Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update malwaresh.pl

Browse Source
This commit is contained in:
Malin 2020-07-02 11:29:24 +02:00
parent d96bee3162
commit 2b57ed8923
1 changed files with 4 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
malwaresh.pl
View File

@ -26,13 +26,8 @@ print "Content-type: text/html\n\n";
my $user = $ARGV[0]; my $user = $ARGV[0];
my @regexen = ( my @regexen = (
qr/<\?php\s+\/\*\*\s+\* WordPress DB Class.+?\$_REQUEST = array_merge\(\$_GET, \$_POST, \$_COOKIE\);\s+\$auth = \"([A-z0-9_]{1,40})\";\s+\$sname = \@session_name\(\);.+?\$method = \"create\" \. \"_\" \. \"function\";\s+\$decode = \"base\" \. \"64_de\" \. \"code\";\s+\$reverse = \"str\" \. \"rev\";\s+\$decompress = \"gzun\" \. \"compress\";.+?\$action = \$method\(\'\'\, \$data\);\s+\$action\(\);\s+\}\s+\}\s+\}/is,
qr/<\?php \/\*([A-z0-9_]{1,50})\*\/ \?><\?php \$([A-z0-9_]{1,20}) = \".+?\'\' \) , \$([A-z0-9_]{1,20}) \)\)\.\"\'.+?\'\"\.([A-z0-9_]{1,20})\( \$([A-z0-9_]{1,20})\[([A-z0-9_]{1,20})\],\$([A-z0-9_]{1,20})\[([A-z0-9_]{1,20})\]\.\$([A-z0-9_]{1,20})\[([A-z0-9_]{1,20})\], \$([A-z0-9_]{1,20})\[([A-z0-9_]{1,20})\] \);\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\,array\(\'\'\,\'\}\'\.\$([A-z0-9_]{1,20})\.\'\/\/\'\)\);/is,
qr/<script type=\'text\/javascript\' src=\'https:\/\/snippet\.adsformarket\.com\/.+?\.js\?.+?\'<\/script>/is,
qr/var gfjfgjk = 1; var d=document;var s=d\.createElement\(\'script\'\); s\.type=\'text\/javascript\'; s\.async=true;\s+var pl = String\.fromCharCode\(.+?if \(document\.currentScript\) \{\s+document\.currentScript\.parentNode\.insertBefore\(s\, document\.currentScript\);\s+\} else \{\s+d\.getElementsByTagName\(\'head\'\)\[0\]\.appendChild\(s\);\s+\}/is, qr/var gfjfgjk = 1; var d=document;var s=d\.createElement\(\'script\'\); s\.type=\'text\/javascript\'; s\.async=true;\s+var pl = String\.fromCharCode\(.+?if \(document\.currentScript\) \{\s+document\.currentScript\.parentNode\.insertBefore\(s\, document\.currentScript\);\s+\} else \{\s+d\.getElementsByTagName\(\'head\'\)\[0\]\.appendChild\(s\);\s+\}/is,
qr/<script type=\'text\/javascript\' src=\'https:\/\/snippet\.adsformarket\.com\/same\.js\'><\/script>/is, qr/<script type=\'text\/javascript\' src=\'https:\/\/snippet\.adsformarket\.com\/same\.js\'><\/script>/is,
qr/<script type=text\/javascript src=\'https:\/\/track\.adsformarket\.com\/t\.js\'><\/script>/is,
qr/<\?php if\(isset\(\$_POST\[chr\(97\)\.chr\(115\)\..+?\@include\(\$a\);\@unlink\(\$a\);die\(\); \} \?>/is,
