From f885d01bd9d596ded87650262c4d2cf03d67a44f Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Mon, 19 Mar 2018 06:14:57 +0100
Subject: [PATCH] new patterns
---
 malware4.pl | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/malware4.pl b/malware4.pl
index 21237aa..89dfab9 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -421,8 +421,10 @@ my @regexen = (
 qr/<\?php\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;.+?\$domain\s+\=\s+\'([A-z0-9]{1,20})\.liveupdates\.host\'\;.+?header\(\'Location\:\s+\'\.\$location\.\'\&\'\.\$([A-z0-9]{1,10})\,\s+TRUE\,\s+302\)\;\s+\}/is,
 qr/include\s+\"\\x.+?php\"\;.+?eval\(base64\_decode\(.+?\)\)\;/is,
 qr/<\?php\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\s+\{\s+\$([A-z0-9]{1,20})\=gzinflate\(base64\_decode\(\$([A-z0-9]{1,20})\)\)\;\s+for\(\$i\=0\;\$i/is,
-
-
+ qr/<\?php\s+\$randStr\s+\=\s+str\_shuffle\(.+?if\(is\_dir\(\$RootDir\s+\.\s+\"\/wp\-admin\"\)\)\{.+?\}\s+unlink\(\"\.\/test\.php\"\)\;/is,
+ qr/<\?\s+\$GLOBALS\[.+?\]\=Array\(base64\_decode\(.+?\)\,base64\_decode\(.+?\)\,base64\_decode\(.+?\)\)\;\s+\?><\?\s+function.+?\=Array\(.+?return\s+base64\_decode\(.+?\]\)\;\}\s+\?><\?php\s+\$GLOBALS\[.+?\)\)eval\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+\?>/is,
+ qr/<\?php\s+\@ini\_set\(\'display\_errors\'\,\s+0\)\;\@set\_time\_limit\(3600\)\;.+?if\(isset\(.+?echo\s+\'\#ok\#\'\;.+?return\s+\$dir\;\s+\}\s+\/\//is,
+ qr/<\?php\s+if\(\s+isset\(\$\_REQUEST\[\"test\_url\"\]\)\s+\)\{.+?if\s+\(file\_exists\(\"wp\-content\"\)\).+?unlink\(\$scriptname\)\;\s+\?>/is,
 );
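Review bot: The second added pattern (the `$GLOBALS[...]=Array(base64_decode(...)` signature) chains eight unbounded `.+?` gaps under `/s`, so a scanned file that repeats the early literals but never reaches the closing `eval(base64_decode($_POST[...]))` tail can force heavy backtracking; because the files being scanned are untrusted, that is a cheap way to stall the scanner. Bounding the gaps would cap the cost, for example `base64\_decode\([^)]+\)` for the three `Array(...)` arguments and a capped form such as `.{1,2000}?` for the longer gaps (the limit is illustrative and should be checked against the samples behind this signature). The capture `[A-z0-9]{1,20}` in the same pattern also accepts `[`, `\`, `]`, `^`, `_` and the backtick, because the range `A-z` spans them; `[A-Za-z0-9_]` would state the intent. A one-line comment above each new `qr//` naming the sample or family it targets would make later tuning and false-positive triage possible. The `@regexen` list starts outside the hunk, so whether the patterns are applied to whole files or to bounded chunks is not visible here.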