Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
LP-MSH-Scanner/malware5.pl

410 lines
48 KiB
Perl
Raw Normal View History

new patterns
2018-03-30 10:04:44 +02:00
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
BEGIN {
$SIG{__DIE__} = sub {
my $msg = shift;
print "status: 500\n";
print "content-type: text/html\n\n";
$msg =~ s/\n/\0/g;
print "error: $msg\n";
CORE::die $msg;
}
}
$| = 1;
our $q = CGI->new;
print "Content-type: text/html\n\n";
my @regexen = (
qr/<\?php\s+\/\*\s+Plugin\s+Name\:\s+antisp.+?add\_filter\(\'all\_plugins\'\,\s+\'ANTISP\_hide\'\)\;/is,
new patterns
2018-04-12 06:07:21 +02:00
qr/<\?php.+?\;\$\{\"G.+?\;global\$mysqli\;global\$dbHost\;global\$dbUser\;\$.+?\;else\s+return\;break\;\}\}\s+\?>/is,
new patterns
2018-03-30 10:04:44 +02:00
qr/<script>\s+var\s+\_0xa7af\=\[.+?\]\;eval\(function\(\_0xaddfx1\,\_0xaddfx2\,\_0xaddfx3\,\_0xaddfx4\,\_0xaddfx5\,\_0xaddfx6\)\{.+?\]\)\,0\,\{\}\)\)\s+<\/script>/is,
qr/<\?php\s+\/\*\s+Plugin\s+Name\:\s+spamdetectvr.+?add\_filter\(\'all\_plugins\'\,\s+\'SPAMDETECTVR\_hide\'\)\;.+?\/\/\s+\}\s+\/\/\}\)\;/is,
qr/<script\s+type\=\"text\/javascript\">\s+eval\(function\(p\,a\,c\,k\,e\,d\)\{e\=function\(c\)\{return\s+c\.toString\(.+?\.replace\(new\s+RegExp\(.+?script\|insertBefore\'\.split\(\'\|\'\)\,0\,\{\}\)\)\s+<\/script>/is,
qr/\/\/([A-z0-9]{32})\s+create\_function\(\'\'\,\s+gzuncompress\(base64_decode\(.+?\)\)\)\;\s+\/\/([A-z0-9]{32})/is,
qr/<\?php\s+\$\{.+?\;protected\$instance\;protected\$request\;protected\$calls\=array\(\)\;protected\$response\=array\(\)\;protected\$hasCalls\=false\;private\$isBatchCall\=false\;protected\$hiddenMethods\=array\(\'execute\'\,\'\_\_construct\'\).+?\}\s+\?>/is,
qr/<\?php\s+\$\{.+?\]\;\@mail\(.+?\]\}\)\;\$\_SESSION\[.+?\]\}\=curl\_init\(\)\;curl\_setopt\(\$\{\$\{.+?\]\}\,CURLOPT\_RETURNTRANSFER\,1\)\;curl\_setopt\(\$\{\$\{.+?\]\}\}\;\}\}\s+\?>/is,
qr/<\?php\s+\/\*\s+Plugin\s+Name\:\s+Pisher.+?trojan\.25hack.+?\;\}\)\;\}\)\;\s+\?>/is,
qr/\s+<\?php\s+echo\(base64\_decode\(.+?\)\)\;eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;echo\s+\"\\x\d\d\\n\"\;\s+\?>/is,
qr/<\?php\s+echo\s+\"<div\s+align\=\\\"center\\\">.+?if\(isset\(\$\_POST\[\"submit\"\]\)\)\{if\(\$\_FILES\[\"file\"\]\[\"error\"\]>0\)\{echo.+?Go\s+here\s+\:\s+\"\.\$path\.\"<br>\"\;\}\}\s+\?>/is,
qr/<\?php\s+session\_start\(\)\;.+?function\s+login\_shell\(\)\s+\{\s+?>.+?IndoXploit.+?serverinfo\(\)\;\s+action\(\)\;\s+\?>\s+<\/body>\s+<\/html>/is,
qr/<\?.+?Aldwiry\s+Hack3r.+?\$usrp\s+\=\s+\"jo\/usr\.pl\"\;.+?Error\s+CHMOD\s+\!\"\;\s+\}\s+\?>/is,
qr/<\/br>\"\;\s+session\_start\(\)\;.+?Moshkela\s+Hacker<\/title>.+?\}\/\/\s+end\s+if\s+\}\s+\?>/is,
qr/<\?php\s+\$GLOBALS\[\'DB\_NAME\'\]\s+\=\s+array\(.+?if\(\!function\_exists\(\'bas\'\.\'e\'\.\'64\_\'\.\'en\'\.\'code\'\)\)\{.+?ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789.+?\)\;\?>/is,
qr/<\?php\s+\/\*\*\s+\*\s+SAPE\.ru.+?class\s+SAPE\_globals\s+\{.+?\$this\->\_data\[\$this\->\_request\_mode\]\s+\=\s+\$data\;\s+\}\s+\}/is,
qr/<\?php\s+if\s+\(\!defined\(\'\_SAPE\_USER\'\)\)\{\s+define\(\'\_SAPE\_USER\'\,.+?echo\s+\$sape\->return\_links\(\)\;\s+\?>/is,
qr/<\?\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\s+\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;.+?\$domain\s+\=\s+\'([A-z0-9]{1,20})\.liveupdates\.host\'\;.+?dns\_get\_record\(\$domain\,\s+DNS\_TXT\)\;.+?else\s+header\(\'Location\:\s+\'\.\$location\.\'\&\'\.\$\w\,\s+TRUE\,\s+302\)\;\s+\}/is,
qr/<\?php\s+\@date\_default\_timezone\_set\(.+?GetPageContent\(.+?EXPLOITOK.+?return\s+\(SASL\_CONTINUE\)\;\s+\}\s+\}/is,
qr/<\?php\s+function\s+cURLRequest\(\$url.+?function\s+Display404Page\(\)\s+\{.+?Display404Page\(\)\;\s+\}\s+exit\;\s+\}/is,
qr/<\?php\s+\$o0o\=\_\_FILE\_\_\;\$oOo\=\'.+?\'\;eval\(gzinflate\(base64\_decode\(.+?\'\)\)\)\;\?>/is,
qr/<\?php\s+\$o0O0\s+=.+?\$oO0\=\"cr\"\.\"eat\"\.\"e\_fun\"\.\"cti\"\.\"on\"\;\$oO0o\=\@\$oO0\(.+?\?>\"\.gz\'\.\'inf\'\.\'late\'\.\'\(\s+bas\'\.\'e64\'\.\'\_de\'\.\'co\'\.\'de\(.+?\,\$o0O0\)\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{20,})\"\;.+?\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{20,})\"\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$.+?\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\s+\?>/is,
qr/<\?php\s+\$\w\_\_\_\w\=\'base\'\.\(128\/2\)\.\'\_de\'\.\'code\'\;\$\w\_\_\_\w\=\$\w\_\_\_\w\(str\_replace\(\"\\n\"\,\ \'\'\,.+?<input\s+type\=\"submit\"value\=\"\&gt\;\"\/><\/form>/is,
qr/<\?php\s+set\_time\_limit\(0\)\;.+?Mister\s+Spy<\/title>.+?Upload\s+File.+?\?>\s+bypass.+?contact\@elmoujehidin\.net/is,
qr/<\?php\s+\@\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\s+\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\"([A-z0-9]{1,20})\"\]\)\)\s+\{\$([A-z0-9]{1,20})\=\"ass\"\.\"ert\"\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$\_REQUEST\[\"([A-z0-9]{1,20})\"\]\)\;\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"ass\"\.\"ert\"\;\s+\$([A-z0-9]{1,20})\(\$\{\"\_PO\"\.\"ST\"\}\s+\[\"([A-z0-9]{1,20})\"\]\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{20,})\=.+?eval\(base64\_decode\(gzuncompress\(base64\_decode\(\$([A-z0-9]{20,})\)\)\)\)\;\s+\?>/is,
qr/<\!DOCTYPE.+?libraries\/joomla\/document\/json\/a\.txt\s+was\s+not\s+found.+?<\/html>/is,
qr/<\?php\s+session\_start\(\)\;.+?\$auth\_pass.+?IndoXploit.+?IndoXploit<\/font><\/a><\/center>\"\;\s+\}\s+\?>\s+<\/html>/is,
qr/<\?php.+?FOPO.+?\$([A-z0-9]{1,20})\=.+?\@eval\(\$([A-z0-9]{1,20})\(\s+\"([A-z0-9]{50,}).+?\"\)\)\;\s+\?>/is,
qr/<SCRIPT\s+SRC\=http\:\/\/w0rms\.com\/sayac\.js><\/SCRIPT>\s+<\?php.+?header\(\'HTTP\/1\.0\s+404\s+Not\s+Found\'\)\;\s+exit\;/is,
qr/<\?php\s+if\s+\(isset\s+\(\$\_GET\[\'.+?\'\]\)\).+?\$default\_use\_ajax\s+\=\s+true\;.+?preg\_replace\(\"\/\.\*\/e\"\,\".+?\"\,\"\.\"\)\;\s+\}\s+else\s+\{\s+echo\s+\"<div\s+style\=display\:none>.+?<\/div>\"\;\s+\}\s+\?>/is,
qr/<\?php\s+WSOCheckUA\(\)\;.+?\$disable\_functions\s+\=\s+\@ini\_get\(.+?if\(\s+\!empty\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\s+\&\&\s+function\_exists\(\'action\'\s+\.\s+\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\s+\)\s+\{\s+call\_user\_func\(\'action\'\s+\.\s+\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\s+\}/is,
