External/php-malware-scanner
1
0
Fork 0
mirror of https://github.com/scr34m/php-malware-scanner.git synced 2026-06-16 12:30:35 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
43876b337bac9c8dc14fb84f9fb4123a5b6720ba
php-malware-scanner/definitions/patterns_raw.txt

389 lines
7.3 KiB
Plaintext
Raw Normal View History

Organizing, categorizing and prioritizing patterns There's enough raw patterns in here to justify organizing the file. Now that whitespace and comments are supported, I've been dividing it into sections More critical problems should be near the top as I would rather the script identify a file as a backdoor instead of as a spammer. I don't know the history behind a lot of these or the implication of the code, so I'm sure I mis-categorized many. There are also many that I have not done yet.
2017-07-26 01:27:53 -06:00
#Raw string patterns
#All strings in this file are case sensitive
Typo fix Typo fix
2017-07-27 23:18:26 -06:00
#Comments are supported, but '#' must be the first character (index[0]) on the line.
Organizing, categorizing and prioritizing patterns There's enough raw patterns in here to justify organizing the file. Now that whitespace and comments are supported, I've been dividing it into sections More critical problems should be near the top as I would rather the script identify a file as a backdoor instead of as a spammer. I don't know the history behind a lot of these or the implication of the code, so I'm sure I mis-categorized many. There are also many that I have not done yet.
2017-07-26 01:27:53 -06:00
#More critical patterns should be higher in the file as only the first pattern match is reported.
#Backdoor patterns
@eval($_POST['
Backdoor
@include($_GET[
system($_GET[
md5($_GET[
fwrite($fpsetv, getenv("HTTP_COOKIE")
system\"$cmd 1> /tmp/
Updated definitions by report #6
2017-10-15 09:25:33 +02:00
\145\166\141\154\050\142\141\163\145\066\064\137\144\145\143\157\144\145\050
Organizing, categorizing and prioritizing patterns There's enough raw patterns in here to justify organizing the file. Now that whitespace and comments are supported, I've been dividing it into sections More critical problems should be near the top as I would rather the script identify a file as a backdoor instead of as a spammer. I don't know the history behind a lot of these or the implication of the code, so I'm sure I mis-categorized many. There are also many that I have not done yet.
2017-07-26 01:27:53 -06:00
#Web-Shell patterns
$sh3llColor
w4ck1ng shell
private Shell by m4rco
Shell by Mawar_Hitam
SHELL_PASSWORD
ConnectBackShell
ShellBOT
== "bindshell"
#Remote Code
curl_get_from_webpage
file_get_contents('http://codepad.org
#Base64 String Samples. Each plain text string should have 3 base64 equivalents
# "shell" in base64
c2hlbG
NoZWxs
zaGVsb
# "<?php" in base64
Added Equivalent base64 pattern samples Because base64 converts from an 8 bit to a 6 bit character system, you can get 3 unique base64 strings from a single ascii string depending on the position of the first character. for example: base64_encode("system"); base64_encode(" system"); base64_encode("( system"); The above 3 input strings all produce very different base64 signatures even though they all contain the same keyword 'system'. This is because the first letter of system, 's' fall on indices 0,1,2 respectively. I updated several of the base64 samples to include their offset counterparts as the originals would only catch about 1 in 3 of the actual present matches.
2017-07-24 12:23:39 -06:00
PD9waH
w/cGhw
8P3Boc
Organizing, categorizing and prioritizing patterns There's enough raw patterns in here to justify organizing the file. Now that whitespace and comments are supported, I've been dividing it into sections More critical problems should be near the top as I would rather the script identify a file as a backdoor instead of as a spammer. I don't know the history behind a lot of these or the implication of the code, so I'm sure I mis-categorized many. There are also many that I have not done yet.
2017-07-26 01:27:53 -06:00
Added functions, dropped Spammer. Spammers gives false positives. added a couple more php functions in base64
2017-07-27 07:08:05 -06:00
# "stat" in base64
c3Rhd
N0YX
zdGF0
# "copy" in base64
Y29we
NvcH
jb3B5
removed mail b64, added chr b64 removed mail b64, added chr b64 mail was generating too many false positives. chr has only one pattern that is long enough to use with any sort of reliability, but it is one that we want to look out for anyway.
