Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new patterns

Browse Source
This commit is contained in:
Palma Solutions LTD
2018-05-26 09:45:17 +02:00
parent 4ddac3fc32
commit 0e176c851a
4 changed files with 5 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
cms-ver.php
View File

@@ -173,6 +173,7 @@
array("MediaWiki", "/includes/DefaultSettings.php", "\$wgVersion", "Maintained"),
array("YapGB", "/gbconfig.php", "\$cfgYapGBVersion", "EOL"),
array("PowerPhlogger", "/main.php", "\$curr_ver", "EOL"),
array("Invision Power Board", "/index.php", " * IP.Board v", "EOL"),
// still need to work on these
array("Silverstripe", "/cms/silverstripe_version", "*"), //needs review

1
cms-vss.php
View File

@@ -180,6 +180,7 @@
array("MediaWiki", "/includes/DefaultSettings.php", "\$wgVersion", "Maintained"),
array("YapGB", "/gbconfig.php", "\$cfgYapGBVersion", "EOL"),
array("PowerPhlogger", "/main.php", "\$curr_ver", "EOL"),
array("Invision Power Board", "/index.php", " * IP.Board v", "EOL"),
// still need to work on these

3
malware6.pl
View File

@@ -89,7 +89,8 @@ my @regexen = (
qr/<\?.+?Mass Mailer.+?by KoOl.+?\?>\s+<\/span>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\/\/\$usuario=\'\';\s+\/\/\$contraseсa=\'\';\s+eval\(gzinflate\(base64_decode\(.+?\)\)\);\?>/is,
qr/<\?php.+?\$ea = \'_shaesx_\'; \$ay = \'get_data_ya\'; \$ae = \'decode\'; \$ea = str_replace\(\'_sha\', \'bas\', \$ea\); \$ao = \'wp_cd\'; \$ee = \$ea\.\$ae; \$oa = str_replace\(\'sx\', \'64\', \$ee\); \$algo = \'md5\';.+?function wp_cd\(\$fd, \$fa=\"\"\).+?\)\)\&\& \$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\d\]\(\$([A-z0-9_]{1,20})\)\)\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\d\]\(\$([A-z0-9_]{1,20})\);\}/is,
qr/<\?php \$([A-z0-9_]{1,20})=\"\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65\";\$([A-z0-9_]{1,20})\(\"\\x7c\\x2e\\x7c\\x65\",\"\\x65\\x76\\x61\\x6c\\x28\\x27\\x65\\x76\\x61\\x6c\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x22.+?\\x22\\x29\\x29\\x3b\\x27\\x29\",\'\.\'\);\?>/is,

1
malwaresh.pl
View File

@@ -1074,6 +1074,7 @@ my @regexen = (
qr/<\?.+?Mass Mailer.+?by KoOl.+?\?>\s+<\/span>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\/\/\$usuario=\'\';\s+\/\/\$contraseсa=\'\';\s+eval\(gzinflate\(base64_decode\(.+?\)\)\);\?>/is,
qr/<\?php.+?\$ea = \'_shaesx_\'; \$ay = \'get_data_ya\'; \$ae = \'decode\'; \$ea = str_replace\(\'_sha\', \'bas\', \$ea\); \$ao = \'wp_cd\'; \$ee = \$ea\.\$ae; \$oa = str_replace\(\'sx\', \'64\', \$ee\); \$algo = \'md5\';.+?function wp_cd\(\$fd, \$fa=\"\"\).+?\)\)\&\& \$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\d\]\(\$([A-z0-9_]{1,20})\)\)\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\d\]\(\$([A-z0-9_]{1,20})\);\}/is,
qr/<\?php \$([A-z0-9_]{1,20})=\"\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65\";\$([A-z0-9_]{1,20})\(\"\\x7c\\x2e\\x7c\\x65\",\"\\x65\\x76\\x61\\x6c\\x28\\x27\\x65\\x76\\x61\\x6c\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x22.+?\\x22\\x29\\x29\\x3b\\x27\\x29\",\'\.\'\);\?>/is,
);