Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new pattern

Browse Source
This commit is contained in:
Palma Solutions LTD 2018-05-11 09:49:53 +02:00
parent 8bdad75284
commit 1bf6c21579
3 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
malware5.pl
View File

@ -508,6 +508,7 @@ my @regexen = (
qr/<\?php\s+\$array\s+\=\s+array\(.+?\)\;\$\w\s+\=\s+implode\(\"\"\,\s+\$array\)\;\$b64\s+\=\s+\"\\x.+?\;\$gzc\s+\=\s+\"\\x.+?\;\$r13\s+\=\s+\"\\x.+?\;eval\(\$gzc\(\$b64\(\$r13\(\$\w\)\)\)\)\;\?>/is,
qr/<\?php\s+\$.+?\"pre\"\.\"g\_\"\.\"rep\"\.\"lace\"\;\s+\$.+?\(strrev\(\"e\/\*\.\/\"\)\,\s+strrev\(\"\(edoced\_46esab\(etalfnizg\(lave\"\)\.\".+?\)\;\s+\?>/is,
qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\"\\x.+?\$([A-z0-9]{1,20})\s+\=\s+Array\(\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\].+?eval\(\$([A-z0-9]{1,20})\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\]\)\;\s+\}\s+\}/is,
qr/<\?php.+?class\s+browseDir\s+\{.+?function\s+upload\(\$ifupload\)\{.+?if\(\!empty\(\$eval\)\s+\&\&\s+\$eval\s+\!\=\s+\'\'\)\{.+?<\/body><\/html>\s+\<\?\}\?>/is,
);

2
malwaresh.pl
View File

@ -991,6 +991,8 @@ my @regexen = (
qr/<\?php\s+\$array\s+=\s+array\(.+?\).+?eval\(\$gzc\(\$b64\(\$r13\(\$.+?\?>/is,
qr/<\?php\s+\$.+?\"pre\"\.\"g\_\"\.\"rep\"\.\"lace\"\;\s+\$.+?\(strrev\(\"e\/\*\.\/\"\)\,\s+strrev\(\"\(edoced\_46esab\(etalfnizg\(lave\"\)\.\".+?\)\;\s+\?>/is,
qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\"\\x.+?\$([A-z0-9]{1,20})\s+\=\s+Array\(\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\].+?eval\(\$([A-z0-9]{1,20})\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\]\)\;\s+\}\s+\}/is,
qr/<\?php.+?class\s+browseDir\s+\{.+?function\s+upload\(\$ifupload\)\{.+?if\(\!empty\(\$eval\)\s+\&\&\s+\$eval\s+\!\=\s+\'\'\)\{.+?<\/body><\/html>\s+\<\?\}\?>/is,
);

2
scan.py
View File

@ -530,7 +530,7 @@ def is_hacked(filename):
or 'https://www.colourbox.com/preview/11775720-hacker-boy-icon.jpg' in l \
or 'https://image.prntscr.com/image/dQ_-z9pTRL6tA2kqbnXH6A.jp' in l:
score.append(('SOCIALS', ''))
if "<?php $[a-z].* = '" and "$[a-z].*=explode(chr(([0-9].*[-+][0-9].*))" and "$[a-z].*=([0-9].*[-+][0-9].*)" and "if (!function_exists('[a-z].*'))" in l:
if re.compile("<?php\s*\$[a-z]{1,10}\s*=.*\$[a-z]{1,10}=explode\(chr\(\([0-9]{1,10}.*[0-9]{1,10}\)\).*\$[a-z]{1,10}=\([0-9].*[0-9]{1,10}\).*if\s*\(!function_exists\('[a-z]{1,10}'\)\)").match(l):
score.append(('EITEST', ''))
previous_line = l