From 218dfd837e5078dcb9c5a2979de14090956eed79 Mon Sep 17 00:00:00 2001
From: Malin
Date: Wed, 28 Dec 2016 12:59:45 +0100
Subject: [PATCH] Update 'malware3.pl'

---
 malware3.pl | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/malware3.pl b/malware3.pl
index 9809a75..df8b661 100644
--- a/malware3.pl
+++ b/malware3.pl
@@ -23,11 +23,10 @@ my @regexen = (
 qr/<\?php\s+function\s+([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\{\$([A-z0-9]{1,10})\s+\=\s+\'\'\;\s+for\(\$([A-z]{1,2})\=0\;\s+\$([A-z]{1,2})\s+\<\s+strlen\(\$([A-z0-9]{1,10})\)\;\s+\$([A-z]{1,2})\+\+\)\{\$([A-z0-9]{1,10})\s+\.\=\s+isset\(\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\]\)\s+\?\s+\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\]\s+\:\s+\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\;\}\s+\$([A-z0-9]{1,10})\=\"base64\_decode\"\;return\s+\$([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\)\;\}.+?\$([A-z]{1,2})\s+\=\s+\Array\(.+?eval\(([A-z0-9]{1,10})\(\$([A-z]{1,2})\,\s+\$([A-z]{1,2})\)\)\;\?>/is,
 qr/<\?php\s+\$([A-z0-9]{1,10})\=\'aWYoaXNzZXQoJF9SRVFVRVNUWydjb2NvJ10pICYmICRfUkVRVUVTVFsnY29jbyddIT0nJyl7ZXZhbCgkX1JFUVVFU1RbJ2NvY28nXSk7ZXhpdCgpO30\=\'\;eval\(base64\_decode\(\$([A-z0-9]{1,10})\)\)\;exit\(\)\;\s+\?>/is,
 qr//is,
- qr/<\?php\s+\$dom\s+=\s+array\(.+?\$url\)\;\s+\}\s+exit\;\s+\?>/is,
+ qr/<\!\-\-\-\s+Eagle\s+Security\s+Team\-\-\-\->.+?<\!\-\-\-\s+Eagle\s+Security\s+Team\-\-\-\->/is,
 qr/<\?php\s+if\s+\(isset\(\$\_REQUEST\[\"([A-z0-9]{1,10})\"\]\)\s+AND\s+\$\_REQUEST\[\"([A-z0-9]{1,10})\"\]\=\=\"1\"\)\{echo\s+\"200\"\;\s+exit\;\}\s+if\(isset\(\$\_POST\[\"([A-z0-9]{1,10})\"\]\)\s+\&\&\s+isset\(\$\_POST\[\"([A-z0-9]{1,10})\"\]\)\s+\&\&\s+\$\_POST\[\"([A-z0-9]{1,10})\"\]\=\=.+?\)eval\(gzuncompress\(base64\_decode\(\$\_POST\[\"([A-z0-9]{1,10})\"\]\)\)\)\;\s+\?>/is,
 qr/\*\/\s+eval\(base64\_decode\(\"aWY.+?\=\"\)\)\;\s+\/\*/is,
 qr/\*\/\s+eval\(base64\_decode\(\"aWY.+?\"\)\)\;\s+\/\*/is,
- # qr/<\?php.+?defined\(\'ALREADY\_RUN.+?\{\s+define\(\'ALREADY\_RUN.+?Array\(.+?eval.+?\)\)\;\s+\}/is,
 qr/<\?php\s+echo\"trest\"\;error\_reporting\(0\)\;.+?val\(base64\_decode\(\$kk\)\)\;\s+echo\"abrval\"\;\s+\?>/is,
 qr/<\?php\s+\@preg\_replace\(\$\_SERVER\[\'HTTP\_X\_([A-z0-9]{1,10})\'\]\,\s+\$\_SERVER\[\'HTTP\_X\_CURRENT\'\]\,\s+\'\'\)\;\s+\?>/is,
qr/<\?php\s+\/\*\*\s+\*\s+\@version.+?\$b64\s+\=\s+\"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\+\/\=\"\;.+?\$o3\s+\=\s+\$bits\s+\&\s+0xff\;.+?new\s+JApplication\(arrays+\(\'UID\'\s+\=>\s+\'.+?\'\)\)\;/is,
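Review bot: The added `Eagle Security Team` signature uses the identical marker string on both the opening and the closing side, so `.+?` under `/s` simply pairs each marker with the next one in file order; a page carrying the marker an odd number of times keeps a dangling marker and whatever follows it after cleanup, and a page with a single marker is not matched at all, which the commit does not address. Since the pattern is only anchored on an attacker-chosen HTML comment, its intent and limits belong next to the line, e.g. `# defacement block delimited by a PAIR of identical <!--- Eagle Security Team----> comments; unpaired markers are left in place`. Separately, the unchanged `qr//is` entry three lines above remains in the same list, and an empty pattern matches every input (or, depending on how the list is applied, reuses the last successful match), so a detection loop over `@regexen` presumably flags or rewrites every file regardless of the new signature. The `@regexen` list starts before this hunk and continues past its last line.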