Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new patterns added

Browse Source
This commit is contained in:
Palma Solutions LTD
2018-02-04 11:31:31 +01:00
parent f2a1e1c5b8
commit 27c0dbd5a2
1 changed files with 12 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
malware4.pl
View File

@@ -302,6 +302,18 @@ my @regexen = (
qr/<\?php\s+\/\*.+?\*\/if\/\*.+?\*\/\(isset\(\$\_COOKIE\[\".+?\"\]\)\)\{\$\_COOKIE\[\".+?\"\]\(\$\_COOKIE\[\".+?\"\]\)\;exit\;\}\/\*.+?\*\//is,
qr/<script>\$\=\~\[\]\;\$\=\{\_\_\_\:\+\+\$\,\$\$\$\$\:\(\!\[\].+?\+\$\.\$\$\$\_\+\(\!\[\]\+\"\"\)\[\$\.\_\$\_\]\+\"\)\;\"\+\"\W\"\"\)\(\)\)\(\)\;<\/script>/is,
qr/<script\s+type\=\'text\/javascript\'>\s+var\s+\_([A-z0-9]{1,20})\=.+?\]\]\(\/\^\/\,String\)\)\{while\(.+?\]\]\(\s+new\s+RegExp\(.+?\]\)\,0\,\{\}\)\)\s+<\/script>/is,
qr/<\?php\s+if\(isset\(\$\{\"\_REQUE\"\.\"ST\"\}\[\'.+?\'\]\)\)\/\*.+?\*\/\{\$\w\/\*.+?\*\/\=\"preg\"\.\"\_rep\"\.\"lace\"\;\/\*.+?\*\/\$\w\(\'\/\/e\'\,\$\{\"\_REQUE\"\.\"ST\"\}\[\'.+?\'\]\,\'\'\)\;exit\;\}/is,
qr/<\?php\s+\/\*.+?\*\/if\/\*.+?\*\/\(isset\(\$\_REQUEST\[\'.+?\'\]\)\)\{\/\*.+?\*\/\$\w\/\*.+?\*\/\=\/\*.+?\*\/\"asse\"\.\"rt\"\;\/\*.+?\*\/\$\w\=\$\w\/\*.+?\*\/\(\/\*.+?\*\/\$\_REQUEST\[\'.+?\'\]\)\/\*.+?\*\/\;exit\;\/\*.+?\*\/\}\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'.+?\'\]\)\)\/\*.+?\*\/\{\/\*.+?\*\/eval\(\/\*.+?\*\/\$\_REQUEST\[\'.+?\'\]\)\;\/\*.+?\*\/exit\;\/\*.+?\*\/\}\?>/is,
qr/<\?php\s+if\/\*.+?\*\/\(isset\(\$\_COOKIE\[\".+?\"\]\)\)\/\*.+?\*\/\{\$\_COOKIE\[\".+?\"\]\(\$\_COOKIE\[\".+?\"\]\)\;\/\*.+?\*\/exit\;\}/is,
qr/<\?php\s+if\/\*.+?\*\/\(isset\(\$\_REQUEST\[\'.+?\'\]\)\)\/\*.+?\*\/\{\$\w\/\*.+?\*\/\=\"as\"\.\"se\"\.\"rt\"\;\/\*.+?\*\/\$\w\=\$\w\/\*.+?\*\/\(\/\*.+?\*\/\$\_REQUEST\[\'.+?\'\]\)\/\*.+?\*\/\;exit\;\}\?>/is,
qr/<\?php\s+\/\*.+?\*\/if\/\*.+?\*\/\(isset\(\$\_REQUEST\[\'.+?\'\]\)\)\/\*.+?\*\/\{\/\*.+?\*\/eval\(\/\*.+?\*\/\$\_REQUEST\[\'.+?\'\]\)\;\/\*.+?\*\/exit\;\}\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'.+?\'\]\)\)\/\*.+?\*\/\{eval\(\/\*.+?\*\/\$\_REQUEST\[\'.+?\'\]\)\;exit\;\}\?>/is,
qr/<\?php\s+\/\/00023f\s+if\s+\(\!extension\_loaded\(\'IonCube\_loader\'\)\).+?return\s+0\;\s+\?>.+?\Z/is,
qr/<html><body>.+?<\?php\s+error\_reporting\s+\(0\)\;.+?\&mode\=upload\'\s+method\s+\=\s+\'POST\'.+?clearstatcache\s+\(\)\;.+?echo\s+\"<\/table><br>\"\;/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'xftest\'\]\)\)die\(pi\(\)\*6\)\;\$\{.+?\=\@unserialize\(decode\(get\_params\(\$\{\$\{\"GLO.+?\]\}\;\}\s+\?>/is,
qr/<\?php\s+if\s+\(\!defined\(\'ALREADY\_RUN\_.+?define\(\'ALREADY\_RUN\_.+?\$([A-z0-9]{1,20})\s+\=\s+Array\(.+?eval\/\*([A-z0-9]{1,20})\*\/\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\)\;\s+\}/is,
);
my @base64_decodes = (