new patterns
This commit is contained in:
Palma Solutions LTD
16
malware4.pl
16
malware4.pl
@@ -501,8 +501,20 @@ my @regexen = (
|
||||
qr/<script>\s+var\s+\_0xa7af\=\[.+?\]\;eval\(function\(\_0xaddfx1\,\_0xaddfx2\,\_0xaddfx3\,\_0xaddfx4\,\_0xaddfx5\,\_0xaddfx6\)\{.+?\]\)\,0\,\{\}\)\)\s+<\/script>/is,
|
||||
qr/<\?php\s+\/\*\s+Plugin\s+Name\:\s+spamdetectvr.+?add\_filter\(\'all\_plugins\'\,\s+\'SPAMDETECTVR\_hide\'\)\;.+?\/\/\s+\}\s+\/\/\}\)\;/is,
|
||||
qr/<script\s+type\=\"text\/javascript\">\s+eval\(function\(p\,a\,c\,k\,e\,d\)\{e\=function\(c\)\{return\s+c\.toString\(.+?\.replace\(new\s+RegExp\(.+?script\|insertBefore\'\.split\(\'\|\'\)\,0\,\{\}\)\)\s+<\/script>/is,
|
||||
|
||||
|
||||
qr/\/\/([A-z0-9]{32})\s+create\_function\(\'\'\,\s+gzuncompress\(base64_decode\(.+?\)\)\)\;\s+\/\/([A-z0-9]{32})/is,
|
||||
qr/<\?php\s+\$\{.+?\;protected\$instance\;protected\$request\;protected\$calls\=array\(\)\;protected\$response\=array\(\)\;protected\$hasCalls\=false\;private\$isBatchCall\=false\;protected\$hiddenMethods\=array\(\'execute\'\,\'\_\_construct\'\).+?\}\s+\?>/is,
|
||||
qr/<Center><h1>Pisher.+?\Z/is,
|
||||
qr/<\?php\s+\$\{.+?\]\;\@mail\(.+?\]\}\)\;\$\_SESSION\[.+?\]\}\=curl\_init\(\)\;curl\_setopt\(\$\{\$\{.+?\]\}\,CURLOPT\_RETURNTRANSFER\,1\)\;curl\_setopt\(\$\{\$\{.+?\]\}\}\;\}\}\s+\?>/is,
|
||||
qr/<\?php\s+\/\*\s+Plugin\s+Name\:\s+Pisher.+?trojan\.25hack.+?\;\}\)\;\}\)\;\s+\?>/is,
|
||||
qr/\s+<\?php\s+echo\(base64\_decode\(.+?\)\)\;eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;echo\s+\"\\x\d\d\\n\"\;\s+\?>/is,
|
||||
qr/<\?php\s+echo\s+\"<div\s+align\=\\\"center\\\">.+?if\(isset\(\$\_POST\[\"submit\"\]\)\)\{if\(\$\_FILES\[\"file\"\]\[\"error\"\]>0\)\{echo.+?Go\s+here\s+\:\s+\"\.\$path\.\"<br>\"\;\}\}\s+\?>/is,
|
||||
qr/<\?php\s+session\_start\(\)\;.+?function\s+login\_shell\(\)\s+\{\s+?>.+?IndoXploit.+?serverinfo\(\)\;\s+action\(\)\;\s+\?>\s+<\/body>\s+<\/html>/is,
|
||||
qr/<\?.+?Aldwiry\s+Hack3r.+?\$usrp\s+\=\s+\"jo\/usr\.pl\"\;.+?Error\s+CHMOD\s+\!\"\;\s+\}\s+\?>/is,
|
||||
qr/<\/br>\"\;\s+session\_start\(\)\;.+?Moshkela\s+Hacker<\/title>.+?\}\/\/\s+end\s+if\s+\}\s+\?>/is,
|
||||
qr/<\?php\s+\$GLOBALS\[\'DB\_NAME\'\]\s+\=\s+array\(.+?if\(\!function\_exists\(\'bas\'\.\'e\'\.\'64\_\'\.\'en\'\.\'code\'\)\)\{.+?ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789.+?\)\;\?>/is,
|
||||
qr/<\?php\s+\/\*\*\s+\*\s+SAPE\.ru.+?class\s+SAPE\_globals\s+\{.+?\$this\->\_data\[\$this\->\_request\_mode\]\s+\=\s+\$data\;\s+\}\s+\}/is,
|
||||
qr/<\?php\s+if\s+\(\!defined\(\'\_SAPE\_USER\'\)\)\{\s+define\(\'\_SAPE\_USER\'\,.+?echo\s+\$sape\->return\_links\(\)\;\s+\?>/is,
|
||||
qr/<\?\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\s+\?>/is,
|
||||
|
||||
|
||||
);
|
||||
|
||||
Reference in New Issue
Block a user