Backdoor script samples

Another obfuscated malware check
Merge pull request #80 from elliotkendall/master
2026-06-16 12:30:35 +00:00 · 2022-08-17 18:52:03 +02:00 · 2022-08-09 09:18:07 +02:00 · 2022-07-25 19:15:19 +02:00 · 2022-07-25 09:52:27 -07:00 · 2022-07-22 11:28:18 +02:00
5 changed files with 80 additions and 8 deletions
--- a/definitions/patterns_iraw.txt
+++ b/definitions/patterns_iraw.txt
@@ -16,7 +16,48 @@ opendns
 phishtank
 sophos
 surfright
-symantec
+# symantec - removed because already a TLD too so generate many false positives

 # SEO poison, pharmacy redirect
-dealonline.su
+dealonline.su
+
+# functions escaped as hexadecimal string
+7068705f756e616d65
+70687076657273696f6e
+6368646972
+676574637764
+707265675f73706c6974
+636f7079
+66696c655f6765745f636f6e74656e7473
+6261736536345f6465636f6465
+69735f646972
+6f625f656e645f636c65616e28293b
+756e6c696e6b
+6d6b646972
+63686d6f64
+7363616e646972
+7374725f7265706c616365
+68746d6c7370656369616c6368617273
+7661725f64756d70
+666f70656e
+667772697465
+66636c6f7365
+64617465
+66696c656d74696d65
+737562737472
+737072696e7466
+66696c657065726d73
+746f756368
+66696c655f657869737473
+72656e616d65
+69735f6172726179
+69735f6f626a656374
+737472706f73
+69735f7772697461626c65
+69735f7265616461626c65
+737472746f74696d65
+66696c6573697a65
+726d646972
+6f625f6765745f636c65616e
+7265616466696c65
+617373657274
--- a/definitions/patterns_raw.txt
+++ b/definitions/patterns_raw.txt
@@ -384,6 +384,23 @@ cGhwOi8vaW5wdXQ=
 # backdoor script
 <font color="red">Upload Gagal..</font><br />
 explode('?>',$shell
+0.33333333333333+0.33333333333333+0.33333333333333
+0.66666666666667+0.66666666666667+0.66666666666667
+1.3333333333333+1.3333333333333+1.3333333333333
+class _t{private static$_
+'LQ'.'=='

 # common mobile agent check in SEO poison scripts
-Array("1207", "3gso", "4thp", "501i", "502i", "503i", "504i", "505i", "506i",
+Array("1207", "3gso", "4thp", "501i", "502i", "503i", "504i", "505i", "506i",
+
+# eval url decoded string
+eval(rawurldecode('
+
+# simple obfuscated function
+'gz'.'unc'.'ompress'
+'create'.'_'.'function'
+'gzinf', 'la', 'te'
+'e_f', 'cti', 'un', 'on', 'cr', 'eat'
+'base', '64_dec', 'ode'
+'cook', 'set', 'ie'
+'repl', 'str_', 'ace'
--- a/definitions/patterns_re.txt
+++ b/definitions/patterns_re.txt
@@ -60,7 +60,7 @@ chr\s*\(\s*101\s*\)\s*\.\s*chr\s*\(\s*118\s*\)\s*\.\s*chr\s*\(\s*97\s*\)\s*\.\s*

 #Detects the '_' character encoded in a string like "\x5F".  '_' is present in many functions that malware would want to hide.
 # '_' as "\x5f"
-\\[Xx](5[Ff])
+# \\[Xx](5[Ff]) - removed because generate many false positives

 #Detects the '_' character placed inside a call to the 'chr()' function
 # '_' as 'chr(95)' or 'chr(0x5f)'
@@ -95,7 +95,7 @@ eval\(\$[a-z0-9_]+\(\$_POST
 ("[a-z0-9]+"\.chr\(\d+\)\.){3,}