2017-07-28 06:57:23 -06:00
# "chr" in base64
Y2hy
Added functions, dropped Spammer. Spammers gives false positives. added a couple more php functions in base64
2017-07-27 07:08:05 -06:00
Organizing, categorizing and prioritizing patterns There's enough raw patterns in here to justify organizing the file. Now that whitespace and comments are supported, I've been dividing it into sections More critical problems should be near the top as I would rather the script identify a file as a backdoor instead of as a spammer. I don't know the history behind a lot of these or the implication of the code, so I'm sure I mis-categorized many. There are also many that I have not done yet.
2017-07-26 01:27:53 -06:00
# "system" in base64
Separate patterns from code
2017-02-22 13:56:09 +01:00
c3lzdGVt
Added Equivalent base64 pattern samples Because base64 converts from an 8 bit to a 6 bit character system, you can get 3 unique base64 strings from a single ascii string depending on the position of the first character. for example: base64_encode("system"); base64_encode(" system"); base64_encode("( system"); The above 3 input strings all produce very different base64 signatures even though they all contain the same keyword 'system'. This is because the first letter of system, 's' fall on indices 0,1,2 respectively. I updated several of the base64 samples to include their offset counterparts as the originals would only catch about 1 in 3 of the actual present matches.
2017-07-24 12:23:39 -06:00
N5c3Rlb
zeXN0ZW
Organizing, categorizing and prioritizing patterns There's enough raw patterns in here to justify organizing the file. Now that whitespace and comments are supported, I've been dividing it into sections More critical problems should be near the top as I would rather the script identify a file as a backdoor instead of as a spammer. I don't know the history behind a lot of these or the implication of the code, so I'm sure I mis-categorized many. There are also many that I have not done yet.
2017-07-26 01:27:53 -06:00
# "replace" in base64
preg_replace b64 sample shortened to 'replace' preg_replace should be shortened to just replace as it will also match str_replace, str_ireplace, ereg_replace, eregi_replace and many others I'm sure. Should increase number of hits. 'preg_replace' base64 strings: (removed) cHJlZ19yZXBsYWNl ByZWdfcmVwbGFjZ wcmVnX3JlcGxhY2 'replace' base64 strings: (added) cmVwbGFjZ JlcGxhY2 yZXBsYWNl
2017-07-24 22:32:57 -06:00
cmVwbGFjZ
JlcGxhY2
yZXBsYWNl
Organizing, categorizing and prioritizing patterns There's enough raw patterns in here to justify organizing the file. Now that whitespace and comments are supported, I've been dividing it into sections More critical problems should be near the top as I would rather the script identify a file as a backdoor instead of as a spammer. I don't know the history behind a lot of these or the implication of the code, so I'm sure I mis-categorized many. There are also many that I have not done yet.
2017-07-26 01:27:53 -06:00
Adding str_, function, echo and include in base64 str_ will match 13 separate php functions, many of which can be used for string/modifcation aka obfuscation function added to catch function defining. echo added as it is a common php keyword, though experimental... may cause a of false positives include added as it is often used to link in other malware files.
2017-07-31 12:56:15 -06:00
# "str_" in base64
c3RyX
N0cl
zdHJf
Organizing, categorizing and prioritizing patterns There's enough raw patterns in here to justify organizing the file. Now that whitespace and comments are supported, I've been dividing it into sections More critical problems should be near the top as I would rather the script identify a file as a backdoor instead of as a spammer. I don't know the history behind a lot of these or the implication of the code, so I'm sure I mis-categorized many. There are also many that I have not done yet.
2017-07-26 01:27:53 -06:00
# "exec" in base64
Added Equivalent base64 pattern samples Because base64 converts from an 8 bit to a 6 bit character system, you can get 3 unique base64 strings from a single ascii string depending on the position of the first character. for example: base64_encode("system"); base64_encode(" system"); base64_encode("( system"); The above 3 input strings all produce very different base64 signatures even though they all contain the same keyword 'system'. This is because the first letter of system, 's' fall on indices 0,1,2 respectively. I updated several of the base64 samples to include their offset counterparts as the originals would only catch about 1 in 3 of the actual present matches.