qr/<\?php.+?Bypass\s+\.\/Config\s+\.\/User\s+\.\/Domain.+?eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php\s+function\s+wsoHeader\(\)\s+\{.+?\$drives\s+\=\s+\"\"\;.+?<div\s+style\=\"margin\:5\">\'\;\s+\}/is,
qr/<\?php\s+function\s+getBot\(\$url\)\s+.+?echo\s+\"<b>Namesis<br>.+?exit\(\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$\_F\=\_\_FILE\_\_\;\$\_X\=.+?eval\(base64\_decode\(.+?\)\)\;\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;.+?File\s+Manager<\/title>.+?\$pathen\s+\=\s+base64\_encode\(\$path\)\;.+?return\s+\$info\;\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\_\w\s+\=\s+\'\'\.chr\(([0-9]{1,5})\)\.\'\'\.chr\(([0-9]{1,5})\)\.\'([A-z0-9]{1,20})\'\.chr\(([0-9]{1,5})\)\.\'de\'\s+\;\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\_\w\(\'\'\,array\(.+?\)\)\;\$([A-z0-9]{1,20})\(\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?array\(\'ba\'\s+\,\'se\'\s+\,\'64\'\s+\,\'\_d\'\s+\,\'ec\'\s+\,\'od\'\s+\,\'e\'\)\;.+?array\(\'gzu\'\,\s+\'nco\'\,\s+\'mpr\'\,\s+\'ess\'\).+?eval.+?\)\s+\)\s+\)\s+\)\s+\;\s+\?>/is,
qr/<\?php.+?\'\'\.chr\(.+?\'\.chr\(.+?\(\'\'\,array\(.+?\)\.\'e64\_deco\'\.chr\(.+?\(\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;\?>/is,
qr/<\?php\s+header\(\'Content\-Type\:text\/.+?define\(\'SHELL\_PASSWORD\'\,.+?API\_VERSION\,\s+2\)\)\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\/\*a\,b\,c\,d\,e\,f\,g\,h\,i\,j\,k\,l\,m\,n\,o\,p\,q\,r\,s\,t.+?\*\/\s+\?>/is,
qr/<\?php.+?\'\.chr\(.+?\)\.\'\'\.chr\(.+?aWYo.+?\(\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$.+?\)\)\;\?>/is,
qr/<\?php\s+define\(\'EXT\_MYSQLI\'\,\s+\'mysqli\'\)\;.+?\{\s+if\s+\(file\_exists\(sprintf\(\'\%s\/wp\-config\.php\'.+?\s+break\;\s+\}\s+\}\s+else\s+\{\s+die\(\'ympf\'\)\;\s+\}/is,
qr/<\?php\s+\$.+?\=\s+array\(.+?\=\s+array\(\'bas\'\s+\,\'e64\'\s+\,\'\_de\'\s+\,\'cod\'\s+\,\'e\'\)\;\s+\$.+?\=\s+array\('g\'\,\s+\'z\'\,\s+\'u\'\,\s+\'n\'\,\s+\'c\'\,\s+\'o\'\,\s+\'m\'\,\s+\'p\'\,\s+\'r\'\,\s+\'e\'\,\s+\'s\'\,\s+\'s\'\)\s+\;\$.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\)\.\'\'\.chr\(.+?\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?eval.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+assert\_options\(ASSERT\_WARNING\,0\)\;.+?function\s+hex2ascii\(\$.+?\'e\'\.\'\'\.\'\'\.\'\'\.\'\'\.\'.+?\.\'\'\.\'\'\.\'\'\.\'v\'\.\'a\'\.\'l\'\.\'\(\$.+?assert\(\$\w\)\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'gzun\'\.\s+\'comp\'\.\s+\'ress\'\;\$([A-z0-9]{1,20})\s+\=\s+\'bas\'\s+\.\'e64\'\s+\.\'\_de\'\s+\.\'cod\'\s+\.\'e\'\;\$([A-z0-9]{1,20})\s+\=\s+\'imp\'\s+\.\'lod\'\s+\.\'e\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?eval.+?\)\)\)\)\;\s+\?>/is,
new pattern
2018-03-30 10:34:23 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'g\'\.\s+\'z\'\.\s+\'u\'\.\s+\'n\'\.\s+\'c\'.\s+\'o\'\.\s+\'m\'\.\s+\'p\'\.\s+\'r\'\.\s+\'e\'\.\s+\'s\'\.\s+\'s\'\;\$([A-z0-9]{1,20})\s+\=\s+\'b\'\s+\.\'a\'\s+\.\'s\'\s+\.\'e\'\s+\.\'6\'\s+\.\'4\'\s+\.\'\_\'\s+\.\'d\'\s+\.\'e\'\s+\.\'c\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'\;\$.+?=\s+\'imp\'\s+\.\'lod\'\s+\.\'e\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?eval\(.+?\)\)\)\)\;\s+\?>/is,
new patterns
2018-03-30 11:25:23 +02:00
qr/<\?php\s+\@session\_start\(\)\;.+?if\(\$chk\_login\).+?echo\s+\$buff\;\s+\}\s+\?>\s+<\/div>\s+<\/body>\s+<\/html>/is,
qr/GIF89a\?<\?php.+?\$get\.\=chr\(.+?\$undecode\=.+?\$ecode\.\=\s+\$\_REQUEST\[.+?\@eval\(\$undecode\(\$.+?\?>/is,
qr/<title>MCL<\/title><form\s+enctype\=multipart\/form\-data\s+method\=post>.+?<\?\s+echo\s+base64\_decode\(.+?\$fp\=fopen\(base64\_decode\(\$\_REQUEST\[.+?\@copy\(\$\_FILES\[.+?\}\}\;\s+\?>/is,
qr/<\?php\s+\$a\=\"4\"\;\s+\$b\=\"0\"\;\s+\$c\=\"4\"\;\s+echo\s+\$a\.\$b\.\$c\.\"\#\"\;\s+\?>\s+<\?php\s+eval\(\$\_POST\[([A-z0-9]{1,20})\]\)\;\s+\$\w\_File\=fopen\(\$\_SERVER\[\'DOCUMENT\_ROOT\'\]\.\"\/1\.txt\"\,\"w\"\)\;\s+if\(\!\$\w\_File\)\s+echo\s+\"writewrong\"\;\s+else\s+echo\s+\"writeok\"\;\s+\?>/is,
qr/GIF89a\s+<\%\s+eval\s+request\(\"([A-z0-9]{1,20})\"\)\%>\s+abcabcabc/is,
qr/GIF89a<\?php\s+\@eval\(\$\_POST\[.+?\$response\s+\=\s+curl\(\$shell\_url\)\;.+?function\s+getcontent\(\$file\)\{.+?return\s+\$tmp\_content\;\s+\}/is,
qr/GIF89a.+?<\?php\s+eval\(\$\_POST\[([A-z0-9]{1,20})\]\)\?>/is,
qr/GIF89a<\?PHP\s+fputs\(fopen\(\'([A-z0-9]{1,20})\.php\'\,\'w\'\)\,\'<\?php\s+eval\(\$\_POST\[([A-z0-9]{1,20})\]\)\?>abcabcabc\'\)\;\?>/is,
qr/<\?php\s+echo\s+\'<form\s+action\=\"\".+?\$\_POST\[\'\_\'\]\=\=\"GO\"\)\{if\(\@copy\(\$\_FILES\[.+?Err<\/b>\'\;\}\}\?>/is,
qr/GIF89a\?\s+<\?php.+?\$get\.\=chr\(.+?\$undecode\=.+?\$ecode\.\=\s+\$\_REQUEST\[.+?\@eval\(\$undecode\(\$.+?\?>/is,
qr/\%PDF\-\d\.\d.+?<\?php\s+\@include.+?<title>\'\.getenv\(\"HTTP\_HOST\"\)\.\'\s+\~\s+chmod\.php<\/title>.+?print\s+\$footer\;.+?exit\(\)\;\s+\?>/is,
new patterns
2018-04-07 10:50:32 +02:00
qr/<\?php\s+\/\/header\(.+?\=urldecode\(.+?\\x\d\d\"\]\(\)\;\?>/is,
new patterns
2018-03-30 11:25:23 +02:00
qr/<\?\s+eval\(base64\_decode\(.+?\)\)\;\s+\?>/is,
new patterns
2018-04-06 21:22:05 +02:00
qr/<\?php\s+\$\{\"\\x.+?\;\$\{.+?\;\$\{.+?\;\$\{.+?\;\$\{.+?\;\$\{.+?base64\_decode\(substr\(\$\{\$\{.+?\}\;\}exit\(\)\;\}break\;\}\}\}\}\}\s+\?>/is,
new patterns
2018-03-30 11:25:23 +02:00
# qr/GIF89a.+?<\?php.+?\?>/is,
new patterns & fixes
2018-03-31 13:56:59 +02:00
qr/<\?php\s+\$.+?\=\s+\'gzu\'\.\s+\'nco\'\.\s+\'mpr\'\.\s+\'ess\'\;\$.+?\=\s+\'bas\'\s+\.\'e64\'\s+\.\'\_de\'\s+\.\'cod\'\s+\.\'e\'\;\$.+?\=\s+\'imp\'\s+\.\'lod\'\s+\.\'e\'\;\$.+?array\(.+?eval\(.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$.+?\=\s+\'gz\'\.\s+\'un\'\.\s+\'co\'\.\s+\'mp\'\.\s+\'re\'\.\s+\'ss\'\;\$.+?\=\s+\'ba\'\s+\.\'se\'\s+\.\'64\'\s+\.\'\_d\'\s+\.\'ec\'\s+\.\'od\'\s+\.\'e\'\;\$.+?\=\s+\'im\'\s+\.\'pl\'\s+\.\'od\'\s+\.\'e\'\;\$.+?array\(.+?eval\(.+?\)\)\)\)\;\s+\?>/is,
new patterns
2018-04-01 11:26:10 +02:00
qr/<\?php\s+\$s\_pass\s+\=.+?\$s\_func\=\"cr\"\.\"eat\"\.\"e\_fun\"\.\"cti\"\.\"on\"\;\$b374k\=\@\$s\_func\(\'\$x\,\$y\'\,\'ev\'\.\'al\'\.\'\(\"\\\$\s\_pass\=\\\"\$y\\\"\;\?>\"\.gz\'\.\'inf\'\.\'late\'\.\'\(\s+bas\'\.\'e64\'\.\'\_de\'\.\'co\'\.\'de\(\$x\)\)\)\;\'\)\;\@\$b374k\(.+?\$s\_pass\)\;\?>/is,
