interesting note from the php.net manual on create_function: Caution This function internally performs an eval() and as such has the same security issues as eval(). Additionally it has bad performance and memory usage characteristics.
#Raw string patterns
|
|
#All strings in this file are case-sensitive (this matters for hex escapes such as \x6c vs \x6C and for base64 fragments).
|
|
#Comments are supported, but '#' must be the first character on the line. Any other text on a line, including trailing '//' or '/* */' text, is part of the pattern.
|
|
#Put more critical patterns higher in the file: only the first pattern that matches a scanned file is reported, so a generic pattern placed above a specific one will mask it.
|
|
|
|
#Backdoor patterns
|
|
@eval($_POST['
|
|
Backdoor
|
|
@include($_GET[
|
|
system($_GET[
|
|
md5($_GET[
|
|
fwrite($fpsetv, getenv("HTTP_COOKIE")
|
|
system\"$cmd 1> /tmp/
|
|
|
|
#Web-Shell patterns
|
|
$sh3llColor
|
|
w4ck1ng shell
|
|
private Shell by m4rco
|
|
Shell by Mawar_Hitam
|
|
SHELL_PASSWORD
|
|
ConnectBackShell
|
|
ShellBOT
|
|
== "bindshell"
|
|
|
|
#Remote Code
|
|
curl_get_from_webpage
|
|
file_get_contents('http://codepad.org
|
|
|
|
|
|
#Base64 string samples. Each plain-text string should have 3 base64 equivalents: base64 encodes 3 input bytes as 4 output characters, so the encoding of a substring depends on its byte offset modulo 3. The three variants below correspond to offsets 0, 1 and 2, with the partial leading/trailing characters trimmed, so that the string is matched wherever it sits inside an encoded blob.
|
|
|
|
# "shell" in base64
|
|
c2hlbG
|
|
NoZWxs
|
|
zaGVsb
|
|
|
|
# "<?php" in base64
|
|
PD9waH
|
|
w/cGhw
|
|
8P3Boc
|
|
|
|
# "stat" in base64
|
|
c3Rhd
|
|
N0YX
|
|
zdGF0
|
|
|
|
# "copy" in base64
|
|
Y29we
|
|
NvcH
|
|
jb3B5
|
|
|
|
# "mail" in base64
|
|
bWFpb
|
|
1haW
|
|
tYWls
|
|
|
|
# "system" in base64
|
|
c3lzdGVt
|
|
N5c3Rlb
|
|
zeXN0ZW
|
|
|
|
# "replace" in base64
|
|
cmVwbGFjZ
|
|
JlcGxhY2
|
|
yZXBsYWNl
|
|
|
|
# "exec" in base64
|
|
ZXhlYy
|
|
V4ZWMo
|
|
leGVjK
|
|
|
|
# "base64_decode" in base64
|
|
YmFzZTY0X2RlY29kZ
|
|
Jhc2U2NF9kZWNvZG
|
|
iYXNlNjRfZGVjb2Rl
|
|
|
|
# "eval" in base64
|
|
ZXZhb
|
|
V2YW
|
|
ldmFs
|
|
|
|
# "create_function" in base64
|
|
Y3JlYXRlX2Z1bmN0aW9u
|
|
NyZWF0ZV9mdW5jdGlvb
|
|
jcmVhdGVfZnVuY3Rpb2
|
|
|
|
# "HTTP_USER_AGENT" in base64
|
|
SFRUUF9VU0VSX0FHRU5U
|
|
hUVFBfVVNFUl9BR0VOV
|
|
IVFRQX1VTRVJfQUdFTl
|
|
|
|
# "allow_url_fopen" in base64
|
|
YWxsb3dfdXJsX2ZvcGVu
|
|
FsbG93X3VybF9mb3Blb
|
|
hbGxvd191cmxfZm9wZW
|
|
|
|
# "anyresults.net" in base64 ... this one may be too specific (a single domain) to be worth three patterns?
|
|
YW55cmVzdWx0cy5uZX
|
|
FueXJlc3VsdHMubmV0
|
|
hbnlyZXN1bHRzLm5ld
|
|
|
|
# Obfuscation-related code. Note that '/* ... */' and '//' are not comment syntax in this file (only a leading '#' is), so any such trailing text on a pattern line below is matched literally as part of the pattern.
|
|
eval("?>
|
|
"base64_decode"
|
|
='base'.(32*2).'_de'.'code'
|
|
"p"."r"."e"."g"."_"
|
|
WSOstripslashes
|
|
\x73\x79\x73\x74\x65\x6d' /* case, dec/hex issue? */, // system
|
|
\x70\x72\x65\x67\x5f\x72\x65\x70\x6c\x61\x63\x65' /* case, dec/hex issue? */, // preg_replace
|
|
\x65\x78\x65\x63' /* dec/hex issue? */, // exec
|
|
ev\x61l
|
|
\x65\166\x61\154\x28' /* dec/hex issue? */,
|
|
\x65\x76\x61\x6C' /* case, dec/hex issue? */,
|
|
'ev'.'al'.'
|
|
eval(base64_decode(
|
|
<?php eval
|
|
$data = base64_decode("
|
|
edoced_46esab
|
|
base=base64_encode
|
|
|
|
|
|
#Malware/attack-specific strings, fingerprints and signatures (author tags, tool names and banners seen in known web shells and kits).
