removed mail b64, added chr b64. The "mail" patterns were generating too many false positives. "chr" has only one pattern that is long enough to be used with any sort of reliability, but it is one that we want to look out for anyway.
#Raw string patterns
|
|
#All strings in this file are case-sensitive.
|
|
#Comments are supported, but '#' must be the first character (index 0) of the line. A line that does not start with '#' is a pattern in its entirety; any trailing note on such a line is matched literally as part of the pattern.
|
|
#More critical patterns should be placed higher in the file, as only the first matching pattern is reported.
|
|
|
|
#Backdoor patterns
|
|
@eval($_POST['
|
|
Backdoor
|
|
@include($_GET[
|
|
system($_GET[
|
|
md5($_GET[
|
|
fwrite($fpsetv, getenv("HTTP_COOKIE")
|
|
system\"$cmd 1> /tmp/
|
|
|
|
#Web-Shell patterns
|
|
$sh3llColor
|
|
w4ck1ng shell
|
|
private Shell by m4rco
|
|
Shell by Mawar_Hitam
|
|
SHELL_PASSWORD
|
|
ConnectBackShell
|
|
ShellBOT
|
|
== "bindshell"
|
|
|
|
#Remote Code
|
|
curl_get_from_webpage
|
|
file_get_contents('http://codepad.org
|
|
|
|
|
|
#Base64 string samples. Each plain-text string has three base64 equivalents, one for each of the three possible byte alignments of the string within the encoded data.
|
|
|
|
# "shell" in base64
|
|
c2hlbG
|
|
NoZWxs
|
|
zaGVsb
|
|
|
|
# "<?php" in base64
|
|
PD9waH
|
|
w/cGhw
|
|
8P3Boc
|
|
|
|
# "stat" in base64
|
|
c3Rhd
|
|
N0YX
|
|
zdGF0
|
|
|
|
# "copy" in base64
|
|
Y29we
|
|
NvcH
|
|
jb3B5
|
|
|
|
# "chr" in base64
|
|
Y2hy
|
|
|
|
# "system" in base64
|
|
c3lzdGVt
|
|
N5c3Rlb
|
|
zeXN0ZW
|
|
|
|
# "replace" in base64
|
|
cmVwbGFjZ
|
|
JlcGxhY2
|
|
yZXBsYWNl
|
|
|
|
# "exec" in base64
|
|
ZXhlYy
|
|
V4ZWMo
|
|
leGVjK
|
|
|
|
# "base64" in base64
|
|
YmFzZTY0
|
|
Jhc2U2N
|
|
iYXNlNj
|
|
|
|
# "eval" in base64
|
|
ZXZhb
|
|
V2YW
|
|
ldmFs
|
|
|
|
# "create_function" in base64
|
|
Y3JlYXRlX2Z1bmN0aW9u
|
|
NyZWF0ZV9mdW5jdGlvb
|
|
jcmVhdGVfZnVuY3Rpb2
|
|
|
|
# "HTTP_USER_AGENT" in base64
|
|
SFRUUF9VU0VSX0FHRU5U
|
|
hUVFBfVVNFUl9BR0VOV
|
|
IVFRQX1VTRVJfQUdFTl
|
|
|
|
# "file_get_contents" in base64
|
|
ZmlsZV9nZXRfY29udGVudH
|
|
ZpbGVfZ2V0X2NvbnRlbnRz
|
|
maWxlX2dldF9jb250ZW50c
|
|
|
|
# "gzinflate" in base64
|
|
Z3ppbmZsYXRl
|
|
d6aW5mbGF0Z
|
|
nemluZmxhdG
|
|
|
|
# "fopen" in base64
|
|
Zm9wZW
|
|
ZvcGVu
|
|
mb3Blb
|
|
|
|
# "anyresults.net" in base64 -- this one may be too specific?
|
|
YW55cmVzdWx0cy5uZX
|
|
FueXJlc3VsdHMubmV0
|
|
hbnlyZXN1bHRzLm5ld
|
|
|
|
# Obfuscation-related code
|
|
eval("?>
|
|
"base64_decode"
|
|
='base'.(32*2).'_de'.'code'
|
|
"p"."r"."e"."g"."_"
|
|
WSOstripslashes
|
|
\x73\x79\x73\x74\x65\x6d' /* case, dec/hex issue? */, // system
|
|
\x70\x72\x65\x67\x5f\x72\x65\x70\x6c\x61\x63\x65' /* case, dec/hex issue? */, // preg_replace
|
|
\x65\x78\x65\x63' /* dec/hex issue? */, // exec
|
|
ev\x61l
|
|
\x65\166\x61\154\x28' /* dec/hex issue? */,
|
|
\x65\x76\x61\x6C' /* case, dec/hex issue? */,
|
|
'ev'.'al'.'
