From f4fa0198d0266dbecc688c283b101a728addff37 Mon Sep 17 00:00:00 2001
From: malin
Date: Fri, 26 Jul 2019 07:31:52 +0200
Subject: [PATCH] added new patterns
---
 malware.pl | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/malware.pl b/malware.pl
index 999fda5..7b13cc8 100644
--- a/malware.pl
+++ b/malware.pl
@@ -1404,7 +1404,11 @@ my @regexen = (
 qr/<\?php error_reporting\(0\);.+?ini_set\(\"error_log\", "\/dev\/null\"\);.+?\$contents = \@file_get_contents\(\$url, false, \$context\); \} \} return \$contents; \} \?>/is,
 qr/<\?php\s+\$([A-z0-9_]{1,20})=\"([A-z0-9_]{32})\";\s+function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\,\$([A-z0-9_]{1,20})\)\{\$([A-z0-9_]{1,20})=strlen\(\$([A-z0-9_]{1,20})\);\$([A-z0-9_]{1,20})=strlen\(\$([A-z0-9_]{1,20})\).+?\);__halt_compiler\(\);([A-z0-9_]{1,20})/is,
 qr/<\?php\s+function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\, \$([A-z0-9_]{1,20}) = \"\\61\\x32\\63\"\) .+?\(\"n\"\.\"o\"\.\"i\"\.\"t\"\..+?\$([A-z0-9_]{1,20})\(\);\s+\/\*.+?\*\//is,
-
+ qr/<\?php\s+\$([A-z0-9_]{1,20}) = base64_decode\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\);.+?imap_mail.+?echo \'([A-z0-9_]{1,20}) : \' \. \$([A-z0-9_]{1,20});\}/is,
+ qr/<\?php.+?\$a=\$_COOKIE\[\'a\'\];\$ho=urldecode\(\$_COOKIE\[\'ho\'\]\).+?Cookie: \"\.\$data\.\"\\r\\n\\r\\n\"\);socket_close\(\$socket\);\}die\(\);\}\s+\?>/is,
+ qr/