diff --git a/malware5.pl b/malware5.pl index 4b3dce6..75cdf8b 100644 --- a/malware5.pl +++ b/malware5.pl @@ -508,6 +508,7 @@ my @regexen = ( qr/<\?php\s+\$array\s+\=\s+array\(.+?\)\;\$\w\s+\=\s+implode\(\"\"\,\s+\$array\)\;\$b64\s+\=\s+\"\\x.+?\;\$gzc\s+\=\s+\"\\x.+?\;\$r13\s+\=\s+\"\\x.+?\;eval\(\$gzc\(\$b64\(\$r13\(\$\w\)\)\)\)\;\?>/is, qr/<\?php\s+\$.+?\"pre\"\.\"g\_\"\.\"rep\"\.\"lace\"\;\s+\$.+?\(strrev\(\"e\/\*\.\/\"\)\,\s+strrev\(\"\(edoced\_46esab\(etalfnizg\(lave\"\)\.\".+?\)\;\s+\?>/is, qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\"\\x.+?\$([A-z0-9]{1,20})\s+\=\s+Array\(\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\].+?eval\(\$([A-z0-9]{1,20})\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\]\)\;\s+\}\s+\}/is, + qr/<\?php.+?class\s+browseDir\s+\{.+?function\s+upload\(\$ifupload\)\{.+?if\(\!empty\(\$eval\)\s+\&\&\s+\$eval\s+\!\=\s+\'\'\)\{.+?<\/body><\/html>\s+\<\?\}\?>/is, ); diff --git a/malwaresh.pl b/malwaresh.pl index 1a5ea8a..7424d9f 100644 --- a/malwaresh.pl +++ b/malwaresh.pl @@ -991,6 +991,8 @@ my @regexen = ( qr/<\?php\s+\$array\s+=\s+array\(.+?\).+?eval\(\$gzc\(\$b64\(\$r13\(\$.+?\?>/is, qr/<\?php\s+\$.+?\"pre\"\.\"g\_\"\.\"rep\"\.\"lace\"\;\s+\$.+?\(strrev\(\"e\/\*\.\/\"\)\,\s+strrev\(\"\(edoced\_46esab\(etalfnizg\(lave\"\)\.\".+?\)\;\s+\?>/is, qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\"\\x.+?\$([A-z0-9]{1,20})\s+\=\s+Array\(\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\].+?eval\(\$([A-z0-9]{1,20})\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\]\)\;\s+\}\s+\}/is, + qr/<\?php.+?class\s+browseDir\s+\{.+?function\s+upload\(\$ifupload\)\{.+?if\(\!empty\(\$eval\)\s+\&\&\s+\$eval\s+\!\=\s+\'\'\)\{.+?<\/body><\/html>\s+\<\?\}\?>/is, + ); diff --git a/scan.py b/scan.py index d30d8e2..993897b 100644 --- a/scan.py +++ b/scan.py @@ -530,7 +530,7 @@ def is_hacked(filename): or 'https://www.colourbox.com/preview/11775720-hacker-boy-icon.jpg' in l \ or 'https://image.prntscr.com/image/dQ_-z9pTRL6tA2kqbnXH6A.jp' in l: score.append(('SOCIALS', '')) - if "