qr/\?php\s+if\(\s+isset\(\$\_REQUEST\[\"test\_url\"\]\)\s+\)\{\s+echo\s+\"file\s+test\s+okay\"\;.+?\$data\s+\=\s+base64\_decode\(.+?file\_put\_contents\(\"tivuser\.zip\"\,\$data\)\;.+?die\(\"([0-9]{1,20})\"\)\;\s+\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=.+?array\(.+?\$([A-z0-9]{1,20})\s+=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\s+\=\s+false\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$.+?\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\s+\?>/is,
new patterns
2018-04-02 08:42:46 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\=\s+array\(\'ba\'\s+\,\'se\'\s+\,\'64\'\s+\,\'\_d\'\s+\,\'ec\'\s+\,\'od\'\s+\,\'e\'\)\;\s+\$.+?\=\s+array\(\'gzu\'\,\s+\'nco\'\,\s+\'mpr\'\,\s+\'ess\'\)\s+\;\$.+?eval\s+\(\s+\$.+?\)\s+\)\s+\)\s+\)\s+\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\=\s+array\(\'b\'\s+\,\'a\'\s+\,\'s\'\s+\,\'e\'\s+\,\'6\'\s+\,\'4\'\s+\,\'\_\'\s+\,\'d\'\s+\,\'e\'\s+\,\'c\'\s+\,\'o\'\s+\,\'d\'\s+\,\'e\'\)\;\s+\$.+?\=\s+array\(\'gz\'\,\s+\'un\'\,\s+\'co\'\,\s+\'mp\'\,\s+\'re\'\,\s+\'ss\'\)\s+\;\$.+?eval\s+\(\s+\$.+?\)\s+\)\s+\)\s+\)\s+\;\s+\?>/is,
new pattern
2018-04-02 10:48:23 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'s\'\.\'t\'\.\'r\'\.\'r\'\.\'e\'\.\'v\'\;\$.+?\=\s+array\(.+?\'esab\'\)\;\$.+?\(\'edo\'\.\'lpm\'\.\'i\'\)\;\$.+?\)\.\'\'\)\;eval\(\$.+?\)\)\)\)\;\s+\?>/is,
qr/\$z\=get\_option\(\"([A-z0-9]{20,})\"\)\;\s+\$z\=base64\_decode\(str\_rot13\(\$z\)\)\;\s+if\(strpos\(\$z\,\"([A-z0-9]{1,20})\"\)\!\=\=false\)\{\s+\$\_z\=create\_function\(\"\"\,\$z\)\;\s+\@\$\_z\(\)\;\s+\}/is,
new patterns
2018-04-04 21:48:31 +02:00
qr/function\s+add\_js\_scripts\(\)\s+\{\s+wp\_enqueue\_script\(\'js\-rws\'\,\s+\'http\:\/\/cloudflare\.solutions.+?wp\_enqueue\_script\(\'js\-cors\'\,\s+\'http\:\/\/cloudflare\.solutions\/ajax\/libs\/cors\/cors\.js\'\,\s+\'\'\,\s+null\,\s+true\)\;\s+\}.+?add\_action\(\'login\_enqueue\_scripts\'\,\s+\'add\_js\_scripts\'\s+\)\;/is,
qr/<html><head><meta.+?Mocus7Shell.+?<\?php\s+echo\s+wordwrap\(php\_uname\(\).+?<\/body><\/html><\?php\s+chdir\(\$lastdir\)\;\s+c79shexit\(\)\;\s+\}\s+\?>/is,
qr/<\?php\s+session\_start\(\)\;.+?\@clearstatcache\(\)\;.+?\$auth\_pass\s+\=.+?eval\(base64\_decode\(gzinflate\(str\_rot13\(convert\_uudecode\(gzinflate\(base64\_decode\(\(\$([A-z0-9]{1,20})\)\)\)\)\)\)\)\)\;/is,
qr/<\!doctype.+?L0LZ666H05T.+?<\/body>\s+<html>/is,
qr/<html>\s+<head>.+?213\_90N6.+?<\/body>\s+<\/html>/is,
qr/<iframe\s+width\=0px\s+height\=0px\s+frameborder\=no\s+name\=frame1\s+src\=http\:\/\/.+?\.ru>\s+<\/iframe>/is,
qr/<\?php\s+\$\{.+?\"\;eval\(base64\_decode\(\$\{\$\{\"G\\x.+?\"\;eval\(base64\_decode\(\$\{\$.+?\}\,CURLOPT\_CONNECTTIMEOUT\,10\)\;curl\_setopt\(\$\{\$\{.+?>\"\;\s+\?>/is,
qr/<\?php.+?x48x\s+Mini\s+Shell\s+Backdoor.+?\@clearstatcache\(\)\;.+?function\s+login\_shell\(\)\s+\{\s+\?>/is,
qr/<\?php\s+\/\*\s+MMM\s+\*\/\$OOO000000\=urldecode\(.+?\}\;\$GLOBALS\[.+?\=\_\_FILE\_\_\;\$.+?\)\)\;return\;\?.+?\=([A-z0-9]{1,20})/is,
qr/<\?php\s+set\_time\_limit\(0\)\;.+?eval\(base64\_decode\(file\_get\_contents\(\'https\:\/\/pastebin\.com\/raw\/.+?return\s+\$info\;\s+\}\s+\?>/is,
qr/<\?php\s+\$\{.+?\"\;function\s+http\_get\(\$url\)\{\$\{.+?\]\}\=curl\_init\(\$\{\$\{.+?\]\}\,CURLOPT\_RETURNTRANSFER\,1\)\;\$\{\"G.+?\]\}\,CURLOPT\_FOLLOWLOCATION\,1\)\;curl\_setopt\(\$\{\$\{.+?\"\;return\s+curl\_exec\(\$\{\$\{\"GLO.+?\]\}\)\)\$\_POST\[.+?\"\.\$\_POST\[\"\w\"\]\)\;\s+\?>/is,
qr/<html>\s+<head>\s+<title>Shell\s+Helix\s+Sunda\s+Version.+?BConfig\s+Fucker.+?fclose\s+\(\$dosya\)\;\s+\$([A-z0-9]{1,10})\s+\=\'([A-z0-9]{100,}).+?<\/font>\s+<\/footer>\s+<\/html>/is,
qr/<\?php.+?VARIABLES\s+GOES\s+HERE.+?\$shell\_fake\_name.+?RESOURCES\s+GOES\s+HERE.+?\$icon\s+\=\s+\".+?<\/html>\"\;\s+echo\s+preg\_replace\(\"\/\\s\+\/\"\,\"\s+\"\,\$html\_final\)\;\s+\?>/is,
qr/<html><head>.+?<address>Apache\s+Server\s+at.+?Math\.floor\(Math\.random\(\)\*99999999999\)\;var\s+url\s+\=\s+idc\_glo\_url\+.+?else\s+login\_shell\(\)\;\s+if\(isset\(\$\_GET\[\'file\'\]\).+?return\s+\$buff\;\s+\}\s+\}\s+\?>.+?<\/font>\s+<\/footer>\s+<\/html>/is,
qr/<html>.+?Shell\s+priv\s+\/\/F3KS3C.+?\}\s+elseif\(\$\_GET\[\'do\'\]\s+\=\=\s+\'whois\'\)\s+\{\s+\?>.+?<\/select>\&nbsp\;\s+<\/form>/is,
qr/}\s+\}\s+function\s+login\_shell\(\)\s+\{\s+\?>/is,
qr/<script\s+type\=\"text\/javascript\">.+?<\/script>\s+<\/head>\s+<\?php.+?\.\/Mr\.\s+aQ\..+?function\s+w\_wget\(\$array\)\{.+?mail\(\$idb1\,\s+\"Tetep\s+Ganteng\"\,\s+\$idb3\,\s+\"\[\s+\"\s+\.\s+\$\_SERVER\[\'REMOTE\_ADDR\'\]\s+.\s+\"\s+\]\"\)\;\s+\*\/\s+\?>.+?<\/html>/is,
qr/<\!DOCTYPE.+?Yhuricka<\/title>.+?uid\=0\(root\)\s+gid\=0\(root\)\s+groups\=0\(root\).+?0ut<\/font>\s+<\/div>/is,
qr/<\!DOCTYPE.+?HACKED.+?<\/html>.+?<\!\-\-\s+document\.write\(unescape\(.+?\/\/\-\->\s+<\/script>/is,
new patterns
2018-04-06 12:08:33 +02:00
qr/<\?php\s+\$auth\_pass\s+\=\s+\".+?\"\;\s+\/\/\s+default\:.+?eval\(base64\_decode\(gzinflate\(str\_rot13\(convert\_uudecode\(gzinflate\(base64\_decode\(\(\$.+?\)\)\)\)\)\)\)\)\;/is,
qr/<html>\s+<head>\s+<title>Shell\s+Login<\/title>.+?<\?php\s+function\s+w\(\$dir\,\$perm\)\s+\{.+?if\(isset\(\$\_POST\[\'phpconfig\'\]\)\)\s+\{\s+\?>/is,
qr/<\?php\s+\/\*\s+\*\s+Ochillroot\s+Shell.+?\@clearstatcache\(\)\;.+?\{\$text\s+\=\s+\$\_POST\[\'code\'\]\;\s+\?>/is,
qr/<html>\s+<\!\-\-\s+Hacked\s+by.+?<\/body>\s+<\/html>/is,
qr/<SCRIPT\s+Language\=VBScript><\!\-\-\s+DropFileName\s+\=\s+\"svchost\.exe\"\s+WriteData\s+\=.+?Set\s+WSHshell\s+\=\s+CreateObject\(\"WScript\.Shell\"\)\s+WSHshell\.Run\s+DropPath\,\s+0\s+\/\/\-\-><\/SCRIPT>/is,
qr/<\?php.+?\$auth\_pass\s+\=\s+\".+?\"\;\s+\/\/\s+default\:.+?eval\(base64\_decode\(gzinflate\(str\_rot13\(convert\_uudecode\(gzinflate\(base64\_decode\(\(\$.+?\)\)\)\)\)\)\)\)\;/is,
qr/<\?php\s+\$\{.+?\"\;if\(get\_magic\_quotes\_gpc\(\)\)\{\$.+?\)\)\;return\$\{\$([A-z0-9]{1,20})\}\;\}\s+\?>/is,
qr/<\?php.+?\@clearstatcache\(\)\;.+?echo\s+\"<center>Copyright\s+\&copy\;.+?\}\s+\?>/is,
new patterns
2018-04-06 19:35:17 +02:00
qr/<\?php.+?\@clearstatcache\(\)\;.+?function\s+login\_shell\(\)\s+\{.+?if\(\!is\_readable\(\$dir\)\)\s+\{.+?\}\s+\?>\s+<\/html>/is,
qr/<\?php.+?if\(get\_magic\_quotes\_gpc\(\)\)\{.+?foreach\(\$scandir\s+as\s+\$dir\)\{.+?return\s+\$info\;\s+\}\s+\?>/is,
