Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new patterns

Browse Source
This commit is contained in:
Palma Solutions LTD
2018-03-25 12:51:29 +02:00
parent 0c4e1042b3
commit 1ea23e9e47
1 changed files with 13 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
malware4.pl
View File

@@ -488,6 +488,19 @@ my @regexen = (
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\"assert\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+set\_time\_limit\(0\)\;\s+if\s+\(\$\_GET\[\'([A-z0-9]{1,20})\'\]\=\=\'1\'\)\{echo\s+\'200\'\;\s+exit\;\}.+?if\(\$\_GET\[\'([A-z0-9]{1,20})\'\]\=\=.+?\)eval\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+if\(md5\(\$\_GET\[\'([A-z0-9]{1,20})\'\]\)\=\=.+?\)eval\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+\?>/is,
qr/<\?php\s+class\s+\_([A-z0-9]{1,20})\{static\s+private\s+\$.+?ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789.+?\(\)\;exit\(\)\;/is,
qr/<\?php\s+include\(\'wp\-access\-plugin\.php\'\)\;\s+\/\/Email\s+sending\s+function\s+sending\_email\(\$email\,\$id\=\'1\'\)\{.+?<\/div>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+session\_start\(\)\;.+?function\s+sanitizer\(\$check\)\{.+?function\s+validate\_email\(\$email\)\{.+?return\s+\$status\;\s+\}\s+\?>/is,
qr/<\?php\s+\/\*\s+Net\s+Scrap\s+Shop\s+v3\*\/.+?\=str\_rot13\(gzinflate\(str\_rot13\(base64\_decode\(\$.+?\)\;\s+\?>/is,
qr/bgeteam\s+<\?php.+?B\s+Ge\s+Team\s+File\s+Manager.+?value\=\"upload\"\s+\/>.+?\?>\s+B\s+Ge\s+Team\s+File\s+Manager\s+Version\s+1\.0\,\s+Coded\s+By\s+lin\s+Email\:\s+null/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+\?>\s+Upload\s+is\s+<b><color>WORKING.+?<\?php\s+if\s+\(\!empty\(\$\_POST\[.+?\}\s+\?>/is,
qr/<\?php\s+\/\*\*.+?\$auth\_pass\s+\=\s+\".+?echo\s+\'changepassword\'\;.+?echo\s+\'Yeahhh\'\;.+?\*\/\s+\}\s+\?>/is,
qr/<\?php.+?Mr\.N00B\s+Mini\s+Shell.+?\$auth\_pass\s+\=.+?eval\(\$st\(\$gz\(\$st2\(\$bs\(\(\$con7ext\)\)\)\)\)\)\;/is,
qr/<\?php\s+\/\*\*\s+\*\s+Leaf.+?\$sessioncode\s+\=\s+md5\(\_\_FILE\_\_\)\;.+?Leaf\s+PHPMailer.+?\}\s+print\s+\'<\/body>\'\;\s+\?>/is,
qr/<title>Hacked\s+By\s+Dr34mCyb3r.+?<\/style>\s+<div\s+class\=\"video\-background.+?allowfullscreen><\/iframe>/is,
qr/<\?php\s+\/\*\s+Plugin\s+Name\:\s+antisp.+?add\_filter\(\'all\_plugins\'\,\s+\'ANTISP\_hide\'\)\;/is,
qr/<script>\s+var\s+\_0xa7af\=\[.+?\]\;eval\(function\(\_0xaddfx1\,\_0xaddfx2\,\_0xaddfx3\,\_0xaddfx4\,\_0xaddfx5\,\_0xaddfx6\)\{.+?\]\)\,0\,\{\}\)\)\s+<\/script>/is,
qr/<\?php\s+\/\*\s+Plugin\s+Name\:\s+spamdetectvr.+?add\_filter\(\'all\_plugins\'\,\s+\'SPAMDETECTVR\_hide\'\)\;.+?\/\/\s+\}\s+\/\/\}\)\;/is,
qr/<script\s+type\=\"text\/javascript\">\s+eval\(function\(p\,a\,c\,k\,e\,d\)\{e\=function\(c\)\{return\s+c\.toString\(.+?\.replace\(new\s+RegExp\(.+?script\|insertBefore\'\.split\(\'\|\'\)\,0\,\{\}\)\)\s+<\/script>/is,