new patterns

malware6.pl

@@ -301,6 +301,7 @@ my @regexen = (
     qr/<script language=javascript>var _0xfcc4=\[\"\\x66\\x72.+?\\x74\\x68\"\];var url=String\[_0xfcc4\[0\]\]\(104.+?\]\)\{n= false\}\};if\(n== true\)\{a\(\)\}\}<\/script>/is,
     qr/var _0xfcc4=\[\"\\x66\\x72.+?\\x74\\x68\"\];var url=String\[_0xfcc4\[0\]\]\(104.+?\]\)\{n= false\}\};if\(n== true\)\{a\(\)\}\}/is,
     qr/<\?php \@file_put_contents\(\'([A-z0-9_]{1,20})\'\,\'<\?php \'\.base64_decode\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\); \@include\(\'([A-z0-9_]{1,20})\'\); \@unlink\(\'([A-z0-9_]{1,20})\'\); \?>/is,
+    qr/<\?php \$([A-z0-9_]{1,20}) = \'find \/ -type f -name \"\*\" \| xargs grep -rl \"<head\"\';\s+\$([A-z0-9_]{1,20}) = \"<script language=javascript>eval\(String\.fromCharCode\(.+?\@system\(\"chmod 777 \"\.\$([A-z0-9_]{1,20})\);\s+\@file_put_contents\(\$([A-z0-9_]{1,20}),\$([A-z0-9_]{1,20})\);\s+echo \$([A-z0-9_]{1,20});\s+\}\s+\}\s+\}/is,
 
    
    

malwaresh.pl

@@ -1288,7 +1288,9 @@ my @regexen = (
     qr/<script language=javascript>var _0xfcc4=\[\"\\x66\\x72.+?\\x74\\x68\"\];var url=String\[_0xfcc4\[0\]\]\(104.+?\]\)\{n= false\}\};if\(n== true\)\{a\(\)\}\}<\/script>/is,
     qr/var _0xfcc4=\[\"\\x66\\x72.+?\\x74\\x68\"\];var url=String\[_0xfcc4\[0\]\]\(104.+?\]\)\{n= false\}\};if\(n== true\)\{a\(\)\}\}/is,
     qr/<\?php \@file_put_contents\(\'([A-z0-9_]{1,20})\'\,\'<\?php \'\.base64_decode\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\); \@include\(\'([A-z0-9_]{1,20})\'\); \@unlink\(\'([A-z0-9_]{1,20})\'\); \?>/is,
+    qr/<\?php \$([A-z0-9_]{1,20}) = \'find \/ -type f -name \"\*\" \| xargs grep -rl \"<head\"\';\s+\$([A-z0-9_]{1,20}) = \"<script language=javascript>eval\(String\.fromCharCode\(.+?\@system\(\"chmod 777 \"\.\$([A-z0-9_]{1,20})\);\s+\@file_put_contents\(\$([A-z0-9_]{1,20}),\$([A-z0-9_]{1,20})\);\s+echo \$([A-z0-9_]{1,20});\s+\}\s+\}\s+\}/is,
     
+
 );
 
 my @base64_decodes = (