Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fixed pattern

Browse Source
This commit is contained in:
Palma Solutions LTD
2017-12-29 21:05:25 +01:00
parent c4f47974f0
commit 0c706512b4
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
malware4.pl
View File

@@ -243,7 +243,7 @@ my @regexen = (
qr/<\?php\s+define\(\'\_JEXEC\'\,\s+1\)\;\s+try\{.+?if\s+\(\s+md5\(getenv\(\'HTTP\_USER\_AGENT\'\)\)\s+\=\=.+?eval\(\$data\_row\->htmlcode\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"ass\".\"ert\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}\s+\$([A-z0-9]{1,20})\s+\=.+?\$\_([A-z0-9]{1,20})\s+\=\s+create\_function\s+\(\'\$([A-z0-9]{1,20})\'\,\s+([A-z0-9]{1,20})\s+\(base64\_decode\s+\(.+?\)\,\s+\$\_COOKIE\s+\[str\_replace\(\'\.\'\,\s+\'\_\'\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\)\]\)\s+\.\s+\'\;\'\)\;\s+\$\_([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;.+?\?>/is,
qr/<\?php\s+if\(isset\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\"preg\_\"\.\"repla\"\.\"ce\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\s+\$([A-z0-9]{1,20})\s+\=.+?\$\_([A-z0-9]{1,20})\s+\=\s+create\_function\s+\(\'\$([A-z0-9]{1,20})\'\,\s+([A-z0-9]{1,20})\s+\(base64\_decode\s+\(.+?\)\,\s+\$\_COOKIE\s+\[str\_replace\(\'\.\'\,\s+\'\_\'\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\)\]\)\s+\.\s+\'\;\'\)\;\s+\$\_([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;.+\?>/is,
qr/<\?php\s+if\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\/*([A-z0-9]{1,20})\*\/exit\;\}.+?\$\_([A-z0-9]{1,20})\s+\=\s+create\_function\s+\(\'\$([A-z0-9]{1,20})\'\,\s+([A-z0-9]{1,20})\s+\(base64\_decode\s+\(.+?\)\,\s+\$\_COOKIE\s+\[str\_replace\(\'\.\'\,\s+\'\_\'\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\)\]\)\s+\.\s+\'\;\'\)\;\s+\$\_([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;.+\?>/is,
qr/<\?php\s+if\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}.+?\$\_([A-z0-9]{1,20})\s+\=\s+create\_function\s+\(\'\$([A-z0-9]{1,20})\'\,\s+([A-z0-9]{1,20})\s+\(base64\_decode\s+\(.+?\)\,\s+\$\_COOKIE\s+\[str\_replace\(\'\.\'\,\s+\'\_\'\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\)\]\)\s+\.\s+\'\;\'\)\;\s+\$\_([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;.+\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/\s+\$([A-z0-9]{1,20})\s+\=\s+\'([A-z0-9]{10,})\+([A-z0-9]{20,})\'\..+?\$\_([A-z0-9]{1,20})\s+\=\s+create\_function\s+\(\'\$([A-z0-9]{1,20})\'\,\s+([A-z0-9]{1,20})\s+\(base64\_decode\s+\(.+?\)\,\s+\$\_COOKIE\s+\[str\_replace\(\'\.\'\,\s+\'\_\'\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\)\]\)\s+\.\s+\'\;\'\)\;\s+\$\_([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;.+\?>/is,
qr/<\?php\s+eval\(gzinflate\(base64\_decode\(\".+?\)\)\)\;\s+eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(.+?\)\)\)\;\Z/is,