php-malware-scanner/definitions/patterns_raw.txt

#Raw string patterns
#All strings in this file are case sensitive
#Comments are supported, but '#' must be the first character (index[0]) on the line.
#More critical patterns should be higher in the file as only the first pattern match is reported.

#Backdoor patterns
@eval($_POST['
Backdoor
@include($_GET[
system($_GET[
md5($_GET[
fwrite($fpsetv, getenv("HTTP_COOKIE")
system\"$cmd 1> /tmp/
\145\166\141\154\050\142\141\163\145\066\064\137\144\145\143\157\144\145\050

#Web-Shell patterns
$sh3llColor
w4ck1ng shell
private Shell by m4rco
Shell by Mawar_Hitam
SHELL_PASSWORD
ConnectBackShell
ShellBOT
== "bindshell"
".\x00..\x20"
FM_SESSION_ID
HACKED BY
_Mybb

#Remote Code
curl_get_from_webpage
file_get_contents('http://codepad.org

#mailers
leafmailer.pw

#Base64 String Samples.  Each plain text string should have 3 base64 equivalents

# https://
aHR0cHM6Ly

# "shell" in base64
c2hlbG
NoZWxs
zaGVsb

# "<?php" in base64
PD9waH
w/cGhw
8P3Boc

# "stat" in base64
c3Rhd
N0YX
zdGF0

# "copy" in base64
Y29we
NvcH
jb3B5

# "chr" in base64
Y2hy

# "system" in base64
c3lzdGVt
N5c3Rlb
zeXN0ZW

# "replace" in base64
cmVwbGFjZ
JlcGxhY2
yZXBsYWNl

# "str_" in base64
c3RyX
N0cl
zdHJf

# "exec" in base64
ZXhlYy
V4ZWMo
leGVjK

# "echo" in base64
ZWNob
VjaG
lY2hv

# "function" in base64
ZnVuY3Rpb2
Z1bmN0aW9u
mdW5jdGlvb

# "include" in base64
aW5jbHVkZ
luY2x1ZG
pbmNsdWRl

# "require" in base64
cmVxdWlyZ
JlcXVpcm
yZXF1aXJl

# "base64" in base64
YmFzZTY0
Jhc2U2N
iYXNlNj

# "eval" in base64
ZXZhb
V2YW
ldmFs

# "HTTP_USER_AGENT" in base64
SFRUUF9VU0VSX0FHRU5U
hUVFBfVVNFUl9BR0VOV
IVFRQX1VTRVJfQUdFTl

# "gzinflate" in base64
Z3ppbmZsYXRl
d6aW5mbGF0Z
nemluZmxhdG

# "open" in base64
b3Blb
9wZW
vcGVu

# "close" in base64
Y2xvc2
Nsb3Nl
jbG9zZ

# "array_" in base64
YXJyYXlf
FycmF5X
hcnJheV

# "cslashes" in base64
Y3NsYXNoZX
NzbGFzaGVz
jc2xhc2hlc

# "extract" in base64
ZXh0cmFjd
V4dHJhY3
leHRyYWN0

# "$_GET" in base64
JF9HRV
RfR0VU
kX0dFV

# "$_POST" in base64
JF9QT1NU
RfUE9TV
kX1BPU1

# "$_COOKIE" in base64
JF9DT09LSU
RfQ09PS0lF
kX0NPT0tJR

# "$_REQUEST" in base64
JF9SRVFVRVNU
RfUkVRVUVTV
kX1JFUVVFU1

# "GLOBALS" in base64
R0xPQkFMU
dMT0JBTF
HTE9CQUxT

# "sizeof" in base64
c2l6ZW9m
NpemVvZ
zaXplb2

# "printf" in base64
cHJpbnRm
ByaW50Z
wcmludG

# "define" in base64
ZGVmaW5l
RlZmluZ
kZWZpbm

# Obfuscation related code
'.'6'.'4'.'_'.'
bas'.'e64_dec
file'.'_put_co
fil'.'e_ex
Pz4=
L3gvaQ==
eval("?>
eval('?>
@eval(
"base64_decode"
='base'.(32*2).'_de'.'code'
"p"."r"."e"."g"."_"
WSOstripslashes
\x5f\x43\x4f\x4f\x4b\x49\x45
\x73\x79\x73\x74\x65\x6d
\x70\x72\x65\x67\x5f\x72\x65\x70\x6c\x61\x63\x65
\x65\x78\x65\x63
ev\x61l
\x65\166\x61\154\x28' /* dec/hex issue? */,
\x65\x76\x61\x6C' /* case, dec/hex issue? */,
'ev'.'al'.'
eval(base64_decode(
<?php eval
$data = base64_decode("
edoced_46esab
base=base64_encode
'b'.'ase6'.'4_e'.'ncode'
cr"."eat"."e_fun"."cti"."on
gz'.'inf'.'late
@eval("\
";eval(
eval(eval(
@eval(`
eVaL('?>
eval($_REQUEST
convert_uudecode(convert_uuencode
"64_decode"
'f' . 'il' . 'e' . '_'
'co' . 'nt' . 'e' . 'nt'
'h' . 'tm' . 'l' . 'sp'
'ha' . 'r' . 's'

