php-malware-scanner/definitions/patterns_raw.txt

#Raw string patterns
#All strings in this file are case sensitive
#Comments are supported, but '#' must be the first character (index[0]) on the line.
#More critical patterns should be higher in the file as only the first pattern match is reported.

#Backdoor patterns
@eval($_POST['
Backdoor
@include($_GET[
system($_GET[
md5($_GET[
fwrite($fpsetv, getenv("HTTP_COOKIE")
system\"$cmd 1> /tmp/
\145\166\141\154\050\142\141\163\145\066\064\137\144\145\143\157\144\145\050

#Web-Shell patterns
$sh3llColor
w4ck1ng shell
private Shell by m4rco
Shell by Mawar_Hitam
SHELL_PASSWORD
ConnectBackShell
ShellBOT
== "bindshell"

#Remote Code
curl_get_from_webpage
file_get_contents('http://codepad.org


#Base64 String Samples.  Each plain text string should have 3 base64 equivalents

# "shell" in base64
c2hlbG
NoZWxs
zaGVsb

# "<?php" in base64
PD9waH
w/cGhw
8P3Boc

# "stat" in base64
c3Rhd
N0YX
zdGF0

# "copy" in base64
Y29we
NvcH
jb3B5

# "chr" in base64
Y2hy

# "system" in base64
c3lzdGVt
N5c3Rlb
zeXN0ZW

# "replace" in base64
cmVwbGFjZ
JlcGxhY2
yZXBsYWNl

# "str_" in base64
c3RyX
N0cl
zdHJf

# "exec" in base64
ZXhlYy
V4ZWMo
leGVjK

# "echo" in base64
ZWNob
VjaG
lY2hv

# "function" in base64
ZnVuY3Rpb2
Z1bmN0aW9u
mdW5jdGlvb

# "include" in base64
aW5jbHVkZ
luY2x1ZG
pbmNsdWRl

# "require" in base64
cmVxdWlyZ
JlcXVpcm
yZXF1aXJl

# "base64" in base64
YmFzZTY0
Jhc2U2N
iYXNlNj

# "eval" in base64
ZXZhb
V2YW
ldmFs

# "HTTP_USER_AGENT" in base64
SFRUUF9VU0VSX0FHRU5U
hUVFBfVVNFUl9BR0VOV
IVFRQX1VTRVJfQUdFTl

# "file" in base64
ZmlsZ
ZpbG
maWxl

# "gzinflate" in base64
Z3ppbmZsYXRl
d6aW5mbGF0Z
nemluZmxhdG

# "open" in base64
b3Blb
9wZW
vcGVu

# "close" in base64
Y2xvc2
Nsb3Nl
jbG9zZ

# "array_" in base64
YXJyYXlf
FycmF5X
hcnJheV

# "cslashes" in base64
Y3NsYXNoZX
NzbGFzaGVz
jc2xhc2hlc

# "extract" in base64
ZXh0cmFjd
V4dHJhY3
leHRyYWN0

# "$_GET" in base64
JF9HRV
RfR0VU
kX0dFV

# "$_POST" in base64
JF9QT1NU
RfUE9TV
kX1BPU1

# "$_COOKIE" in base64
JF9DT09LSU
RfQ09PS0lF
kX0NPT0tJR

# "$_REQUEST" in base64
JF9SRVFVRVNU
RfUkVRVUVTV
kX1JFUVVFU1

# "GLOBALS" in base64
R0xPQkFMU
dMT0JBTF
HTE9CQUxT

# "sizeof" in base64
c2l6ZW9m
NpemVvZ
zaXplb2

# "printf" in base64
cHJpbnRm
ByaW50Z
wcmludG

# "define" in base64
ZGVmaW5l
RlZmluZ
kZWZpbm

# Obfuscation related code
eval("?>
"base64_decode"
='base'.(32*2).'_de'.'code'
"p"."r"."e"."g"."_"
WSOstripslashes
\x73\x79\x73\x74\x65\x6d' /* case, dec/hex issue? */, // system
\x70\x72\x65\x67\x5f\x72\x65\x70\x6c\x61\x63\x65' /* case, dec/hex issue? */, // preg_replace
\x65\x78\x65\x63' /* dec/hex issue? */, // exec
ev\x61l
\x65\166\x61\154\x28' /* dec/hex issue? */,
\x65\x76\x61\x6C' /* case, dec/hex issue? */,
'ev'.'al'.'
eval(base64_decode(
<?php eval
$data = base64_decode("
edoced_46esab
base=base64_encode
cr"."eat"."e_fun"."cti"."on
gz'.'inf'.'late
# fopo.com.ar - free online php obfuscator. It conveniently leaves comments in the code.
http://www.fopo.com.ar/


