From 86be84e8b682002fa1c198561c66e14ddb638575 Mon Sep 17 00:00:00 2001
From: nichogenius
Date: Wed, 26 Jul 2017 01:27:53 -0600
Subject: [PATCH] Organizing, categorizing and prioritizing patterns

There's enough raw patterns in here to justify organizing the file. Now that whitespace and comments are supported, I've been dividing it into sections More critical problems should be near the top as I would rather the script identify a file as a backdoor instead of as a spammer. I don't know the history behind a lot of these or the implication of the code, so I'm sure I mis-categorized many. There are also many that I have not done yet.
---
 patterns_raw.txt | 251 ++++++++++++++++++++++++++++-------------------
 1 file changed, 148 insertions(+), 103 deletions(-)

diff --git a/patterns_raw.txt b/patterns_raw.txt
index 45e7e8b..7d6c9a8 100644
--- a/patterns_raw.txt
+++ b/patterns_raw.txt
@@ -1,74 +1,108 @@ -uname -a -/etc/shadow -/etc/passwd -WSOstripslashes -PD9waH -w/cGhw -8P3Boc -c3lzdGVt -N5c3Rlb -zeXN0ZW -\x73\x79\x73\x74\x65\x6d' /* case, dec/hex issue? */, // system -cmVwbGFjZ -JlcGxhY2 -yZXBsYWNl -\x70\x72\x65\x67\x5f\x72\x65\x70\x6c\x61\x63\x65' /* case, dec/hex issue? */, // preg_replace -ZXhlYy -V4ZWMo -leGVjK -\x65\x78\x65\x63' /* dec/hex issue? */, // exec -='base'.(32*2).'_de'.'code' -"base64_decode" -YmFzZTY0X2RlY29kZ -Jhc2U2NF9kZWNvZG -iYXNlNjRfZGVjb2Rl -"p"."r"."e"."g"."_" -eval("?> -ev\x61l -\x65\166\x61\154\x28' /* dec/hex issue? */, -\x65\x76\x61\x6C' /* case, dec/hex issue? */, -ZXZhbC -V2YWwo -ldmFsK -'ev'.'al'.' -eval(base64_decode( -\x47\x4c\x4f\x42\x41LS -SFRUUF9VU0VSX0FHRU5U -hUVFBfVVNFUl9BR0VOV -IVFRQX1VTRVJfQUdFTl -YWxsb3dfdXJsX2ZvcGVu -FsbG93X3VybF9mb3Blb -hbGxvd191cmxfZm9wZW -${${ -file_get_contents('http://codepad.org -PHPJiaMi +#Raw string patterns +#All strings in this file are case sensitive +#Comments are support, but '#' must be the first character on the line. +#More critical patterns should be higher in the file as only the first pattern match is reported. + +#Backdoor patterns +@eval($_POST[' +Backdoor @include($_GET[ system($_GET[ md5($_GET[ -ShellBOT -bgeteam -DisablePHP= -moban.html - /tmp/ + +#Web-Shell patterns +$sh3llColor +w4ck1ng shell +private Shell by m4rco +Shell by Mawar_Hitam SHELL_PASSWORD +ConnectBackShell +ShellBOT +== "bindshell" + +#Remote Code curl_get_from_webpage -base=base64_encode -@x0powo -@preg_replace -1@1.com -META http-equiv="refresh" content="0; -="create_";global +file_get_contents('http://codepad.org + + +#Base64 String Samples. Each plain text string should have 3 base64 equivalents + +# "shell" in base64 +c2hlbG +NoZWxs +zaGVsb + +# " +"base64_decode" +='base'.(32*2).'_de'.'code' +"p"."r"."e"."g"."_" +WSOstripslashes +\x73\x79\x73\x74\x65\x6d' /* case, dec/hex issue? */, // system +\x70\x72\x65\x67\x5f\x72\x65\x70\x6c\x61\x63\x65' /* case, dec/hex issue? 
*/, // preg_replace +\x65\x78\x65\x63' /* dec/hex issue? */, // exec +ev\x61l +\x65\166\x61\154\x28' /* dec/hex issue? */, +\x65\x76\x61\x6C' /* case, dec/hex issue? */, +'ev'.'al'.' +eval(base64_decode( + +M4ll3r +itsoknoproblembro +tmhapbzcerff + + +#Miscellaneous +uname -a +/etc/shadow +/etc/passwd +\x47\x4c\x4f\x42\x41LS +${${ +PHPJiaMi +DisablePHP= +moban.html +a,b,c,d,e,f,g +@x0powo +@preg_replace +1@1.com +META http-equiv="refresh" content="0; +="create_";global +Net@ddress Mail +__VIEWSTATEENCRYPTED +createFilesForInputOutput +R0lGODlhEwAQALMAAAAAAP///5ycAM7OY///nP//zv/OnPf39////wAAAAAA ayu pr1 pr2 pr3 pr4 pr5 pr6 f0VMRgEBAQA 0d0a0d0a676c6f62616c20246d795f736d7 
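Review bot: The `# "` line added in the "Base64 String Samples" section is an unfinished comment, and the entries that follow it (`"base64_decode"`, `='base'.(32*2).'_de'.'code'`, `"p"."r"."e"."g"."_"`, the `\x..` escape strings) are plain-text obfuscation patterns rather than base64 encodings, so they sit under a header that misdescribes them; either finish the comment or replace it with a header such as `#Obfuscated function names (string concatenation, hex escapes)`. The new header comment also has a typo: `#Comments are support, but` should read `#Comments are supported, but`. The base64 triads removed at the top of this hunk (for `system`, `replace`, `exec`, `base64_decode`, `eval`, `HTTP_USER_AGENT`, `allow_url_fopen` and the `PD9waH`/`w/cGhw`/`8P3Boc` `<?php` set) do not reappear in the hunks visible here; if they are not re-added in the part of the patch between these two hunks, the reorganisation silently drops detection of the most common encoded payloads, which works against the stated goal of reporting backdoors first. Because the header states that only the first match is reported, the bare literal `Backdoor` placed directly under `#Backdoor patterns` will, assuming a plain substring match, cause any file that merely mentions that word to be reported as a backdoor ahead of every more specific pattern; a more specific string or a lower position in the file would reduce that false-positive exposure.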
@@ -97,62 +180,29 @@ etalfnizg JHZpc2l0Y291bnQgPSAkSFRUUF9DT09LSUVf R2aXNpdGNvdW50ID0gJEhUVFBfQ09PS0lFX kdmlzaXRjb3VudCA9ICRIVFRQX0NPT0tJRV -edoced_46esab -VOBRA GANGO -itsoknoproblembro HTTP flood complete after exploitcookie az88pix00q98 -The Dark Raver Q3JlZGl0IDogVW5kZXJncm91bmQgRGV2aWwgJm5ic3A7ICB8DQo8YSBocmVmP 463839610c000b00800100ffffffffffff21f90401000001002c000 AAAAAAAAMAAwABAAAAeAUAADQAAADsCQAAAAAAADQAIAADACgAFwAUAAEA HJ3HjutckoRfpXf9A1zQO2AwDRrRey9uGvTeez79qAao1a0rgudkZkR8Ra Ly83MTg3OWQyMTJkYzhjYmY0ZDRmZDA0NGEzZDE3Zjk3ZmI2N DJ7VIU7RICXr6sEEV2cBtHDSOe9nVdpEGhEmvRVRNURfw1wQ -Asmodeus -Cautam fisierele de configurare -BRUTEFORCING -FaTaLisTiCz_Fx Fx29Sh -w4ck1ng shell -private Shell by m4rco -Shell by Mawar_Hitam LS0gRHVtcDNkIGJ5IFBpcnVsaW4uUEhQIFdlYnNoM2xsIHYxLjAgYzBkZWQgYnkgcjBkcjEgOkw\= 5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigk X1NFU1NJT05bJ3R4dGF1dGhpbiddID0gdHJ1ZTsNCiAgICBpZiAoJF9QT1NUWydybSddKSB7DQogICAgICBzZXRjb29raWUoJ3R4dGF1dGhfJy4kcm1ncm91cCwgbW -zehirhacker R0lGODlhFAAUAKIAAAAAAP///93d3cDAwIaGhgQEBP///wAAACH5BAEAAAYALAAAAAAUABQAA m91dCwgJGVvdXQpOw0Kc2VsZWN0KCRyb3V0ID0gJHJpbiwgdW5kZWYsICRlb3V0ID0gJHJpbiwgMTIwKTsNCmlmICghJHJvdXQgICYmICAhJGVvdX CB2aTZpIDEwMjQtDQojLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ0KI3JlcXVp -DX_Header_drawn BDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAAQABADASIAAhEBA -casus15 -temp_r57_table -By Psych0 -c99ftpbrutecheck -K!LL3r -MrHazem -BY MMNBOBZ -ConnectBackShell -Hackeado -d3b~X REREFER_PTTH Joomla_brute_Force /usr/sbin/httpd -tmhapbzcerff -IrSecTeam -Spammer -FLoodeR -eriuqer sshkeys - -Backdoor eggdrop rwxrwxrwx -profexor.hell GIF89A; /tmp/ ncftpput -u wsoEx( WSOsetcookie( -Dr.abolalh -C0derz.com -Mr.HiTman \x47\x4c\x4f\x42\x41\x4c\x53 -@eval($_POST['