From 1f6efc124b1a1e3b767940c693b5873bc92cf34e Mon Sep 17 00:00:00 2001
From: Gabor Gyorvari
Date: Tue, 27 Dec 2016 17:45:47 +0100
Subject: [PATCH] Patterns update from manul samples

---
 README.md | 1 +
 scan.php | 131 +++++++++++++++++++++++++++++++++++++++++++++++++-----
 2 files changed, 121 insertions(+), 11 deletions(-)

diff --git a/README.md b/README.md
index 1f080d8..7d1aef1 100644
--- a/README.md
+++ b/README.md
@@ -31,6 +31,7 @@ Resources
 * [malware samples 1](https://github.com/nbs-system/php-malware-finder/tree/master/php-malware-finder/samples)
 * [malware samples 2](https://github.com/r4v/php-exploits)
 * [malware samples 3](https://github.com/nikicat/web-malware-collection)
+* [malware samples 4](https://github.com/antimalware/manul/tree/master/src/scanner/static/signatures)
 
 Licensing
 ---------
diff --git a/scan.php b/scan.php
index c229560..8caee62 100644
--- a/scan.php
+++ b/scan.php
@@ -176,15 +176,9 @@ class MalwareScanner /* too open? */ // 'gzinflate(base64_decode(', 'md5($_GET[', // md5($_GET["ms-load"]) - '/ShellBOT/i', - '/YW55cmVzdWx0cy5uZXQ=/i', - '/base64_decode\s*\(/i', - '/str_rot13/i', - '/uudecode/i', - '/preg_replace', + 'ShellBOT', 'bgeteam', 'DisablePHP=', - '=urldecode', 'moban.html', 'IrIsT', + 'Hacked By EnDLeSs', + 'Punker2Bot', + 'Zed0x', + 'darkminz', + 'ReaL_PuNiShEr', + 'OoN_Boy', + '__VIEWSTATEENCRYPTED', + 'M4ll3r', + 'createFilesForInputOutput', + 'Pashkela', + '== "bindshell"', + 'Webcommander at', + 'YENI3ERI', + 'd3lete', + 'Made by Delorean', + 'R0lGODlhEwAQALMAAAAAAP///5ycAM7OY///nP//zv/OnPf39////wAAAAAA', + 'Cybester90', + 'ayu pr1 pr2 pr3 pr4 pr5 pr6', + 'f0VMRgEBAQA', + '0d0a0d0a676c6f62616c20246d795f736d7', + 'etalfnizg', + 'JHZpc2l0Y291bnQgPSAkSFRUUF9DT09LSUVfV', + 'edoced_46esab', + 'VOBRA GANGO', + 'itsoknoproblembro', + 'HTTP flood complete after', + 'exploitcookie', + 'az88pix00q98', + 'The Dark Raver', + 'Q3JlZGl0IDogVW5kZXJncm91bmQgRGV2aWwgJm5ic3A7ICB8DQo8YSBocmVmP', + '463839610c000b00800100ffffffffffff21f90401000001002c000', + 'AAAAAAAAMAAwABAAAAeAUAADQAAADsCQAAAAAAADQAIAADACgAFwAUAAEA', + 'HJ3HjutckoRfpXf9A1zQO2AwDRrRey9uGvTeez79qAao1a0rgudkZkR8Ra', + 'Ly83MTg3OWQyMTJkYzhjYmY0ZDRmZDA0NGEzZDE3Zjk3ZmI2N', + 'DJ7VIU7RICXr6sEEV2cBtHDSOe9nVdpEGhEmvRVRNURfw1wQ', + 'Asmodeus', + 'Cautam fisierele de configurare', + 'BRUTEFORCING', + 'FaTaLisTiCz_Fx Fx29Sh', + 'w4ck1ng shell', + 'private Shell by m4rco', + 'Shell by Mawar_Hitam', + 'LS0gRHVtcDNkIGJ5IFBpcnVsaW4uUEhQIFdlYnNoM2xsIHYxLjAgYzBkZWQgYnkgcjBkcjEgOkw\=', + '5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigk', + 'X1NFU1NJT05bJ3R4dGF1dGhpbiddID0gdHJ1ZTsNCiAgICBpZiAoJF9QT1NUWydybSddKSB7DQogICAgICBzZXRjb29raWUoJ3R4dGF1dGhfJy4kcm1ncm91cCwgbW', + 'zehirhacker', + 'R0lGODlhFAAUAKIAAAAAAP///93d3cDAwIaGhgQEBP///wAAACH5BAEAAAYALAAAAAAUABQAA', + 
'm91dCwgJGVvdXQpOw0Kc2VsZWN0KCRyb3V0ID0gJHJpbiwgdW5kZWYsICRlb3V0ID0gJHJpbiwgMTIwKTsNCmlmICghJHJvdXQgICYmICAhJGVvdX', + 'CB2aTZpIDEwMjQtDQojLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ0KI3JlcXVp', + 'DX_Header_drawn', + 'BDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAAQABADASIAAhEBA', + 'casus15', + 'temp_r57_table', + 'By Psych0', + 'c99ftpbrutecheck', + 'K!LL3r', + 'MrHazem', + 'BY MMNBOBZ', + 'ConnectBackShell', + 'Hackeado', + 'd3b~X', + 'REREFER_PTTH', + 'Joomla_brute_Force', + '/usr/sbin/httpd', + 'tmhapbzcerff', + 'IrSecTeam', + 'Spammer', + 'FLoodeR', + 'eriuqer', + 'sshkeys', + '', + 'Backdoor', + 'eggdrop', + 'rwxrwxrwx', + 'profexor.hell', + 'GIF89A; /tmp/', + 'ncftpput -u ', + 'wsoEx(', + 'WSOsetcookie(', + 'Dr.abolalh', + 'C0derz.com', + 'Mr.HiTman', ); - if ($this->ExtraCheck) { - array_push($patterns, "googleBot", "htaccess"); - } + if ($this->ExtraCheck) { + array_push($patterns, "googleBot", "htaccess"); + } foreach ($patterns as $toSearch) { $substrCount = substr_count($fileContent, $toSearch); if ($substrCount > 0) { @@ -235,6 +336,14 @@ class MalwareScanner // $ewn=$ner("",$iqkpi);$ewn(); '{\s*eval\s*\(\s*\$', // {eval($ + + // imported manul samples + 'Googlebot[\'"]{0,1}\s*\)\){echo\s+file_get_contents', + 'eVaL\(\s*trim\(\s*baSe64_deCoDe\(', + 'if\s*\(\s*mail\s*\(\s*\$mails\[\$i\]\s*,\s*\$tema\s*,\s*base64_encode\s*\(\s*\$text', + 'fwrite\s*\(\s*\$fh\s*,\s*stripslashes\s*\(\s*@*\$_(GET|POST|SERVER|COOKIE|REQUEST)\[', + 'echo\s+file_get_contents\s*\(\s*base64_url_decode\s*\(\s*@*\$_(GET|POST|SERVER|COOKIE|REQUEST)', + 'chr\s*\(\s*101\s*\)\s*\.\s*chr\s*\(\s*118\s*\)\s*\.\s*chr\s*\(\s*97\s*\)\s*\.\s*chr\s*\(\s*108\s*\)', ); foreach ($patterns as $toSearch) { if (preg_match('/' . $toSearch . '/is', $fileContent)) {
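Review bot: The added `'',` entry between `'sshkeys',` and `'Backdoor',` is an empty needle for the `substr_count($fileContent, $toSearch)` call at the end of the hunk; PHP 8 throws a ValueError on an empty needle and PHP 7 emits a warning and returns false, so the scan either aborts on the first file or silently wastes the entry — drop that line. In `'LS0gRHVtcDNkIGJ5IFBpcnVsaW4uUEhQIFdlYnNoM2xsIHYxLjAgYzBkZWQgYnkgcjBkcjEgOkw\=',` the `\=` inside a single-quoted string stays a literal backslash followed by `=`, so the needle only matches files that themselves contain `\=`; if the base64 padding is what is meant, write the tail as `...cjBkcjEgOkw=`. Generic words such as `'Spammer'`, `'Backdoor'`, `'sshkeys'`, `'eggdrop'` and `'rwxrwxrwx'` will flag legitimate code and documentation in a case-sensitive substring scan; given the existing `/* too open? */` group and the `ExtraCheck` list at the end of the hunk, they belong with one of those rather than the default set. The `if ($this->ExtraCheck)` change is indentation only. The method building this list begins before the hunk.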
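Review bot: The sample-derived casing in `'eVaL\(\s*trim\(\s*baSe64_deCoDe\(',` suggests case is significant, but the `preg_match('/' . $toSearch . '/is', $fileContent)` line at the end of the hunk already matches case-insensitively, so the entry is clearer as `'eval\(\s*trim\(\s*base64_decode\(',`; likewise `[\'"]{0,1}` in the Googlebot entry is just `[\'"]?`. Each entry is spliced between `/` delimiters without `preg_quote`, which holds for these six because none contains a slash, but a comment on the `// imported manul samples` line such as `// regex bodies: the loop below wraps each in /.../is, so a literal '/' must be escaped` would spare the next contributor a preg_match() warning and a silently skipped pattern. The array and the method holding it begin before the hunk.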