new patterns

Palma Solutions LTD 2018-08-23 13:05:55 +02:00
parent bc21b7da0f
commit 1cf1a1b734
3 changed files with 6 additions and 3 deletions


@ -520,7 +520,7 @@ my @regexen = (
qr/<font\s+id=\"([A-z0-9]{1,20})\"\s+color=\"\#00FFFF\"\s+style=\"width:\s+0;\s+height:\s+0;overflow:\s+hidden;\s+font-family:courier;\s+position:\s+absolute;\s+font-size:\d\dpx\"><a\s+href=http:\/\/.+?(viagra|cialis|levitra).+?<\/a><\/font>/is,
qr/<\?php.+?--==\[\[BSKH Auto Symlink\]\]==--.+?gzinflate\(base64\_decode\(\$.+?\}eval\(.+?\)\);\s+\?>/is,
qr/<\?php\s+\@error_reporting\(0\);\s+\@set_time_limit\(0\);\s+\$code = \".+?\";\s+\@\s+\?>/is,
);
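Review bot: The character class `[A-z0-9]` in the `<font id=...>` signature of this list also spans the six punctuation characters that sit between `Z` and `a` in ASCII (`[`, `\`, `]`, `^`, `_` and the backtick), so it accepts more than the letters and digits it appears to intend. Since the pattern already carries `/i`, `[a-z0-9]{1,20}` restricts the capture to letters and digits. The same range recurs in the other two files of this commit (`[A-z0-9_]` in the `$_POST` signature, `[A-z0-9]` in the `GLOBALS` one, `[A-z0_]` in the `urldecode` one); for PHP identifiers `[a-z0-9_]` would state the intent. The page has lost the diff markers, so which line of this hunk changed is not visible, and the `@regexen` list begins outside the hunk.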


@ -286,6 +286,8 @@ my @regexen = (
qr/<\?php\s+function_exists\(\'date_default_timezone\'\) \? date_default_timezone_set\(\'America\/Los_Angeles\'\) : \@eval\(base64_decode\(\$_REQUEST\[\'c_id\'\]\)\);/is,
qr/<\?PHP\s+define\(\'REAL_SERVER_ROOT\', \'SERVER\'\);.+?define\(\'SYSTEM_SKEL_DIR\', \'skel\'\) \? \@eval\(base64_decode\(\$_REQUEST\[\'c_id\'\]\)\) : define\(\'SYSTEM_SKEL_PATH\', SYSTEM_CONF_PATH \. \'\/\' \. SYSTEM_SKEL_DIR\);.+?define\(\'WORKGROUPS_META_SETTINGS_FILENAME\', \'settings\.xml\'\);\s+\?>/is,
qr/\@eval\(base64_decode\(\$_REQUEST\[\'c_id\'\]\)\)/is,
qr/<\?php if\(\$_GET\[\'test\'\]\)\{echo \'success\';\}else\{\(\$www= \$_POST\[\'([A-z0-9_]{1,20})\'\]\) && \@preg_replace\(\'\/ad\/e\',\'@\'\.str_rot13\(\'riny\'\)\.\'\(\$www\)\', \'add\'\);\}/is,
qr/<\?php \$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}\[.+?eval\(\$([A-z0-9]{1,20})\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[([0-9]{1,5})\]\]\);\s+\}\s+exit\(\);\s+\}\s+\}/is,
);
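Review bot: The `GLOBALS` signature at the end of this list puts an unbounded `.+?` under `/s` between its `<?php ${...}[` prefix and the `eval(` tail, so a single match can run across unrelated code and several PHP blocks from one early prefix to a distant tail. If the scripts strip or report the matched span (their handling is not visible here), that span can include legitimate code; a bounded quantifier such as `.{1,N}?`, with N sized from the samples the pattern was written against, keeps the match local and also caps the work done on large files. The prefix also hard-codes single spaces (`<\?php \$\{`) where neighbouring patterns use `\s+`, which ties detection to one exact formatting. The diff markers are lost on this page, so I am assuming the last two patterns before `);` are the added ones; the list itself begins outside the hunk.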


@ -26,6 +26,7 @@ print "Content-type: text/html\n\n";
my $user = $ARGV[0];
my @regexen = (
qr/<\?php \$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}\[.+?eval\(\$([A-z0-9]{1,20})\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[([0-9]{1,5})\]\]\);\s+\}\s+exit\(\);\s+\}\s+\}/is,
qr/<\?php\s+\/\/header\(.+?\\x30\"\]\(\);\?>/is,
qr/<\?php\s+\/\/header\(.+?\$([O0_]{1,6})=\(.+?\\x\d\d\"\]\(\);\?>/is,
qr/<\?php\s+\/\/header\(.+?\$([A-z0_]{1,20})=urldecode\(.+?\]\(\);\?>/is,
@ -1273,8 +1274,8 @@ my @regexen = (
qr/<script type=\"text\/javascript\">eval\(unescape\(\" \%76\%61.+?\%3B\%7D \"\)\)<\/script><\/div>/is,
qr/<\?php\s+function_exists\(\'date_default_timezone\'\) \? date_default_timezone_set\(\'America\/Los_Angeles\'\) : \@eval\(base64_decode\(\$_REQUEST\[\'c_id\'\]\)\);/is,
qr/<\?PHP\s+define\(\'REAL_SERVER_ROOT\', \'SERVER\'\);.+?define\(\'SYSTEM_SKEL_DIR\', \'skel\'\) \? \@eval\(base64_decode\(\$_REQUEST\[\'c_id\'\]\)\) : define\(\'SYSTEM_SKEL_PATH\', SYSTEM_CONF_PATH \. \'\/\' \. SYSTEM_SKEL_DIR\);.+?define\(\'WORKGROUPS_META_SETTINGS_FILENAME\', \'settings\.xml\'\);\s+\?>/is,
qr/\@eval\(base64_decode\(\$_REQUEST\[\'c_id\'\]\)\)/is,
qr/<\?php if\(\$_GET\[\'test\'\]\)\{echo \'success\';\}else\{\(\$www= \$_POST\[\'([A-z0-9_]{1,20})\'\]\) && \@preg_replace\(\'\/ad\/e\',\'@\'\.str_rot13\(\'riny\'\)\.\'\(\$www\)\', \'add\'\);\}/is,
);
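Review bot: The signatures in this file repeat those of the previous file character for character (the `GLOBALS` pattern in the hunk at line 26 and the `c_id` and `str_rot13` patterns in the hunk at line 1274), so each new pattern has to be pasted by hand into every script's `@regexen`. Copies that drift apart leave one scanner blind to samples another one catches, and this commit already touches three files for what reads as one or two new signatures. Loading the list from a single shared module would remove the duplication; until then a comment above the list such as `# Keep in sync with the @regexen lists in the sibling scripts` would at least record the coupling. Both hunks cut through the same `@regexen` list, most of which lies outside them.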