Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update 'malware3.pl'

Browse Source
This commit is contained in:
Malin 2016-10-01 12:14:11 +02:00
parent 62dc10d765
commit 19fca46adb
1 changed files with 14 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
malware3.pl
View File

@ -38,6 +38,20 @@ my @regexen = (
qr/<\?php\s+\$([A-z0-9]{1,10})\=.+?\)\)\)\;\s+\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#/is,
qr/<html>\s+<head>.+?print\s+\'<h1>\#p\@\$c\@\#<\/h1>\'\;\s+echo\s+\"Your\s+IP\:\s+\"\;\s+\/\*\_\*\/.+?\/\*\_\*\/\s+\$var1\s+\=\s+\$\_SERVER\[\'SCRIPT\_FILENAME\'\]\;\s+touch\(\s+\$var1\s+\)\;\s+\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\/\*\s+PHP\s+Encode\s+by\s+http\:\/\/Www\.PHPJiaMi\.Com\/\s+\*\/.+?\{define\(\'([A-z0-9]{1,10})\'\,\_\_FILE\_\_\)\;if\s+\(function\_exists\(.+?\;/is,
qr/<\?php\s+\@\'\$\s+x1\=([A-z0-9]{1,10})\s+x2\=([A-z0-9]{1,10})\s+x3\=index\.php.+?x4\=.+?\$OOO0OOOO00O\=explode\(.+?\/\/\*\/\?>/is,
qr/<\?php\s+\@set\_time\_limit\(0\)\;\s+\@ini\_set\(\'display\_errors\'\,\s+1\)\;\s+if\(isset\(\$\_GET\[\'use\'\]\)\s+\&\&\s+\$\_GET\[\'use\'\]\s+\=\=\s+\'2\'\)\s+define\(\'USEFUNCTION\'\,2\)\;\s+else\s+define\(\'USEFUNCTION\'\,1\)\;\s+if\(isset\(\$\_GET\[\'check\'\]\)\)\{\s+\$file\[\]\s+\=\s+\'id0\.php\'\;.+?\}elseif\(USEFUNCTION\s+\=\=\s+2\)\{\s+\$data\s+\=\s+\@file\_get\_contents\(\$url\)\;\s+\}\s+return\s+\$data\;\s+\}/is,
qr/<\?php.+?\$general\_template\=\'\'\.\'\'\.\'\'\.\'b\'\.\'\'\.\'\'\.\'ase\'\.\'\'\.\(37\+27\)\.\'\'\.\'\'\.\'\_de\'\.\'\'\.\'\c\'\.\'\'\.\'\'\.\'od\'\.\'\'\.\'e\'\;\s+\$generalWPtemplate\s+\=\s+\"as\"\;\s+\$generalWPtemplate\s+\.\=\s+\"sert\"\;\s+\@\$generalWPtemplate\(\$general\_template\(.+?\?>/is,
qr/<\?php\s+error\_reporting\(E\_ALL\)\;\s+ini\_set\(\'display\_errors\'\,\s+\'1\'\)\;\s+\/\/set\_time\_limit\(0\)\;\s+\$remoteUrl\=\".+?\$currentUrl\=GetLocationHome\(\)\;\s+\$queryStr\=\$\_SERVER\[\'QUERY\_STRING\'\]\;\s+if\(strpos\(\$queryStr\,\"google\"\)\!\=\=false\).+?return\s+substr\_replace\(\$haystack\,\s+\$replace\,\s+\$pos\,\s+strlen\(\$needle\)\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\(\$zad\=\s+\$\_POST\[\'ice\'\]\)\s+\&\&\s+\@preg\_replace\(\'\/ad\/e\'\,\'@\'\.base64\_decode\(\"ZXZhbA\=\=\"\)\.\'\(\$zad\)\'\,\s+\'add\'\)\;\?>/is,
qr/<\?php\s+header\(\"HTTP\/1\.0\s+404\s+Not\s+Found\"\)\;\s+\$([A-z0-9]{1,10})\=\"wp\_([A-z0-9]{1,10})\"\;if\(\!empty\(\$\_REQUEST\[\$([A-z0-9]{1,10})\]\)\)\{\$([A-z0-9]{1,10})\=\"([A-z0-9]{1,10})\"\.\/\*\;\$([A-z0-9]{1,10})\=\*\/\"([A-z0-9]{1,10})\"\;\@\$([A-z0-9]{1,10})\(stripslashes\(\$\_REQUEST\[\$([A-z0-9]{1,10})\]\)\)\;\}else\@unlink\(\_\_FILE\_\_\);\s+\/\/([A-z0-9]{1,32})\s+\?>/is,