#Malware/Attack specific strings/fingerprints/signatures
MagelangCyber
//rasta//
Baby_Drakon
Created By EMMA
3xp1r3
NinjaVirus Here
<dot>IrIsT
Hacked By EnDLeSs
Punker2Bot
Zed0x
darkminz
ReaL_PuNiShEr
OoN_Boy
Pashkela
Webcommander at
YENI3ERI
d3lete
Made by Delorean
Cybester90
K!LL3r
MrHazem
BY MMNBOBZ
Hackeado
bgeteam
VOBRA GANGO
Asmodeus
Cautam fisierele de configurare
BRUTEFORCING
FaTaLisTiCz_Fx Fx29Sh
DX_Header_drawn
Dr.abolalh
C0derz.com
Mr.HiTman
IrSecTeam
FLoodeR
eriuqer
zehirhacker
freetellafriend.com
casus15
temp_r57_table
By Psych0
c99ftpbrutecheck
d3b~X
profexor.hell
ZOBUGTEL
The Dark Raver
<kuku>
M4ll3r
itsoknoproblembro
tmhapbzcerff
IndoXploit
FaisaL Ahmed aka rEd X


#Miscellaneous
uname -a
/etc/shadow
/etc/passwd
\x47\x4c\x4f\x42\x41LS
${${
PHPJiaMi
DisablePHP=
moban.html
a,b,c,d,e,f,g
@x0powo
@preg_replace
1@1.com
META http-equiv="refresh" content="0;
="create_";global
Net@ddress Mail
__VIEWSTATEENCRYPTED
createFilesForInputOutput
R0lGODlhEwAQALMAAAAAAP///5ycAM7OY///nP//zv/OnPf39////wAAAAAA
ayu pr1 pr2 pr3 pr4 pr5 pr6
f0VMRgEBAQA
0d0a0d0a676c6f62616c20246d795f736d7
etalfnizg
JHZpc2l0Y291bnQgPSAkSFRUUF9DT09LSUVf
R2aXNpdGNvdW50ID0gJEhUVFBfQ09PS0lFX
kdmlzaXRjb3VudCA9ICRIVFRQX0NPT0tJRV
HTTP flood complete after
exploitcookie
az88pix00q98
Q3JlZGl0IDogVW5kZXJncm91bmQgRGV2aWwgJm5ic3A7ICB8DQo8YSBocmVmP
463839610c000b00800100ffffffffffff21f90401000001002c000
AAAAAAAAMAAwABAAAAeAUAADQAAADsCQAAAAAAADQAIAADACgAFwAUAAEA
HJ3HjutckoRfpXf9A1zQO2AwDRrRey9uGvTeez79qAao1a0rgudkZkR8Ra
Ly83MTg3OWQyMTJkYzhjYmY0ZDRmZDA0NGEzZDE3Zjk3ZmI2N
DJ7VIU7RICXr6sEEV2cBtHDSOe9nVdpEGhEmvRVRNURfw1wQ
LS0gRHVtcDNkIGJ5IFBpcnVsaW4uUEhQIFdlYnNoM2xsIHYxLjAgYzBkZWQgYnkgcjBkcjEgOkw\=
5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigk
X1NFU1NJT05bJ3R4dGF1dGhpbiddID0gdHJ1ZTsNCiAgICBpZiAoJF9QT1NUWydybSddKSB7DQogICAgICBzZXRjb29raWUoJ3R4dGF1dGhfJy4kcm1ncm91cCwgbW
R0lGODlhFAAUAKIAAAAAAP///93d3cDAwIaGhgQEBP///wAAACH5BAEAAAYALAAAAAAUABQAA
m91dCwgJGVvdXQpOw0Kc2VsZWN0KCRyb3V0ID0gJHJpbiwgdW5kZWYsICRlb3V0ID0gJHJpbiwgMTIwKTsNCmlmICghJHJvdXQgICYmICAhJGVvdX
CB2aTZpIDEwMjQtDQojLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ0KI3JlcXVp
BDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAAQABADASIAAhEBA
REREFER_PTTH
Joomla_brute_Force
/usr/sbin/httpd
sshkeys
eggdrop
rwxrwxrwx
GIF89A;<?php
putbot $bot
bind join - *
privmsg $chan
\u003c\u0069\u006d\u0067\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f
\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd
find / \-type f \-name \.htpasswd
find / \-type f \-perm \-02000 \-ls
find / \-type f \-perm \-04000 \-ls
if(''==($df=@ini_get('disable_functions
ncftpput -u
wsoEx(
WSOsetcookie(
\x47\x4c\x4f\x42\x41\x4c\x53
# create_function
'OY<--X17N-.OB8X'^',+YLY=nQ;CM;+W6';
# matches for a basic web shell
Mister Spy
Souheyl Bypass Shell
Welcome To Our Shell
Devloped By El Moujahidin
$f1 = ".ht"; $f2 = "acc"; $f3 = "ess";
.php.suspected
# join escaped
\x6A\x6F\x69\x6E
# reverse escaped
\x72\x65\x76\x65\x72\x73\x65
# split escaped
\x73\x70\x6C\x69\x74
# >tpircs/< aka </script>
\x3E\x74\x70\x69\x72\x63\x73\x2F\x3C
# comment spoof function call
/*;*/
# web shells host type extraction
php_uname()