From 27907d6fbebc9bf60a55659a6e58463b1b1770ad Mon Sep 17 00:00:00 2001 From: Palma Solutions LTD Date: Sun, 17 Jun 2018 07:34:19 +0200 Subject: [PATCH] new patterns --- malware6.pl | 6 +++++- malwaresh.pl | 8 ++++++-- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/malware6.pl b/malware6.pl index 1107dda..c1bad38 100644 --- a/malware6.pl +++ b/malware6.pl @@ -208,7 +208,11 @@ my @regexen = ( qr/<\?php\s+\$([A-z0-9_=]{1,3}) = \"([A-z0-9_=]{20,}).+?\$_REQUEST\[\'([A-z0-9_=]{1,20})\'\]\(\"\{\$_REQUEST\[\'([A-z0-9_=]{1,20})\'\]\}\(\{\$_REQUEST\[\'([A-z0-9_=]{1,20})\'\]\}\(\'\{\$([A-z0-9_=]{1,3})\}\'\)\);\"\);\s+\?>/is, qr/
<\/form>/is, qr/<\?php copy\(\'http:\/\/dl\.dropboxusercontent\.com\/s\/([A-z0-9_=]{1,20})\/([A-z0-9_=]{1,20})\.zip\',\'([A-z0-9_=]{1,20})\.php\'\);exit; ?>/is, - + qr/<\?php error_reporting\(0\);\$\w=\"\w\";\$\w=\"([A-z0-9_=]{1,20})\";eval\(base64_decode\(.+?\)\); \?>/is, + qr/<\?php error_reporting\(0\);if\(isset\(\$_POST\[\"\w\"\]\) and isset\(\$_POST\[\"\w\"\]\)\)\{if\(isset\(\$_POST\[\"input\"\]\)\)\{\$user_auth=\"&l=\"\.base64_encode\(\$_POST\[\"\w\"\]\).+?\{print \"sys_active\"\.\`uname -a\`;\}\} \?>/is, + qr/<\?php \$([A-z0-9_]{1,20})=\'base\'\.\(32*2\)\.\'_de\'\.\'code\';\$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20})\(str_replace\(\"\\n\", \'\', \'([A-z0-9_]{20,}).+?<\/form>/is, + qr/<\?php.+?\$xml = \$\w->response->asXML\(\);\s+echo base64_encode\(\$xml\);.+?\$xml_str = base64_decode\(\$str\);.+?echo \" error num: \"\.\$errno\.\' : \'\.\$errstr;\s+\}\s+\}\s+\}\s+\?>/is, + qr/\/\/([A-z0-9_+/]{500,})\Z/is, diff --git a/malwaresh.pl b/malwaresh.pl index 180f12c..83e1a73 100644 --- a/malwaresh.pl +++ b/malwaresh.pl @@ -1194,8 +1194,12 @@ my @regexen = ( qr/<\?php error_reporting\(0\);\$([A-z0-9_=]{1,20})=\"([A-z0-9_=]{1,20})\";eval\(base64_decode\(\"([A-z0-9_=]{1,20}).+?([A-z0-9_=]{1,20})\"\)\); \?>/is, qr/<\?php\s+\$([A-z0-9_=]{1,3}) = \"([A-z0-9_=]{20,}).+?\$_REQUEST\[\'([A-z0-9_=]{1,20})\'\]\(\"\{\$_REQUEST\[\'([A-z0-9_=]{1,20})\'\]\}\(\{\$_REQUEST\[\'([A-z0-9_=]{1,20})\'\]\}\(\'\{\$([A-z0-9_=]{1,3})\}\'\)\);\"\);\s+\?>/is, qr/<\/form>/is, - qr/<\?php copy\(\'http:\/\/dl\.dropboxusercontent\.com\/s\/([A-z0-9_=]{1,20})\/([A-z0-9_=]{1,20})\.zip\',\'([A-z0-9_=]{1,20})\.php\'\);exit; ?>/is, - + qr/<\?php copy\(\'http:\/\/dl\.dropboxusercontent\.com\/s\/([A-z0-9]{1,20})\/([A-z0-9]{1,20})\.zip\',\'([A-z0-9]{1,20})\.php\'\);exit; \?>/is, + qr/<\?php error_reporting\(0\);\$\w=\"\w\";\$\w=\"([A-z0-9_=]{1,20})\";eval\(base64_decode\(.+?\)\); \?>/is, + qr/<\?php error_reporting\(0\);if\(isset\(\$_POST\[\"\w\"\]\) and isset\(\$_POST\[\"\w\"\]\)\)\{if\(isset\(\$_POST\[\"input\"\]\)\)\{\$user_auth=\"&l=\"\.base64_encode\(\$_POST\[\"\w\"\]\).+?\{print \"sys_active\"\.\`uname -a\`;\}\} \?>/is, + qr/<\?php \$([A-z0-9_]{1,20})=\'base\'\.\(32*2\)\.\'_de\'\.\'code\';\$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20})\(str_replace\(\"\\n\", \'\', \'([A-z0-9_]{20,}).+?<\/form>/is, + qr/<\?php.+?\$xml = \$\w->response->asXML\(\);\s+echo base64_encode\(\$xml\);.+?\$xml_str = base64_decode\(\$str\);.+?echo \" error num: \"\.\$errno\.\' : \'\.\$errstr;\s+\}\s+\}\s+\}\s+\?>/is, + qr/\/\/([A-z0-9_+/]{500,})\Z/is, );