qr/<\?php\s+ini\_get\(\'max\_execution\_time\'\)\;.+?\$message\s+\=\s+stripslashes\(\$message\)\;.+?BLACKER\.X\s+<\/p>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\$web\s+\=\s+\$\_SERVER\[\"HTTP\_HOST\"\]\;.+?Shell\s+http\:\/\/\$web\$inj.+?IP\:\s+\"\;\s+\}\s+\?>/is,
qr/<\?php.+?\$\{.+?\$\{.+?\$\{.+?\;\$\{\"G.+?\;\$\{\"G.+?\;\$\{\"G.+?\}\)\;\}\}\}\}\}\s+\/\/([A-z0-9]{1,20})\s+\?>/is,
qr/<\?php\s+echo\s+\'<form\s+action\=\"\"\s+method\=\"post\"\s+enctype\=\"multipart\/form\-data\"\s+name\=\"upl\"\s+id\=\"upl\">\'\;echo\s+\'<input\s+type\=\"file\"\s+name\=\"file\"\s+size\=\"50\"><input\s+name\=\"\_upl\"\s+type\=\"submit\"\s+id\=\"\_upl\"\s+value\=\"Upload\"><\/form>\'\;if\(\s+\$\_POST\[\'\_upl\'\]\s+\=\=\s+\"Upload\"\s+\)\s+\{if\(\@copy\(\$\_FILES\[\'file\'\]\[\'tmp\_name\'\]\,\s+\$\_FILES\[\'file\'\]\[\'name\'\]\)\)\{echo\s+\'a\'\;\s+\}else\s+\{echo\s+\'b\'\;\}\}\?>/is,
qr/<\?php\s+header\(\'Content\-Type\:.+?Hacker\s+Shell.+?\)\;break\;default\:home\(\)\;break\;\}\?>/is,
qr/<\?php\s+\@preg\_replace\(\"\/\[pageerror\]\/e\"\,\$\_POST\[.+?\)\;\s+\?><\?php.+?\=urldecode\(.+?create\s+ok\!\"\;\}\}exit\;\'\)\;\$\{.+?\]\(\)\;\?>/is,
qr/<\?php\s+\/\/header\(.+?\=urldecode\(.+?\$start\)\,\(\$\{.+?\]\(\)\;\?>/is,
qr/<\?php\s+if\(\!function\_exists\(.+?\)\+ord\(\$.+?\=strlen\(\$.+?preg\_match\(base64\_decode\(.+?\;\}\}\}\}eval\(.+?\)\)\;\?>/is,
qr/<\?\s+function\s+query\_str\(\$params\)\{.+?BlackSHOP.+?\$numemails\s+\=\s+count\(\$allemails\)\;\s+\$random\_smtp\_string\=array\(.+?eval\(base64\_decode\(\$undetect\)\)\;\s+\?>\s+<\/body>\s+<\/html>/is,
new patterns
2018-04-06 21:22:05 +02:00
qr/<\?php\s+\$\w\=base64\_decode\(\'.+?\'\)\.\$\_GET\[\'\w\'\]\.\'\w\'\;\@\$\w\(\$\_POST\[\'\w\'\]\)\;echo\s+\"abc\"\?>/is,
qr/<\?php.+?Akismet3.+?str\_rot13\(gzinflate\(str\_rot13\(base64\_decode\(.+?create\_function\(null\,\s+\$.+?\(\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{20,})\=.+?\"\;\s+eval\(base64\_decode\(gzuncompress\(base64\_decode\(\$([A-z0-9]{20,})\)\)\)\)\;\?>/is,
qr/<\?php\s+\$wp\_load\s+\=\s+\"wp\-load\.php\"\;\s+\$wp\_pluggable\s+\=\s+\"wp\-includes\/pluggable\.php\"\;.+?No\s+posts\s+found<\/error>\"\;\s+\}\s+\}\s+\?><\?php\s+\/\*\s+wp\-code\-inserted\s+\*\/\s+\?>/is,
qr/<\?php\s+\$.+?\=\s+\'gzun\'\.\s+\'comp\'\.\s+\'ress\'\;\$.+?\=\s+\'base\'\s+\.\'64\_d\'\s+\.\'ecod\'\s+\.\'e\'\;\$.+?\=\s+\'imp\'\s+\.\'lod\'\s+\.\'e\'\;\$.+?\=\s+array\(\".+?\)\;\s+eval\(\s+\$.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+error\_reporting\(E\_ERROR.+?global\s+\$site\_root\_dir\;.+?if\(PLATFORM\s+\=\=\s+WORDPRESS\)\s+\{.+?\/\/print\s+PLATFORM\;\s+\/\/print\_r\(\$all\_dirs\)\;\s+\?>/is,
qr/<\?php\s+\@preg\_replace\(\"\/\/e\"\,\$\_POST\[\'.+?\'\]\,\"Access\s+Denied\"\)\;\?>/is,
new patterns
2018-04-07 10:50:32 +02:00
qr/<\?php\s+\@eval\(\$\_POST\[\'([A-z0-9]{1,})\'\]\)\;\s+\?>/is,
qr/<\?php.+?if\(isset\(\$\_GET\[\'check\'\]\)\)\{\s+\$file\[\]\s+\=\s+\'id0\.php\'\;.+?curl\_close\(\$ch\)\;\s+\}\s+return\s+\$data\;\s+\}/is,
qr/<\?php\s+\$arrId\s+\=\s+array\(.+?\'([0-9]{1,20})\-([0-9]{1,20})\'\,.+?\)\;\s+\?>/is,
qr/<\?php.+?\$arrnametime\[\]\=.+?\$arr\_word\[.+?\$arr\_key\[\]\=.+?\$strRand\[.+?return\s+\(\$ip\s+\?\s+\$ip\s+\:\s+\$\_SERVER\[\'REMOTE\_ADDR\'\]\)\;\}\s+\/\/file\s+end/is,
qr/<\?php\s+\$\{\"G.+?\(\$\{\$\{\"G\\x\d\wOB\\x\d\dL\\x\d\d\"\}\[.+?\\n\"\;\s+\?>/is,
qr/<\?php\s+echo\s+\'\s+<title>unzip\s+file\s+by\s+ahwak2000.+?\/\/by\s+ahwak2000\s+\?>/is,
qr/<\?php\s+\$\w\=\"ass\"\.\"ert\"\;\s+\$\w\(\$\{\"\_PO\"\.\"ST\"\}\s+\[\'([A-z0-9]{1,})\'\]\)\;\?>/is,
qr/<\?php\s+mb\_http\_input\(.+?\.php\_uname\(\)\..+?Upload\s+Failed\s+\!\!\!.+?while\(\$email\[\$i\]\).+?\$voy\+\+\;\s+\}\s+\?>\s+<\/DIV>\s+<\/div>\s+<\/form>/is,
qr/<\?php.+?\/\/w4l3XzY3\s+wuz\s+here\s+if\(isset\(\$\_POST\[\'action\'\]\s+\)\s+\)\{.+?\?>\s+<\?php\s+if\(isset\(\$\_GET\[\'u\'\]\).+?\.php\_uname\(\)\..+?\}\s+\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+echo\s+\"walex\\n\"\;\s+echo\s+php\_uname\(\)\;\s+\@unlink\(\_\_FILE\_\_\)\;\s+\?>/is,
new patterns
2018-04-07 12:49:05 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=.+?\;\$([A-z0-9]{1,20})\s+\=\s+false\;\$.+?\;\$([A-z0-9]{1,20})\s+\=\s+false\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$([A-z0-9]{1,20})\s+\=\s+([0-9]{1,20})\;\$([A-z0-9]{1,20})\s+\=\s+([0-9]{1,20})\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\s+\?>/is,
qr/<\!DOCTYPE.+?Spyus\s+ANH\s+Mailer.+?PRIV8\s+MA\!L3R.+?<\?php\s+\(\@copy\(\$\_FILES\[.+?<\/script>\s+<\/body>\s+<\/html>/is,
qr/<\?php.+?priv8.+?eval\(.+?\}\?>/is,
qr/<\?php\s+if\s+\(\!function\_exists\(.+?\=\s+base64\_decode\(\$.+?preg\_match\(base64\_decode\(.+?\)\)\;\s+\?>/is,
qr/<\?php\s+eval\s+\(\$\_POST\[\d\]\)\;\s+\?>/is,
qr/<\?php\s+\$auth\_pass\s+\=\s+\"\"\;.+?\$default\_action\s+\=\s+base64\_decode\(\'.+?eval\(base64\_decode\(.+?\)\)\;\s+return\;\s+\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\"\w\"\]\)\)\s+\{\$\w\=\"ass\"\.\"ert\"\;\$\w\=\$\w\(\$\_REQUEST\[\"\w\"\]\)\;\}\?>/is,
new patterns
2018-04-07 13:16:49 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\=\s+array\(\'base\'\s+\,\'64\_d\'\s+\,\'ecod\'\s+\,\'e\'\)\;\s+\$.+?\=\s+array\(\'g\'\,\s+\'z\'\,\s+\'u\'\,\s+\'n\'\,\s+\'c\'\,\s+\'o\'\,\s+\'m\'\,\s+\'p\'\,\s+\'r\'\,\s+\'e\'\,\s+\'s\'\,\s+\'s\'\)\s+\;\$.+?\)\;\s+eval\s+\(\s+\$.+?\)\s+\)\s+\)\s+\)\s+\;\s+\?>/is,
new patterns
2018-04-08 12:13:49 +02:00
qr/<\?\s+error\_reporting\(0\)\;\$\w\=\(isset\(\$\_SERVER\[\"HTTP\_HOST\"\]\)\?\$\_SERVER\[.+?if\(\$\w\=file\_get\_contents\(base64\_decode\(.+?\$\w\=curl\_exec\(\$\w+\)\;curl\_close\(\$\w+\)\;eval\(\$\w\)\;\}\;die\(\)\;\s+\?>/is,
qr/<\?php.+?\$wordpress\_main\_content.+?\$joomla\_main\_content.+?return\s+false\;\s+\}\s+\?>/is,
qr/<\?php.+?zen\.spamhaus\.org.+?implode\(\"\.\"\,\s+array\_reverse\(explode\(\"\.\"\,\s+\$.+?echo\(result\(array\(.+?\?>/is,
qr/<\?php\s+\/\*\s+([A-z0-9]{1,20})\s+\*\/\s+\$eval\=\(\"\?>\"\.gzuncompress\(base64\_decode\(.+?\)\)\)\;\@eval\(\$eval\)\;\s+\?>/is,
qr/\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\s+\=\s+\'decode\'\;\s+\$([A-z0-9]{1,20})\s+\=\s+str\_replace\(.+?\$([A-z0-9]{1,20})\s+\=\s+str\_replace\(.+?function\s+get\_data\_ya\(\$url\)\s+\{.+?function\s+wp\_cd\(.+?unlink\(\"\{\$([A-z0-9]{1,20})\}\.\$([A-z0-9]{1,20})\"\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+\'([A-z0-9]{1,20})\'\;\s+\}/is,
