new patterns

malware4.pl

@@ -374,6 +374,17 @@ my @regexen = (
     qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\/\*([A-z0-9]{1,20})\*\//is,
     qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQU\"\.\"EST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"asse\"\.\"rt\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
     qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+([A-z0-9]{1,20})\;\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\=Array\(\)\;global\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\=\$GLOBALS\;\$\{.+?\$([A-z0-9]{1,20})\)\;\}\}\s+\?>/is,
+    qr/<\!\-\-\s+this\_file\_is\_blocked\s+\-\-><\?php\s+error\_reporting\(0\)\;\s+if\s+\(isset\(\$\_GET\[\"ping\"\]\)\s+and\s+\$\_GET\[\"ping\"\]\s+\=\=\s+\(\"ping\_host\"\)\)\s+\{.+?\}\s+else\s+\{\s+echo\s+\"false\"\;\s+\}\s+\}\s+\?>/is,
+    qr/<\?php\s+\$([A-z0-9]{1,20})\=\'ba\'\.\'se64\'\.\'\_\'\.\'d\'\.\'eco\'\.\'d\'\.\'e\'\;\s+\@eval\(\$([A-z0-9]{1,20})\(.+?\.\'.+?\'\.\'.+?\'\)\)\;/is,
+    qr/<\?php\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\=\"\"\).+?\)\)\)\;\s+\$([A-z0-9]{1,20})\(\)\;/is,
+    qr/<\?php\s+\/\/([A-z0-9]{150,}).+?eval\(base64\_decode\(.+?\)\)\;\s+\?>/is,
+    qr/<\?php\s+if\(isset\(\$\_GET\[\'([A-z0-9]{1,20})\'\]\)\)\{if\(isset\(\$\_FILES\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=getcwd\(\)\.\'\/\'\;\$([A-z0-9]{1,20})\=\$\_FILES\[\'([A-z0-9]{1,20})\'\]\;\@move\_uploaded\_file\(\$([A-z0-9]{1,20})\[\'tmp\_name\'\]\,\s+\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\[\'([A-z0-9]{1,20})\'\]\)\;echo\"Done\:\s+\"\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\[\'([A-z0-9]{1,20})\'\]\;\}else\{\?><form\s+method\=\"POST\"\s+enctype\=\"multipart\/form\-data\"><input\s+type\=\"file\"\s+name\=\"([A-z0-9]{1,20})\"\/><input\s+type\=\"Submit\"\/><\/form><\?php\s+\}\}\s+\?>/is,
+    qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"asse\"\.\"rt\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
+    qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\/\*([A-z0-9]{1,20})\*\/\"assert\"\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
+    qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\=\"assert\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}\?>/is,
+    
+
+
 );
 
 my @base64_decodes = (

scan.php

@@ -463,7 +463,9 @@ error_reporting(E_ALL);
 	"RewriteCond %{HTTP_REFERER}\s*\^\.\*\s*\([^\)]*[google|yahoo|bing|ask|wikipedia|youtube][^\)]",
 	"^<\?php\s*if\(!function_exists\([^{]+\s*{\s*function[^}]+\s*}\s*[^\"']+\s*[\"'][^\"']+[\"'];\s*eval\s*\(.*\)\s*;\s*}",
 	"<\?php)*\\\$md5\s*=\s*[\"|']\w+[\"|'];\s*\\\$wp_salt\s*=\s*[\w\(\),\"\'\;\$]+\s*\\\$wp_add_filter\s*=\s*create_function\(.*\);\s*\\\$wp_add_filter\(.*\);\s*(\?>",
-        // hacker emails & socials
+    "<\?php(.*)if\(isset\(\$\_REQUEST\[(.*)assert(.*)exit(.*)\?>",
+    "<\?php(.*)if\(isset\(\$\_REQUEST\[(.*)\"asse\"\.\"rt\"(.*)exit(.*)\?>",
+    // hacker emails & socials
     "b0x\@hotmail\.com",
     "facebook\.com\/007mrspy",
     "Skype\:\s*live\:zepek_al",