2017-07-24 12:23:39 -06:00
ZXhlYy
V4ZWMo
leGVjK
Organizing, categorizing and prioritizing patterns There's enough raw patterns in here to justify organizing the file. Now that whitespace and comments are supported, I've been dividing it into sections More critical problems should be near the top as I would rather the script identify a file as a backdoor instead of as a spammer. I don't know the history behind a lot of these or the implication of the code, so I'm sure I mis-categorized many. There are also many that I have not done yet.
2017-07-26 01:27:53 -06:00
Adding str_, function, echo and include in base64 str_ will match 13 separate php functions, many of which can be used for string/modifcation aka obfuscation function added to catch function defining. echo added as it is a common php keyword, though experimental... may cause a of false positives include added as it is often used to link in other malware files.
2017-07-31 12:56:15 -06:00
# "echo" in base64
ZWNob
VjaG
lY2hv
# "function" in base64
ZnVuY3Rpb2
Z1bmN0aW9u
mdW5jdGlvb
# "include" in base64
aW5jbHVkZ
luY2x1ZG
pbmNsdWRl
added b64 pattern for 'require' added b64 pattern for 'require'
2017-08-19 17:05:23 -06:00
# "require" in base64
cmVxdWlyZ
JlcXVpcm
yZXF1aXJl
shortened base64_decode to just base64 shortened the base64 fingerprints of 'base64_decode' to just 'base64'. will also catch cases of base64_encode which isn't quite so bad but still worth finding.
2017-07-27 23:14:23 -06:00
# "base64" in base64
YmFzZTY0
Jhc2U2N
iYXNlNj
Organizing, categorizing and prioritizing patterns There's enough raw patterns in here to justify organizing the file. Now that whitespace and comments are supported, I've been dividing it into sections More critical problems should be near the top as I would rather the script identify a file as a backdoor instead of as a spammer. I don't know the history behind a lot of these or the implication of the code, so I'm sure I mis-categorized many. There are also many that I have not done yet.
2017-07-26 01:27:53 -06:00
Added functions, dropped Spammer. Spammers gives false positives. added a couple more php functions in base64
2017-07-27 07:08:05 -06:00
# "eval" in base64
ZXZhb
V2YW
ldmFs
Organizing, categorizing and prioritizing patterns There's enough raw patterns in here to justify organizing the file. Now that whitespace and comments are supported, I've been dividing it into sections More critical problems should be near the top as I would rather the script identify a file as a backdoor instead of as a spammer. I don't know the history behind a lot of these or the implication of the code, so I'm sure I mis-categorized many. There are also many that I have not done yet.
2017-07-26 01:27:53 -06:00
# "HTTP_USER_AGENT" in base64
Separate patterns from code
2017-02-22 13:56:09 +01:00
SFRUUF9VU0VSX0FHRU5U
Added Equivalent base64 pattern samples Because base64 converts from an 8 bit to a 6 bit character system, you can get 3 unique base64 strings from a single ascii string depending on the position of the first character. for example: base64_encode("system"); base64_encode(" system"); base64_encode("( system"); The above 3 input strings all produce very different base64 signatures even though they all contain the same keyword 'system'. This is because the first letter of system, 's' fall on indices 0,1,2 respectively. I updated several of the base64 samples to include their offset counterparts as the originals would only catch about 1 in 3 of the actual present matches.
2017-07-24 12:23:39 -06:00
hUVFBfVVNFUl9BR0VOV
IVFRQX1VTRVJfQUdFTl
Organizing, categorizing and prioritizing patterns There's enough raw patterns in here to justify organizing the file. Now that whitespace and comments are supported, I've been dividing it into sections More critical problems should be near the top as I would rather the script identify a file as a backdoor instead of as a spammer. I don't know the history behind a lot of these or the implication of the code, so I'm sure I mis-categorized many. There are also many that I have not done yet.
