Patterns update from manul samples
@@ -31,6 +31,7 @@ Resources
|
|||||||
* [malware samples 1](https://github.com/nbs-system/php-malware-finder/tree/master/php-malware-finder/samples)
|
* [malware samples 1](https://github.com/nbs-system/php-malware-finder/tree/master/php-malware-finder/samples)
|
||||||
* [malware samples 2](https://github.com/r4v/php-exploits)
|
* [malware samples 2](https://github.com/r4v/php-exploits)
|
||||||
* [malware samples 3](https://github.com/nikicat/web-malware-collection)
|
* [malware samples 3](https://github.com/nikicat/web-malware-collection)
|
||||||
|
* [malware samples 4](https://github.com/antimalware/manul/tree/master/src/scanner/static/signatures)
|
||||||
|
|
||||||
Licensing
|
Licensing
|
||||||
---------
|
---------
|
||||||
|
|||||||
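--- a/scan.php
+++ b/scan.php
@@ -176,15 +176,9 @@ class MalwareScanner
 /* too open? */
 // 'gzinflate(base64_decode(',
 'md5($_GET[', // md5($_GET["ms-load"])
-'/ShellBOT/i',
-'/YW55cmVzdWx0cy5uZXQ=/i',
-'/base64_decode\s*\(/i',
-'/str_rot13/i',
-'/uudecode/i',
-'/preg_replace',
+'ShellBOT',
 'bgeteam',
 'DisablePHP=',
-'=urldecode',
 'moban.html',
 '<?php eval',
 '$data = base64_decode("',
@@ -197,11 +191,118 @@ class MalwareScanner
 '@preg_replace',
 '1@1.com',
 'META http-equiv="refresh" content="0;',
-'="create_";global'
+'="create_";global',
+'YW55cmVzdWx0cy5uZXQ=',
+
+// imported manul samples
+'ZOBUGTEL',
+'MagelangCyber',
+'//rasta//',
+'Baby_Drakon',
+'Net@ddress Mail',
+'Created By EMMA',
+'3xp1r3',
+'NinjaVirus Here',
+'<dot>IrIsT',
+'Hacked By EnDLeSs',
+'Punker2Bot',
+'Zed0x',
+'darkminz',
+'ReaL_PuNiShEr',
+'OoN_Boy',
+'__VIEWSTATEENCRYPTED',
+'M4ll3r',
+'createFilesForInputOutput',
+'Pashkela',
+'== "bindshell"',
+'Webcommander at',
+'YENI3ERI',
+'d3lete',
+'Made by Delorean',
+'R0lGODlhEwAQALMAAAAAAP///5ycAM7OY///nP//zv/OnPf39////wAAAAAA',
+'Cybester90',
+'ayu pr1 pr2 pr3 pr4 pr5 pr6',
+'f0VMRgEBAQA',
+'0d0a0d0a676c6f62616c20246d795f736d7',
+'etalfnizg',
+'JHZpc2l0Y291bnQgPSAkSFRUUF9DT09LSUVfV',
+'edoced_46esab',
+'VOBRA GANGO',
+'itsoknoproblembro',
+'HTTP flood complete after',
+'exploitcookie',
+'az88pix00q98',
+'The Dark Raver',
+'Q3JlZGl0IDogVW5kZXJncm91bmQgRGV2aWwgJm5ic3A7ICB8DQo8YSBocmVmP',
+'463839610c000b00800100ffffffffffff21f90401000001002c000',
+'AAAAAAAAMAAwABAAAAeAUAADQAAADsCQAAAAAAADQAIAADACgAFwAUAAEA',
+'HJ3HjutckoRfpXf9A1zQO2AwDRrRey9uGvTeez79qAao1a0rgudkZkR8Ra',
+'Ly83MTg3OWQyMTJkYzhjYmY0ZDRmZDA0NGEzZDE3Zjk3ZmI2N',
+'DJ7VIU7RICXr6sEEV2cBtHDSOe9nVdpEGhEmvRVRNURfw1wQ',
+'Asmodeus',
+'Cautam fisierele de configurare',
+'BRUTEFORCING',
+'FaTaLisTiCz_Fx Fx29Sh',
+'w4ck1ng shell',
+'private Shell by m4rco',
+'Shell by Mawar_Hitam',
+'LS0gRHVtcDNkIGJ5IFBpcnVsaW4uUEhQIFdlYnNoM2xsIHYxLjAgYzBkZWQgYnkgcjBkcjEgOkw\=',
+'5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigk',
+'X1NFU1NJT05bJ3R4dGF1dGhpbiddID0gdHJ1ZTsNCiAgICBpZiAoJF9QT1NUWydybSddKSB7DQogICAgICBzZXRjb29raWUoJ3R4dGF1dGhfJy4kcm1ncm91cCwgbW',
+'zehirhacker',
+'R0lGODlhFAAUAKIAAAAAAP///93d3cDAwIaGhgQEBP///wAAACH5BAEAAAYALAAAAAAUABQAA',
+'m91dCwgJGVvdXQpOw0Kc2VsZWN0KCRyb3V0ID0gJHJpbiwgdW5kZWYsICRlb3V0ID0gJHJpbiwgMTIwKTsNCmlmICghJHJvdXQgICYmICAhJGVvdX',
+'CB2aTZpIDEwMjQtDQojLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ0KI3JlcXVp',
+'DX_Header_drawn',
+'BDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAAQABADASIAAhEBA',
+'casus15',
+'temp_r57_table',
+'By Psych0',
+'c99ftpbrutecheck',
+'K!LL3r',
+'MrHazem',
+'BY MMNBOBZ',
+'ConnectBackShell',
+'Hackeado',
+'d3b~X',
+'REREFER_PTTH',
+'Joomla_brute_Force',
+'/usr/sbin/httpd',
+'tmhapbzcerff',
+'IrSecTeam',
+'Spammer',
+'FLoodeR',
+'eriuqer',
+'sshkeys',
+'<kuku>',
+'Backdoor',
+'eggdrop',
+'rwxrwxrwx',
+'profexor.hell',
+'GIF89A;<?php',
+'$sh3llColor',
+'fwrite($fpsetv, getenv("HTTP_COOKIE")',
+'putbot $bot',
+'bind join - *',
+'privmsg $chan',
+'fopen\'(/etc/passwd',
+'\u003c\u0069\u006d\u0067\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f',
+'\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd',
+'find / \-type f \-name \.htpasswd',
+'find / \-type f \-perm \-02000 \-ls',
+'find / \-type f \-perm \-04000 \-ls',
+'if(\'\'==($df=@ini_get(\'disable_functions',
+'system\"$cmd 1> /tmp/',
+'ncftpput -u ',
+'wsoEx(',
+'WSOsetcookie(',
+'Dr.abolalh',
+'C0derz.com',
+'Mr.HiTman',
 );
 if ($this->ExtraCheck) {
 array_push($patterns, "googleBot", "htaccess");
 }
 foreach ($patterns as $toSearch) {
 $substrCount = substr_count($fileContent, $toSearch);
 if ($substrCount > 0) {
@@ -235,6 +336,14 @@ class MalwareScanner
 // $ewn=$ner("",$iqkpi);$ewn();
 '{\s*eval\s*\(\s*\$',
 // {eval($
+
+// imported manul samples
+'Googlebot[\'"]{0,1}\s*\)\){echo\s+file_get_contents',
+'eVaL\(\s*trim\(\s*baSe64_deCoDe\(',
+'if\s*\(\s*mail\s*\(\s*\$mails\[\$i\]\s*,\s*\$tema\s*,\s*base64_encode\s*\(\s*\$text',
+'fwrite\s*\(\s*\$fh\s*,\s*stripslashes\s*\(\s*@*\$_(GET|POST|SERVER|COOKIE|REQUEST)\[',
+'echo\s+file_get_contents\s*\(\s*base64_url_decode\s*\(\s*@*\$_(GET|POST|SERVER|COOKIE|REQUEST)',
+'chr\s*\(\s*101\s*\)\s*\.\s*chr\s*\(\s*118\s*\)\s*\.\s*chr\s*\(\s*97\s*\)\s*\.\s*chr\s*\(\s*108\s*\)',
 );
 foreach ($patterns as $toSearch) {
 if (preg_match('/' . $toSearch . '/is', $fileContent)) {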
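Review bot: Several of the literal patterns added to the first `$patterns` array in the second hunk (the list consumed by `substr_count($fileContent, $toSearch)`) carry regex-style escaping that a plain substring search takes at face value: in a single-quoted PHP string only `\\` and `\'` are interpreted, so `'find / \-type f \-name \.htpasswd'`, the two `\-perm` variants, `'system\"$cmd 1> /tmp/'` and the `...OkwL\=` base64 entry will only fire on a file that itself contains those backslashes (the `\x31\xdb…` and `\u003c…` entries are a different case, since they presumably target source text that spells out the escapes). The first hunk removes regex-shaped entries from this same list, so the intent appears to be a regex-free literal list; either drop the escapes (`'find / -type f -name .htpasswd'`, `'system"$cmd 1> /tmp/'`) or move these entries to the second array that is wrapped in `preg_match('/' . $toSearch . '/is', $fileContent)`. `'fopen\'(/etc/passwd'` searches for `fopen'(` with a literal quote, which looks like a transcription slip rather than a deliberate signature and is worth checking against the manul source. Generic tokens such as `'Backdoor'`, `'Spammer'`, `'sshkeys'` and `'rwxrwxrwx'` will also flag ordinary documentation and security tooling, so a one-line comment next to the `// imported manul samples` marker noting that these entries are high-noise would help whoever tunes the list later; the `$patterns = array(` opening of this list lies outside the hunk.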