From 0c4e1042b38194e6a01916396e5effea6838cb3e Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Fri, 23 Mar 2018 10:02:57 +0100
Subject: [PATCH] new patterns
---
malware4.pl | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/malware4.pl b/malware4.pl
index 8cbf0d0..6832cb7 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -486,7 +486,8 @@ my @regexen = (
 qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"assert\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}\?>/is,
 qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\/\*([A-z0-9]{1,20})\*\/\"preg\_r\"\.\"eplace\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
 qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\"assert\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}\?>/is,
-
+ qr/<\?php\s+error\_reporting\(0\)\;\s+set\_time\_limit\(0\)\;\s+if\s+\(\$\_GET\[\'([A-z0-9]{1,20})\'\]\=\=\'1\'\)\{echo\s+\'200\'\;\s+exit\;\}.+?if\(\$\_GET\[\'([A-z0-9]{1,20})\'\]\=\=.+?\)eval\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+if\(md5\(\$\_GET\[\'([A-z0-9]{1,20})\'\]\)\=\=.+?\)eval\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+\?>/is,
+ qr/<\?php\s+class\s+\_([A-z0-9]{1,20})\{static\s+private\s+\$.+?ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789.+?\(\)\;exit\(\)\;/is,
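Review bot: Both added signatures join their fixed anchors with an unbounded `.+?` under `/s`, so the anchors may sit any distance apart in a scanned file. In the second one, the class header, the base64 alphabet string and `();exit();` can match across unrelated code, which risks false positives and can make scans slow on large files. Bounding the gaps, for example `.{1,200}?` with the limit tuned against known samples, would keep the signatures tight. `[A-z0-9]` also admits the punctuation between `Z` and `a` (`[`, `\`, `]`, `^`, `_` and the backtick); `[A-Za-z0-9_]` states the intent, and since the context lines use the same class this looks like a file-wide follow-up. The `@regexen` list starts before this hunk and its closing is not visible in it.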