2017-07-26 01:27:53 -06:00
Added createfunction and gzinflate obfuscations Added createfunction and gzinflate obfuscations. also added gzinflate b64 patterns
2017-07-28 03:25:10 -06:00
# "gzinflate" in base64
Z3ppbmZsYXRl
d6aW5mbGF0Z
nemluZmxhdG
base64 pattern updates
2017-08-19 16:58:28 -06:00
# "open" in base64
b3Blb
9wZW
vcGVu
# "close" in base64
Y2xvc2
Nsb3Nl
jbG9zZ
Organizing, categorizing and prioritizing patterns There's enough raw patterns in here to justify organizing the file. Now that whitespace and comments are supported, I've been dividing it into sections More critical problems should be near the top as I would rather the script identify a file as a backdoor instead of as a spammer. I don't know the history behind a lot of these or the implication of the code, so I'm sure I mis-categorized many. There are also many that I have not done yet.
2017-07-26 01:27:53 -06:00
Added array_ and cslashes Found a couple of cases where the php functions array_shift and addcslashes were used in base64 encoded malware. Adding strings to catch any references to 'cslashes' which will catch both addcslashes and strip cslashes Adding strings to catch any references to 'array_' which will catch about a dozen array modification functions.
2017-07-31 04:02:04 -06:00
# "array_" in base64
YXJyYXlf
FycmF5X
hcnJheV
# "cslashes" in base64
Y3NsYXNoZX
NzbGFzaGVz
jc2xhc2hlc
Added Experimental Patterns Removed anyresults.net from the base64 pattern strings. Added base64 patterns for $_POST $_GET $_REQUEST $_COOKIE extract and GLOBALS
2017-08-15 23:51:37 -06:00
# "extract" in base64
ZXh0cmFjd
V4dHJhY3
leHRyYWN0
# "$_GET" in base64
JF9HRV
RfR0VU
kX0dFV
# "$_POST" in base64
JF9QT1NU
RfUE9TV
kX1BPU1
# "$_COOKIE" in base64
JF9DT09LSU
RfQ09PS0lF
kX0NPT0tJR
# "$_REQUEST" in base64
JF9SRVFVRVNU
RfUkVRVUVTV
kX1JFUVVFU1
# "GLOBALS" in base64
R0xPQkFMU
dMT0JBTF
HTE9CQUxT
Organizing, categorizing and prioritizing patterns There's enough raw patterns in here to justify organizing the file. Now that whitespace and comments are supported, I've been dividing it into sections More critical problems should be near the top as I would rather the script identify a file as a backdoor instead of as a spammer. I don't know the history behind a lot of these or the implication of the code, so I'm sure I mis-categorized many. There are also many that I have not done yet.
2017-07-26 01:27:53 -06:00
base64 pattern updates
2017-08-19 16:58:28 -06:00
# "sizeof" in base64
c2l6ZW9m
NpemVvZ
zaXplb2
# "printf" in base64
cHJpbnRm
ByaW50Z
wcmludG
# "define" in base64
ZGVmaW5l
RlZmluZ
kZWZpbm
Organizing, categorizing and prioritizing patterns There's enough raw patterns in here to justify organizing the file. Now that whitespace and comments are supported, I've been dividing it into sections More critical problems should be near the top as I would rather the script identify a file as a backdoor instead of as a spammer. I don't know the history behind a lot of these or the implication of the code, so I'm sure I mis-categorized many. There are also many that I have not done yet.
2017-07-26 01:27:53 -06:00
# Obfuscation related code
eval("?>
Pattern updates from new infections
2021-05-27 06:38:53 +02:00
eval('?>
Organizing, categorizing and prioritizing patterns There's enough raw patterns in here to justify organizing the file. Now that whitespace and comments are supported, I've been dividing it into sections More critical problems should be near the top as I would rather the script identify a file as a backdoor instead of as a spammer. I don't know the history behind a lot of these or the implication of the code, so I'm sure I mis-categorized many. There are also many that I have not done yet.