# fopo.com.ar - free online php obfuscator. It conveniently leaves comments in the code.
http://www.fopo.com.ar/

#Malware/Attack specific strings/fingerprints/signatures
MagelangCyber
//rasta//
Baby_Drakon
Created By EMMA
3xp1r3
NinjaVirus Here
<dot>IrIsT
Hacked By EnDLeSs
Punker2Bot
Zed0x
darkminz
ReaL_PuNiShEr
OoN_Boy
Pashkela
Webcommander at
YENI3ERI
d3lete
Made by Delorean
Cybester90
K!LL3r
MrHazem
BY MMNBOBZ
Hackeado
bgeteam
VOBRA GANGO
Asmodeus
Cautam fisierele de configurare
BRUTEFORCING
FaTaLisTiCz_Fx Fx29Sh
DX_Header_drawn
Dr.abolalh
C0derz.com
Mr.HiTman
IrSecTeam
FLoodeR
eriuqer
zehirhacker
freetellafriend.com
casus15
temp_r57_table
By Psych0
c99ftpbrutecheck
d3b~X
profexor.hell
ZOBUGTEL
The Dark Raver
<kuku>
M4ll3r
itsoknoproblembro
tmhapbzcerff
IndoXploit
FaisaL Ahmed aka rEd X
smisbot
smotherbot
Indonesian Hacker Rulez
pwetan.com
iNHUMaN
Heartzz
Bye Bye Litespeed
BunnyInvisible
SEMOGABERKAH
BUTERFLYCOUNTRY

# WP-VCD Malware https://www.getastra.com/blog/911/how-to-fix-wp-vcd-backdoor-hack-in-wordpress-functions-php/
wp-vcd
class.theme-modules.php
wp-tmp.php
tmpcontentx
function wp_temp_setupx
derna.top/code.php
stripos($tmpcontent, $wp_auth_key)

