Sample update

scr34m · scr34m · commit 70edc4210d54 · 2023-05-14T08:45:20.000+02:00
diff --git a/definitions/patterns_raw.txt b/definitions/patterns_raw.txt
@@ -262,6 +262,7 @@ FaisaL Ahmed aka rEd X
 smisbot
 smotherbot
 Indonesian Hacker Rulez
+pwetan.com
 
 # WP-VCD Malware https://www.getastra.com/blog/911/how-to-fix-wp-vcd-backdoor-hack-in-wordpress-functions-php/
 wp-vcd
@@ -404,3 +405,19 @@ eval(rawurldecode('
 'base', '64_dec', 'ode'
 'cook', 'set', 'ie'
 'repl', 'str_', 'ace'
+"base"."64_"
+'base'.'64_'
+"t"."m"."p"."_"."n"."a"."m"."e"
+"f"."i"."l"."e"."_"."p"."u"."t"
+"f"."i"."l"."e"."_"."g"."e"."t"
+'ode', 'e64_', 'bas', 'dec'
+'unct', 'ion', 'te_f', 'crea'
+'te', 'g', 'nf', 'l', 'a', 'zi'
+
+# process data from request object directly
+extract($_REQUEST) && @$
+extract($_REQUEST)&&@$
+xtract($_REQUEST)&&@$
+
+# uncompress cafted content
+gzuncompress(strrev(substr(
diff --git a/definitions/patterns_re.txt b/definitions/patterns_re.txt
@@ -141,7 +141,7 @@ explode\('\|\x01\|\x03\|\x03', gzinflate\(
 \$[a-z]11 \^ [a-z]8\(\$[a-z]6, \$[a-z]14, \$[a-z]6\[13\]\(\$[a-z]11\)\)\)\);
 
 # eval function return and concat
-eval\([A-Za-z]{5,}\(\) \. '
+eval\([A-Za-z0-9]{5,}\(\) \. '
 
 # eval function return, parameter is a hex string
 eval\([A-Za-z0-9]{5,}\(\"[A-Z0-9]{16,}
@@ -150,4 +150,7 @@ eval\([A-Za-z0-9]{5,}\(\"[A-Z0-9]{16,}
 \$[a-zA-Z0-9]{6,}\('\x78\x9C\xAD\x90\x41\x0E
 
 # obfuscated code return with error suppression
-return @\$[a-z]{2}\d+\[\d+\]\(\$[a-z]{2}\d+\[\d+\],
+return @\$[a-z]{2}\d+\[\d+\]\(\$[a-z]{2}\d+\[\d+\],
+
+# htaccess alternating
+[a-z]{1}\([a-z]{1}\(\$[a-z]{2}\.'\/\.htaccess'\)
