php-malware-scanner/patterns_raw.txt

#Raw string patterns
#All strings in this file are case sensitive
#Comments are supported, but '#' must be the very first character (index 0) of the line.
#Place the most critical patterns nearest the top of the file: only the first matching pattern is reported, so earlier entries take precedence.
#Backdoor patterns
@eval($_POST['
Backdoor
@include($_GET[
system($_GET[
md5($_GET[
fwrite($fpsetv, getenv("HTTP_COOKIE")
system\"$cmd 1> /tmp/
#Web-Shell patterns
$sh3llColor
w4ck1ng shell
private Shell by m4rco
Shell by Mawar_Hitam
SHELL_PASSWORD
ConnectBackShell
ShellBOT
== "bindshell"
#Remote code patterns
curl_get_from_webpage
file_get_contents('http://codepad.org
#Base64 string samples. Each plain-text string has three base64 equivalents, one for each 3-byte alignment offset at which it can appear inside a longer encoded string.
# "shell" in base64
c2hlbG
NoZWxs
zaGVsb
# "<?php" in base64
PD9waH
w/cGhw
8P3Boc
# "stat" in base64
c3Rhd
N0YX
zdGF0
# "copy" in base64
Y29we
NvcH
jb3B5
# "chr" in base64
Y2hy
# "system" in base64
c3lzdGVt
N5c3Rlb
zeXN0ZW
# "replace" in base64
cmVwbGFjZ
JlcGxhY2
yZXBsYWNl
# "str_" in base64
c3RyX
N0cl
zdHJf
# "exec" in base64
ZXhlYy
V4ZWMo
leGVjK
# "echo" in base64
ZWNob
VjaG
lY2hv
# "function" in base64
ZnVuY3Rpb2
Z1bmN0aW9u
mdW5jdGlvb
# "include" in base64
aW5jbHVkZ
luY2x1ZG
pbmNsdWRl
# "base64" in base64
YmFzZTY0
Jhc2U2N
iYXNlNj
# "eval" in base64
ZXZhb
V2YW
ldmFs
# "create_function" in base64
Y3JlYXRlX2Z1bmN0aW9u
NyZWF0ZV9mdW5jdGlvb
jcmVhdGVfZnVuY3Rpb2
# "HTTP_USER_AGENT" in base64
SFRUUF9VU0VSX0FHRU5U
hUVFBfVVNFUl9BR0VOV
IVFRQX1VTRVJfQUdFTl
# "file" in base64
ZmlsZ
ZpbG
maWxl
# "gzinflate" in base64
Z3ppbmZsYXRl
d6aW5mbGF0Z
nemluZmxhdG
# "open" in base64
b3Blb
9wZW
vcGVu
# "close" in base64
Y2xvc2
Nsb3Nl
jbG9zZ
# "array_" in base64
YXJyYXlf
FycmF5X
hcnJheV
# "cslashes" in base64
Y3NsYXNoZX
NzbGFzaGVz
jc2xhc2hlc
# "extract" in base64
ZXh0cmFjd
V4dHJhY3
leHRyYWN0
# "$_GET" in base64
JF9HRV
RfR0VU
kX0dFV
# "$_POST" in base64
JF9QT1NU
RfUE9TV
kX1BPU1
# "$_COOKIE" in base64
JF9DT09LSU
RfQ09PS0lF
kX0NPT0tJR
# "$_REQUEST" in base64
JF9SRVFVRVNU
RfUkVRVUVTV
kX1JFUVVFU1
# "GLOBALS" in base64
R0xPQkFMU
dMT0JBTF
HTE9CQUxT
# "sizeof" in base64
c2l6ZW9m
NpemVvZ
zaXplb2
# "printf" in base64
cHJpbnRm
ByaW50Z
wcmludG
# "define" in base64
ZGVmaW5l
RlZmluZ
kZWZpbm
# Obfuscation-related code
eval("?>
"base64_decode"
='base'.(32*2).'_de'.'code'
"p"."r"."e"."g"."_"
WSOstripslashes
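#Hex/octal-escaped function names. Entries are raw, case-sensitive substrings (see header),
#so each line must hold only the pattern itself; \x6c and \x6C are distinct spellings.
#"system"
\x73\x79\x73\x74\x65\x6d
#"preg_replace"
\x70\x72\x65\x67\x5f\x72\x65\x70\x6c\x61\x63\x65
#"exec"
\x65\x78\x65\x63
ev\x61l
#"eval(" written with mixed hex and octal escapes
\x65\166\x61\154\x28
#"eval" written with an uppercase hex digit
\x65\x76\x61\x6C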
'ev'.'al'.'
eval(base64_decode(
<?php eval
$data = base64_decode("
edoced_46esab
base=base64_encode
cr"."eat"."e_fun"."cti"."on
gz'.'inf'.'late
# fopo.com.ar - a free online PHP obfuscator. It conveniently leaves its own comments in the obfuscated output, which makes that output easy to fingerprint.
http://www.fopo.com.ar/
#Malware- and attack-specific strings, fingerprints and signatures
MagelangCyber
//rasta//
Baby_Drakon
Created By EMMA
3xp1r3
NinjaVirus Here
<dot>IrIsT
Hacked By EnDLeSs
Punker2Bot
Zed0x
darkminz
ReaL_PuNiShEr
OoN_Boy
Pashkela
Webcommander at
YENI3ERI
d3lete
Made by Delorean
Cybester90
K!LL3r
MrHazem
BY MMNBOBZ
Hackeado
bgeteam
VOBRA GANGO
Asmodeus
Cautam fisierele de configurare
BRUTEFORCING
FaTaLisTiCz_Fx Fx29Sh
DX_Header_drawn
Dr.abolalh
C0derz.com
Mr.HiTman
IrSecTeam
FLoodeR
eriuqer
zehirhacker
freetellafriend.com
casus15
temp_r57_table
By Psych0
c99ftpbrutecheck
d3b~X
profexor.hell
ZOBUGTEL
The Dark Raver
<kuku>
M4ll3r
itsoknoproblembro
tmhapbzcerff
IndoXploit
FaisaL Ahmed aka rEd X
#Miscellaneous
uname -a
/etc/shadow
/etc/passwd
\x47\x4c\x4f\x42\x41LS
${${
PHPJiaMi
DisablePHP=
moban.html
a,b,c,d,e,f,g
@x0powo
@preg_replace
1@1.com
META http-equiv="refresh" content="0;
="create_";global
Net@ddress Mail
__VIEWSTATEENCRYPTED
createFilesForInputOutput
R0lGODlhEwAQALMAAAAAAP///5ycAM7OY///nP//zv/OnPf39////wAAAAAA
ayu pr1 pr2 pr3 pr4 pr5 pr6
f0VMRgEBAQA
0d0a0d0a676c6f62616c20246d795f736d7
etalfnizg
JHZpc2l0Y291bnQgPSAkSFRUUF9DT09LSUVf
R2aXNpdGNvdW50ID0gJEhUVFBfQ09PS0lFX
kdmlzaXRjb3VudCA9ICRIVFRQX0NPT0tJRV
HTTP flood complete after
exploitcookie
az88pix00q98
Q3JlZGl0IDogVW5kZXJncm91bmQgRGV2aWwgJm5ic3A7ICB8DQo8YSBocmVmP
463839610c000b00800100ffffffffffff21f90401000001002c000
AAAAAAAAMAAwABAAAAeAUAADQAAADsCQAAAAAAADQAIAADACgAFwAUAAEA
HJ3HjutckoRfpXf9A1zQO2AwDRrRey9uGvTeez79qAao1a0rgudkZkR8Ra
Ly83MTg3OWQyMTJkYzhjYmY0ZDRmZDA0NGEzZDE3Zjk3ZmI2N
DJ7VIU7RICXr6sEEV2cBtHDSOe9nVdpEGhEmvRVRNURfw1wQ
LS0gRHVtcDNkIGJ5IFBpcnVsaW4uUEhQIFdlYnNoM2xsIHYxLjAgYzBkZWQgYnkgcjBkcjEgOkw\=
5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigk
X1NFU1NJT05bJ3R4dGF1dGhpbiddID0gdHJ1ZTsNCiAgICBpZiAoJF9QT1NUWydybSddKSB7DQogICAgICBzZXRjb29raWUoJ3R4dGF1dGhfJy4kcm1ncm91cCwgbW
R0lGODlhFAAUAKIAAAAAAP///93d3cDAwIaGhgQEBP///wAAACH5BAEAAAYALAAAAAAUABQAA
m91dCwgJGVvdXQpOw0Kc2VsZWN0KCRyb3V0ID0gJHJpbiwgdW5kZWYsICRlb3V0ID0gJHJpbiwgMTIwKTsNCmlmICghJHJvdXQgICYmICAhJGVvdX
CB2aTZpIDEwMjQtDQojLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ0KI3JlcXVp
BDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAAQABADASIAAhEBA
REREFER_PTTH
Joomla_brute_Force
/usr/sbin/httpd
sshkeys
eggdrop
rwxrwxrwx
GIF89A;<?php
putbot $bot
bind join - *
privmsg $chan
\u003c\u0069\u006d\u0067\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f
\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd
find / \-type f \-name \.htpasswd
find / \-type f \-perm \-02000 \-ls
find / \-type f \-perm \-04000 \-ls
if(''==($df=@ini_get('disable_functions
ncftpput -u
wsoEx(
WSOsetcookie(
\x47\x4c\x4f\x42\x41\x4c\x53