|
|
MagelangCyber
|
|
//rasta//
|
|
Baby_Drakon
|
|
Created By EMMA
|
|
3xp1r3
|
|
NinjaVirus Here
|
|
<dot>IrIsT
|
|
Hacked By EnDLeSs
|
|
Punker2Bot
|
|
Zed0x
|
|
darkminz
|
|
ReaL_PuNiShEr
|
|
OoN_Boy
|
|
Pashkela
|
|
Webcommander at
|
|
YENI3ERI
|
|
d3lete
|
|
Made by Delorean
|
|
Cybester90
|
|
K!LL3r
|
|
MrHazem
|
|
BY MMNBOBZ
|
|
Hackeado
|
|
bgeteam
|
|
VOBRA GANGO
|
|
Asmodeus
|
|
Cautam fisierele de configurare
|
|
BRUTEFORCING
|
|
FaTaLisTiCz_Fx Fx29Sh
|
|
DX_Header_drawn
|
|
Dr.abolalh
|
|
C0derz.com
|
|
Mr.HiTman
|
|
IrSecTeam
|
|
FLoodeR
|
|
eriuqer
|
|
zehirhacker
|
|
freetellafriend.com
|
|
casus15
|
|
temp_r57_table
|
|
By Psych0
|
|
c99ftpbrutecheck
|
|
d3b~X
|
|
profexor.hell
|
|
ZOBUGTEL
|
|
The Dark Raver
|
|
<kuku>
|
|
M4ll3r
|
|
itsoknoproblembro
|
|
tmhapbzcerff
|
|
|
|
|
|
#Miscellaneous
|
|
uname -a
|
|
/etc/shadow
|
|
/etc/passwd
|
|
\x47\x4c\x4f\x42\x41LS
|
|
${${
|
|
PHPJiaMi
|
|
DisablePHP=
|
|
moban.html
|
|
a,b,c,d,e,f,g
|
|
@x0powo
|
|
@preg_replace
|
|
1@1.com
|
|
META http-equiv="refresh" content="0;
|
|
="create_";global
|
|
Net@ddress Mail
|
|
__VIEWSTATEENCRYPTED
|
|
createFilesForInputOutput
|
|
R0lGODlhEwAQALMAAAAAAP///5ycAM7OY///nP//zv/OnPf39////wAAAAAA
|
|
ayu pr1 pr2 pr3 pr4 pr5 pr6
|
|
f0VMRgEBAQA
|
|
0d0a0d0a676c6f62616c20246d795f736d7
|
|
etalfnizg
|
|
JHZpc2l0Y291bnQgPSAkSFRUUF9DT09LSUVf
|
|
R2aXNpdGNvdW50ID0gJEhUVFBfQ09PS0lFX
|
|
kdmlzaXRjb3VudCA9ICRIVFRQX0NPT0tJRV
|
|
HTTP flood complete after
|
|
exploitcookie
|
|
az88pix00q98
|
|
Q3JlZGl0IDogVW5kZXJncm91bmQgRGV2aWwgJm5ic3A7ICB8DQo8YSBocmVmP
|
|
463839610c000b00800100ffffffffffff21f90401000001002c000
|
|
AAAAAAAAMAAwABAAAAeAUAADQAAADsCQAAAAAAADQAIAADACgAFwAUAAEA
|
|
HJ3HjutckoRfpXf9A1zQO2AwDRrRey9uGvTeez79qAao1a0rgudkZkR8Ra
|
|
Ly83MTg3OWQyMTJkYzhjYmY0ZDRmZDA0NGEzZDE3Zjk3ZmI2N
|
|
DJ7VIU7RICXr6sEEV2cBtHDSOe9nVdpEGhEmvRVRNURfw1wQ
|
|
LS0gRHVtcDNkIGJ5IFBpcnVsaW4uUEhQIFdlYnNoM2xsIHYxLjAgYzBkZWQgYnkgcjBkcjEgOkw\=
|
|
5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigk
|
|
X1NFU1NJT05bJ3R4dGF1dGhpbiddID0gdHJ1ZTsNCiAgICBpZiAoJF9QT1NUWydybSddKSB7DQogICAgICBzZXRjb29raWUoJ3R4dGF1dGhfJy4kcm1ncm91cCwgbW
|
|
R0lGODlhFAAUAKIAAAAAAP///93d3cDAwIaGhgQEBP///wAAACH5BAEAAAYALAAAAAAUABQAA
|
|
m91dCwgJGVvdXQpOw0Kc2VsZWN0KCRyb3V0ID0gJHJpbiwgdW5kZWYsICRlb3V0ID0gJHJpbiwgMTIwKTsNCmlmICghJHJvdXQgICYmICAhJGVvdX
|
|
CB2aTZpIDEwMjQtDQojLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ0KI3JlcXVp
|
|
BDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAAQABADASIAAhEBA
|
|
REREFER_PTTH
|
|
Joomla_brute_Force
|
|
/usr/sbin/httpd
|
|
sshkeys
|
|
eggdrop
|
|
rwxrwxrwx
|
|
GIF89A;<?php
|
|
putbot $bot
|
|
bind join - *
|
|
privmsg $chan
|
|
fopen('/etc/passwd
|
|
\u003c\u0069\u006d\u0067\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f
|
|
\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd
|
|
find / \-type f \-name \.htpasswd
|
|
find / \-type f \-perm \-02000 \-ls
|
|
find / \-type f \-perm \-04000 \-ls
|
|
if(''==($df=@ini_get('disable_functions
|
|
ncftpput -u
|
|
wsoEx(
|
|
WSOsetcookie(
|
|
\x47\x4c\x4f\x42\x41\x4c\x53
|