Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new patterns

Browse Source
This commit is contained in:
Palma Solutions LTD
2018-11-26 13:39:57 +01:00
parent 5a4d5a29ec
commit 2742353ad0
2 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
malware6.pl
View File

@@ -373,12 +373,10 @@ my @regexen = (
qr/<\?php \/\*\s+GNU GENERAL PUBLIC.+?\*\/extract\(\$_COOKIE\);\/\*.+?\*\/\@\$([A-z0-9_]{1,20})&&\@\$W\(\$X\(\$Y,\$Z\)\);\/\*.+?\*\/ \?>/is,
qr/<\?php\s+if \(\@\$_SERVER\[\'HTTP_X_([A-z0-9_]{1,20})\'\]\) \{\s+echo \"YES_YES\";\s+if \(\@\$_SERVER\[\'HTTP_X_TO\'\]\) \{\s+file_put_contents\(\@\$_SERVER\[\'HTTP_X_TO\'\], \@\$_SERVER\[\'HTTP_X_DATA\'\]\);\s+\}\s+\}\s+\?>/is,
qr/if\(!class_exists\(\'Ratel\'\)\)\{if\(function_exists\(\'is_user_logged_in\'\)\)\{if\(is_user_logged_in\(\)\)\{return false;\}\}if\(isset\(\$_REQUEST\[\'xftest\'\]\)\)\{die\(pi\(\)\*6\);\}.+?\$ratel=new Ratel;\$ratel->init\(\$ruri,\$host,\$is_bot\);\}/is,
qr/<\?php\s+if\(isset\(\$_POST\[\'.+?\$b=base64_decode\(\$html\);\s+\}\s+if\(strlen\(\$b\)<300\)\{echo \'indexcode not ok\';exit;\};\s+if\(file_exists\(\$index\)\)\{\@chmod\(\$index,0755\);\@unlink\(\$index\);\}\@file_put_contents\(\$index,\$b\);echo \'ok\';\s+\}\s+\?>/is,
qr/<\?php\s+\@session_start\(\);.+?\$default_use_ajax = true;\s+\$_F=__FILE__;\$_X=.+?eval\(base64_decode\(.+?\)\);\?>/is,
qr/<\?php eval\(gzinflate\(gzinflate\(base64_decode\(\".+?\"\)\)\)\); \?>/is,
);

4
malwaresh.pl
View File

@@ -1360,8 +1360,10 @@ my @regexen = (
qr/<\?php \/\*\s+GNU GENERAL PUBLIC.+?\*\/extract\(\$_COOKIE\);\/\*.+?\*\/\@\$([A-z0-9_]{1,20})&&\@\$W\(\$X\(\$Y,\$Z\)\);\/\*.+?\*\/ \?>/is,
qr/<\?php\s+if \(\@\$_SERVER\[\'HTTP_X_([A-z0-9_]{1,20})\'\]\) \{\s+echo \"YES_YES\";\s+if \(\@\$_SERVER\[\'HTTP_X_TO\'\]\) \{\s+file_put_contents\(\@\$_SERVER\[\'HTTP_X_TO\'\], \@\$_SERVER\[\'HTTP_X_DATA\'\]\);\s+\}\s+\}\s+\?>/is,
qr/if\(!class_exists\(\'Ratel\'\)\)\{if\(function_exists\(\'is_user_logged_in\'\)\)\{if\(is_user_logged_in\(\)\)\{return false;\}\}if\(isset\(\$_REQUEST\[\'xftest\'\]\)\)\{die\(pi\(\)\*6\);\}.+?\$ratel=new Ratel;\$ratel->init\(\$ruri,\$host,\$is_bot\);\}/is,
qr/<\?php\s+if\(isset\(\$_POST\[\'.+?\$b=base64_decode\(\$html\);\s+\}\s+if\(strlen\(\$b\)<300\)\{echo \'indexcode not ok\';exit;\};\s+if\(file_exists\(\$index\)\)\{\@chmod\(\$index,0755\);\@unlink\(\$index\);\}\@file_put_contents\(\$index,\$b\);echo \'ok\';\s+\}\s+\?>/is,
qr/<\?php\s+\@session_start\(\);.+?\$default_use_ajax = true;\s+\$_F=__FILE__;\$_X=.+?eval\(base64_decode\(.+?\)\);\?>/is,
qr/<\?php eval\(gzinflate\(gzinflate\(base64_decode\(\".+?\"\)\)\)\); \?>/is,
);
my @base64_decodes = (