qr/<\?php\s+echo\s+\"Uname\:\"\.system\(\'uname\s+\-a\'\)\;.+?return\s+\$info\;\s+\}\s+\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(\$([A-z0-9]{1,20})\_\=implode\(\"\"\,\$\_POST\)\)\{\$([A-z0-9]{1,20})\_\=tmpfile\(\)\;fwrite\(\$([A-z0-9]{1,20})\_\,rawurldecode\(\$([A-z0-9]{1,20})\_\)\)\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=stream\_get\_meta\_data\(\$([A-z0-9]{1,20})\_\)\;require\_once\(\$([A-z0-9]{1,20})\[\"uri\"\]\)\;\/\*([A-z0-9]{1,20})\*\/\}else\s+die\(\"error\"\)\;\?>/is,
qr/<\?php.+?b374k.+?\$GLOBALS\[\'pass\'\]\s+\=.+?\$func\=\"cr\"\.\"eat\"\.\"e\_fun\"\.\"cti\"\.\"on\"\;\$b374k\=\$func\(\'\$\w\'\,\'ev\'\.\'al\'\.\'\(\"\?>\"\.gz\'\.\'un\'\.\'com\'\.\'pre\'\.\'ss\(ba\'\.\'se\'\.\'64\'\.\'\_de\'\.\'co\'\.\'de\(\$\w\)\)\)\;\'\)\;\$b374k\(\".+?\)\;\?>/is,
new patterns
2018-04-12 06:07:21 +02:00
qr/<\?php\s+\$target\_path\=basename\(\$\_FILES\[.+?\]\)\;if\(move\_uploaded\_file\(\$\_FILES\[.+?><input\s+type\=\"submit\"\s+value\=\"Upload\s+File\"\/><\/form>/is,
qr/<\?php\s+\$auth\s+\=.+?function\s+display\_auth\_form\(\)\s+\{.+?auth\(\)\;.+?if\s+\(isset\(\$\_POST\[\'action\'\]\)\).+?default\:\s+return\;\s+\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\]\;\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$([A-z0-9]{1,20})\[\d\d\]\.\$([A-z0-9]{1,20})\[\d\]\.\$([A-z0-9]{1,20})\[\d\d\].+?\}\s+\}\s+if\s+\(\$([A-z0-9]{1,20})\s+>\=\s+\$([A-z0-9]{1,20})\)\s+\{\s+\$([A-z0-9]{1,20})\s+\+\=\s+1\;\s+\}\s+return\s+\$([A-z0-9]{1,20})\;\s+\}/is,
fixes & new patterns
2018-04-12 12:02:09 +02:00
qr/<\?php.+?eval\(\"\\\$\w\=gzin\"\.\"flate\(base\"\.\"64\_de\"\.\"code\(\\\".+?\\\"\)\)\;\"\)\;eval\(\"\?>\"\.\$\w\)\;\s+\?>/is,
new pattern
2018-04-12 12:46:02 +02:00
qr/<\?php\s+\$.+?\=\s+\'gzu\'\.\s+\'nco\'\.\s+\'mpr\'\.\s+\'ess\'\;\$.+?\=\s+\'b\'\s+\.\'a\'\s+\.\'s\'\s+\.\'e\'\s+\.\'6\'\s+\.\'4\'\s+\.\'\_\'\s+\.\'d\'\s+\.\'e\'\s+\.\'c\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'\;\$.+?\=\s+\'im\'\s+\.\'pl\'\s+\.\'od\'\s+\.\'e\'\;\$.+?\=\s+array\(.+?eval\(.+?\)\)\)\)\;\s+\?>/is,
new patterns
2018-04-12 13:47:41 +02:00
qr/\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\=\'\'\;\@eval\(base64\_decode\(.+?\)\)\;\/\*\,\*\//is,
qr/<\?php\s+preg\_replace\(\"\\x.+?\\x3B\"\,\"\"\)\;\s+\?>/is,
qr/<\?php.+?WordPress\s+Options\s+Header.+?eval\(gzinflate\(base64\_decode\(rawurldecode\(.+?\)\)\)\)\;\s+\?>/is,
new patterns
2018-04-12 21:07:03 +02:00
qr/<\?php\s+\$extraneous\=base64\_decode\(.+?\)\;\s+eval\(\"return\s+eval\(\\\"\$extraneous\\\"\)\;\"\)\s+\?>/is,
qr/<\?php\s+header\(\'Location\:\s+http\:\/\/.+?\/\'\)\;exit\;\s+\?>/is,
qr/<\?php\s+\$code\=base64\_decode\(.+?\)\;\s+eval\(\"return\s+eval\(\\\"\$code\\\"\)\;\"\)\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{20,})\"\;\$([A-z0-9]{1,20})\s+\=.+?\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+false\;\$.+?\$([A-z0-9]{1,20})\s+\=\s+false\;\$([A-z0-9]{1,20})\s+\=\s+false\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{20,})\"\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{1,20})\"\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{20,})\"\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{1,20})\"\;\$([A-z0-9]{1,20})\s+\=\s+false\;\$.+?\$([A-z0-9]{1,20})\s+\=\s+([0-9]{1,20})\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$.+?\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{20,})\"\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{1,20})\"\;\s+\?>/is,
qr/<\?php\s+\/\*versio\:\d\.\d\d\*\/\s+\$GLOBALS\[\"yfegmf\"\]\=\".+?\$GLOBALS\[\'yfegmf\'\]\;\$.+?\)\)\;\}\;eval\(.+?\)\)\;\}\;\?>/is,
qr/<\?php.+?if\(isset\(\$\_REQUEST\[.+?\]\;\s+eval\(\$.+?\)\;\s+exit\(0\)\;\s+\}\s+if\(isset\(\$\_REQUEST\[.+?\=\s+fwrite\(\$.+?\)\;\s+echo\s+\$([A-z0-9]{1,20})\;\s+exit\(\)\;\s+\}\s+\?>/is,
new patterns
2018-04-13 10:32:14 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(\$\_POST\[.+?\=\s+stripslashes\(base64\_decode\(\$\_POST\[.+?\=\s+stripslashes\(base64\_decode\(\$\_POST\[.+?\=\s+mail\(stripslashes\(\$.+?if\(\$([A-z0-9]{1,20})\)\{echo\s+\'([A-z0-9]{1,20})\'\;\}\s+else\s+\{echo\s+\'([A-z0-9]{1,20})\s+\:\s+\'\s+\.\s+\$([A-z0-9]{1,20})\;\}/is,
qr/<\?php\s+\/\/([A-z0-9]{100,}).+?eval\(base64\_decode\(.+?\)\)\;\s+\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;.+?\$hash\s+\=.+?\$search\s+\=\s+\'\'\;\s+\$wp\_file\_descriptions\s+\=\s+array\(.+?\/\/\s+Deprecated\s+files\s+\'md5\_check\.php\'\s+\=>.+?\$wp\_template\s+\=\s+\@preg\_replace\(.+?\]\)\;\s+\?>/is,
qr/<\?php.+?function\s+pre\_term\_name\(\s+\$wp\_kses\_data\,\s+\$wp\_nonce\s+\)\s+\{.+?\$wp\_default\_logo\s+\=.+?echo\s+\$wp\_auth\_check\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\(\'\'\,\s+\'.+?\)\;\s+\$([A-z0-9]{1,20})\(\)\;/is,
qr/<\?php\s+if\s+\(\$\_REQUEST\[.+?\$in\_data\s+\=\s+base64\_decode\(\$\_REQUEST\[\'query\'\]\)\;.+?\{echo\s+\'bad\s+request\'\;\}.+?\}\s+else\s+\{echo\s+\'not\s+found\'\;\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;.+?\=\s+stripslashes\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;.+?\}\s+else\s+\{echo\s+\'([A-z0-9]{1,20})\s+\:\s+\'\s+\.\s+\$([A-z0-9]{1,20})\;\}/is,
qr/<\?php\s+header\(\"HTTP\/1\.0\s+404\s+Not\s+Found\"\)\;.+?if\(\!empty\(\$\_REQUEST\[\$.+?\=\"ass\"\.\/\*\;\$\w\=\*\/\"ert\"\;\@\$\w\(stripslashes\(\$\_REQUEST\[\$.+?\]\)\)\;\}else\@unlink\(\_\_FILE\_\_\)\;.+?\/\/([A-z0-9]{5,})\s+\?>/is,
new patterns
2018-04-13 12:17:57 +02:00
qr/<\?php\s+\$.+?\=\s+\'st\'\.\'rr\'\.\'ev\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\(\'eta\'\.\'lfn\'\.\'izg\'\)\;eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$.+?\(\'\'\,\$([A-z0-9]{1,20})\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'gzu\'\.\s+\'nco\'\.\s+\'mpr\'\.\s+\'ess\'\;\$([A-z0-9]{1,20})\s+\=\s+\'b\'\s+\.\'a\'\s+\.\'s\'\s+\.\'e\'\s+\.\'6\'\s+\.\'4\'\s+\.\'\_\'\s+\.\'d\'\s+\.\'e\'\s+\.\'c\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'\;\$([A-z0-9]{1,20})\s+\=\s+\'imp\'\s+\.\'lod\'\s+\.\'e\'\;\$.+?\=\s+array\(.+?\)\;\s+eval\(\s+\$([A-z0-9]{1,20})\s+\(\$([A-z0-9]{1,20})\s+\(\$([A-z0-9]{1,20})\s+\(\'\'\,\$.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$.+?\=\s+\'gzu\'\.\s+\'nco\'\.\s+\'mpr\'\.\s+\'ess\'\;\$([A-z0-9]{1,20})\s+\=\s+\'ba\'\s+\.\'se\'\s+\.\'64\'\s+\.\'\_d\'\s+\.\'ec\'\s+\.\'od\'\s+\.\'e\'\;\$([A-z0-9]{1,20})\s+\=\s+\'imp\'\s+\.\'lod\'\s+\.\'e\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\)\;\s+eval\(\s+\$.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$.+?\=\s+\'s\'\.chr\(.+?\)\.\'rrev\'\;\$.+?\=\s+array\(.+?\(\'e\'\.\'t\'\.\'a\'\.\'l\'\.\'f\'\.\'n\'\.\'i\'\.\'z\'\.\'g\'\)\;eval\(\$.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?array\(\'base\'\s+\,\'64\_d\'\s+\,\'ecod\'\s+\,\'e\'\)\;\s+\$.+?\=\s+array\(\'gzun\'\,\s+\'comp\'\,\s+\'ress\'\)\s+\;\$.+?eval\s+\(\s+\$.+?\)\s+\)\s+\)\s+\)\s+\;\s+\?>/is,
