mirror of
https://github.com/scr34m/php-malware-scanner.git
synced 2026-06-16 12:30:35 +00:00
Compare commits
4 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
f0bdb1f1e1 | ||
|
|
43876b337b | ||
|
|
1fad164790 | ||
|
|
f4d53e89d8 |
@@ -180,6 +180,7 @@ kZWZpbm
|
|||||||
|
|
||||||
# Obfuscation related code
|
# Obfuscation related code
|
||||||
eval("?>
|
eval("?>
|
||||||
|
eval('?>
|
||||||
"base64_decode"
|
"base64_decode"
|
||||||
='base'.(32*2).'_de'.'code'
|
='base'.(32*2).'_de'.'code'
|
||||||
"p"."r"."e"."g"."_"
|
"p"."r"."e"."g"."_"
|
||||||
@@ -202,6 +203,8 @@ gz'.'inf'.'late
|
|||||||
# fopo.com.ar - free online php obfuscator. It conveniently leaves comments in the code.
|
# fopo.com.ar - free online php obfuscator. It conveniently leaves comments in the code.
|
||||||
http://www.fopo.com.ar/
|
http://www.fopo.com.ar/
|
||||||
@eval("\
|
@eval("\
|
||||||
|
";eval(
|
||||||
|
eval(eval(
|
||||||
|
|
||||||
#Malware/Attack specific strings/fingerprints/signatures
|
#Malware/Attack specific strings/fingerprints/signatures
|
||||||
MagelangCyber
|
MagelangCyber
|
||||||
@@ -374,3 +377,13 @@ ZeroByte
|
|||||||
# SEO poisoning control site call
|
# SEO poisoning control site call
|
||||||
"http://$xxx
|
"http://$xxx
|
||||||
?useragent=$botbotbot
|
?useragent=$botbotbot
|
||||||
|
|
||||||
|
# php://input encoded in base64
|
||||||
|
cGhwOi8vaW5wdXQ=
|
||||||
|
|
||||||
|
# backdoor script
|
||||||
|
<font color="red">Upload Gagal..</font><br />
|
||||||
|
explode('?>',$shell
|
||||||
|
|
||||||
|
# common mobile agent check in SEO poison scripts
|
||||||
|
Array("1207", "3gso", "4thp", "501i", "502i", "503i", "504i", "505i", "506i",
|
||||||
@@ -117,3 +117,19 @@ create_function\s*\(\s*['"]{2}
|
|||||||
|
|
||||||
# control concated from cookie at the call
|
# control concated from cookie at the call
|
||||||
(\$[a-z]{2,}=urldecode\(\$_COOKIE\['[a-z]{2,}'\]\);){3,}
|
(\$[a-z]{2,}=urldecode\(\$_COOKIE\['[a-z]{2,}'\]\);){3,}
|
||||||
|
|
||||||
|
# ${$O{18}.$O{7}.$O{24}.$O{2}.$O{50}.$O{8}
|
||||||
|
(\$[A-Z]+\{\d+\}\.){3,}
|
||||||
|
|
||||||
|
# comment in variable name $_REQUEST /*YUsrqpbzvXTSa...QpDNTPYQvLSFPCqsSnWNVqPdSIAYaQj*/[
|
||||||
|
\$_REQUEST\s*\/\*[A-Za-z]+\*\/\[
|
||||||
|
|
||||||
|
# cookie payload if(isset($_COOKIE)){$p=$_COOKIE;(count($p)==55&&in_array(gettype($p).count($p),$p))?(($p[68]=$p[68].$p[22])&&($p[35]=$p[68]($p[35]))&&($p=$p[35]($p[13],$p[68]($p[45])))&&$p()):$p;}
|
||||||
|
\(count\(\$p\)==\d+&&in_array\(gettype\(\$p\)\.count\(\$p\),\$p\)\)
|
||||||
|
|
||||||
|
# gzipped payload post process
|
||||||
|
explode\('\|\x01\|\x03\|\x03', gzinflate\(
|
||||||
|
|
||||||
|
# backdoor reported #71
|
||||||
|
@header\(\w{3,5}::\w{1,2}\('_\w{1,3}' \. '\w{1,3}', '_\w{1,3}'\)\);
|
||||||
|
@header\(\w{3,5}::\w{1,2}\('_\w{1,3}', '_' \. '\w{1,3}' . '\w{1,3}'\)\);
|
||||||
|
|||||||
Reference in New Issue
Block a user