mirror of
https://github.com/scr34m/php-malware-scanner.git
synced 2026-06-16 12:30:35 +00:00
b138ce1707
Added some comments to the file and added a generic base64 string regex for long base64 strings.
27 lines
1.4 KiB
Plaintext
27 lines
1.4 KiB
Plaintext
#PHP Regular Expressions
|
|
#All comment lines must have '#' as the first character of the line.
|
|
#More critical rules should be put higher in the list as only the first pattern matched is reported to the user.
|
|
|
|
eval\/\*[a-z0-9]+\*\/
|
|
eval\([a-z0-9]{4,}\(\$[a-z0-9]{4,}, \$[0-9a-z]{4,}\)\);
|
|
(chr\(\d+\)\.){4,}
|
|
(chr\(\d+\^\d+\)\.){4,}
|
|
(\$[a-z0-9]{3,}\[\d+\]\.){4,}
|
|
chr\(\d+\)\.""\.""\.""\.""\.""
|
|
\$GLOBALS\[\$GLOBALS['[a-z0-9]{4,}'\]\[\d+\]\.\$GLOBALS\['[a-z-0-9]{4,}'\]\[\d+\].
|
|
\$GLOBALS\['[a-z0-9]{5,}'\] = \$[a-z]+\d+\[\d+\]\.\$[a-z]+\d+\[\d+\]\.\$[a-z]+\d+\[\d+\]\.\$[a-z]+\d+\[\d+\]\.
|
|
eval\([a-z0-9_]+\(base64_decode\(
|
|
\$[a-z]{3,}=\$[a-z]{3,}\("",\$[a-z]{3,}\);\$[a-z]{3,}\(\);
|
|
{\s*eval\s*\(\s*\$
|
|
Googlebot['"]{0,1}\s*\)\){echo\s+file_get_contents
|
|
eVaL\(\s*trim\(\s*baSe64_deCoDe\(
|
|
if\s*\(\s*mail\s*\(\s*\$mails\[\$i\]\s*,\s*\$tema\s*,\s*base64_encode\s*\(\s*\$text
|
|
fwrite\s*\(\s*\$fh\s*,\s*stripslashes\s*\(\s*@*\$_(GET|POST|SERVER|COOKIE|REQUEST)\[
|
|
echo\s+file_get_contents\s*\(\s*base64_url_decode\s*\(\s*@*\$_(GET|POST|SERVER|COOKIE|REQUEST)
|
|
chr\s*\(\s*101\s*\)\s*\.\s*chr\s*\(\s*118\s*\)\s*\.\s*chr\s*\(\s*97\s*\)\s*\.\s*chr\s*\(\s*108\s*\)
|
|
(\$OOO_O_000_\{\d+\}.){3,}
|
|
|
|
#Detects generic base64 strings longer than 260 characters enclosed in quotes ending with 0-3 '=' chars.
|
|
#260 was a threshold chosen because strings of 256 characters are common enough. Might increase later to reduce false positives.
|
|
['"][A-Za-z0-9+\/]{260,}={0,3}['"]
|