qr/<\?php\s+\$.+?\)\.\'rev\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\(\'edo\'\.\'lpm\'\.\'i\'\)\;\$.+?\(\'eta\'\.\'lfn\'\.\'izg\'\)\;eval\(\$.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'st\'\.\'rr\'\.\'ev\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\(\'edo\'\.\'ced\'\.\'\_46\'\.\'esa\'\.\'b\'\)\;\$.+?\(\'edo\'\.\'lpm\'\.\'i\'\)\;\$.+?\)\;eval\(\$.+?\)\)\)\)\;\s+\?>/is,
new patterns
2018-04-13 14:10:44 +02:00
qr/<\?php\s+function\s+inject\_gtm\(\$file\,\s+\&\$arr\).+?\$script\s+\=\s+\'\$\{.+?<<\/DEL\_FAIL>>\"\;\s+\}/is,
qr/<\?php\s+\$\{\"\\x.+?\;\$\{\"GLOB\\x.+?\)\;\$\{\$\{.+?ALS\"\}\[\".+?\@\$\{\$([A-z0-9]{1,20})\}\(\$\_POST\[\"\w\"\]\)\;echo.+?\;\?>/is,
qr/<\?php\s+echo.+?\.php\_uname\(\)\..+?Upload.+?Upload.+?Upload.+?\}\s+\}\s+\?>/is,
new patterns
2018-04-14 06:07:40 +02:00
qr/<\?php\s+\$.+?\'gz\'\.\s+\'un\'\.\s+\'co\'\.\s+\'mp\'\.\s+\'re\'\.\s+\'ss\'.+?\'bas\'\s+\.\'e64\'\s+\.\'\_de\'\s+\.\'cod\'\s+\.\'e\'.+?\'i\'\s+\.\'m\'\s+\.\'p\'\s+\.\'l\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'.+?array\(.+?eval\(.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'s\'\.\'t\'\.\'r\'\.\'r\'\.\'e\'\.\'v\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\(\'et\'\.\'al\'\.\'fn\'\.\'iz\'\.\'g\'\)\;eval\(\$.+?\)\)\)\)\;\s+\?>/is,
fixes & patterns
2018-04-15 10:00:54 +02:00
qr/<\?php\s+eval\(\"\\n\\\$([A-z0-9]{1,20})\s+\=\s+intval\(\_\_LINE\_\_\)\s+\*\s+337\;\"\)\;.+?eval\s+\(gzinflate\(base64\_decode\(\$\w\)\)\)\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\$\_POST\[\'([A-z0-9]{1,20})\'\]\;if\(\$([A-z0-9]{1,20})\!\=\'\'\)\{\$([A-z0-9]{1,20})\=base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\@eval\(\"\\\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\;\"\)\;\}/is,
fixes
2018-04-16 10:07:18 +02:00
qr/<\?php\s+if\s+\(isset\(\$\_POST\[.+?\$email\s+\=\s+\@base64\_decode\(.+?return\s+jk\_\_\_\(\$url\)\;\s+\}\s+\}\s+\}/is,
new pattern
2018-04-15 13:06:10 +02:00
qr/<\?php\s+\/\*Details.+?\$auth\_pass\s+\=.+?\$\_\_\=s\(base64\_decode\(.+?\$\_\=create\_function\(\"\"\,\@gzuncompress\(\$\_\_\)\)\;\$\_\(\)\;\?>/is,
new scanner & new patterns
2018-04-16 08:56:42 +02:00
qr/eval\(str\_rot13\(\'([A-z0-9]{1,20})\s+([A-z0-9]{1,20})\_([A-z0-9]{1,20})\(\)\{\$\w\=.+?\$\w\=([A-z0-9]{1,20})\(\_\_([A-z0-9]{1,20})\_\_\)\..+?\}\}([A-z0-9]{1,20})\_([A-z0-9]{1,20})\(\)\;\'\)\)\;/is,
new patterns
2018-04-16 14:18:07 +02:00
qr/<html>\s+<head>\s+<title>Local\s+DOMAIN\:USER\s+Show\s+\|\s+by\s+\[\s+Lagripe\-Dz\s+\]<\/title>.+?\@implode\(\@file\(\"\/etc\/named\.conf\"\)\)\;.+?<\/body>\s+\<\/html>/is,
qr/<\?php.+?\'gz\'\.\s+\'un\'\.\s+\'co\'\.\s+\'mp\'\.\s+\'re\'\.\s+\'ss\'.+?\'base\'\s+\.\'64\_d\'\s+\.\'ecod\'\s+\.\'e\'.+?\'i\'\s+\.\'m\'\s+\.\'p\'\s+\.\'l\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'.+?array\(.+?eval.+?\?>/is,
qr/<\?php\s+\$auth\_pass.+?Shell.+?\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\$pass\s+\=.+?Blackwave\s+Mass\s+Defacer.+?Contact\s+Me<\/font>/is,
qr/<\?php.+?PHP\s+Encoder\s+priv8.+?set\_time\_limit\(0\)\;error\_reporting\(0\)\;preg\_replace\(\"\\x.+?\)\;\s+\?>/is,
qr/<\?php\s+\$color\s+\=\s+\"\#df5\"\;.+?FilesMan.+?Found\'\)\;\s+exit\;/is,
qr/<\?php.+?\$wp\_object\_cache\s+\=.+?strrev\(\'edo\'\.\'c\'\.\'ed\_4\'\.\'6e\'\.\'sab\'\)\;.+?strrev\(\'ecalp\'\.\'er\'\.\'\_ge\'\.\'rp\'\)\;.+?\\x3B\"\,\"\.\"\)\;\s+\?>/is,
qr/\#\!\/usr\/bin\/perl.+?use\s+MIME\:\:Base64.+?\}\)\{print\s+decode\_base64\(\$.+?system\(decode\_base64\(\$.+?<\/pre>\"\}\}/is,
qr/\#Coded\s+By.+?AddHandler\s+cgi\-script\s+\.alfa/is,
qr/\#\!\/usr\/bin\/perl\s+\-I\/usr\/local\/bandmin\s+use\s+MIME\:\:Base64\;use\s+Compress\:\:Zlib\;eval\(Compress\:\:Zlib\:\:memGunzip\(decode\_base64\(.+?\)\)\)\;/is,
qr/\#\!\/usr\/bin\/python\s+import\s+zlib\,\s+base64\s+eval\(compile\(zlib\.decompress\(base64\.b64decode\(.+?\)\)\,\'<string>\'\,\'exec\'\)\)/is,
qr/<center><H2>\s+<SCRIPT>.+?function\s+string2array\(text\).+?while\(farben\.length<text\.length\).+?\/\/document\.write\(text\)\;\s+<\/SCRIPT><\/H2><\/center>/is,
qr/<\!DOCTYPE.+?Stupidc0de\s+Shell.+?\+\s+copyright\s+\+.+?<\/div>\s+<\/BODY><\/html>/is,
qr/<\?php.+?\$me\s+\=\s+basename\(\_\_FILE\_\_\)\;\s+\$cookiename\s+\=.+?ours\s+\:\-\)\s+exit\(\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\)\s+or\s+die\;\/\*\'\..+?\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(false\,\$([A-z0-9]{1,20})\(\$.+?\'\;/is,
qr/<\?php\s+\$sh\_name\s+\=\s+\"x0rg\-Bypass\s+w0rms\.com\"\;.+?Restricted\s+Area.+?capriv8exit\(\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\)die\;eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20}).+?\$\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\&\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\=\(\/\*.+?\)\)eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\).+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\=\(([A-z0-9]{1,20})\.\'@\'\..+?\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\/\*.+?\)\;eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;.+?\'\;/is,
qr/<\?php\s+\$OO00O0\=\d\;eval\(gzinflate\(base64\_decode\(str\_rot13\(.+?\)\)\)\)\;\?>/is,
qr/<\?php\s+\$OO00O0\=\d\;eval\s+\(gzinflate\s+\(base64\_decode\s+\(str\_rot13\s+\(.+?\)\)\)\)\;\?>/is,
new pattern
2018-04-20 20:15:02 +02:00
qr/RewriteRule\s+\^g\(\\d\+\)\[\-\/\]\.\*.+?RewriteRule\s+\^v\(\\d\+\)\[\-\/\]\.\*.+?RewriteRule\s+\^\.\*\[\-\/\]g\(\\d\+\)\[\-\/\]v\(\\d\+\)\[\-\/\]\.\*\$\s+index\\\.php\?id\=\$1\-\$2\&\%\{QUERY\_STRING\}\s+\[L\]/is,
new patterns
2018-04-21 06:52:05 +02:00
