php-malware-scanner/patterns_raw.txt
nichogenius 6b55cfd8b3 Added Equivalent base64 pattern samples
Because base64 converts from an 8-bit to a 6-bit character system, you can get 3 unique base64 strings from a single ASCII string depending on the position of the first character.

For example:
base64_encode("system");
base64_encode(" system");
base64_encode("(  system");

The above 3 input strings all produce very different base64 signatures even though they all contain the same keyword 'system'. This is because the first letter of system, 's', falls on indices 0, 1, 2 respectively.

I updated several of the base64 samples to include their offset counterparts as the originals would only catch about 1 in 3 of the actual present matches.
2017-07-24 12:23:39 -06:00
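
The alignment effect described in the commit message above, as an added Python example that is not part of the repository or the commit: it derives, for a keyword, the base64 substring that is fully determined at each of the three byte alignments, then shows on constructed samples that a single pattern catches one alignment in three. The names `base64_variants`, `matching_samples` and `SAMPLES` are hypothetical.

```python
import base64


def base64_variants(keyword):
    """Return the base64 substrings `keyword` always produces at byte offsets 0, 1, 2 (mod 3)."""
    variants = []
    for offset in range(3):
        # Filler bytes in front shift the keyword to the wanted alignment; their
        # value is irrelevant because every character they touch is sliced off.
        encoded = base64.b64encode(b"\x00" * offset + keyword).decode("ascii")
        # Character i covers bits [6i, 6i+6); keep only the characters that lie
        # entirely inside the keyword's bits [8*offset, 8*(offset+len)).
        first = (8 * offset + 5) // 6                  # ceil(8*offset / 6)
        last = 8 * (offset + len(keyword)) // 6        # floor
        variants.append(encoded[first:last])
    return variants


def matching_samples(samples, patterns):
    """Return the samples whose base64 encoding contains any of `patterns`."""
    hits = []
    for sample in samples:
        encoded = base64.b64encode(sample).decode("ascii")
        if any(p in encoded for p in patterns):
            hits.append(sample)
    return hits


# Constructed inputs: the keyword starts at byte index 0, 1 and 2.
SAMPLES = [b"system call", b" system call", b"a system call"]

if __name__ == "__main__":
    for word in (b"system", b"exec("):
        # These reproduce the corresponding triplets in patterns_raw.txt.
        print(word, base64_variants(word))
    print("offset-0 pattern only:", matching_samples(SAMPLES, ["c3lzdGVt"]))
    print("all three variants:  ", matching_samples(SAMPLES, base64_variants(b"system")))
```

The variants at offsets 1 and 2 are shorter than the offset-0 one because the characters straddling the keyword boundary depend on neighbouring bytes and cannot be part of a fixed signature.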

175 lines
3.9 KiB
Plaintext

uname -a
/etc/shadow
/etc/passwd
WSOstripslashes
PD9waH
w/cGhw
8P3Boc
c3lzdGVt
N5c3Rlb
zeXN0ZW
\x73\x79\x73\x74\x65\x6d' /* case, dec/hex issue? */, // system
cHJlZ19yZXBsYWNl
ByZWdfcmVwbGFjZ
wcmVnX3JlcGxhY2
\x70\x72\x65\x67\x5f\x72\x65\x70\x6c\x61\x63\x65' /* case, dec/hex issue? */, // preg_replace
ZXhlYy
V4ZWMo
leGVjK
\x65\x78\x65\x63' /* dec/hex issue? */, // exec
='base'.(32*2).'_de'.'code'
"base64_decode"
YmFzZTY0X2RlY29kZ
Jhc2U2NF9kZWNvZG
iYXNlNjRfZGVjb2Rl
"p"."r"."e"."g"."_"
eval("?>
ev\x61l
\x65\166\x61\154\x28' /* dec/hex issue? */,
\x65\x76\x61\x6C' /* case, dec/hex issue? */,
ZXZhbC
V2YWwo
ldmFsK
'ev'.'al'.'
eval(base64_decode(
\x47\x4c\x4f\x42\x41LS
SFRUUF9VU0VSX0FHRU5U
hUVFBfVVNFUl9BR0VOV
IVFRQX1VTRVJfQUdFTl
YWxsb3dfdXJsX2ZvcGVu
FsbG93X3VybF9mb3Blb
hbGxvd191cmxfZm9wZW
${${
file_get_contents('http://codepad.org
PHPJiaMi
@include($_GET[
system($_GET[
md5($_GET[
ShellBOT
bgeteam
DisablePHP=
moban.html
<?php eval
$data = base64_decode("
a,b,c,d,e,f,g
freetellafriend.com
SHELL_PASSWORD
curl_get_from_webpage
base=base64_encode
@x0powo
@preg_replace
1@1.com
META http-equiv="refresh" content="0;
="create_";global
YW55cmVzdWx0cy5uZX
FueXJlc3VsdHMubmV0
hbnlyZXN1bHRzLm5ld
ZOBUGTEL
MagelangCyber
//rasta//
Baby_Drakon
Net@ddress Mail
Created By EMMA
3xp1r3
NinjaVirus Here
<dot>IrIsT
Hacked By EnDLeSs
Punker2Bot
Zed0x
darkminz
ReaL_PuNiShEr
OoN_Boy
__VIEWSTATEENCRYPTED
M4ll3r
createFilesForInputOutput
Pashkela
== "bindshell"
Webcommander at
YENI3ERI
d3lete
Made by Delorean
R0lGODlhEwAQALMAAAAAAP///5ycAM7OY///nP//zv/OnPf39////wAAAAAA
Cybester90
ayu pr1 pr2 pr3 pr4 pr5 pr6
f0VMRgEBAQA
0d0a0d0a676c6f62616c20246d795f736d7
etalfnizg
JHZpc2l0Y291bnQgPSAkSFRUUF9DT09LSUVfVf
R2aXNpdGNvdW50ID0gJEhUVFBfQ09PS0lFX
kdmlzaXRjb3VudCA9ICRIVFRQX0NPT0tJRV
edoced_46esab
VOBRA GANGO
itsoknoproblembro
HTTP flood complete after
exploitcookie
az88pix00q98
The Dark Raver
Q3JlZGl0IDogVW5kZXJncm91bmQgRGV2aWwgJm5ic3A7ICB8DQo8YSBocmVmP
463839610c000b00800100ffffffffffff21f90401000001002c000
AAAAAAAAMAAwABAAAAeAUAADQAAADsCQAAAAAAADQAIAADACgAFwAUAAEA
HJ3HjutckoRfpXf9A1zQO2AwDRrRey9uGvTeez79qAao1a0rgudkZkR8Ra
Ly83MTg3OWQyMTJkYzhjYmY0ZDRmZDA0NGEzZDE3Zjk3ZmI2N
DJ7VIU7RICXr6sEEV2cBtHDSOe9nVdpEGhEmvRVRNURfw1wQ
Asmodeus
Cautam fisierele de configurare
BRUTEFORCING
FaTaLisTiCz_Fx Fx29Sh
w4ck1ng shell
private Shell by m4rco
Shell by Mawar_Hitam
LS0gRHVtcDNkIGJ5IFBpcnVsaW4uUEhQIFdlYnNoM2xsIHYxLjAgYzBkZWQgYnkgcjBkcjEgOkw\=
5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigk
X1NFU1NJT05bJ3R4dGF1dGhpbiddID0gdHJ1ZTsNCiAgICBpZiAoJF9QT1NUWydybSddKSB7DQogICAgICBzZXRjb29raWUoJ3R4dGF1dGhfJy4kcm1ncm91cCwgbW
zehirhacker
R0lGODlhFAAUAKIAAAAAAP///93d3cDAwIaGhgQEBP///wAAACH5BAEAAAYALAAAAAAUABQAA
m91dCwgJGVvdXQpOw0Kc2VsZWN0KCRyb3V0ID0gJHJpbiwgdW5kZWYsICRlb3V0ID0gJHJpbiwgMTIwKTsNCmlmICghJHJvdXQgICYmICAhJGVvdX
CB2aTZpIDEwMjQtDQojLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ0KI3JlcXVp
DX_Header_drawn
BDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAAQABADASIAAhEBA
casus15
temp_r57_table
By Psych0
c99ftpbrutecheck
K!LL3r
MrHazem
BY MMNBOBZ
ConnectBackShell
Hackeado
d3b~X
REREFER_PTTH
Joomla_brute_Force
/usr/sbin/httpd
tmhapbzcerff
IrSecTeam
Spammer
FLoodeR
eriuqer
sshkeys
<kuku>
Backdoor
eggdrop
rwxrwxrwx
profexor.hell
GIF89A;<?php
$sh3llColor
fwrite($fpsetv, getenv("HTTP_COOKIE")
putbot $bot
bind join - *
privmsg $chan
fopen('/etc/passwd
\u003c\u0069\u006d\u0067\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f
\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd
find / \-type f \-name \.htpasswd
find / \-type f \-perm \-02000 \-ls
find / \-type f \-perm \-04000 \-ls
if(''==($df=@ini_get('disable_functions
system\"$cmd 1> /tmp/
ncftpput -u
wsoEx(
WSOsetcookie(
Dr.abolalh
C0derz.com
Mr.HiTman
\x47\x4c\x4f\x42\x41\x4c\x53
@eval($_POST['