#Miscellaneous
uname -a
/etc/shadow
/etc/passwd
\x47\x4c\x4f\x42\x41LS
${${
PHPJiaMi
DisablePHP=
moban.html
a,b,c,d,e,f,g
@x0powo
@preg_replace
1@1.com
META http-equiv="refresh" content="0;
="create_";global
Net@ddress Mail
__VIEWSTATEENCRYPTED
createFilesForInputOutput
R0lGODlhEwAQALMAAAAAAP///5ycAM7OY///nP//zv/OnPf39////wAAAAAA
ayu pr1 pr2 pr3 pr4 pr5 pr6
f0VMRgEBAQA
0d0a0d0a676c6f62616c20246d795f736d7
etalfnizg
JHZpc2l0Y291bnQgPSAkSFRUUF9DT09LSUVf
R2aXNpdGNvdW50ID0gJEhUVFBfQ09PS0lFX
kdmlzaXRjb3VudCA9ICRIVFRQX0NPT0tJRV
HTTP flood complete after
exploitcookie
az88pix00q98
Q3JlZGl0IDogVW5kZXJncm91bmQgRGV2aWwgJm5ic3A7ICB8DQo8YSBocmVmP
463839610c000b00800100ffffffffffff21f90401000001002c000
AAAAAAAAMAAwABAAAAeAUAADQAAADsCQAAAAAAADQAIAADACgAFwAUAAEA
HJ3HjutckoRfpXf9A1zQO2AwDRrRey9uGvTeez79qAao1a0rgudkZkR8Ra
Ly83MTg3OWQyMTJkYzhjYmY0ZDRmZDA0NGEzZDE3Zjk3ZmI2N
DJ7VIU7RICXr6sEEV2cBtHDSOe9nVdpEGhEmvRVRNURfw1wQ
LS0gRHVtcDNkIGJ5IFBpcnVsaW4uUEhQIFdlYnNoM2xsIHYxLjAgYzBkZWQgYnkgcjBkcjEgOkw\=
5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigk
X1NFU1NJT05bJ3R4dGF1dGhpbiddID0gdHJ1ZTsNCiAgICBpZiAoJF9QT1NUWydybSddKSB7DQogICAgICBzZXRjb29raWUoJ3R4dGF1dGhfJy4kcm1ncm91cCwgbW
R0lGODlhFAAUAKIAAAAAAP///93d3cDAwIaGhgQEBP///wAAACH5BAEAAAYALAAAAAAUABQAA
m91dCwgJGVvdXQpOw0Kc2VsZWN0KCRyb3V0ID0gJHJpbiwgdW5kZWYsICRlb3V0ID0gJHJpbiwgMTIwKTsNCmlmICghJHJvdXQgICYmICAhJGVvdX
CB2aTZpIDEwMjQtDQojLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ0KI3JlcXVp
BDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAAQABADASIAAhEBA
REREFER_PTTH
Joomla_brute_Force
/usr/sbin/httpd
sshkeys
eggdrop
rwxrwxrwx
GIF89A;<?php
putbot $bot
bind join - *
privmsg $chan
\u003c\u0069\u006d\u0067\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f
\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd
find / \-type f \-name \.htpasswd
find / \-type f \-perm \-02000 \-ls
find / \-type f \-perm \-04000 \-ls
if(''==($df=@ini_get('disable_functions
ncftpput -u
wsoEx(
WSOsetcookie(
\x47\x4c\x4f\x42\x41\x4c\x53
# create_function
'OY<--X17N-.OB8X'^',+YLY=nQ;CM;+W6';
# matches for a basic web shell
Mister Spy
Souheyl Bypass Shell
Welcome To Our Shell
Devloped By El Moujahidin
$f1 = ".ht"; $f2 = "acc"; $f3 = "ess";
.php.suspected
# join escaped
\x6A\x6F\x69\x6E
# reverse escaped
\x72\x65\x76\x65\x72\x73\x65
# split escaped
\x73\x70\x6C\x69\x74
# >tpircs/< aka </script>
\x3E\x74\x70\x69\x72\x63\x73\x2F\x3C
# comment spoof function call
/*;*/
# web shells host type extraction
php_uname()
# decode content with basic rot13
str_split(rawurldecode(str_rot13(
# generating PHP file name to put content
substr(md5(time()), 0, 8) . ".php"
'a:1:{s:13:\"administrator\";b:1;}'

# webshell
0byt3m1n1
ZeroByte

# obfuscated function name
'str_' .'rot13'
'st' .'rrev'

# JS escaped: document.createElement('script');
100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59

# JS escaped: String.fromCharCode(
83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40

# SEO poisoning control site call
"http://$xxx
?useragent=$botbotbot
[#*#*#]

# php://input encoded in base64
cGhwOi8vaW5wdXQ=

# backdoor script
<font color="red">Upload Gagal..</font><br />
explode('?>',$shell
0.33333333333333+0.33333333333333+0.33333333333333
0.66666666666667+0.66666666666667+0.66666666666667
1.3333333333333+1.3333333333333+1.3333333333333
class _t{private static$_
'LQ'.'=='

# common mobile agent check in SEO poison scripts
Array("1207", "3gso", "4thp", "501i", "502i", "503i", "504i", "505i", "506i",

# eval url decoded string
eval(rawurldecode('
eval(htmlspecialchars_decode(

# simple obfuscated function
'gz'.'unc'.'ompress'
'create'.'_'.'function'
'gzinf', 'la', 'te'
'e_f', 'cti', 'un', 'on', 'cr', 'eat'
'base', '64_dec', 'ode'
'cook', 'set', 'ie'
'repl', 'str_', 'ace'
"base"."64_"
'base'.'64_'
"t"."m"."p"."_"."n"."a"."m"."e"
"f"."i"."l"."e"."_"."p"."u"."t"
"f"."i"."l"."e"."_"."g"."e"."t"
'ode', 'e64_', 'bas', 'dec'
'unct', 'ion', 'te_f', 'crea'
'te', 'g', 'nf', 'l', 'a', 'zi'
'tion', 'e_func', 'creat'
'64_d', 'se', 'eco', 'de', 'ba'
'co', 'ki', 'e', 'o', 'set'
'str', '_rep', 'lace'

# process data from request object directly
extract($_REQUEST) && @$
extract($_REQUEST)&&@$
xtract($_REQUEST)&&@$

# uncompress cafted content
gzuncompress(strrev(substr(

# disable error reporting
<?php error_reporting(0);?>

# infected file include attached on the top of a legit file
<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>
<?php if (file_exists(dirname(__FILE__) . '/class.plugin-modules.php')) include_once(dirname(__FILE__) . '/class.plugin-modules.php'); ?>