Patterns update from manul samples

Gabor Gyorvari
2016-12-27 17:45:47 +01:00
parent 91174b5a60
commit 1f6efc124b
2 changed files with 121 additions and 11 deletions


@@ -31,6 +31,7 @@ Resources
* [malware samples 1](https://github.com/nbs-system/php-malware-finder/tree/master/php-malware-finder/samples)
* [malware samples 2](https://github.com/r4v/php-exploits)
* [malware samples 3](https://github.com/nikicat/web-malware-collection)
* [malware samples 4](https://github.com/antimalware/manul/tree/master/src/scanner/static/signatures)
Licensing
---------

131
scan.php

@@ -176,15 +176,9 @@ class MalwareScanner
/* too open? */
// 'gzinflate(base64_decode(',
'md5($_GET[', // md5($_GET["ms-load"])
'/ShellBOT/i',
'/YW55cmVzdWx0cy5uZXQ=/i',
'/base64_decode\s*\(/i',
'/str_rot13/i',
'/uudecode/i',
'/preg_replace',
'ShellBOT',
'bgeteam',
'DisablePHP=',
'=urldecode',
'moban.html',
'<?php eval',
'$data = base64_decode("',
@@ -197,11 +191,118 @@ class MalwareScanner
'@preg_replace',
'1@1.com',
'META http-equiv="refresh" content="0;',
'="create_";global'
'="create_";global',
'YW55cmVzdWx0cy5uZXQ=',
// imported manul samples
'ZOBUGTEL',
'MagelangCyber',
'//rasta//',
'Baby_Drakon',
'Net@ddress Mail',
'Created By EMMA',
'3xp1r3',
'NinjaVirus Here',
'<dot>IrIsT',
'Hacked By EnDLeSs',
'Punker2Bot',
'Zed0x',
'darkminz',
'ReaL_PuNiShEr',
'OoN_Boy',
'__VIEWSTATEENCRYPTED',
'M4ll3r',
'createFilesForInputOutput',
'Pashkela',
'== "bindshell"',
'Webcommander at',
'YENI3ERI',
'd3lete',
'Made by Delorean',
'R0lGODlhEwAQALMAAAAAAP///5ycAM7OY///nP//zv/OnPf39////wAAAAAA',
'Cybester90',
'ayu pr1 pr2 pr3 pr4 pr5 pr6',
'f0VMRgEBAQA',
'0d0a0d0a676c6f62616c20246d795f736d7',
'etalfnizg',
'JHZpc2l0Y291bnQgPSAkSFRUUF9DT09LSUVfV',
'edoced_46esab',
'VOBRA GANGO',
'itsoknoproblembro',
'HTTP flood complete after',
'exploitcookie',
'az88pix00q98',
'The Dark Raver',
'Q3JlZGl0IDogVW5kZXJncm91bmQgRGV2aWwgJm5ic3A7ICB8DQo8YSBocmVmP',
'463839610c000b00800100ffffffffffff21f90401000001002c000',
'AAAAAAAAMAAwABAAAAeAUAADQAAADsCQAAAAAAADQAIAADACgAFwAUAAEA',
'HJ3HjutckoRfpXf9A1zQO2AwDRrRey9uGvTeez79qAao1a0rgudkZkR8Ra',
'Ly83MTg3OWQyMTJkYzhjYmY0ZDRmZDA0NGEzZDE3Zjk3ZmI2N',
'DJ7VIU7RICXr6sEEV2cBtHDSOe9nVdpEGhEmvRVRNURfw1wQ',
'Asmodeus',
'Cautam fisierele de configurare',
'BRUTEFORCING',
'FaTaLisTiCz_Fx Fx29Sh',
'w4ck1ng shell',
'private Shell by m4rco',
'Shell by Mawar_Hitam',
'LS0gRHVtcDNkIGJ5IFBpcnVsaW4uUEhQIFdlYnNoM2xsIHYxLjAgYzBkZWQgYnkgcjBkcjEgOkw\=',
'5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigk',
'X1NFU1NJT05bJ3R4dGF1dGhpbiddID0gdHJ1ZTsNCiAgICBpZiAoJF9QT1NUWydybSddKSB7DQogICAgICBzZXRjb29raWUoJ3R4dGF1dGhfJy4kcm1ncm91cCwgbW',
'zehirhacker',
'R0lGODlhFAAUAKIAAAAAAP///93d3cDAwIaGhgQEBP///wAAACH5BAEAAAYALAAAAAAUABQAA',
'm91dCwgJGVvdXQpOw0Kc2VsZWN0KCRyb3V0ID0gJHJpbiwgdW5kZWYsICRlb3V0ID0gJHJpbiwgMTIwKTsNCmlmICghJHJvdXQgICYmICAhJGVvdX',
'CB2aTZpIDEwMjQtDQojLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ0KI3JlcXVp',
'DX_Header_drawn',
'BDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAAQABADASIAAhEBA',
'casus15',
'temp_r57_table',
'By Psych0',
'c99ftpbrutecheck',
'K!LL3r',
'MrHazem',
'BY MMNBOBZ',
'ConnectBackShell',
'Hackeado',
'd3b~X',
'REREFER_PTTH',
'Joomla_brute_Force',
'/usr/sbin/httpd',
'tmhapbzcerff',
'IrSecTeam',
'Spammer',
'FLoodeR',
'eriuqer',
'sshkeys',
'<kuku>',
'Backdoor',
'eggdrop',
'rwxrwxrwx',
'profexor.hell',
'GIF89A;<?php',
'$sh3llColor',
'fwrite($fpsetv, getenv("HTTP_COOKIE")',
'putbot $bot',
'bind join - *',
'privmsg $chan',
'fopen\'(/etc/passwd',
'\u003c\u0069\u006d\u0067\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f',
'\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd',
'find / \-type f \-name \.htpasswd',
'find / \-type f \-perm \-02000 \-ls',
'find / \-type f \-perm \-04000 \-ls',
'if(\'\'==($df=@ini_get(\'disable_functions',
'system\"$cmd 1> /tmp/',
'ncftpput -u ',
'wsoEx(',
'WSOsetcookie(',
'Dr.abolalh',
'C0derz.com',
'Mr.HiTman',
);
if ($this->ExtraCheck) {
array_push($patterns, "googleBot", "htaccess");
}
if ($this->ExtraCheck) {
array_push($patterns, "googleBot", "htaccess");
}
foreach ($patterns as $toSearch) {
$substrCount = substr_count($fileContent, $toSearch);
if ($substrCount > 0) {
@@ -235,6 +336,14 @@ class MalwareScanner
// $ewn=$ner("",$iqkpi);$ewn();
'{\s*eval\s*\(\s*\$',
// {eval($
// imported manul samples
'Googlebot[\'"]{0,1}\s*\)\){echo\s+file_get_contents',
'eVaL\(\s*trim\(\s*baSe64_deCoDe\(',
'if\s*\(\s*mail\s*\(\s*\$mails\[\$i\]\s*,\s*\$tema\s*,\s*base64_encode\s*\(\s*\$text',
'fwrite\s*\(\s*\$fh\s*,\s*stripslashes\s*\(\s*@*\$_(GET|POST|SERVER|COOKIE|REQUEST)\[',
'echo\s+file_get_contents\s*\(\s*base64_url_decode\s*\(\s*@*\$_(GET|POST|SERVER|COOKIE|REQUEST)',
'chr\s*\(\s*101\s*\)\s*\.\s*chr\s*\(\s*118\s*\)\s*\.\s*chr\s*\(\s*97\s*\)\s*\.\s*chr\s*\(\s*108\s*\)',
);
foreach ($patterns as $toSearch) {
if (preg_match('/' . $toSearch . '/is', $fileContent)) {
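Review bot: Several of the imported substring patterns in the second hunk carry regex-style escapes that PHP keeps literally inside single quotes (only `\\` and `\'` are escape sequences there), so the value that `substr_count()` searches for can never occur in a real file: `'find / \-type f \-name \.htpasswd'` and the two `\-perm` lines look for a literal backslash before each dash, `'LS0g…Okw\='` looks for `\=` instead of the base64 `=`, and `'fopen\'(/etc/passwd'` is the string `fopen'(/etc/passwd` with the quote and parenthesis swapped. These entries were presumably lifted from manul's regex signatures; they either need the escapes stripped for the plain-substring list, or need to move into the `preg_match` list in the third hunk (with `/` escaped, since that list is wrapped in `/…/is`). `'system\"$cmd 1> /tmp/'` should be checked against its sample the same way, while the `\u003c…` and `\x31\xdb…` entries are fine as-is because those escape sequences appear literally in obfuscated sources. Separately, very short generic entries such as `'Backdoor'`, `'Spammer'`, `'sshkeys'`, `'rwxrwxrwx'` and `'/usr/sbin/httpd'` will flag ordinary comments, docs and config scripts; consider confining those to the `ExtraCheck` path. The enclosing method starts before the first scan.php hunk.
```php
    // … unchanged: earlier imported manul substring patterns …
    'LS0gRHVtcDNkIGJ5IFBpcnVsaW4uUEhQIFdlYnNoM2xsIHYxLjAgYzBkZWQgYnkgcjBkcjEgOkw=',
    // … unchanged …
    'fopen(\'/etc/passwd',
    // … unchanged: \u and \x sequences stay literal on purpose …
    'find / -type f -name .htpasswd',
    'find / -type f -perm -02000 -ls',
    'find / -type f -perm -04000 -ls',
    // … unchanged: remaining entries and the ExtraCheck block …
```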