\;\s+\$([A-z0-9]{1,20})\s+\=\s+file\_get\_contents\(\$([A-z0-9]{1,20})\)\;\s+eval\(\$([A-z0-9]{1,20})\)\;\s+\?>/is,
+ qr/<\?php.+?function\s+ASGLogin\(\)\s+\{.+?if\s+\(empty\(\$tmpdir\)\).+?<\/html><\?php\s+chdir\(\$lastdir\)\;\s+\?>/is,
 );