php-malware-scanner/patterns_raw.txt

#Raw string patterns
#All strings in this file are case sensitive
#Comments are support, but '#' must be the first character on the line.
#More critical patterns should be higher in the file as only the first pattern match is reported.

#Backdoor patterns
@eval($_POST['
Backdoor
@include($_GET[
system($_GET[
md5($_GET[
fwrite($fpsetv, getenv("HTTP_COOKIE")
system\"$cmd 1> /tmp/

#Web-Shell patterns
$sh3llColor
w4ck1ng shell
private Shell by m4rco
Shell by Mawar_Hitam
SHELL_PASSWORD
ConnectBackShell
ShellBOT
== "bindshell"

#Remote Code
curl_get_from_webpage
file_get_contents('http://codepad.org


#Base64 String Samples.  Each plain text string should have 3 base64 equivalents

# "shell" in base64
c2hlbG
NoZWxs
zaGVsb

# "<?php" in base64
PD9waH
w/cGhw
8P3Boc

# "system" in base64
c3lzdGVt
N5c3Rlb
zeXN0ZW

# "replace" in base64
cmVwbGFjZ
JlcGxhY2
yZXBsYWNl

# "exec" in base64
ZXhlYy
V4ZWMo
leGVjK

# "base64_decode" in base64
YmFzZTY0X2RlY29kZ
Jhc2U2NF9kZWNvZG
iYXNlNjRfZGVjb2Rl

# "eval(" in base64
ZXZhbC
V2YWwo
ldmFsK

# "HTTP_USER_AGENT" in base64
SFRUUF9VU0VSX0FHRU5U
hUVFBfVVNFUl9BR0VOV
IVFRQX1VTRVJfQUdFTl

# "allow_url_fopen" in base64
YWxsb3dfdXJsX2ZvcGVu
FsbG93X3VybF9mb3Blb
hbGxvd191cmxfZm9wZW

# "anyresults.net" in base64 ... this one may be too specific ?
YW55cmVzdWx0cy5uZX
FueXJlc3VsdHMubmV0
hbnlyZXN1bHRzLm5ld

# Obfuscation related code
eval("?>
"base64_decode"
='base'.(32*2).'_de'.'code'
"p"."r"."e"."g"."_"
WSOstripslashes
\x73\x79\x73\x74\x65\x6d' /* case, dec/hex issue? */, // system
\x70\x72\x65\x67\x5f\x72\x65\x70\x6c\x61\x63\x65' /* case, dec/hex issue? */, // preg_replace
\x65\x78\x65\x63' /* dec/hex issue? */, // exec
ev\x61l
\x65\166\x61\154\x28' /* dec/hex issue? */,
\x65\x76\x61\x6C' /* case, dec/hex issue? */,
'ev'.'al'.'
eval(base64_decode(
<?php eval
$data = base64_decode("
edoced_46esab
base=base64_encode


#Malware/Attack specific strings/fingerprints/signatures
MagelangCyber
//rasta//
Baby_Drakon
Created By EMMA
3xp1r3
NinjaVirus Here
<dot>IrIsT
Hacked By EnDLeSs
Punker2Bot
Zed0x
darkminz
ReaL_PuNiShEr
OoN_Boy
Pashkela
Webcommander at
YENI3ERI
d3lete
Made by Delorean
Cybester90
K!LL3r
MrHazem
BY MMNBOBZ
Hackeado
bgeteam
VOBRA GANGO
Asmodeus
Cautam fisierele de configurare
BRUTEFORCING
FaTaLisTiCz_Fx Fx29Sh
DX_Header_drawn
Dr.abolalh
C0derz.com
Mr.HiTman
IrSecTeam
#Spammer gives a lot of false positives... maybe worth dropping
Spammer
FLoodeR
eriuqer
zehirhacker
freetellafriend.com
casus15
temp_r57_table
By Psych0
c99ftpbrutecheck
d3b~X
profexor.hell
ZOBUGTEL
The Dark Raver
<kuku>
M4ll3r
itsoknoproblembro
tmhapbzcerff


#Miscellaneous
uname -a
/etc/shadow
/etc/passwd
\x47\x4c\x4f\x42\x41LS
${${
PHPJiaMi
DisablePHP=
moban.html
a,b,c,d,e,f,g
@x0powo
@preg_replace
1@1.com
META http-equiv="refresh" content="0;
="create_";global
Net@ddress Mail
__VIEWSTATEENCRYPTED
createFilesForInputOutput
R0lGODlhEwAQALMAAAAAAP///5ycAM7OY///nP//zv/OnPf39////wAAAAAA
ayu pr1 pr2 pr3 pr4 pr5 pr6
f0VMRgEBAQA
0d0a0d0a676c6f62616c20246d795f736d7
etalfnizg
JHZpc2l0Y291bnQgPSAkSFRUUF9DT09LSUVf
R2aXNpdGNvdW50ID0gJEhUVFBfQ09PS0lFX
kdmlzaXRjb3VudCA9ICRIVFRQX0NPT0tJRV
HTTP flood complete after
exploitcookie
az88pix00q98
Q3JlZGl0IDogVW5kZXJncm91bmQgRGV2aWwgJm5ic3A7ICB8DQo8YSBocmVmP
463839610c000b00800100ffffffffffff21f90401000001002c000
AAAAAAAAMAAwABAAAAeAUAADQAAADsCQAAAAAAADQAIAADACgAFwAUAAEA
HJ3HjutckoRfpXf9A1zQO2AwDRrRey9uGvTeez79qAao1a0rgudkZkR8Ra
Ly83MTg3OWQyMTJkYzhjYmY0ZDRmZDA0NGEzZDE3Zjk3ZmI2N
DJ7VIU7RICXr6sEEV2cBtHDSOe9nVdpEGhEmvRVRNURfw1wQ
LS0gRHVtcDNkIGJ5IFBpcnVsaW4uUEhQIFdlYnNoM2xsIHYxLjAgYzBkZWQgYnkgcjBkcjEgOkw\=
5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigk
X1NFU1NJT05bJ3R4dGF1dGhpbiddID0gdHJ1ZTsNCiAgICBpZiAoJF9QT1NUWydybSddKSB7DQogICAgICBzZXRjb29raWUoJ3R4dGF1dGhfJy4kcm1ncm91cCwgbW
R0lGODlhFAAUAKIAAAAAAP///93d3cDAwIaGhgQEBP///wAAACH5BAEAAAYALAAAAAAUABQAA
m91dCwgJGVvdXQpOw0Kc2VsZWN0KCRyb3V0ID0gJHJpbiwgdW5kZWYsICRlb3V0ID0gJHJpbiwgMTIwKTsNCmlmICghJHJvdXQgICYmICAhJGVvdX
CB2aTZpIDEwMjQtDQojLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ0KI3JlcXVp
BDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAAQABADASIAAhEBA
REREFER_PTTH
Joomla_brute_Force
/usr/sbin/httpd
sshkeys
eggdrop
rwxrwxrwx
GIF89A;<?php
putbot $bot
bind join - *
privmsg $chan
fopen('/etc/passwd
\u003c\u0069\u006d\u0067\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f
\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd
find / \-type f \-name \.htpasswd
find / \-type f \-perm \-02000 \-ls
find / \-type f \-perm \-04000 \-ls
if(''==($df=@ini_get('disable_functions
ncftpput -u
wsoEx(
WSOsetcookie(
\x47\x4c\x4f\x42\x41\x4c\x53