|
|
eval(base64_decode(
|
|
<?php eval
|
|
$data = base64_decode("
|
|
edoced_46esab
|
|
base=base64_encode
|
|
cr"."eat"."e_fun"."cti"."on
|
|
gz'.'inf'.'late
|
|
# fopo.com.ar - a free online PHP obfuscator. It conveniently leaves its own comments in the obfuscated code.
|
|
http://www.fopo.com.ar/
|
|
|
|
|
|
#Malware/attack-specific strings, fingerprints and signatures
|
|
MagelangCyber
|
|
//rasta//
|
|
Baby_Drakon
|
|
Created By EMMA
|
|
3xp1r3
|
|
NinjaVirus Here
|
|
<dot>IrIsT
|
|
Hacked By EnDLeSs
|
|
Punker2Bot
|
|
Zed0x
|
|
darkminz
|
|
ReaL_PuNiShEr
|
|
OoN_Boy
|
|
Pashkela
|
|
Webcommander at
|
|
YENI3ERI
|
|
d3lete
|
|
Made by Delorean
|
|
Cybester90
|
|
K!LL3r
|
|
MrHazem
|
|
BY MMNBOBZ
|
|
Hackeado
|
|
bgeteam
|
|
VOBRA GANGO
|
|
Asmodeus
|
|
Cautam fisierele de configurare
|
|
BRUTEFORCING
|
|
FaTaLisTiCz_Fx Fx29Sh
|
|
DX_Header_drawn
|
|
Dr.abolalh
|
|
C0derz.com
|
|
Mr.HiTman
|
|
IrSecTeam
|
|
FLoodeR
|
|
eriuqer
|
|
zehirhacker
|
|
freetellafriend.com
|
|
casus15
|
|
temp_r57_table
|
|
By Psych0
|
|
c99ftpbrutecheck
|
|
d3b~X
|
|
profexor.hell
|
|
ZOBUGTEL
|
|
The Dark Raver
|
|
<kuku>
|
|
M4ll3r
|
|
itsoknoproblembro
|
|
tmhapbzcerff
|
|
|
|
|
|
#Miscellaneous
|
|
uname -a
|
|
/etc/shadow
|
|
/etc/passwd
|
|
\x47\x4c\x4f\x42\x41LS
|
|
${${
|
|
PHPJiaMi
|
|
DisablePHP=
|
|
moban.html
|
|
a,b,c,d,e,f,g
|
|
@x0powo
|
|
@preg_replace
|
|
1@1.com
|
|
META http-equiv="refresh" content="0;
|
|
="create_";global
|
|
Net@ddress Mail
|
|
__VIEWSTATEENCRYPTED
|
|
createFilesForInputOutput
|
|
R0lGODlhEwAQALMAAAAAAP///5ycAM7OY///nP//zv/OnPf39////wAAAAAA
|
|
ayu pr1 pr2 pr3 pr4 pr5 pr6
|
|
f0VMRgEBAQA
|
|
0d0a0d0a676c6f62616c20246d795f736d7
|
|
etalfnizg
|
|
JHZpc2l0Y291bnQgPSAkSFRUUF9DT09LSUVf
|
|
R2aXNpdGNvdW50ID0gJEhUVFBfQ09PS0lFX
|
|
kdmlzaXRjb3VudCA9ICRIVFRQX0NPT0tJRV
|
|
HTTP flood complete after
|
|
exploitcookie
|
|
az88pix00q98
|
|
Q3JlZGl0IDogVW5kZXJncm91bmQgRGV2aWwgJm5ic3A7ICB8DQo8YSBocmVmP
|
|
463839610c000b00800100ffffffffffff21f90401000001002c000
|
|
AAAAAAAAMAAwABAAAAeAUAADQAAADsCQAAAAAAADQAIAADACgAFwAUAAEA
|
|
HJ3HjutckoRfpXf9A1zQO2AwDRrRey9uGvTeez79qAao1a0rgudkZkR8Ra
|
|
Ly83MTg3OWQyMTJkYzhjYmY0ZDRmZDA0NGEzZDE3Zjk3ZmI2N
|
|
DJ7VIU7RICXr6sEEV2cBtHDSOe9nVdpEGhEmvRVRNURfw1wQ
|
|
LS0gRHVtcDNkIGJ5IFBpcnVsaW4uUEhQIFdlYnNoM2xsIHYxLjAgYzBkZWQgYnkgcjBkcjEgOkw\=
|
|
5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigk
|
|
X1NFU1NJT05bJ3R4dGF1dGhpbiddID0gdHJ1ZTsNCiAgICBpZiAoJF9QT1NUWydybSddKSB7DQogICAgICBzZXRjb29raWUoJ3R4dGF1dGhfJy4kcm1ncm91cCwgbW
|
|
R0lGODlhFAAUAKIAAAAAAP///93d3cDAwIaGhgQEBP///wAAACH5BAEAAAYALAAAAAAUABQAA
|
|
m91dCwgJGVvdXQpOw0Kc2VsZWN0KCRyb3V0ID0gJHJpbiwgdW5kZWYsICRlb3V0ID0gJHJpbiwgMTIwKTsNCmlmICghJHJvdXQgICYmICAhJGVvdX
|
|
CB2aTZpIDEwMjQtDQojLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ0KI3JlcXVp
|
|
BDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAAQABADASIAAhEBA
|
|
REREFER_PTTH
|
|
Joomla_brute_Force
|
|
/usr/sbin/httpd
|
|
sshkeys
|
|
eggdrop
|
|
rwxrwxrwx
|
|
GIF89A;<?php
|
|
putbot $bot
|
|
bind join - *
|
|
privmsg $chan
|
|
fopen('/etc/passwd
|
|
\u003c\u0069\u006d\u0067\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f
|
|
\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd
|
|
find / \-type f \-name \.htpasswd
|
|
find / \-type f \-perm \-02000 \-ls
|
|
find / \-type f \-perm \-04000 \-ls
|
|
if(''==($df=@ini_get('disable_functions
|
|
ncftpput -u
|
|
wsoEx(
|
|
WSOsetcookie(
|
|
\x47\x4c\x4f\x42\x41\x4c\x53
|