new scan
@@ -1,4 +1,8 @@
|
||||
#!/usr/bin/perl
|
||||
#
|
||||
# Malware Cleaner Shell Version
|
||||
#
|
||||
#
|
||||
|
||||
use strict;
|
||||
use warnings;
|
||||
|
||||
0
patterns/base64.txt
Normal file
0
patterns/base64.txt
Normal file
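--- a/patterns/crypto.txt
+++ b/patterns/crypto.txt
@@ -0,0 +1 @@
+User-Agent.*cpuminer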
0
patterns/mailing.txt
Normal file
0
patterns/mailing.txt
Normal file
0
patterns/phishing.txt
Normal file
0
patterns/phishing.txt
Normal file
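--- a/patterns/polymorphic.txt
+++ b/patterns/polymorphic.txt
@@ -0,0 +1,54 @@
+<?php.*strtoupper.*if.*isset.*eval.*?>
+<?php.*$GLOBALS.*if.*function_exists.*function.*$GLOBALS.*pack.*return.*substr.*?><?php
+<?php.*strtolower.*[].*[].*[].*[].*[].*[].*strtoupper.*eval.*?>
+if.*isset.*${$.*}.*eval.*;}.*?>
+strstr.*implode.*array_map.*function_exists
+<?php.*!function_exists.*?><?php
+<?php.*globals.*eval.*?><?php
+<?php.*if.*isset.*globals.*strtolower.*?>
+<?php.*isset.*$GLOBALS.*strtolower.*$_SERVER.*strstr.*function_exists.*function.*?><?php
+<?php.*strtolower.*$GLOBALS.*strstr.*function_exists.*substr.*explode.*?><?php
+<?php.*$GLOBALS.*isset.*$GLOBALS.*explode.*substr.*function_exists.*function.*?><?php
+<?php.*strtoupper.*if.*isset.*eval.*?>
+<?php.*$GLOBALS.*if.*function_exists.*function.*$GLOBALS.*pack.*return.*substr.*?><?php
+<?php.*preg_replace.*isset.*GLOBALS.*function.*preg_replace.*explode.*chr.*substr.*function_exists.*function.*substr.*?><?php
+<?php.*if.*isset.*GLOBALS.*strtolower.*SERVER.*if.*strstr.*strstr.*GLOBALS.*?><?php
+<?php.*return.*chr.*str_split.*GLOBALS.*function_exists.*explode.*substr.*explode.*chr.*?>
+<?php.*preg_replace.*(.*_REQUEST.*[.*].*).*?>
+<?php.*function_exists.*explode.*chr.*substr.*function_exists.*function mugvsjx.*NULL.*substr.*?>.*<?php
+strtoupper.*if.*eval
+array.*strrev.*implode.*array.*implode.*?>
+array.*strrev.*strrev.*eval.*implode.*?>
+php.*function.*Array.*return.*base64_decode.*error_reporting.*mb_internal_encoding.*mb_regex_encoding.*mb_http_output.*mb_http_input.*mb_language.*mb_strtolower.*mb_substr.*function
+GLOBALS.*GLOBALS.*global.*function.*for.*function.*global.*return.*if.*Array.*else.*eval.*exit.*php
+function.*for.*strlen.*isset
+function.*for.*strlen.*++
+explode.*chr.*if.*function_exists.*function.*NULL.*for.*return.*NULL
+function.*return.*NULL.*preg_replace
+php.*if.*isset.*GLOBALS.*strtolower.*strstr.*strstr.*GLOBALS.*php
+php.*preg_replace.*SERVER.*HTTP.*SERVER.*HTTP.*CURRENT
+GLOBALS.*GLOBALS.*if.*empty.*GLOBALS.*eval.*GLOBALS.*GLOBALS.*echo
+eval.*gzuncompress.*base64_decode
+strtolower.*strtoupper.*if.*isset.*eval
+new.*JApplication.*array.*UID.*
+function.*for.*strlen.*++.*isset
+GLOBALS.*Array.*GLOBALS.*function.*return.*echo.*eval.*exit
+php.*if.*isset.*eval
+isset.*POST.*POST.*isset.*COOKIE.*COOKIE.*NULL.*if.*NULL.*md5.*substr.*md5.*strrev.*strlen.*for.*chr.*if.*gzinflate.*if.*isset.*setcookie.*POST.*create_function.*unset
+isset.*POST.*isset.*COOKIE.*NULL.*if.*NULL.*md5.*substr.*md5.*strrev.*strlen.*for.*chr.*if.*gzinflate.*if.*isset.*setcookie.*POST.*create_function.*unset
+create_function.*base64_decode
+php.*if.*isset.*REQUEST.*assert.*REQUEST.*exit
+GLOBALS.*Array.*foreach.*eval.*exit.*php
+if.*function_exists.*function.*base64_decode.*ord.*ord.*strlen.*preg_match.*base64_decode.*if.*exit.*if.*if.*if.*ord.*for.*else.*for.*else.*if.*return.*eval
+strtolower.*if.*strstr.*or.*strstr.*if.*function_exists.*or.*strstr.*or.*array_map.*str_split.*function.*GLOBALS.*or.*strstr.*return.*chr.*ord.*error_reporting.*explode.*chr.*substr.*if.*function_exists.*function.*for.*sizeof.*substr.*return.*chr.*chr.*explode.*chr.*preg_replace
+eval.*gzinflate.*base64_decode
+MailTo.*base64_decode.*POST.*mailto
+function.*return.*str_repeat.*ceil.*strlen.*strlen
+if.*isset.*GLOBALS.*GLOBALS.*&&.*GLOBALS.*GLOBALS
+<?php.*if.*isset.*REQUEST.*REQUEST.*exit;}?>
+eval.*str_rot13.*gzinflate.*str_rot13.*base64_decode
+(.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*/.*)
+GLOBALS.*Array.*global.*GLOBALS.*NULL.*NULL.*NULL.*function.*return.*function.*global.*Array.*elseif.*eval.*exit
+if($.*=@fsockopen($.*$this->.*[.*(.*)].*$.*$.*$.*(.*)))
+@system(.*killall -9 .*.basename(.*/usr/bin/host.*));
+echo.*eval(urldecode($.*));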
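Review bot: Two of the new signatures contain spaces (`function mugvsjx` in the 18th entry and `killall -9` in the `@system(` entry), while scan.sh reads its other pattern files with `for i in $(cat …)`, which splits on whitespace. If this file is consumed the same way (that loop is not shown on this page), those signatures reach grep as unrelated fragments such as `-9` instead of as one expression. Entries 12 and 13 repeat entries 1 and 2 verbatim and can be dropped. Several entries, for example `php.*if.*isset.*eval` and `function.*for.*strlen.*isset`, are generic enough to match ordinary PHP, so a hit on them should flag a file for manual review rather than drive automatic cleaning.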
8
scan.sh
8
scan.sh
@@ -15,11 +15,12 @@ phishing = "patterns/phishing.txt"
|
||||
base64 = "patterns/base64.txt"
|
||||
mailing = "patterns/mailing.txt"
|
||||
polymorphic = "patterns/polymorphic.txt"
|
||||
crypto = "patterns/crypto.txt"
|
||||
|
||||
# Scanning for Phishing
|
||||
for i in $(cat $phishing)
|
||||
do
|
||||
grep -Rl -e $i /home/$user/public_html
|
||||
grep -Rl -e $i --include=*.{php,phtml,js,html,suspected}* /home/$user/public_html
|
||||
done
|
||||
|
||||
|
||||
@@ -35,3 +36,8 @@ for i in $(cat $mailing)
|
||||
grep -Rl -e $i /home/$user/public_html
|
||||
done
|
||||
|
||||
# Scanning for CryptoCurrency Miners
|
||||
for i in $(cat $crypto)
|
||||
do
|
||||
grep -Rl -e $i /home/$user/public_html
|
||||
done
|
||||
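Review bot: The added miner loop, `for i in $(cat $crypto)` feeding `grep -Rl -e $i`, expands every signature unquoted, so the shell word-splits and glob-expands it before grep runs; a signature containing a space, or a `*` that happens to match a file name in the working directory, is silently altered and the scan under-reports. Passing the file straight to grep avoids this: `grep -rl -f "$crypto" -- "/home/$user/public_html"`, where `-r` instead of `-R` also keeps GNU grep from following symlinks placed inside the account's docroot. As rendered here, `crypto = "patterns/crypto.txt"` has spaces around `=`, which a POSIX shell runs as a command named `crypto` rather than as an assignment, leaving `$crypto` empty; it should read `crypto="patterns/crypto.txt"`, and the neighbouring assignments look the same. Where `$user` is set is outside these hunks, so it is worth confirming it is validated before it is used to build the path.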