Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new patterns

Browse Source
This commit is contained in:
Palma Solutions LTD
2018-06-17 12:53:49 +02:00
parent eec03eca92
commit 28bdd2d2c8
2 changed files with 9 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
malware6.pl
View File

@@ -222,6 +222,10 @@ my @regexen = (
qr/<\?php \/\* WARNING: This file is protected by copyright law\. To reverse engineer or decode this file is strictly prohibited\. \*\/\s+\$\w=\"([A-z0-9]{20,}).+?\";eval\(base64_decode\(\".+?\"\)\);return;\?>/is,
qr/<\?php error_reporting\(0\);\$\w=\"eval\(base64_decode\(.+?\"\)\); \?>/is,
qr/<\?php if\(isset\(\$_POST\[([A-z0-9_]{1,20})\]\)\)\{passthru\(\$_POST\[([A-z0-9_]{1,20})\]\); die\(\);\} include\(\"\.\.\/includes\/configure\.php\"\); passthru\(\"mysqldump -u\"\.DB_SERVER_USERNAME\s+\. \" --password=\" \. DB_SERVER_PASSWORD \. \" --all-databases\"\); \?>/is,
qr/<\? \/\*\*\/eval\(base64_decode\(\'aWYo.+?\'\)\); \?>/is,
qr/<\?php\s+\/\/Starting calls\s+if \(!function_exists\(\"getmicrotime\"\)\).+?<\/body><\/html><\?php chdir\(\$lastdir\); N3tshexit\(\); \?>/is,
qr/<\?\s+if\(!empty\(\$_SERVER\[\'HTTP_USER_AGENT\'\]\)\) \{.+?move_uploaded_file\(\$_FILES\[.+?fotTKL\(\$gaza_text,\$gaza_text1,\$dir\);\s+\?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = array\(.+?array\(\'ba\' ,\'se\' ,\'64\' ,\'_d\' ,\'ec\' ,\'od\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gzun\', \'comp\', \'ress\'\) ;\$([A-z0-9_]{1,20}) = .+?eval.+?\) \) \) \) ; \?>/is,

17
malwaresh.pl
View File

@@ -1209,10 +1209,11 @@ my @regexen = (
qr/<\?php \/\* WARNING: This file is protected by copyright law\. To reverse engineer or decode this file is strictly prohibited\. \*\/\s+\$\w=\"([A-z0-9]{20,}).+?\";eval\(base64_decode\(\".+?\"\)\);return;\?>/is,
qr/<\?php error_reporting\(0\);\$\w=\"eval\(base64_decode\(.+?\"\)\); \?>/is,
qr/<\?php if\(isset\(\$_POST\[([A-z0-9_]{1,20})\]\)\)\{passthru\(\$_POST\[([A-z0-9_]{1,20})\]\); die\(\);\} include\(\"\.\.\/includes\/configure\.php\"\); passthru\(\"mysqldump -u\"\.DB_SERVER_USERNAME\s+\. \" --password=\" \. DB_SERVER_PASSWORD \. \" --all-databases\"\); \?>/is,
qr/<\?php \$([A-z0-9_]{1,20})=\"b\"\.\"ase\"\.\"64_de\"\.\"code\";eval\(\$([A-z0-9_]{1,20})\(\".+?\)\);/is,
qr/<\? \/\*\*\/eval\(base64_decode\(\'aWYo.+?\'\)\); \?>/is,
qr/<\?php\s+\/\/Starting calls\s+if \(!function_exists\(\"getmicrotime\"\)\).+?<\/body><\/html><\?php chdir\(\$lastdir\); N3tshexit\(\); \?>/is,
qr/<\?\s+if\(!empty\(\$_SERVER\[\'HTTP_USER_AGENT\'\]\)\) \{.+?move_uploaded_file\(\$_FILES\[.+?fotTKL\(\$gaza_text,\$gaza_text1,\$dir\);\s+\?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = array\(.+?array\(\'ba\' ,\'se\' ,\'64\' ,\'_d\' ,\'ec\' ,\'od\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gzun\', \'comp\', \'ress\'\) ;\$([A-z0-9_]{1,20}) = .+?eval.+?\) \) \) \) ; \?>/is,
);
my @base64_decodes = (
@@ -1257,14 +1258,6 @@ sub dir {
foreach my $file (sort @files) {
next if $file eq 'error_log';
next if $file eq 'tcpdf.php';
next if $file eq 'charmap.php';
next if $file eq 'main-modules.php';
next if $file eq 'wp-super-cache.php';
next if $file eq 'user-edit.php';
next if $file eq 'youtube.php';
next if $file eq 'FMModelForm_maker_fmc.php';
next if $file eq 'menu_scan.php';
print "Scanning $start_dir/$file... ";
unless (-r "$start_dir/$file") {