2017-07-26 01:27:53 -06:00
"base64_decode"
='base'.(32*2).'_de'.'code'
"p"."r"."e"."g"."_"
WSOstripslashes
\x73\x79\x73\x74\x65\x6d' /* case, dec/hex issue? */, // system
\x70\x72\x65\x67\x5f\x72\x65\x70\x6c\x61\x63\x65' /* case, dec/hex issue? */, // preg_replace
\x65\x78\x65\x63' /* dec/hex issue? */, // exec
ev\x61l
\x65\166\x61\154\x28' /* dec/hex issue? */,
\x65\x76\x61\x6C' /* case, dec/hex issue? */,
'ev'.'al'.'
eval(base64_decode(
<?php eval
$data = base64_decode("
edoced_46esab
base=base64_encode
Adding definitions based on recent code injection
2020-11-17 03:34:21 +01:00
'b'.'ase6'.'4_e'.'ncode'
Added createfunction and gzinflate obfuscations Added createfunction and gzinflate obfuscations. also added gzinflate b64 patterns
2017-07-28 03:25:10 -06:00
cr"."eat"."e_fun"."cti"."on
gz'.'inf'.'late
Added http://www.fopo.com.ar/ http://www.fopo.com.ar/ is a free online php obfuscator that apparently leaves comments in the code which we should be looking for.
2017-07-28 02:38:08 -06:00
# fopo.com.ar - free online php obfuscator. It conveniently leaves comments in the code.
http://www.fopo.com.ar/
Signature update reported in #39
2018-11-07 22:26:25 +01:00
@eval("\
Pattern updates from new infections
2021-05-27 06:38:53 +02:00
";eval(
eval(eval(
Organizing, categorizing and prioritizing patterns There's enough raw patterns in here to justify organizing the file. Now that whitespace and comments are supported, I've been dividing it into sections More critical problems should be near the top as I would rather the script identify a file as a backdoor instead of as a spammer. I don't know the history behind a lot of these or the implication of the code, so I'm sure I mis-categorized many. There are also many that I have not done yet.
2017-07-26 01:27:53 -06:00
#Malware/Attack specific strings/fingerprints/signatures
Separate patterns from code
2017-02-22 13:56:09 +01:00
MagelangCyber
//rasta//
Baby_Drakon
Created By EMMA
3xp1r3
NinjaVirus Here
<dot>IrIsT
Hacked By EnDLeSs
Punker2Bot
Zed0x
darkminz
ReaL_PuNiShEr
OoN_Boy
Pashkela
Webcommander at
YENI3ERI
d3lete
Made by Delorean
Cybester90
Organizing, categorizing and prioritizing patterns There's enough raw patterns in here to justify organizing the file. Now that whitespace and comments are supported, I've been dividing it into sections More critical problems should be near the top as I would rather the script identify a file as a backdoor instead of as a spammer. I don't know the history behind a lot of these or the implication of the code, so I'm sure I mis-categorized many. There are also many that I have not done yet.
2017-07-26 01:27:53 -06:00
K!LL3r
MrHazem
BY MMNBOBZ
Hackeado
bgeteam
VOBRA GANGO
Asmodeus
Cautam fisierele de configurare
BRUTEFORCING
FaTaLisTiCz_Fx Fx29Sh
DX_Header_drawn
Dr.abolalh
C0derz.com
Mr.HiTman
IrSecTeam
FLoodeR
eriuqer
zehirhacker
freetellafriend.com
casus15
temp_r57_table
By Psych0
c99ftpbrutecheck
d3b~X
profexor.hell
ZOBUGTEL
The Dark Raver
<kuku>
M4ll3r
itsoknoproblembro
tmhapbzcerff
Added New Malware Signatures/Fingerprints IndoXploit FaisaL Ahmed aka rEd X 'F'.'il'.'esMan' FilesMan
2017-08-15 23:58:49 -06:00
IndoXploit
FaisaL Ahmed aka rEd X
Adding definitions based on recent code injection
2020-11-17 03:34:21 +01:00
smisbot
smotherbot
Indonesian Hacker Rulez
Organizing, categorizing and prioritizing patterns There's enough raw patterns in here to justify organizing the file. Now that whitespace and comments are supported, I've been dividing it into sections More critical problems should be near the top as I would rather the script identify a file as a backdoor instead of as a spammer. I don't know the history behind a lot of these or the implication of the code, so I'm sure I mis-categorized many. There are also many that I have not done yet.
