added 3 new patterns

2019-01-17 06:54:59 +01:00 · 2019-01-17 06:54:59 +01:00 · 25fd577c47
commit 25fd577c47
parent dd426d89eb
2 changed files with 9 additions and 1 deletions
--- a/malware6.pl
+++ b/malware6.pl
@ -384,7 +384,12 @@ my @regexen = (
    qr/<\?php \$([A-z0-9_]{1,20}) = \'gz\'\. \'un\'\. \'co\'\. \'mp\'\. \'re\'\. \'ss\';\$([A-z0-9_]{1,20}) = \'base\' \.\'64_d\' \.\'ecod\' \.\'e\';\$([A-z0-9_]{1,20}) = \'im\' \.\'pl\' \.\'od\' \.\'e\';\$([A-z0-9_]{1,20}) = array\(.+?\)\)\)\); \?>/is,
    qr/<center><\? echo \'<b>Mailer<\/b><br>.+?<input type=hidden name=a value=\'FilesMan\'>.+?\$data=curl_exec\(\$ch\);if\(\!\$data\)\{return false;\}return \$data;\}exit;/is,
    qr/<\?php header\(\"Cont\\145nt-Type: te\\x78t\/html; charset=utf-8\"\);error_reporting\(.+?\@preg_split\(\"\/\\x5cR\\134R\/\",\$([A-z0-9_]{1,20}),-0173- -0124-0213- -0264\);\$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20});endif;endif;return\$([A-z0-9_]{1,20});\};/is,
-        
+    qr/<\?php header\(\"Cont\\145nt-Type: te\\x78t\/html; charset=utf-8\"\);error_reporting\(.+?\@preg_split\(\"\/\\x5cR\\134R\/\",\$([A-z0-9_]{1,20}),-0173- -0124-0213- -0264\);\$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20});endif;endif;return\$([A-z0-9_]{1,20});\};/is,
    qr/<\?php echo \'2018\'\.\'2019\'; if \(isset\(\$_REQUEST\[\'e\'\]\)\) \{ \$e = \$_REQUEST\[\'e\'\]; \$arr = array\(\$_POST\[\'w0w\'\],\); array_filter\(\$arr, \$e\); \}\?>/is,
    qr/<\?php\s+error_reporting\(0\);\s+set_time_limit\(0\);\s+if \(\$_GET\[\'q\'\]==\'1\'\)\{echo \'200\'; exit;\}\s+if\(\$_GET\[\'key\'\]==\'.+?\'\)eval\(base64_decode\(\$_POST\[\'fack\'\]\)\);\s+if\(md5\(\$_GET\[\'key\'\]\)==\'.+?\'\)eval\(base64_decode\(\$_POST\[\'fack\'\]\)\);\s+\?> /is,
    qr/<\?php \$GLOBALS\[\'([A-z0-9_]{1,20})\'\]=Array\(\'str_\' \.\'rot13\',\'pack\',\'st\' \.\'rrev\'\); \?><\?php function.+?\(\$_1\)\)\);if\(isset\(\$_1\)\)\{\@eval\(\$_1\);exit\(\);\}\}/is,
 );
--- a/malwaresh.pl
+++ b/malwaresh.pl
@ -1373,6 +1373,9 @@ my @regexen = (
    qr/<\?php \$([A-z0-9_]{1,20}) = \'gz\'\. \'un\'\. \'co\'\. \'mp\'\. \'re\'\. \'ss\';\$([A-z0-9_]{1,20}) = \'base\' \.\'64_d\' \.\'ecod\' \.\'e\';\$([A-z0-9_]{1,20}) = \'im\' \.\'pl\' \.\'od\' \.\'e\';\$([A-z0-9_]{1,20}) = array\(.+?\)\)\)\); \?>/is,
    qr/<center><\? echo \'<b>Mailer<\/b><br>.+?<input type=hidden name=a value=\'FilesMan\'>.+?\$data=curl_exec\(\$ch\);if\(\!\$data\)\{return false;\}return \$data;\}exit;/is,
    qr/<\?php header\(\"Cont\\145nt-Type: te\\x78t\/html; charset=utf-8\"\);error_reporting\(.+?\@preg_split\(\"\/\\x5cR\\134R\/\",\$([A-z0-9_]{1,20}),-0173- -0124-0213- -0264\);\$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20});endif;endif;return\$([A-z0-9_]{1,20});\};/is,
    qr/<\?php echo \'2018\'\.\'2019\'; if \(isset\(\$_REQUEST\[\'e\'\]\)\) \{ \$e = \$_REQUEST\[\'e\'\]; \$arr = array\(\$_POST\[\'w0w\'\],\); array_filter\(\$arr, \$e\); \}\?>/is,
    qr/<\?php\s+error_reporting\(0\);\s+set_time_limit\(0\);\s+if \(\$_GET\[\'q\'\]==\'1\'\)\{echo \'200\'; exit;\}\s+if\(\$_GET\[\'key\'\]==\'.+?\'\)eval\(base64_decode\(\$_POST\[\'fack\'\]\)\);\s+if\(md5\(\$_GET\[\'key\'\]\)==\'.+?\'\)eval\(base64_decode\(\$_POST\[\'fack\'\]\)\);\s+\?> /is,
    qr/<\?php \$GLOBALS\[\'([A-z0-9_]{1,20})\'\]=Array\(\'str_\' \.\'rot13\',\'pack\',\'st\' \.\'rrev\'\); \?><\?php function.+?\(\$_1\)\)\);if\(isset\(\$_1\)\)\{\@eval\(\$_1\);exit\(\);\}\}/is,