qr/<\?php.+?\@system\(\"killall\s+\-9\s+\"\.basename\(\"\/usr\/bin\/host\"\)\)\;.+?\@unlink\(\"1\.sh\"\)\;\s+\?>/is,
qr/<\?php.+?function\s+getDirContents\(\$dir\)\s+\{.+?if\(unlink\(\$path\.\'\/wp\-admin\/update\-core\.php\'\)\)\s+\{.+?\}\s+\}\s+\?>/is,
new patterns
2018-04-21 07:47:03 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'.+?\'\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\'\'\,\'.+?\;\$([A-z0-9]{1,20})\.\=\"\\x\d\w\\x\d\d\"\;\s+\$([A-z0-9]{1,20})\.\=\".+?\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\)\;\?>/is,
new patterns
2018-04-21 09:52:00 +02:00
qr/<\?php\s+if\(isset\(\$\_SERVER\[\"HTTP\_USER_AGENT\"\]\)\s+\&\&\s+\!empty\(\$\_SERVER\[\"HTTP\_USER\_AGENT\"\]\)\s+\&\&\s+\!preg\_match\(\"\/google\|bot\|msn\|spider\|crawl\|spam\/i\"\,\$\_SERVER\[\"HTTP\_USER\_AGENT\"\]\)\)\s+\{\s+header\(\"Location\:\s+http\:\/\/.+?\"\)\;\}\?>/is,
qr/<\?php\s+\$.+?\=\s+\'gzun\'\.\s+\'comp\'\.\s+\'ress\'\;\$.+?\=\s+\'b\'\s+\.\'a\'\s+\.\'s\'\s+\.\'e\'\s+\.\'6\'\s+\.\'4\'\s+\.\'\_\'\s+\.\'d\'\s+\.\'e\'\s+\.\'c\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'\;\$.+?\=\s+\'i\'\s+\.\'m\'\s+\.\'p\'\s+\.\'l\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'\;\$.+?array\(.+?eval.+?\?>/is,
qr/<\?php\s+\$.+?\=\s+\'s\'\.\'t\'\.\'r\'\.\'r\'\.\'e\'\.\'v\'\;\$.+?\(\'e\'\.\'d\'\.\'o\'\.\'c\'\.\'e\'\.\'d\'\.\'\_\'\.\'4\'\.\'6\'\.\'e\'\.\'s\'\.\'a\'\.\'b\'\)\;\$.+?eval.+?\?>/is,
qr/<\?php\s+\$.+?\=\s+\'str\'\.\'rev\'\;\$.+?array.+?\(\'edolpmi\'\)\;\$.+?eval.+?\?>/is,
new patterns
2018-04-21 10:21:35 +02:00
qr/<\?php.+?1337.+?\?>\s+<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?eval\(\"\?>\"\.\(base64\_decode\(\$([A-z0-9]{1,20})\)\)\)\;\s+\?>/is,
qr/<\?php\s+\/\*.+?UBH\s+CSU.+?add\_action\(\"\\x.+?plugins\_url\(.+?\?>/is,
qr/<\?php\s+\$\{\"GLOBAL\\x.+?\"\]\,\"\"\.\$\_FILES\[\".+?\"\]\}\=str\_replace\(\".+?\"\;\}\}\s+\?>/is,
qr/<\?php\s+\/\*\s+b374k.+?if\(isset\(\$\_COOKIE\[\'b374k\'\]\)\)\{.+?\.\$s\_name\;\s+\?><\/p>\s+<\/body>\s+<\/html>/is,
new patterns
2018-04-21 10:45:27 +02:00
qr/<\?php\s+function\s+sgen\(\)\s+\{\$vals\s+\=\s+\"abcdefghijklmnopqrstuvwxyz\"\;\s+\$result\s+\=\s+\"\"\;\s+for\(\$i.+?\.sgen\(\)\.\"\=\"\.bin2hex\(\$\_SERVER\[.+?exit\;\s+\?>/is,
new patterns
2018-04-21 11:38:45 +02:00
qr/<\?php\s+\$cookey\s+\=\s+\"([A-z0-9]{1,20})\"\;\s+preg\_replace\(\"\\x\d\d.+?\\x3b\"\)\;\s+\?>/is,
qr/<\?php\s+if\(\!isset\(\$GLOBALS\[\"\\x\d\d.+?\]\)\)\s+\{\s+\$ua\=strtolower\(\$\_SERVER\[\"\\x\d\d.+?\)\)\)\s+\$GLOBALS\[\"\\x\d\d.+?\]\=1\;\s+\}\s+\?>/is,
new patterns
2018-04-21 12:01:01 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+Array\(.+?function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\{\$([A-z0-9]{1,20})\s+\=\s+\'\'\;\s+for\(\$i\=0.+?return\s+base64\_decode\(\$([A-z0-9]{1,20})\)\;\}\s+\$([A-z0-9]{1,20}).+?eval\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\)\;\?>/is,
qr/<\?php.+?hello\_dolly.+?\$cookey\s+\=\s+\"([A-z0-9]{1,20})\"\;\s+preg\_replace\(\"\\x\d\d.+?\\x3b\"\)\;.+?add\_action\(\s+\'admin\_head\'\,\s+\'dolly\_css\'\s+\)\;\s+\?>/is,
qr/<\?php\s+\$cookey\s+\=\s+\"([A-z0-9]{1,20})\"\;\s+preg\_replace\(\"x.+?\"\)\;\s+\?>/is,
new patterns
2018-04-21 12:25:42 +02:00
qr/<\?php\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php.+?\$pos\s+\=\s+strpos\(\$haystack\,\s+\$needle\)\;.+?function\s+mailer\_spam\_cycle\(.+?\'OK\'\)\;\s+\}/is,
qr/<html>.+?parent\.window\.opener\.location\=\"http\:\/\/redirg\.info\/\?access\=.+?<\/html>/is,
new patterns
2018-04-21 12:33:35 +02:00
qr/<\?php.+?\{if\(is\_uploaded\_file\(\$\_FILES\[\"filename\"\]\[\"tmp\_name\"\]\)\)\{.+?\@eval\(\$uidmail\)\;\s+\}/is,
qr/([0-9]{20,})<\?php\s+\@eval\(\$\_POST\[\'c\'\]\)\;\s+die\(\)\;\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;echo\'404\-NOT\-FOUND\-ERROR\'\;\s+\$([A-z0-9]{1,20})\=gzinflate\(base64\_decode\(.+?\}\}closedir\(\$([A-z0-9]{1,20})\)\;\?>/is,
qr/<\?php\s+\@eval\(\$\_POST\[([A-z0-9]{1,20})\]\)\;\?>/is,
new patterns
2018-04-21 13:22:44 +02:00
qr/<\?php.+?Joomla\.Site.+?\$p\s+\=\s+getcwd\(\)\;\s+echo\s+\$p\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\s+\=\s+str\_replace\(.+?\(\)\;\s+\?>/is,
qr/<\?PHP\s+\$login.+?\$pass.+?\$md5\_pass\s+\=\s+\"\"\;\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\/\/\?\?\?\?\?\s+\?>/is,
qr/<\?php.+?if\(\$chk\_login\s+\=\=\s+true\).+?mass\s+mailer\s+\|\:\..+?Sending\s+Completed.+?\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php.+?\@system\(\"killall\s+\-9\s+\"\.basename\(\"\/usr\/bin\/host\"\)\)\;.+?\$so32\s+\=\s+\"\\x.+?\/usr\/bin\/host\"\)\;\s+\?>/is,
qr/<\?php\s+eval\s+\(gzinflate\(base64\_decode\(str\_rot13\(.+?\)\)\)\)\;\s+\?>/is,
qr/\#\!\/bin\/sh.+?sd\@fucksheep\.org.+?\.\/exploit\s+fi/is,
qr/<\?php.+?eMail\s+\~>\s+RealUnix\.net.+?print\s+file\_get\_contents\(\$i\)\;\s+exit\;\s+\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php.+?class\s+viaWorm\s+\{.+?public\s+function\s+analyzePossibleIndexes\(\)\{.+?\$result\s+\=\s+viaWorm\:\:processHost\(\)\;.+?echo\s+json\_encode\(\$result\)\;\s+exit\(\)\;/is,
qr/<html>.+?Owned\s+by\s+Widex.+?root\@Widex\:\s+\.\/logout<\/p>\s+<\/body>\s+<\/html>/is,
qr/\/\*\s+exploit\s+lib\s+\*\/.+?struct\s+exploit\_state\s+\{.+?pa\_\_init\(NULL\)\;\s+return\s+0\;\s+\}/is,
qr/\/\*.+?sd\@fucksheep\.org.+?struct\s+exploit\_state\s+\{.+?unlink\(\"\.\/suckit\_selinux\_nopz\"\)\;\s+exit\(1\)\;\s+\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\"\_\"\.\'G\'\.\'E\'\.\'T\'\;\s+if\s+\(isset\(\s+\$\{\$([A-z0-9]{1,20})\}\[\'\d\d\'\]\)\)\s+preg\_replace\(\'\/\'\.\'\.\*\/e\'\,\s+\'ev\'\.\'al\s+\(\s+\$\'\.\$([A-z0-9]{1,20})\.\'\[\"\d\d\"\]\)\'\,\s+\'\'\)\;\s+\?>/is,
new patterns
2018-04-21 13:34:01 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\)eval\(\/\*\'\..+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\,\$([A-z0-9]{1,20})\(null\,\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\).+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\;if\(\!\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\/\*\'\.\s+\'\)\*\/\$([A-z0-9]{1,20})\)\)\,\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\(.+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\..+?\'\;/is,
new patterns
