Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new patterns

Browse Source
This commit is contained in:
Palma Solutions LTD
2018-07-18 08:19:48 +02:00
parent 4b12d02cbb
commit 0afd0be698
2 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
malware6.pl
View File

@@ -280,6 +280,9 @@ my @regexen = (
qr/<\?php \$([A-z0-9_]{1,20}) = \'strr\'\.chr\(101\)\.\'v\';\$([A-z0-9_]{1,20}) = array\(.+?eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
qr/<\?php\s+\/\*\*\s+\* Plugin Name: Login Wall.+?if \(!defined\(\'LoginWall\'\)\)\{\s+define\( \'LoginWall\',1\);.+?add_action\(\'login_form\',\'fs_login_session\'\);\s+\}/is,
qr/<\?php if\(\$_POST\[\'([A-z0-9_]{1,20})\'\]==\'\'\)\{echo\(\'->\|OK\|-<\'\);exit\(\);\}eval\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\);\?>/is,
qr/<\?php \/\*Packed BLOB icon data\. Corruption may result script execution errors\. Don\'t touch it unless you know what you are doing\.\*\/ eval\(base64_decode\(.+?\)\);\?>/is,
qr/<div class=\"product_listing_descrip\">.+?<a href=\"http\:\/\/.+?generic levitra.+?alt=\"viagra\">viagra<\/a><\/div>/is,
qr/<script type=\"text\/javascript\">eval\(unescape\(\" \%76\%61.+?\%3B\%7D \"\)\)<\/script><\/div>/is,
);

3
malwaresh.pl
View File

@@ -1268,6 +1268,9 @@ my @regexen = (
qr/<\?php \$([A-z0-9_]{1,20}) = \'strr\'\.chr\(101\)\.\'v\';\$([A-z0-9_]{1,20}) = array\(.+?eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
qr/<\?php\s+\/\*\*\s+\* Plugin Name: Login Wall.+?if \(!defined\(\'LoginWall\'\)\)\{\s+define\( \'LoginWall\',1\);.+?add_action\(\'login_form\',\'fs_login_session\'\);\s+\}/is,
qr/<\?php if\(\$_POST\[\'([A-z0-9_]{1,20})\'\]==\'\'\)\{echo\(\'->\|OK\|-<\'\);exit\(\);\}eval\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\);\?>/is,
qr/<\?php \/\*Packed BLOB icon data\. Corruption may result script execution errors\. Don\'t touch it unless you know what you are doing\.\*\/ eval\(base64_decode\(.+?\)\);\?>/is,
qr/<div class=\"product_listing_descrip\">.+?<a href=\"http\:\/\/.+?generic levitra.+?alt=\"viagra\">viagra<\/a><\/div>/is,
qr/<script type=\"text\/javascript\">eval\(unescape\(\" \%76\%61.+?\%3B\%7D \"\)\)<\/script><\/div>/is,
);
my @base64_decodes = (