From f5dc504ffa549fff40a7b544f1dbbdc87839892b Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Mon, 5 Mar 2018 11:01:06 +0100
Subject: [PATCH] new pattern
---
 malware4.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/malware4.pl b/malware4.pl
index c83ebb8..b445347 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -338,7 +338,7 @@ my @regexen = (
 qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+([A-z0-9]{1,20})\;\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\=Array\(\)\;global\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\=\$GLOBALS\;\$\{.+?\{eval\/\*([A-z0-9]{1,20})\*\/\(\$([A-z0-9]{1,20})\[\d\]\(\$([A-z0-9]{1,20})\[\d\]\)\)\;exit\(\)\;\}\}\}\s+\?>/is,
 qr/<\?php\s+header\(\"Cache\-Control\:\s+tect\"\)\;\s+\@error\_reporting\(0\)\;\s+\@ini\_set\(\"display\_errors\"\,0\)\;\s+\@ini\_set\(\"log\_errors\"\,0\)\;\s+\@ini\_set\(\"error\_log\"\,0\)\;\s+if\s+\(isset\(\$\_POST\[\"x\"\]\)\)\s+\{\s+eval\(\$\_POST\[\"x\"\]\)\;\s+\}\s+\?>/is,
 qr/<\?php.+?\$data\s+\=\s+file\_get\_contents\(\'php:\/\/input\'\)\;.+?\$data\s+\=\s+base64\_decode\(\$data\)\;.+?if\s+\(\$ok\)\s+\{\s+d\(\'ok\'\)\;\s+\}\s+else\s+\{\s+d\(\'bad\:\'\.\$fname\.\'\|\'\.\_\_DIR\_\_\)\;\s+\}/is,
-
+ qr/<\?php\s+\$([A-z0-9]{1,20})\=\'b\'\.\'a\'\.\'s\'\.\'e64\_deco\'\.\'de\'\;\s+\@eval\(\$([A-z0-9]{1,20})\(.+?\)\)\;/is,
 );
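Review bot: The added signature uses `[A-z0-9]` for the variable names, and `A-z` also covers `[`, `\`, `]`, `^`, `_` and the backtick; since `/i` is already set, `[a-z0-9_]` states the PHP identifier characters that are presumably meant (the first context pattern shares the idiom). The second capture is not tied to the first, so the match does not require that the variable called inside `@eval` is the one assigned the concatenated `base64_decode` string; `\@eval\(\$\1\(.+?\)\)\;` would make that explicit. The pattern also allows no whitespace around `=` and the `.` operators yet demands at least one whitespace character before `@eval`, so `\s*` at those points would keep a reformatted copy of the same sample in scope. A one-line comment above the entry, such as `# 'base64_decode' built by concatenation, assigned to a variable, then called inside @eval`, would help the next maintainer, since none of the visible entries are labelled. The `@regexen` list begins above the hunk.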