 # nested function call used variables
-\$[a-z]+\(\$[a-z0-9]+\(
+\$[a-z0-9_]+\(\$[a-z0-9_]+\(

 # GLOBALS inject with escaped content
 \$GLOBALS;\$\{"\\x
@@ -135,4 +135,16 @@ explode\('\|\x01\|\x03\|\x03', gzinflate\(
@header\(\w{3,5}::\w{1,2}\('_\w{1,3}', '_' \. '\w{1,3}' . '\w{1,3}'\)\);

 # backdoor reported #72
-@\$[a-z]{1}\[\d+\]\(\$[a-z]{1}\[\d+\]\);
+@\$[a-z]{1}\[\d+\]\(\$[a-z]{1}\[\d+\]\);
+
+# reported #77
+\$[a-z]11 \^ [a-z]8\(\$[a-z]6, \$[a-z]14, \$[a-z]6\[13\]\(\$[a-z]11\)\)\)\);
+
+# eval function return and concat
+eval\([A-Za-z]{5,}\(\) \. '
+
+# eval function return, parameter is a hex string
+eval\([A-Za-z0-9]{5,}\(\"[A-Z0-9]{16,}
+
+# gzip payload called by variable named function
+\$[a-zA-Z0-9]{6,}\('\x78\x9C\xAD\x90\x41\x0E
--- a/scan.php
+++ b/scan.php
@@ -709,14 +709,14 @@ class MalwareScanner
    //Returns true if the raw string exists in the file contents.
    private function scanFunc_STR(&$pattern, &$content)
    {
-        return strpos($content, $pattern);
+        return strpos($content, (string)$pattern);
    }

    //Performs raw string, case insensitive matching.
    //Returns true if the raw string exists in the file contents, ignoring case.
    private function scanFunc_STRI(&$pattern, &$content)
    {
-        return stripos($content, $pattern);
+        return stripos($content, (string)$pattern);
    }

    //Performs regular expression matching.
--- a/whitelist.txt
+++ b/whitelist.txt
@@ -284,3 +284,5 @@ a54895edc1402cf1b7b5ecd3f5d85e6b wp-includes/formatting.php -> Wordpress Core 6.
 1e2d246c57d2123aa8938c8263cb1d3d wp-content/plugins/wordpress-seo/admin/tracking/class-tracking-server-data.php -> Yoast SEO plugin 19.2
 cacb5670ebb2de31976a4b2eb06cac86 wp-content/plugins/worker/src/MWP/ServiceContainer/Abstract.php -> managewp plugin 4.9.14 from managewp.com
 ffa76b9ff298702a733747521cfdee69 wp-content/plugins/worker/src/MWP/Action/GetState.php -> managewp plugin 4.9.14 from managewp.com
+ccce5f45d1ac66bd2bebe75d666b5720 wp-content/plugins/redirection/models/regex.php
+ae810d74d638c611d8bd958777c9ac6a wp-content/plugins/ssl-insecure-content-fixer/includes/nonces.php
Author	SHA1	Message	Date
Gabor Gyorvari	920cf8a4c6	Backdoor script samples	2022-08-17 18:52:03 +02:00
Gabor Gyorvari	aa774f4330	Another obfuscated malware check	2022-08-09 09:18:07 +02:00
Győrvári Gábor	cd1164dbb5	Merge pull request #80 from elliotkendall/master Cast $needle in calls to strpos/stripos to string to avoid automatic …	2022-07-25 19:15:19 +02:00
Elliot Kendall	77ebd8abd7	Cast $needle in calls to strpos/stripos to string to avoid automatic ordinal conversion of integer patterns	2022-07-25 09:52:27 -07:00
Gabor Gyorvari	29e6c73558	Webshell matching pattern update	2022-07-22 11:28:18 +02:00
Gabor Gyorvari	bf13288367	Nested function call pattern update	2022-07-17 08:17:20 +02:00
Gabor Gyorvari	088c0761b3	Pattern update about new infections found	2022-07-14 19:59:23 +02:00
Gabor Gyorvari	18b06fc48b	Whitelist update and two little pattern fix, reported in #78	2022-07-11 20:03:53 +02:00
Gabor Gyorvari	f1b8b89ca5	Samples update, reported in #77	2022-07-07 14:42:37 +02:00