2017-07-26 01:27:53 -06:00
PR-47 comment and duplicate fix
2019-05-17 13:21:04 +02:00
# WP-VCD Malware https://www.getastra.com/blog/911/how-to-fix-wp-vcd-backdoor-hack-in-wordpress-functions-php/
Update patterns_raw.txt Added WP-VCD Malware strings
2019-02-11 05:53:33 +11:00
wp-vcd
class.theme-modules.php
PR-47 comment and duplicate fix
2019-05-17 13:21:04 +02:00
wp-tmp.php
Update patterns_raw.txt Added WP-VCD Malware strings
2019-02-11 05:53:33 +11:00
tmpcontentx
function wp_temp_setupx
derna.top/code.php
stripos($tmpcontent, $wp_auth_key)
Organizing, categorizing and prioritizing patterns There's enough raw patterns in here to justify organizing the file. Now that whitespace and comments are supported, I've been dividing it into sections More critical problems should be near the top as I would rather the script identify a file as a backdoor instead of as a spammer. I don't know the history behind a lot of these or the implication of the code, so I'm sure I mis-categorized many. There are also many that I have not done yet.
2017-07-26 01:27:53 -06:00
#Miscellaneous
uname -a
/etc/shadow
/etc/passwd
\x47\x4c\x4f\x42\x41LS
${${
PHPJiaMi
DisablePHP=
moban.html
a,b,c,d,e,f,g
@x0powo
@preg_replace
1@1.com
META http-equiv="refresh" content="0;
="create_";global
Net@ddress Mail
__VIEWSTATEENCRYPTED
createFilesForInputOutput
R0lGODlhEwAQALMAAAAAAP///5ycAM7OY///nP//zv/OnPf39////wAAAAAA
Separate patterns from code
2017-02-22 13:56:09 +01:00
ayu pr1 pr2 pr3 pr4 pr5 pr6
f0VMRgEBAQA
0d0a0d0a676c6f62616c20246d795f736d7
etalfnizg
Minor correction to base64 sample JHZpc2l0Y291bnQgPSAkSFRUUF9DT09LSUVf is correct. encoded version of "$visitcount = $HTTP_COOKIE_" I seem to have added a couple of extra characters than what I should have. Not sure where they came from.
2017-07-24 21:51:43 -06:00
JHZpc2l0Y291bnQgPSAkSFRUUF9DT09LSUVf
Added Equivalent base64 pattern samples Because base64 converts from an 8 bit to a 6 bit character system, you can get 3 unique base64 strings from a single ascii string depending on the position of the first character. for example: base64_encode("system"); base64_encode(" system"); base64_encode("( system"); The above 3 input strings all produce very different base64 signatures even though they all contain the same keyword 'system'. This is because the first letter of system, 's' fall on indices 0,1,2 respectively. I updated several of the base64 samples to include their offset counterparts as the originals would only catch about 1 in 3 of the actual present matches.
