External/php-malware-scanner
1
0
Fork 0
mirror of https://github.com/scr34m/php-malware-scanner.git synced 2026-06-16 12:30:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

Sample update from #94 and some found in servers

Browse Source
This commit is contained in:
Gabor Gyorvari
2026-02-24 06:58:29 +01:00
parent 201ab77516
commit ba466dc1ff
2 changed files with 26 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
definitions/patterns_raw.txt
View File

@@ -25,6 +25,7 @@ ShellBOT
".\x00..\x20" ".\x00..\x20"
FM_SESSION_ID FM_SESSION_ID
HACKED BY HACKED BY
_Mybb
#Remote Code #Remote Code
curl_get_from_webpage curl_get_from_webpage
@@ -35,6 +36,9 @@ leafmailer.pw
#Base64 String Samples. Each plain text string should have 3 base64 equivalents #Base64 String Samples. Each plain text string should have 3 base64 equivalents
# https://
aHR0cHM6Ly
# "shell" in base64 # "shell" in base64
c2hlbG c2hlbG
NoZWxs NoZWxs
@@ -184,6 +188,12 @@ RlZmluZ
kZWZpbm kZWZpbm
# Obfuscation related code # Obfuscation related code
'.'6'.'4'.'_'.'
bas'.'e64_dec
file'.'_put_co
fil'.'e_ex
Pz4=
L3gvaQ==
eval("?> eval("?>
eval('?> eval('?>
@eval( @eval(
@@ -191,9 +201,10 @@ eval('?>
='base'.(32*2).'_de'.'code' ='base'.(32*2).'_de'.'code'
"p"."r"."e"."g"."_" "p"."r"."e"."g"."_"
WSOstripslashes WSOstripslashes
\x73\x79\x73\x74\x65\x6d' /* case, dec/hex issue? */, // system \x5f\x43\x4f\x4f\x4b\x49\x45
\x70\x72\x65\x67\x5f\x72\x65\x70\x6c\x61\x63\x65' /* case, dec/hex issue? */, // preg_replace \x73\x79\x73\x74\x65\x6d
\x65\x78\x65\x63' /* dec/hex issue? */, // exec \x70\x72\x65\x67\x5f\x72\x65\x70\x6c\x61\x63\x65
\x65\x78\x65\x63
ev\x61l ev\x61l
\x65\166\x61\154\x28' /* dec/hex issue? */, \x65\166\x61\154\x28' /* dec/hex issue? */,
\x65\x76\x61\x6C' /* case, dec/hex issue? */, \x65\x76\x61\x6C' /* case, dec/hex issue? */,
@@ -206,12 +217,12 @@ base=base64_encode
'b'.'ase6'.'4_e'.'ncode' 'b'.'ase6'.'4_e'.'ncode'
cr"."eat"."e_fun"."cti"."on cr"."eat"."e_fun"."cti"."on
gz'.'inf'.'late gz'.'inf'.'late
# fopo.com.ar - free online php obfuscator. It conveniently leaves comments in the code.
http://www.fopo.com.ar/
@eval("\ @eval("\
";eval( ";eval(
eval(eval( eval(eval(
@eval(` @eval(`
eVaL('?>
eval($_REQUEST
convert_uudecode(convert_uuencode convert_uudecode(convert_uuencode
"64_decode" "64_decode"
'f' . 'il' . 'e' . '_' 'f' . 'il' . 'e' . '_'
@@ -219,6 +230,9 @@ convert_uudecode(convert_uuencode
'h' . 'tm' . 'l' . 'sp' 'h' . 'tm' . 'l' . 'sp'
'ha' . 'r' . 's' 'ha' . 'r' . 's'
# fopo.com.ar - free online php obfuscator. It conveniently leaves comments in the code.
http://www.fopo.com.ar/
#Malware/Attack specific strings/fingerprints/signatures #Malware/Attack specific strings/fingerprints/signatures
MagelangCyber MagelangCyber
//rasta// //rasta//
@@ -398,6 +412,7 @@ ZeroByte
# SEO poisoning control site call # SEO poisoning control site call
"http://$xxx "http://$xxx
?useragent=$botbotbot ?useragent=$botbotbot
[#*#*#]
# php://input encoded in base64 # php://input encoded in base64
cGhwOi8vaW5wdXQ= cGhwOi8vaW5wdXQ=

7
definitions/patterns_re.txt
View File

@@ -146,6 +146,8 @@ eval\([A-Za-z0-9]{5,}\(\) \. '
# eval function return, parameter is a hex string # eval function return, parameter is a hex string
eval\([A-Za-z0-9]{5,}\(\"[A-Z0-9]{16,} eval\([A-Za-z0-9]{5,}\(\"[A-Z0-9]{16,}
eval\(\s+'\?>'
# gzip payload called by variable named function # gzip payload called by variable named function
\$[a-zA-Z0-9]{6,}\('\x78\x9C\xAD\x90\x41\x0E \$[a-zA-Z0-9]{6,}\('\x78\x9C\xAD\x90\x41\x0E
@@ -159,4 +161,7 @@ return @\$[a-z]{2}\d+\[\d+\]\(\$[a-z]{2}\d+\[\d+\],
# JS - escaped command # JS - escaped command
\.fromCharCode\([0-9,]{4,}\) \.fromCharCode\([0-9,]{4,}\)
\+-parseInt\(\w\('0x[0-9a-z]+'\)\)\/ \+-parseInt\(\w\('0x[0-9a-z]+'\)\)\/
# concated hash value
('[a-z0-9]{2,}'\.){4,}