Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new patterns

Browse Source
This commit is contained in:
Palma Solutions LTD
2018-04-27 19:19:36 +02:00
parent 6c7adf5176
commit 217cbd931c
2 changed files with 10 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
malware5.pl
View File

@@ -304,6 +304,11 @@ my @regexen = (
qr/<\?php\s+Error\_Reporting\(0\)\;\s+\$s\_pass\s+\=.+?b374k.+?\,\$s\_pass\)\;\?>/is,
qr/<\?php\s+Error\_Reporting\(0\)\;\s+\$([A-z0-9]{1,20})\=.+?\\x3B\"\,\"\.\"\)\;return\;\s+\?>/is,
qr/<\?php\s+echo\s+\"<html><head>.+?echo\s+\"<\!\-\-\s+g\(\'FilesMan\'\,\'c\:\/\'\)\s+\-\-\!>\"\;.+?function\s+wscandir\(\$cwdir\)\s+\{.+?echo\s+\"<\/body><\/html>\"\;/is,
qr/\/\/eAccelerate\s+Caching\s+System.+?\!preg\_match\(\"\/\(googlebot\|msnbot\|yahoo\|search\|bing\|ask\|indexer\)\/i\".+?base64\_decode\(.+?\)\:\(\'\'\)\)\.\$output\;\}/is,
qr/<\?php\s+function\s+html\(\$data\)\s+\{\s+\$html\=implode\(.+?array\_unshift\(\$data.+?\$words\_idx\=array\_rand\(\$words\,rand\(\$min\,\$max\)\)\;.+?\"h\"\.\"tac\"\.\"c\"\.\"es\"\.\"s\"\;\$.+?header\(\"HTTP\/1\.1\s+404\s+Not\s+Found\"\)\;echo\(html\(array\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php\s+for\(\$o\=0\,\$e\=\'.+?\'\,\$d\=\'\'\;\@ord\(\$e\[\$o\]\)\;\$o\+\+\)\{if\(\$o<16\)\{\$h\[\$e\[\$o\]\]\=\$o\;\}else\{\$d\.\=\@chr\(\(\$h\[\$e\[\$o\]\]<<4\)\+\(\$h\[\$e\[\+\+\$o\]\]\)\)\;\}\}eval\(\$d\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"PCT4BA6ODSE\_\"\;\$([A-z0-9]{1,20})\=strtolower\(\$([A-z0-9]{1,20})\[.+?\]\;if\(isset\(\$([A-z0-9]{1,20})\)\)\{eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;\}\?>/is,
qr/<\?\s+\$auth\_pass\s+\=.+?FilesMan.+?eval\(base64\_decode\(.+?return\;\s+\?>/is,
);

5
malwaresh.pl
View File

@@ -785,6 +785,11 @@ my @regexen = (
qr/<\?php\s+error\_reporting\(0\)\;\s+\$ver\s+\=\s+\'6\.6\.6\'\;.+?exit\(\'Access\s+Denied\'\)\;.+?if\s+\(\$cracktrack\s+\!\=\s+\$checkworm\)\s+die\(\"\"\)\;\s+\}\s+\?>/is,
qr/<\?php\s+Error\_Reporting\(0\)\;\s+\$([A-z0-9]{1,20})\=.+?\\x3B\"\,\"\.\"\)\;return\;\s+\?>/is,
qr/<\?php\s+echo\s+\"<html><head>.+?echo\s+\"<\!\-\-\s+g\(\'FilesMan\'\,\'c\:\/\'\)\s+\-\-\!>\"\;.+?function\s+wscandir\(\$cwdir\)\s+\{.+?echo\s+\"<\/body><\/html>\"\;/is,
qr/\/\/eAccelerate\s+Caching\s+System.+?\!preg\_match\(\"\/\(googlebot\|msnbot\|yahoo\|search\|bing\|ask\|indexer\)\/i\".+?base64\_decode\(.+?\)\:\(\'\'\)\)\.\$output\;\}/is,
qr/<\?php\s+function\s+html\(\$data\)\s+\{\s+\$html\=implode\(.+?array\_unshift\(\$data.+?\$words\_idx\=array\_rand\(\$words\,rand\(\$min\,\$max\)\)\;.+?\"h\"\.\"tac\"\.\"c\"\.\"es\"\.\"s\"\;\$.+?header\(\"HTTP\/1\.1\s+404\s+Not\s+Found\"\)\;echo\(html\(array\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php\s+for\(\$o\=0\,\$e\=\'.+?\'\,\$d\=\'\'\;\@ord\(\$e\[\$o\]\)\;\$o\+\+\)\{if\(\$o<16\)\{\$h\[\$e\[\$o\]\]\=\$o\;\}else\{\$d\.\=\@chr\(\(\$h\[\$e\[\$o\]\]<<4\)\+\(\$h\[\$e\[\+\+\$o\]\]\)\)\;\}\}eval\(\$d\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"PCT4BA6ODSE\_\"\;\$([A-z0-9]{1,20})\=strtolower\(\$([A-z0-9]{1,20})\[.+?\]\;if\(isset\(\$([A-z0-9]{1,20})\)\)\{eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;\}\?>/is,
qr/<\?\s+\$auth\_pass\s+\=.+?FilesMan.+?eval\(base64\_decode\(.+?return\;\s+\?>/is,
);