Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new patterns

Browse Source
This commit is contained in:
Palma Solutions LTD
2018-03-18 11:06:33 +01:00
parent f0482cae26
commit 215aa591dd
2 changed files with 36 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
malware4.pl
View File

@@ -382,7 +382,40 @@ my @regexen = (
qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"asse\"\.\"rt\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\/\*([A-z0-9]{1,20})\*\/\"assert\"\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\=\"assert\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\/\*([A-z0-9]{1,20})\*\/\"as\"\.\"se\"\.\"rt\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"asse\"\.\"rt\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\"preg\_\"\.\"repla\"\.\"ce\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;exit\;\/\*([A-z0-9]{1,20})\*\/\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\"asser\"\.\"t\"\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_REQUE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\"preg\_r\"\.\"eplace\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;exit\;\}/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\"as\"\.\"se\"\.\"rt\"\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\}\?>/is,
qr/<\?php\s+\$.+?\=str\_replace\(\'\s+\'\,\'\'\,\$.+?for\s+\(\s+\$i\s+\=\s+0\;\s+\$i\s+<\s+strlen\(\s+\$.+?\=\@gzinflate\(strrev\(\$.+?create\_function\(\'\$.+?\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;.+?error\_reporting\(0\)\;.+?\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;.+?\$domain\s+\=\s+\'n\.liveupdates\.host\'\;.+?\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;.+?if\s+\(preg\_match\(\'\/googlebot\|slurp.+?header\(\'Location\:\s+\'\.\$location\.\'\&\'\.\$([A-z0-9]{1,10})\,\s+TRUE\,\s+302\)\;\s+\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\/\*([A-z0-9]{1,20})\*\//is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_REQU\"\.\"EST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"preg\_re\"\.\"place\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQU\"\.\"EST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+if\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\/\*vsql\*\/exit\;\}\/\*([A-z0-9]{1,20})\*\//is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\=\"pre\"\.\"g\_r\"\.\"epl\"\.\"ace\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}/is,
qr/<\?php\s+if\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\/\*([A-z0-9]{1,20})\*\//is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"asser\"\.\"t\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"preg\_repl\"\.\"ace\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_REQUES\"\.\"T\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;exit\;\}/is,
qr/<\?php\s+if\(isset\(\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\"preg\"\.\"\_rep\"\.\"lace\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}\?>/is,
qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\{\"\_RE\"\.\"QUE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\=\/\*([A-z0-9]{1,20})\*\/\"preg\"\.\"\_rep\"\.\"lace\"\;\$([A-z0-9]{1,20})\(\'\/\/e\'\,\$\{\"\_RE\"\.\"QUE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\,\'\'\)\;exit\;\}/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$([A-z0-9]{1,20})\=\"asse\"\.\"rt\"\;\/\*([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\/\*([A-z0-9]{1,20})\*\/\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\/\*([A-z0-9]{1,20})\*\/\;exit\;\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;.+?error\_reporting\(0\)\;.+?\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;.+?\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;.+?if\s+\(preg\_match\(\'\/googlebot\|slurp.+?header\(\'Location\:\s+\'\.\$location\.\'\&\'\.\$([A-z0-9]{1,10})\,\s+TRUE\,\s+302\)\;\s+\}/is,
qr/<\?php\s+if\(\$\_GET\[\".+?\(\$\_FILES\[\"uploadedfile\"\].+?<\/form>/is,
qr/<\?php\s+\$\{.+?\=\@unserialize\(decode\(get\_param.+?\]\}\;\}\s+\?>/is,
qr/<\?php.+?define\(\'\_JEXEC\'\,\s+\'([A-z0-9]{100,}).+?<\/form>\'\;\s+\?>/is,
qr/<\?php\s+\/\*\s+DO.+?class\s+ADODB\_Pager.+?\$pager\->render\_pagelinks\(\)\;/is,
);

4
scan.php
View File

@@ -463,8 +463,8 @@ error_reporting(E_ALL);
"RewriteCond %{HTTP_REFERER}\s*\^\.\*\s*\([^\)]*[google|yahoo|bing|ask|wikipedia|youtube][^\)]",
"^<\?php\s*if\(!function_exists\([^{]+\s*{\s*function[^}]+\s*}\s*[^\"']+\s*[\"'][^\"']+[\"'];\s*eval\s*\(.*\)\s*;\s*}",
"<\?php)*\\\$md5\s*=\s*[\"|']\w+[\"|'];\s*\\\$wp_salt\s*=\s*[\w\(\),\"\'\;\$]+\s*\\\$wp_add_filter\s*=\s*create_function\(.*\);\s*\\\$wp_add_filter\(.*\);\s*(\?>",
"<\?php(.*)if\(isset\(\$\_REQUEST\[(.*)assert(.*)exit(.*)\?>",
"<\?php(.*)if\(isset\(\$\_REQUEST\[(.*)\"asse\"\.\"rt\"(.*)exit(.*)\?>",
"<\?php.*?if\(isset\(\$\_REQUEST\[.*?assert.*?exit.*?\?>",
"<\?php.*?if\(isset\(\$\_REQUEST\[.*?\"asse\"\.\"rt\".*?exit.*?\?>",
// hacker emails & socials
"b0x\@hotmail\.com",
"facebook\.com\/007mrspy",