From 2b8002f19c19e177a09785a60930b4f466926d4a Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Sun, 25 Feb 2018 11:24:23 +0100
Subject: [PATCH] new patterns
---
 malware4.pl | 2 ++
 scan.php | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/malware4.pl b/malware4.pl
index f1999a6..e600cf8 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -335,6 +335,8 @@ my @regexen = (
 qr/<\?php\s+if\s+\(\(isset\(\$\_POST\[\'to\'\]\)\)\s+AND.+?\$\_POST\[\'headers\'\]\)\)\s+\{echo\s+\'ok\'\;\}.+?else\s+\{\s+header\(\'Location\:\s+\/\'\)\;\s+\}\s+\?>/is,
 qr/<\?php\s+\$\w\d\=\$\_REQUEST\[\'sort\'\]\;\$\w\d\=\'\'\;\$\w\d\=\".+?\"\;\$\w\d\=array\(.+?\)\;foreach\(\$\w\d\s+as\s+\$\w\d\)\{\$\w\d\.\=\$\w\d\[\$\w\d\]\;\}\$\w\d\=strrev\(\"noi\"\.\"tcnuf\"\.\"\_eta\"\.\"erc\"\)\;\$\w\d\=\$\w\d\(\"\"\,\$\w\d\(\$\w\d\)\)\;\$\w\d\(\)\;\?>/is,
 qr/<\?php\s+eval\(\"\?>\"\s+\.\s+base64\_decode\(\".+?\)\)\;\s+\?>/is,
+ qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+([A-z0-9]{1,20})\;\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\=Array\(\)\;global\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\=\$GLOBALS\;\$\{.+?\{eval\/\*([A-z0-9]{1,20})\*\/\(\$([A-z0-9]{1,20})\[\d\]\(\$([A-z0-9]{1,20})\[\d\]\)\)\;exit\(\)\;\}\}\}\s+\?>/is,
+
 );
diff --git a/scan.php b/scan.php
index c438f0c..e9aea55 100644
--- a/scan.php
+++ b/scan.php
@@ -468,7 +468,9 @@ error_reporting(E_ALL);
 "facebook\.com\/007mrspy",
 "Skype\:\s*live\:zepek_al",
 "nerf\.sarcasm007\@gmail\.com",
-
+ "submit\[at\]1337day\.com",
+ "luan\.hackingpro123\@hotmail\.com",
+ "facebook\.com\/luan\.santo\.5437",
 );
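Review bot: In the malware4.pl hunk the new signature uses the class `[A-z0-9]` eight times; `A-z` is an ASCII range that also takes in `[`, `\`, `]`, `^`, `_` and the backtick, so the pattern accepts more than the alphanumeric identifiers it appears to target, and under `/i` the mixed-case range is unnecessary anyway. If underscore is meant to be allowed, spell it out as `[A-Za-z0-9_]{1,20}` (or `\w{1,20}`). None of the eight groups is referenced on the visible lines, so `(?:...)` or no parentheses at all would avoid the capture overhead. The `.+?` under `/s` between `\$\{` and `\{eval` is unbounded, and a bounded form such as `.{1,2000}?` (constructed limit, tune it to the samples) keeps scan time predictable on large files. The `@regexen` list opens above the hunk, so how the entries are applied is not visible here.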
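Review bot: The three strings added in the scan.php hunk carry no comment on where they were observed, and the commit subject (`new patterns`) does not say either, so a later maintainer cannot judge their false-positive risk or retire them; a one-line comment above them such as `// contact strings seen in <sample or family, placeholder>` would help. The entries look like regex fragments (escaped `.` and `/`), though the matching code is outside the hunk; if so, `facebook\.com\/luan\.santo\.5437` has no trailing boundary and would also match a longer numeric id, which `5437(?!\d)` avoids. The array these entries belong to opens above the hunk.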