new patterns
@@ -39,6 +39,8 @@ my @regexen = (
|
||||
qr/<\?php.+?\$auth_pass.+?FilesMan.+?preg_replace\(\"\/\.\*\/e\",\"\\x65.+?\\x3B\",\"\.\"\);\?>/is,
|
||||
qr/<\?php\s+\@preg_replace\(\"\\x.+?\);\?>/is,
|
||||
qr/<\?php \$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}).+?\);\$([A-z0-9]{1,20}) = \"([A-z0-9]{20,})\";\$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}).+?\$([A-z0-9]{1,20}) = \"\"; \?>/is,
|
||||
qr/<\?php if \(\$_SERVER\[\'QUERY_STRING\'\] != \"passw0rd\"\) \{.+?\$uploadfile = \$uploaddir \. basename\(\$_FILES\[.+?\$numemails mail\(s\) was sent successfully\'\); <\/script>\";.+?\?>\s+<\/body>\s+<\/html>/is,
|
||||
qr/\@ini_set\(\'display_errors\', \'0\'\);.+?if \(!\$npDcheckClassBgp\) \{.+?str_replace\(\'([A-z0-9_]{1,20})\', \'bas\'.+?str_replace\(\'([A-z0-9]{1,20})\', \'64\'.+?function wp\_cd\(\$fd, \$fa=\"\"\).+?fwrite\(\$hdl, \"<\?php\\n\$mtchs\[1\]\\n\?>\"\);.+?\$npDcheckClassBgp = \'([A-z0-9]{1,20})\';\s+\}/is,
|
||||
|
||||
);
|
||||
|
||||
|
||||
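Review bot: The class `[A-z0-9]` used in the `$`-variable patterns of this hunk runs from ASCII `A` to `z`, so it also accepts `[`, `\`, `]`, `^`, `_` and the backtick; the patterns already carry `/i`, so `[a-z0-9_]` states the intent. The `+`/`-` markers are lost on this page, so I cannot tell which two entries are new. The `wp_cd` entry pins the literal name `$npDcheckClassBgp` and the uploader entry pins `"passw0rd"`, while neighbouring identifiers are wildcarded, so a sample that differs only in those literals is missed; matching them the same way, e.g. `\$[a-z0-9_]{1,30}`, would be more robust. None of the capture groups appear to be read, so `(?:...)` or no parentheses would do. The identical lines in the following hunk (`@@ -1023,6 +1023,8`) have the same issues.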
@@ -1023,6 +1023,8 @@ my @regexen = (
|
||||
qr/<\?php.+?\$auth_pass.+?FilesMan.+?preg_replace\(\"\/\.\*\/e\",\"\\x65.+?\\x3B\",\"\.\"\);\?>/is,
|
||||
qr/<\?php\s+\@preg_replace\(\"\\x.+?\);\?>/is,
|
||||
qr/<\?php \$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}).+?\);\$([A-z0-9]{1,20}) = \"([A-z0-9]{20,})\";\$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}).+?\$([A-z0-9]{1,20}) = \"\"; \?>/is,
|
||||
qr/<\?php if \(\$_SERVER\[\'QUERY_STRING\'\] != \"passw0rd\"\) \{.+?\$uploadfile = \$uploaddir \. basename\(\$_FILES\[.+?\$numemails mail\(s\) was sent successfully\'\); <\/script>\";.+?\?>\s+<\/body>\s+<\/html>/is,
|
||||
qr/\@ini_set\(\'display_errors\', \'0\'\);.+?if \(!\$npDcheckClassBgp\) \{.+?str_replace\(\'([A-z0-9_]{1,20})\', \'bas\'.+?str_replace\(\'([A-z0-9]{1,20})\', \'64\'.+?function wp\_cd\(\$fd, \$fa=\"\"\).+?fwrite\(\$hdl, \"<\?php\\n\$mtchs\[1\]\\n\?>\"\);.+?\$npDcheckClassBgp = \'([A-z0-9]{1,20})\';\s+\}/is,
|
||||
);
|
||||
|
||||
my @base64_decodes = (
|
||||
|
||||
6
scan.py
6
scan.py
@@ -440,7 +440,8 @@ def is_hacked(filename):
|
||||
or (line_num < 4 and "passthru($_POST[" in l) \
|
||||
or (line_num == 1 and '$stg="ba"."se"."64_d"."ecode";eval($stg(' in l) \
|
||||
or '(edoced_46esab(etalfnizg(lave' in l \
|
||||
or "file_put_contents('1.txt', print_r" in l:
|
||||
or "file_put_contents('1.txt', print_r" in l \
|
||||
or 'function wp_cd(' in l:
|
||||
score.append(('PHP_SHELL', ''))
|
||||
|
||||
if 'move_uploaded_file(' in l:
|
||||
@@ -547,7 +548,8 @@ def is_hacked(filename):
|
||||
or 'Wells Fargo Home Page' in l \
|
||||
or 'Chase Online - Logon' in l:
|
||||
score.append(('PHISHING', ''))
|
||||
if re.compile('User-Agent.*cpuminer').match(l):
|
||||
if re.compile('User-Agent.*cpuminer').match(l) \
|
||||
or 'stratum+tcp' in l:
|
||||
score.append(('CRYPTO', ''))
|
||||
previous_line = l
|
||||
|
||||
|
||||
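Review bot: In the `CRYPTO` check of the second hunk (`@@ -547,7 +548,8`), `re.compile('User-Agent.*cpuminer').match(l)` only matches when `User-Agent` is the first thing on the line, whereas the newly added `'stratum+tcp' in l` matches anywhere. If `l` is not stripped before this point (not visible in the hunk), an indented or prefixed header is missed; `re.search('User-Agent.*cpuminer', l)` would make the two tests consistent. Both new substring tests, `'function wp_cd(' in l` in the first hunk and `'stratum+tcp' in l` here, append a score on a single literal, so a short comment naming the sample each was taken from would help when tuning false positives later. `is_hacked` starts and ends outside both hunks.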