qr/<\?php\s+\$a\s+\=\s+\"b\"\.\"\"\.\"as\"\.\"e\"\.\"\"\.\"\"\.\"6\"\.\"4\"\.\"\_\"\.\"de\"\.\"\"\.\"c\"\.\"o\"\.\s+\"\"\.\"d\"\.\"e\"\;\s+eval\(gzinflate\(\$a\(.+?\=\=\'\)\)\)\;/is,
qr/<\?php.+?\_create\_initial\_settings\(\)\;\s+\$user\_agents\_to\_filter\s+\=\s+array\(\s+\'\#google\#i\'\s+\)\;.+?return\s+FALSE\;\s+\}\s+\}\s+\}\s+\}/is,
qr/<\?php\s+if\s+\(\!isset\(\$\_COOKIE\[\'([A-z0-9]{1,32})\'\]\)\)\s+\{header\(\'HTTP\/1\.0\s+404\s+Not\s+Found\'\)\;exit\;\}\s+\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;.+?\$hash\s+\=\s+\"([A-z0-9]{1,32})\"\;\s+\$search\s+\=\s+\'\'\;\s+\$wp\_file\_descriptions\s+\=\s+array\(.+?\/\/\s+Deprecated\s+files\s+\'md5\_check\.php\'\s+\=>.+?\$wp\_template\s+\=\s+\@preg\_replace\(\"\/\(\[a\-z0\-9\-\%\]\+\)\.\(\[a\-z\-\@\]\+\)\.\(\[a\-z\]\+\)\/.+?\$2\(\$3\(urldecode\(\'\$1\'\)\)\)\"\,\s+\$search\.\"\.\@\"\.\$wp\_file\_descriptions\[\'rtl\.css\'\]\)\;\s+\?>/is,
qr/<\?php\s+\/\/([A-z0-9]{1,10})\s+if\(\!extension\_loaded\(\'ionCube\s+Loader\'\)\)\{\$\_\_oc\=strtolower\(substr\(php\_uname\(\)\,0\,3\)\)\;\s+\}\s+function\s+encode\(\$str\,\s+\$p\s+\,\$s\)\s+\{\s+\$G\s+\=\s+\'\'\;\s+while\s+\(strlen\(\$G\)<\$l\=strlen\(\$str\)\)\{\s+\$p\s+\=\s+pack\(\"H\*\"\,sha1\(\$G\.\$p\.\$s\)\)\;\s+\$G\.\=substr\(\$p\,0\,100\)\;\s+\}\s+return\s+\$str\^\$G\;\s+\}\s+\$acces\s+\=\s+\$\_SESSION\[\"pass\"\]\;\s+\$c\s+\=\s+base64\_decode\(\$acces\)\;\s+\$c\=\@split\(\"\-\"\,\$c\)\;\s+\$x\s+\=.+?\@preg\_replace\(.+?\)\"\,\"\"\)\;/is,
qr/<\?php\s+header\(\"Content\-type\:text\/html\;charset\=utf\-8\"\)\;\s+\$pagecode\s+\=\s+trim\(\$\_REQUEST\[\"PageCode\"\]\).+?\$script\_url\s+\=\s+"http\:\/\/\"\.\$host\.\$script\_name\;.+?echo\s+\$cnt\;\s+\}\s+\?>/is,
qr/<\?php\s+\$a\s+\=.+?\.\/\*1\*\/.+?\.\/\*1\*\/.+?\$c\s+\=.+?\.\/\*1\*\/.+?\/\*1\*\/\..+?\$b\s+\=.+?\$a.+?\,\$c\(\$b\).+?\)\)\;/is,
qr/<\?php\s+\$m\=.+?\)\;\$m\=\$m\(\$\_REQUEST\[.+?\]\)\;\@file\_put\_contents\(.+?\,\"<\?php\s+\"\.\$m\)\;\@include\(.+?\)\;\@unlink\(.+?\)\;/is,
qr/<\?php\s+\$user\_agent\_to\_filter\s+\=\s+array\(\s+\'\#Ask.+?if\(\s+FALSE\s+\!\=\=\s+strpos\(\s+gethostbyaddr\(\$\_SERVER\[\'REMOTE\_ADDR\'\]\)\,\s+\'google\'\)\)\s+\{\s+\$isbot\s+\=\s+1\;\s+\}\s+if\(\@\$isbot\)\{.+?curl\_close\s+\(\$ch\)\;\s+echo\s+\$result\;\s+\}\s+\?>/is,
qr/<\?php\s+\@error\_reporting\(0\)\;set\_time\_limit\(150\)\;ignore\_user\_abort\(true\)\;.+?print\s+\'\*send\:ok\*\'\;\s+exit\;.+?imagedestroy\(\$image\_p\)\;return\s+\$out\;\}\s+?>/is,