2017-07-24 12:23:39 -06:00
R2aXNpdGNvdW50ID0gJEhUVFBfQ09PS0lFX
kdmlzaXRjb3VudCA9ICRIVFRQX0NPT0tJRV
Separate patterns from code
2017-02-22 13:56:09 +01:00
HTTP flood complete after
exploitcookie
az88pix00q98
Q3JlZGl0IDogVW5kZXJncm91bmQgRGV2aWwgJm5ic3A7ICB8DQo8YSBocmVmP
463839610c000b00800100ffffffffffff21f90401000001002c000
AAAAAAAAMAAwABAAAAeAUAADQAAADsCQAAAAAAADQAIAADACgAFwAUAAEA
HJ3HjutckoRfpXf9A1zQO2AwDRrRey9uGvTeez79qAao1a0rgudkZkR8Ra
Ly83MTg3OWQyMTJkYzhjYmY0ZDRmZDA0NGEzZDE3Zjk3ZmI2N
DJ7VIU7RICXr6sEEV2cBtHDSOe9nVdpEGhEmvRVRNURfw1wQ
LS0gRHVtcDNkIGJ5IFBpcnVsaW4uUEhQIFdlYnNoM2xsIHYxLjAgYzBkZWQgYnkgcjBkcjEgOkw\=
5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigk
X1NFU1NJT05bJ3R4dGF1dGhpbiddID0gdHJ1ZTsNCiAgICBpZiAoJF9QT1NUWydybSddKSB7DQogICAgICBzZXRjb29raWUoJ3R4dGF1dGhfJy4kcm1ncm91cCwgbW
R0lGODlhFAAUAKIAAAAAAP///93d3cDAwIaGhgQEBP///wAAACH5BAEAAAYALAAAAAAUABQAA
m91dCwgJGVvdXQpOw0Kc2VsZWN0KCRyb3V0ID0gJHJpbiwgdW5kZWYsICRlb3V0ID0gJHJpbiwgMTIwKTsNCmlmICghJHJvdXQgICYmICAhJGVvdX
CB2aTZpIDEwMjQtDQojLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ0KI3JlcXVp
BDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAAQABADASIAAhEBA
REREFER_PTTH
Joomla_brute_Force
/usr/sbin/httpd
sshkeys
eggdrop
rwxrwxrwx
GIF89A;<?php
putbot $bot
bind join - *
privmsg $chan
\u003c\u0069\u006d\u0067\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f
\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd
find / \-type f \-name \.htpasswd
find / \-type f \-perm \-02000 \-ls
find / \-type f \-perm \-04000 \-ls
if(''==($df=@ini_get('disable_functions
ncftpput -u
wsoEx(
WSOsetcookie(
Pattern update according to japanese seo hack
2017-02-27 12:47:34 +01:00
\x47\x4c\x4f\x42\x41\x4c\x53
Fix for #11
2018-03-02 18:53:17 +01:00
# create_function
Fix for #10
2018-03-03 08:20:46 +01:00
'OY<--X17N-.OB8X'^',+YLY=nQ;CM;+W6';
# matches for a basic web shell
Mister Spy
Souheyl Bypass Shell
Welcome To Our Shell
Raw signature update reported in #17
2018-07-26 07:33:50 +02:00
Devloped By El Moujahidin
$f1 = ".ht"; $f2 = "acc"; $f3 = "ess";
Raw signature update reported in #16
2018-07-26 07:42:26 +02:00
.php.suspected
# join escaped
\x6A\x6F\x69\x6E
# reverse escaped
\x72\x65\x76\x65\x72\x73\x65
# split escaped
\x73\x70\x6C\x69\x74
# >tpircs/< aka </script>
Signature update reported in #19
2018-08-02 08:20:49 +02:00
\x3E\x74\x70\x69\x72\x63\x73\x2F\x3C
# comment spoof function call
/*;*/
# web shells host type extraction
php_uname()
Signature update reported in #20
2018-08-14 07:44:16 +02:00
# decode content with basic rot13
str_split(rawurldecode(str_rot13(
# generating PHP file name to put content
Signature update reported in #23
2018-09-05 09:32:23 +02:00
substr(md5(time()), 0, 8) . ".php"
# webshell
0byt3m1n1
Signature update reported in #25
2018-09-22 18:30:02 +02:00
ZeroByte
# obfuscated function name
'str_' .'rot13'
Signature update reported in #26
2018-09-30 13:26:53 +02:00
'st' .'rrev'
# JS escaped: document.createElement('script');
100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59
# JS escaped: String.fromCharCode(
Update patterns_raw.txt Added WP-VCD Malware strings
2019-02-11 05:53:33 +11:00
83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40
Signature update from new infections
2020-10-01 11:26:02 +02:00
# SEO poisoning control site call
"http://$xxx
?useragent=$botbotbot
Pattern updates from new infections
2021-05-27 06:38:53 +02:00
# php://input encoded in base64
cGhwOi8vaW5wdXQ=
# backdoor script
<font color="red">Upload Gagal..</font><br />
Pattern updates from new infections
2021-05-27 06:56:53 +02:00
explode('?>',$shell
# common mobile agent check in SEO poison scripts
Array("1207", "3gso", "4thp", "501i", "502i", "503i", "504i", "505i", "506i",
Reference in New Issue Copy Permalink