diff --git a/malware5.pl b/malware5.pl index 52ae10b..4fc8efc 100644 --- a/malware5.pl +++ b/malware5.pl @@ -520,7 +520,7 @@ my @regexen = ( qr/<\/font>/is, qr/<\?php.+?--==\[\[BSKH Auto Symlink\]\]==--.+?gzinflate\(base64\_decode\(\$.+?\}eval\(.+?\)\);\s+\?>/is, qr/<\?php\s+\@error_reporting\(0\);\s+\@set_time_limit\(0\);\s+\$code = \".+?\";\s+\@\s+\?>/is, - + ); diff --git a/malware6.pl b/malware6.pl index a03ec42..2a1a938 100644 --- a/malware6.pl +++ b/malware6.pl @@ -286,6 +286,8 @@ my @regexen = ( qr/<\?php\s+function_exists\(\'date_default_timezone\'\) \? date_default_timezone_set\(\'America\/Los_Angeles\'\) : \@eval\(base64_decode\(\$_REQUEST\[\'c_id\'\]\)\);/is, qr/<\?PHP\s+define\(\'REAL_SERVER_ROOT\', \'SERVER\'\);.+?define\(\'SYSTEM_SKEL_DIR\', \'skel\'\) \? \@eval\(base64_decode\(\$_REQUEST\[\'c_id\'\]\)\) : define\(\'SYSTEM_SKEL_PATH\', SYSTEM_CONF_PATH \. \'\/\' \. SYSTEM_SKEL_DIR\);.+?define\(\'WORKGROUPS_META_SETTINGS_FILENAME\', \'settings\.xml\'\);\s+\?>/is, qr/\@eval\(base64_decode\(\$_REQUEST\[\'c_id\'\]\)\)/is, + qr/<\?php if\(\$_GET\[\'test\'\]\)\{echo \'success\';\}else\{\(\$www= \$_POST\[\'([A-z0-9_]{1,20})\'\]\) && \@preg_replace\(\'\/ad\/e\',\'@\'\.str_rot13\(\'riny\'\)\.\'\(\$www\)\', \'add\'\);\}/is, + qr/<\?php \$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}\[.+?eval\(\$([A-z0-9]{1,20})\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[([0-9]{1,5})\]\]\);\s+\}\s+exit\(\);\s+\}\s+\}/is, ); diff --git a/malwaresh.pl b/malwaresh.pl index 0dce66a..4ed81a3 100644 --- a/malwaresh.pl +++ b/malwaresh.pl @@ -26,6 +26,7 @@ print "Content-type: text/html\n\n"; my $user = $ARGV[0]; my @regexen = ( + qr/<\?php \$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}\[.+?eval\(\$([A-z0-9]{1,20})\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[([0-9]{1,5})\]\]\);\s+\}\s+exit\(\);\s+\}\s+\}/is, qr/<\?php\s+\/\/header\(.+?\\x30\"\]\(\);\?>/is, qr/<\?php\s+\/\/header\(.+?\$([O0_]{1,6})=\(.+?\\x\d\d\"\]\(\);\?>/is, qr/<\?php\s+\/\/header\(.+?\$([A-z0_]{1,20})=urldecode\(.+?\]\(\);\?>/is, 
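Review bot: The character classes `[A-z0-9_]` and `[A-z0-9]` in the two signatures added to malware6.pl span ASCII 0x41–0x7A, so besides letters they also accept `[`, `\`, `]`, `^`, `_` and the backtick. Writing `[A-Za-z0-9_]{1,20}` (and `[A-Za-z0-9]{1,20}`) keeps each signature to identifier characters and avoids accidental matches; the identical signature added to malwaresh.pl in the next hunk has the same class. The first signature also hard-codes single spaces (`<\?php if\(`, `\$www= \$_POST`), whereas neighbouring entries use `\s+`, so a re-indented copy of the same backdoor would not be detected; `\s*` or `\s+` at those positions would be more tolerant. The capture groups look unused from here, so `(?:...)` would do unless code outside the hunk reads `$1`–`$3`.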
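Review bot: The signature added to malwaresh.pl is a verbatim copy of the one added to malware6.pl in the same commit, and neither copy has a comment saying what it detects, so the two lists can drift and the next maintainer has to decode the pattern to learn its purpose. A one-line comment above the entry, such as `# obfuscated ${"GLOBALS"}[...] loader ending in eval($x[$GLOBALS['k'][n]]); exit();`, would record that (the `\x47\x4c\x4fB\x41\x4c\x53` escape sequence spells GLOBALS). If the scripts can share code, keeping common signatures in one module that each scanner loads would keep them in sync. The `@regexen` list starts and ends outside this hunk, so whether entry order matters cannot be judged from here.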
@@ -1273,8 +1274,8 @@ my @regexen = ( qr/