Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new patterns

Browse Source
This commit is contained in:
Palma Solutions LTD
2018-01-26 12:54:21 +01:00
parent 8b02938f66
commit 0282b1862a
1 changed files with 12 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
malware4.pl
View File

@@ -290,7 +290,18 @@ my @regexen = (
qr/<\?php\s+\@set\_time\_limit\(0\)\;\s+if\(isset\(\$\_POST\[\'Enoc\'\]\)\).+?<script>\s+alert\(\'\-\-\-Todos\s+Spammed\-\-\-\'\)\;\s+<\/script>.+?<\/html>/is,
qr/<\?php\s+\@date\_default\_timezone\_set\(\'UTC\'\)\;\$\_\_\_\_\=base64\_decode\(.+?\=create\_function\(\'\'\,\'\?>.+?\'\)\;\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;\$host\=base64\_decode.+?\$bot\=urlencode.+?\$ident\)eval\(stripslashes\(\$\_REQUEST\[base64\_decode\(.+?\)\]\)\)\;\?>/is,
qr/<\?php\s+\$payload\=.+?\;preg\_replace\(\'\/\.\*\/e\'\,\".+?\"\,\'\.\'\)\;\s+\?>/is,
qr/<\?php\s+function\s+\_([A-z0-9]{1,20})\(\$\_([A-z0-9]{1,20})\)\{\s+return\s+base64\_decode\(\$\_([A-z0-9]{1,20})\)\;\}\s+function\s+\_([A-z0-9]{1,20})\(\$\_([A-z0-9]{1,20})\)\{\s+return\s+gzinflate\(\$\_([A-z0-9]{1,20})\,0\)\;\}\s+function\s+\_([A-z0-9]{1,20})\(\$\_([A-z0-9]{1,20})\)\{\s+return\s+eval\(\$\_([A-z0-9]{1,20})\)\;\}.+?\"\;preg\_replace\(\'\/\.\*\/e\'\,\".+?\"\,\'\.\'\)\;\s+\?>/is,
qr/<\?php\s+\$\_([A-z0-9]{1,20})\=.+?\"\;\$\_([A-z0-9]{1,20})\=array\(.+?\)\;\$payload\=\".+?\"\"\;for\s+\(\$i\=.+?\Wx\d\d\"\)\;/is,
qr/<\?php\s+\$\{.+?set\_magic\_quotes\_runtime\(0\)\;if\(strtolower\(substr\(PHP\_OS\,0\,3\)\)\=\=.+?\{function\s+scandir\(\$dir\)\{\$\{.+?\"\;\}exit\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;.+?str\_replace\(\"\w\"\,\"\"\,\"s\wtr\w+r\we\wpl\wa\wc\we\"\)\;.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\"\w\"\,\s+\"\"\,\s+\"\wb\wa\ws\we6\w4\w+d\we\wco\wde\"\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\(\"\w\"\,\"\"\,\"cr\we\wat\we\w+f\wu\wnc\wt\wi\won\"\)\;.+?\?>/is,
qr/<\?php\s+\/\*\s+WSO.+?\=urldecode\(.+?eval\(\$GLOBALS\[.+?\=\=([A-z0-9]{1,20})/is,
qr/<\?php\s+set\_time\_limit\(0\)\;\s+header\(\"Content\-Type.+?function\s+listDir\(\$dir\)echo\s+\"ok\"\;\s+\?>/is,
qr/<\?php\s+\$\w\=base64\_decode\(\'.+?\'\)\.\$\_GET\[\'\w\'\]\.\'\w\'\;\@\$\w\(\$\_POST\[\'\w\'\]\)\;\?>abcabcabc/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_RE\"\.\"QUE\"\.\"ST\"\}\[\'.+?\'\]\)\)\{\$\w\=\"ass\"\.\"ert\"\;\$\w\(\$\{\"\_REQUEST\"\}\[\'.+?\'\]\)\;exit\;\}/is,
qr/<\?php\s+\/\*.+?\*\/if\/\*.+?\*\/\(isset\(\$\_COOKIE\[\".+?\"\]\)\)\{\$\_COOKIE\[\".+?\"\]\(\$\_COOKIE\[\".+?\"\]\)\;exit\;\}\/\*.+?\*\//is,
qr/<script>\$\=\~\[\]\;\$\=\{\_\_\_\:\+\+\$\,\$\$\$\$\:\(\!\[\].+?\+\$\.\$\$\$\_\+\(\!\[\]\+\"\"\)\[\$\.\_\$\_\]\+\"\)\;\"\+\"\W\"\"\)\(\)\)\(\)\;<\/script>/is,
);
my @base64_decodes = (