qr/<\?php function ([A-z0-9_]{1,20})\(\$\w,\$\w,\$\w\)\{return \$\w\.\$\w\.\$\w;\} \$([A-z0-9_]{1,20}) =.+?\(\"at\",chr\(101\),\"\(\\x62a\"\);\$.+?\'\"\.\$([A-z0-9_]{1,20});\$([A-z0-9_]{1,20})\(\'\', \'\}\'\.\$([A-z0-9_]{1,20})\.\'\/\/\'\);/is, qr/<\?php function ([A-z0-9_]{1,20})\(\$\w,\$\w,\$\w\)\{return \$\w\.\$\w\.\$\w;\} \$([A-z0-9_]{1,20}) =.+?\(\"at\",chr\(101\),\"\(\\x62a\"\);\$.+?\'\"\.\$([A-z0-9_]{1,20});\$([A-z0-9_]{1,20})\(\'\', \'\}\'\.\$([A-z0-9_]{1,20})\.\'\/\/\'\);/is,
qr/<\?php \$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}\[.+?eval\(\$([A-z0-9]{1,20})\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[([0-9]{1,5})\]\]\);\s+\}\s+exit\(\);\s+\}\s+\}/is, qr/<\?php \$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}\[.+?eval\(\$([A-z0-9]{1,20})\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[([0-9]{1,5})\]\]\);\s+\}\s+exit\(\);\s+\}\s+\}/is,
qr/<\?php\s+\/\/header\(.+?\\x30\"\]\(\);\?>/is, qr/<\?php\s+\/\/header\(.+?\\x30\"\]\(\);\?>/is,
@ -1473,14 +1468,6 @@ my @regexen = (
qr/<\?php.+?if\(\!function_exists\(.+?=base64_decode\(\$.+?=\(ord\(\$.+?\"\)\);\?>/is, qr/<\?php.+?if\(\!function_exists\(.+?=base64_decode\(\$.+?=\(ord\(\$.+?\"\)\);\?>/is,
qr/<\?php\s+\$.+?eval\(base64_decode\(gzuncompress\(base64_decode\(\$.+?\)\)\)\);\?>/is, qr/<\?php\s+\$.+?eval\(base64_decode\(gzuncompress\(base64_decode\(\$.+?\)\)\)\);\?>/is,
qr/<\?php \$__FILE__=__FILE__;\$__X__=\'.+?\)\);unset\(\$__X__\);unset\(\$__FILE__\); \?>/is, qr/<\?php \$__FILE__=__FILE__;\$__X__=\'.+?\)\);unset\(\$__X__\);unset\(\$__FILE__\); \?>/is,
qr/<\?php \/\*\*\* WebShellOrb 2\.6 - With PHP 7 \*\*\*\/ \$.+?=file\(\_\_FILE\_\_\);eval\(base64_decode\(\"aWYo.+?\)\)\);\_\_halt_compiler\(\);aWYo.+?\+fwE=/is,
qr/<\?php\s+error_reporting\(0\);.+?Database Emails Extractor By SparkyDz.+?return \$result;\s+\}\s+\?>/is,
qr/<\?php passthru\(\$_GET\[\'cmd\'\]\); \?>/is,
qr/<\?php.+?\$url = \"\(B\)\/\(C\)\-\(A\)\.html\";.+?0=urldecode\(\"\%6.+?\)\);\s+\?>/is,
qr/<\?php if\(\$_GET\[\'l\'\]\)\{\@move_uploaded_file\(\$_FILES\[\'f\'\]\[\'tmp_name\'.+?<\/form>\'; \?>/is,
qr/<\?php if\(\$_GET\[\"\\x6c\"\]\)\{\@move_uploaded_file\(\$_FILES\[.+?<\/f\\x6frm>\"; \?>/is,
); );
my @base64_decodes = ( my @base64_decodes = (
@ -1491,9 +1478,9 @@ my @base64_decodes = (
my @file_list; my @file_list;
my %possible_list; my %possible_list;
my $start_dir = "$user"; my $start_dir = "/home/";
$start_dir =~ s/\/LP-MSH-Scanner//; $start_dir =~ s/\/cgi-bin//;
$start_dir =~ s/\/lp-msh-scanner//; $start_dir =~ s/\/PS-MAC//;
$start_dir = substr($start_dir, 0, rindex($start_dir, '/')); $start_dir = substr($start_dir, 0, rindex($start_dir, '/'));
dir ($start_dir); dir ($start_dir);
@ -1591,4 +1578,4 @@ sub clean_file {
return ($contents, $cleaned); return ($contents, $cleaned);
} }
1; 1;