2018-04-23 06:51:01 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?die\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(false\,\/\*.+?\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\).+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\'\.\/\*([A-z0-9]{1,20})\'\.\s+\'\?\*\/([A-z0-9]{1,20})\.\'.+?\*\/\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\(\$.+?\(false\,\/\*([A-z0-9]{1,20})\'\.\s+\'([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\;.+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'.+?\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\)\)\=\=\$([A-z0-9]{1,20})\.\/\*([A-z0-9]{1,20})\'\..+?\$([A-z0-9]{1,20})\(false\,\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\;.+?\'\;/is,
bug fixes
2018-04-23 07:08:59 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,array\(\$([A-z0-9]{1,20})\,\/\*([A-z0-9]{1,20})\'\.\s+\'([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\,\$([A-z0-9]{1,20})\)\)\;.+?\'\;/is,
new patterns
2018-04-23 06:51:01 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\_([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\*\/\$([A-z0-9]{1,20})\)\)\,\$([A-z0-9]{1,20})\)\)exit\;\$([A-z0-9]{1,20})\(\$.+?array\(\(\'.+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\W.+?\*\/\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20}).+?\'\@\@\@\@.+?\)\;if\(\!\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\,\/\*\'\..+?\'\;/is,
qr/<\?php\s+\$key\=\"([A-z0-9]{32})\"\;\s+if\(md5\(\$\_COOKIE\[\"key\"\]\)\s+\=\=\s+\$key\)\s+\{\s+eval\s+\(\s+base64\_decode\s+\(\$\_POST\[\"code\"\]\)\)\;\s+\}\s+\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\_POST\[.+?urldecode\(\$\_SERVER\[\'QUERY\_STRING\'\]\)\;.+?\$email\s+\=\s+\@base64\_decode\(\$.+?return\s+jk\_\_\_\(\$url\)\;\s+\}\s+\}\s+\}/is,
new patterns
2018-04-23 07:34:22 +02:00
qr/<\?php\s+\$.+?\=\s+array\(\'.+?array\(\'ba\'\s+\,\'se\'\s+\,\'64\'\s+\,\'\_d\'\s+\,\'ec\'\s+\,\'od\'\s+\,\'e\'\)\;\s+\$.+?array\(\'gz\'\,\s+\'un\'\,\s+\'co\'\,\s+\'mp\'\,\s+\'re\'\,\s+\'ss\'\)\s+\;\$.+?eval.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'.+?64\_d.+?array\(.+?eval.+?\$([A-z0-9]{1,20}).+?\?>/is,
new patterns
2018-04-23 08:56:50 +02:00
qr/<\?php.+?\$color\s+\=\s+\"\#df5\"\;.+?FilesMan.+?\?>/is,
new pattern
2018-04-23 10:17:46 +02:00
qr/<\?php\s+\@preg\_replace\(\"\/\[pageerror\]\/e\"\,\$\_POST\[\'([A-z0-9]{1,20})\'\]\,\"([A-z0-9]{1,20})\"\)\;\s+\?>/is,
new patterns
2018-04-23 10:43:31 +02:00
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\s+\=\s+str\_replace\(\"\w\"\,\"\"\,\"s\wtr\w\_\wr\we\wpl\wa\wc\we\"\)\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\=\=\"\;\s+\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\(\"\w\"\,\s+\"\"\,\s+\"\wb\wa\ws\we6\w4\w_d\we\wco\wde\"\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\(\"\w\"\,\"\"\,\"cr\we\wat\we\w\_\wf\wu\wnc\wt\wi\won\"\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\(\'\'\,\s+\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\"\w\"\,\s+\"\"\,\s+\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\)\)\)\;\s+\/\/\$([A-z0-9]{1,20})\(\)\;\s+\?>/is,
qr/<\?php\s+\/\*\*\*\*find\s+config\s+files\*\*\*\*\/.+?if\s+\(\!\$ErrorMsg\)\{.+?\}\s+\?>/is,
qr/<\?php\s+\$wphash.+?\$rootpath\s+\=\s+preg\_replace\(\'\/\(htdocs\|httpdocs\|www\).+?\$ErrorMsg\s+\=\s+mysql\_error\(\)\;.+?\}\s+\?>/is,
qr/<\?php\s+\$auth\_pass\s+\=.+?\(base64\_decode\(.+?\)\;\$\_\=create\_function\(\"\"\,\@gzuncompress\(\$\_\_\)\)\;\$\_\(\)\;\?>/is,
new patterns
2018-03-30 10:04:44 +02:00
);
my @base64_decodes = (
);
my @file_list;
my %possible_list;
my $start_dir = $ENV{'SCRIPT_FILENAME'} || '../';
$start_dir =~ s/\/cgi-bin//;
$start_dir =~ s/\/lp-msh-scanner//;
$start_dir = substr($start_dir, 0, rindex($start_dir, '/'));
dir ($start_dir);
print "<br />\n<br />\n";
print 'Infected Files (' . scalar(@file_list) . "):<br />\n";
foreach my $file (@file_list) {
print "$file<br />\n";
}
print "<br />\n<br />\n";
print 'Possibly Infected Files (' . scalar(keys(%possible_list)) . "):<br />\n";
foreach my $key (keys(%possible_list)) {
print "$key => $possible_list{$key}<br />\n";
}
sub dir {
my ($start_dir) = @_;
unless (opendir(DIR, $start_dir)) {
print "Skipping directory $start_dir: $! <br />";
return;
}
opendir(DIR, $start_dir) || die "$start_dir: $!";
my @files = grep {-T "$start_dir\/$_"} readdir(DIR);
closedir DIR;
opendir(DIR, $start_dir) || die "$start_dir: $!";
my @folders = grep {-d "$start_dir\/$_"} readdir(DIR);
closedir DIR;
foreach my $file (sort @files) {
next if $file eq 'error_log';
next if $file eq 'tcpdf.php';
next if $file eq 'charmap.php';
next if $file eq 'main-modules.php';
next if $file eq 'wp-super-cache.php';
next if $file eq 'user-edit.php';
next if $file eq 'youtube.php';
next if $file eq 'FMModelForm_maker_fmc.php';
new patterns
2018-04-12 06:07:21 +02:00
next if $file eq 'menu_scan.php';
new patterns
2018-03-30 10:04:44 +02:00
print "Scanning $start_dir/$file... ";
unless (-r "$start_dir/$file") {
print " Skipping file, unable to read file<br />";
next
}
if ((-s "$start_dir/$file") > 1024000) {
print " Skipping file, over 1MB<br />";
next
}
my $fh;
unless (open ($fh, '<', "$start_dir/$file")) {
print " Unable to read file, $!<br />";
next
}
my $contents = do { local $/; <$fh> };
close $fh;
my ($infected, $cleaned, $possible, $known, $sig);
foreach my $pattern (@regexen) {
my $t;
if ($contents =~ /$pattern/) {
my ($d, $t) = ($1, $2);
$infected = 1;
($contents, $cleaned) = clean_file("$start_dir/$file", $contents, $pattern);
push (@file_list, "$start_dir/$file");
}
$t = undef;
}
print $infected ? ($cleaned ? "<font color='green'>Infected, Cleaned<br /></font>\n" : "Infected, Cleaning failed<br />\n") : ($possible ? "Possibly Infected<br />\nSignature Unknown: $sig<br />\n" : "Not infected<br />\n");
}
foreach my $folder (sort @folders) {
if ($folder !~ /^\.\.?$/) {
dir("$start_dir/$folder");
}
}
}
sub clean_file {
my ($file, $contents, $pattern) = @_;
my $cleaned;
if ($contents =~ /\n{4}/) {
$contents =~ s/\n\n/\n/g;
}
$contents =~ s/$pattern//g;
if ($contents =~ /$pattern/) {
$cleaned = 0;
}
else {
open (my $fh, '>', $file);
print $fh $contents;
close $fh;
$cleaned = 1;
}
return ($contents, $cleaned);
}
1;
Reference in New Issue Copy Permalink