So there has been a rash of next-generation malware scripts that use tools which make them much more difficult to detect. This post is intended as a reference for several of the important regex patterns that I was able to use to find the malware packages to be removed.
<?php $GLOBALS['q489'] = "\x64\x69\x5c\x2b\x6c\x40\x59\x79\x30\x44\x6f\x3a\x27\x2e\x72\x57\x38\x49\x2a\x45
This can be detected with the following pattern:
\<\?php.*(\\x[a-zA-Z0-9]*?)+
Here are further patterns to detect base64_decode calls with long payloads, which could indicate that something malicious is hiding:
base64_decode(.{200,})
eval\(.*?base64_decode\(.{200,}
Also be on the lookout for these other functions, which I've seen used in conjunction with malware:
str_rot13(), assert()
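
A small scanner that applies the patterns above line by line (as grep would) to PHP source, added here as an example and not taken from the original post. The rule names, the `scan_text` and `scan_tree` helpers, the call-site patterns for `str_rot13()` and `assert()`, and the sample strings are assumptions constructed for illustration.

```python
import os
import re

# The first three patterns are copied verbatim from the post. Rule names are
# assumptions. In the second pattern the unescaped parentheses form a capture
# group, so it matches "base64_decode" followed by 200+ characters.
RULES = {
    "hex_escaped_string": re.compile(r"\<\?php.*(\\x[a-zA-Z0-9]*?)+"),
    "long_base64_decode": re.compile(r"base64_decode(.{200,})"),
    "eval_base64_decode": re.compile(r"eval\(.*?base64_decode\(.{200,}"),
    # The post only names these functions; the call-site patterns are assumptions.
    "str_rot13_call": re.compile(r"\bstr_rot13\s*\("),
    "assert_call": re.compile(r"\bassert\s*\("),
}

# Constructed, inert samples: the hex string spells "hello", the base64 is "ABC" repeated.
SAMPLE_HEX = r'<?php $GLOBALS["a1"] = "\x68\x65\x6c\x6c\x6f";'
SAMPLE_B64 = '<?php eval(base64_decode("' + "QUJD" * 60 + '"));'
SAMPLE_CLEAN = '<?php echo base64_decode("aGVsbG8=");'


def scan_text(text):
    """Return (line_number, rule_name) for every rule that matches a line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES.items():
            if rx.search(line):
                hits.append((lineno, name))
    return hits


def scan_tree(root):
    """Scan every .php file under root; return {path: hits} for flagged files."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(".php"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
                if hits:
                    report[path] = hits
    return report


if __name__ == "__main__":
    for sample in (SAMPLE_HEX, SAMPLE_B64, SAMPLE_CLEAN):
        print(scan_text(sample))
```

A hit marks a file for manual review rather than proving it is malicious, since legitimate code can also call `assert()` or decode long base64 strings.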