new patterns

malware5.pl

@@ -94,6 +94,25 @@ my @regexen = (
     qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\=\s+array\(\'b\'\s+\,\'a\'\s+\,\'s\'\s+\,\'e\'\s+\,\'6\'\s+\,\'4\'\s+\,\'\_\'\s+\,\'d\'\s+\,\'e\'\s+\,\'c\'\s+\,\'o\'\s+\,\'d\'\s+\,\'e\'\)\;\s+\$.+?\=\s+array\(\'gz\'\,\s+\'un\'\,\s+\'co\'\,\s+\'mp\'\,\s+\'re\'\,\s+\'ss\'\)\s+\;\$.+?eval\s+\(\s+\$.+?\)\s+\)\s+\)\s+\)\s+\;\s+\?>/is,
     qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'s\'\.\'t\'\.\'r\'\.\'r\'\.\'e\'\.\'v\'\;\$.+?\=\s+array\(.+?\'esab\'\)\;\$.+?\(\'edo\'\.\'lpm\'\.\'i\'\)\;\$.+?\)\.\'\'\)\;eval\(\$.+?\)\)\)\)\;\s+\?>/is,
     qr/\$z\=get\_option\(\"([A-z0-9]{20,})\"\)\;\s+\$z\=base64\_decode\(str\_rot13\(\$z\)\)\;\s+if\(strpos\(\$z\,\"([A-z0-9]{1,20})\"\)\!\=\=false\)\{\s+\$\_z\=create\_function\(\"\"\,\$z\)\;\s+\@\$\_z\(\)\;\s+\}/is,    
+    qr/function\s+add\_js\_scripts\(\)\s+\{\s+wp\_enqueue\_script\(\'js\-rws\'\,\s+\'http\:\/\/cloudflare\.solutions.+?wp\_enqueue\_script\(\'js\-cors\'\,\s+\'http\:\/\/cloudflare\.solutions\/ajax\/libs\/cors\/cors\.js\'\,\s+\'\'\,\s+null\,\s+true\)\;\s+\}.+?add\_action\(\'login\_enqueue\_scripts\'\,\s+\'add\_js\_scripts\'\s+\)\;/is,
+    qr/<html><head><meta.+?Mocus7Shell.+?<\?php\s+echo\s+wordwrap\(php\_uname\(\).+?<\/body><\/html><\?php\s+chdir\(\$lastdir\)\;\s+c79shexit\(\)\;\s+\}\s+\?>/is,
+    qr/<\?php\s+session\_start\(\)\;.+?\@clearstatcache\(\)\;.+?\$auth\_pass\s+\=.+?eval\(base64\_decode\(gzinflate\(str\_rot13\(convert\_uudecode\(gzinflate\(base64\_decode\(\(\$([A-z0-9]{1,20})\)\)\)\)\)\)\)\)\;/is,
+    qr/<\!doctype.+?L0LZ666H05T.+?<\/body>\s+<html>/is,
+    qr/<html>\s+<head>.+?213\_90N6.+?<\/body>\s+<\/html>/is,
+    qr/<iframe\s+width\=0px\s+height\=0px\s+frameborder\=no\s+name\=frame1\s+src\=http\:\/\/.+?\.ru>\s+<\/iframe>/is,
+    qr/<\?php\s+\$\{.+?\"\;eval\(base64\_decode\(\$\{\$\{\"G\\x.+?\"\;eval\(base64\_decode\(\$\{\$.+?\}\,CURLOPT\_CONNECTTIMEOUT\,10\)\;curl\_setopt\(\$\{\$\{.+?>\"\;\s+\?>/is,
+    qr/<\?php.+?x48x\s+Mini\s+Shell\s+Backdoor.+?\@clearstatcache\(\)\;.+?function\s+login\_shell\(\)\s+\{\s+\?>/is,
+    qr/<\?php\s+\/\*\s+MMM\s+\*\/\$OOO000000\=urldecode\(.+?\}\;\$GLOBALS\[.+?\=\_\_FILE\_\_\;\$.+?\)\)\;return\;\?.+?\=([A-z0-9]{1,20})/is,
+    qr/<\?php\s+set\_time\_limit\(0\)\;.+?eval\(base64\_decode\(file\_get\_contents\(\'https\:\/\/pastebin\.com\/raw\/.+?return\s+\$info\;\s+\}\s+\?>/is,
+    qr/<\?php\s+\$\{.+?\"\;function\s+http\_get\(\$url\)\{\$\{.+?\]\}\=curl\_init\(\$\{\$\{.+?\]\}\,CURLOPT\_RETURNTRANSFER\,1\)\;\$\{\"G.+?\]\}\,CURLOPT\_FOLLOWLOCATION\,1\)\;curl\_setopt\(\$\{\$\{.+?\"\;return\s+curl\_exec\(\$\{\$\{\"GLO.+?\]\}\)\)\$\_POST\[.+?\"\.\$\_POST\[\"\w\"\]\)\;\s+\?>/is,
+    qr/<html>\s+<head>\s+<title>Shell\s+Helix\s+Sunda\s+Version.+?BConfig\s+Fucker.+?fclose\s+\(\$dosya\)\;\s+\$([A-z0-9]{1,10})\s+\=\'([A-z0-9]{100,}).+?<\/font>\s+<\/footer>\s+<\/html>/is,
+    qr/<\?php.+?VARIABLES\s+GOES\s+HERE.+?\$shell\_fake\_name.+?RESOURCES\s+GOES\s+HERE.+?\$icon\s+\=\s+\".+?<\/html>\"\;\s+echo\s+preg\_replace\(\"\/\\s\+\/\"\,\"\s+\"\,\$html\_final\)\;\s+\?>/is,
+    qr/<html><head>.+?<address>Apache\s+Server\s+at.+?Math\.floor\(Math\.random\(\)\*99999999999\)\;var\s+url\s+\=\s+idc\_glo\_url\+.+?else\s+login\_shell\(\)\;\s+if\(isset\(\$\_GET\[\'file\'\]\).+?return\s+\$buff\;\s+\}\s+\}\s+\?>.+?<\/font>\s+<\/footer>\s+<\/html>/is,
+    qr/<html>.+?Shell\s+priv\s+\/\/F3KS3C.+?\}\s+elseif\(\$\_GET\[\'do\'\]\s+\=\=\s+\'whois\'\)\s+\{\s+\?>.+?<\/select>\&nbsp\;\s+<\/form>/is,
+    qr/}\s+\}\s+function\s+login\_shell\(\)\s+\{\s+\?>/is,
+    qr/<script\s+type\=\"text\/javascript\">.+?<\/script>\s+<\/head>\s+<\?php.+?\.\/Mr\.\s+aQ\..+?function\s+w\_wget\(\$array\)\{.+?mail\(\$idb1\,\s+\"Tetep\s+Ganteng\"\,\s+\$idb3\,\s+\"\[\s+\"\s+\.\s+\$\_SERVER\[\'REMOTE\_ADDR\'\]\s+.\s+\"\s+\]\"\)\;\s+\*\/\s+\?>.+?<\/html>/is,
+    qr/<\!DOCTYPE.+?Yhuricka<\/title>.+?uid\=0\(root\)\s+gid\=0\(root\)\s+groups\=0\(root\).+?0ut<\/font>\s+<\/div>/is,
+    qr/<\!DOCTYPE.+?HACKED.+?<\/html>.+?<\!\-\-\s+document\.write\(unescape\(.+?\/\/\-\->\s+<\/script>/is,