Added comment lines for each regex

Added comment lines for each regex
This is to allow the -comment flag to provide either an accurate comment or no comment at all.
This commit is contained in:
nichogenius
2017-08-19 17:24:04 -06:00
committed by GitHub
parent 1f352dc4b4
commit ea2da42f8e


@@ -1,35 +1,68 @@
#PHP Regular Expressions #eval /* */
#All comment lines must have '#' as the first character of the line.
#More critical rules should be put higher in the list as only the first pattern matched is reported to the user.
eval\/\*[a-z0-9]+\*\/ eval\/\*[a-z0-9]+\*\/
#
eval\([a-z0-9]{4,}\(\$[a-z0-9]{4,}, \$[0-9a-z]{4,}\)\); eval\([a-z0-9]{4,}\(\$[a-z0-9]{4,}, \$[0-9a-z]{4,}\)\);
#
(chr\(\d+\^\d+\)\.){4,} (chr\(\d+\^\d+\)\.){4,}
#
(\$[a-z0-9]{3,}\[\d+\]\.){4,} (\$[a-z0-9]{3,}\[\d+\]\.){4,}
#
chr\(\d+\)\.""\.""\.""\.""\."" chr\(\d+\)\.""\.""\.""\.""\.""
#
\$GLOBALS\[\$GLOBALS['[a-z0-9]{4,}'\]\[\d+\]\.\$GLOBALS\['[a-z-0-9]{4,}'\]\[\d+\]. \$GLOBALS\[\$GLOBALS['[a-z0-9]{4,}'\]\[\d+\]\.\$GLOBALS\['[a-z-0-9]{4,}'\]\[\d+\].
#
\$GLOBALS\['[a-z0-9]{5,}'\] = \$[a-z]+\d+\[\d+\]\.\$[a-z]+\d+\[\d+\]\.\$[a-z]+\d+\[\d+\]\.\$[a-z]+\d+\[\d+\]\. \$GLOBALS\['[a-z0-9]{5,}'\] = \$[a-z]+\d+\[\d+\]\.\$[a-z]+\d+\[\d+\]\.\$[a-z]+\d+\[\d+\]\.\$[a-z]+\d+\[\d+\]\.
#
eval\([a-z0-9_]+\(base64_decode\( eval\([a-z0-9_]+\(base64_decode\(
#
\$[a-z]{3,}=\$[a-z]{3,}\("",\$[a-z]{3,}\);\$[a-z]{3,}\(\); \$[a-z]{3,}=\$[a-z]{3,}\("",\$[a-z]{3,}\);\$[a-z]{3,}\(\);
#
{\s*eval\s*\(\s*\$ {\s*eval\s*\(\s*\$
#
Googlebot['"]{0,1}\s*\)\){echo\s+file_get_contents Googlebot['"]{0,1}\s*\)\){echo\s+file_get_contents
#execute base64 code
eVaL\(\s*trim\(\s*baSe64_deCoDe\( eVaL\(\s*trim\(\s*baSe64_deCoDe\(
#
if\s*\(\s*mail\s*\(\s*\$mails\[\$i\]\s*,\s*\$tema\s*,\s*base64_encode\s*\(\s*\$text if\s*\(\s*mail\s*\(\s*\$mails\[\$i\]\s*,\s*\$tema\s*,\s*base64_encode\s*\(\s*\$text
# Write HTTP Request to File
fwrite\s*\(\s*\$fh\s*,\s*stripslashes\s*\(\s*@*\$_(GET|POST|SERVER|COOKIE|REQUEST)\[ fwrite\s*\(\s*\$fh\s*,\s*stripslashes\s*\(\s*@*\$_(GET|POST|SERVER|COOKIE|REQUEST)\[
# Download Remote Code
echo\s+file_get_contents\s*\(\s*base64_url_decode\s*\(\s*@*\$_(GET|POST|SERVER|COOKIE|REQUEST) echo\s+file_get_contents\s*\(\s*base64_url_decode\s*\(\s*@*\$_(GET|POST|SERVER|COOKIE|REQUEST)
# 'eval' in ascii chr() chars
chr\s*\(\s*101\s*\)\s*\.\s*chr\s*\(\s*118\s*\)\s*\.\s*chr\s*\(\s*97\s*\)\s*\.\s*chr\s*\(\s*108\s*\) chr\s*\(\s*101\s*\)\s*\.\s*chr\s*\(\s*118\s*\)\s*\.\s*chr\s*\(\s*97\s*\)\s*\.\s*chr\s*\(\s*108\s*\)
#
(\$OOO_O_000_\{\d+\}.){3,} (\$OOO_O_000_\{\d+\}.){3,}
#Detects the '_' character encoded in a string like "\x5F". '_' is present in many functions that malware would want to hide. #Detects the '_' character encoded in a string like "\x5F". '_' is present in many functions that malware would want to hide.
# '_' as "\x5f"
\\[Xx](5[Ff]) \\[Xx](5[Ff])
#Detects the '_' character placed inside a call to the 'chr()' function #Detects the '_' character placed inside a call to the 'chr()' function
# '_' as 'chr(95)' or 'chr(0x5f)'
chr\s*\(\s*['"]?\s*((95)|(0[Xx]5[Ff]))\s*['"]?\s*\) chr\s*\(\s*['"]?\s*((95)|(0[Xx]5[Ff]))\s*['"]?\s*\)
#Detects generic base64 strings longer than 260 characters enclosed in quotes ending with 0-3 '=' chars. #Detects generic base64 strings longer than 260 characters enclosed in quotes ending with 0-3 '=' chars.
#260 was a threshold chosen because strings of 256 characters are common enough. Might increase later to reduce false positives. #260 was a threshold chosen because strings of 256 characters are common enough. Might increase later to reduce false positives.
#Long base64 quoted string.
['"][A-Za-z0-9+\/]{260,}={0,3}['"] ['"][A-Za-z0-9+\/]{260,}={0,3}['"]
#Detects long single lines contained within PHP tags. #Detects long single lines contained within PHP tags.
#We can increase from 750 later if we need to. #We can increase from 1100 later if we need to.
#Long single line of PHP.
^.*<\?php.{1100,}\?>.*$ ^.*<\?php.{1100,}\?>.*$
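Review bot: Most of the comment lines this commit adds are bare `#` placeholders (the ones above `(chr\(\d+\^\d+\)\.){4,}`, `(\$[a-z0-9]{3,}\[\d+\]\.){4,}`, the two `\$GLOBALS` rules and `{\s*eval\s*\(\s*\$`), so the `-comment` flag has nothing to report for exactly the obfuscation idioms an analyst most needs explained. Because the header says only the first matching rule is reported, an empty comment on one of these early rules also suppresses the description of any later rule that would have matched. Short descriptions such as `#XOR'd chr() terms concatenated (4 or more)` and `#String-index slices ($v[n]) concatenated to build a name` would be enough. While annotating the `\$GLOBALS` rule, note that its second class `[a-z-0-9]` contains a literal `-` (unlike `[a-z0-9]` earlier on the same line) and that the trailing unescaped `.` there and in `\$OOO_O_000_\{\d+\}.` matches any character rather than a concatenation dot, so those rules are looser than their comments will claim; `\.` fixes both.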