Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new patterns

Browse Source
This commit is contained in:
Palma Solutions LTD
2018-04-30 08:02:29 +02:00
parent 68f3765c26
commit 2e90b729d8
2 changed files with 7 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
malware5.pl
View File

@@ -351,6 +351,10 @@ my @regexen = (
qr/<\?php\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\{\$([A-z0-9]{1,20})\s+\=\s+\'\'\;\s+for\(\$i\=0\;\s+\$i\s+<\s+strlen\(\$([A-z0-9]{1,20})\)\;\s+\$i\+\+\)\{\$([A-z0-9]{1,20})\s+\.\=\s+isset\(\$.+?\$([A-z0-9]{1,20})\=\"base64\_decode\"\;return\s+\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\}.+\$([A-z0-9]{1,20})\s+\=\s+Array\(\'.+?\)\;\s+eval\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\)\;\?>/is,
qr/<\?php\s+isset\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\s+\&\&\s+\(\$([A-z0-9]{1,20})\=\s+\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\s+\&\&\s+\@preg\_replace\(\'\/([A-z0-9]{1,20})\/\w\'\,\'\@\'\.str\_rot13\(\'riny\'\)\.\'\(\$([A-z0-9]{1,20})\)\'\,\s+\'([A-z0-9]{1,20})\'\)\;/is,
qr/<\?php\s+if\(isset\(\$\_GET\[.+?\]\)\?base64\_decode\(\$\_GET\[\'([A-z0-9]{1,20})\'\]\)\:\'\'\;.+?foreach\(array\(\$([A-z0-9]{1,20})\)\s+as\s+\$([A-z0-9]{1,20})\)\{.+?ob\_end\_flush\(\)\;\s+\}/is,
qr/<\?php\s+if\s+\(md5\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\=\=\=\'.+?if\(isset\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\&\&isset\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\s+\=\s+array\(\$([A-z0-9]{1,20})\.\$\_POST\[\'([A-z0-9]{1,20})\'\]\.\'\\\'\)\)\'\s+\=>\s+\'\|\.\*\|e\'\,\)\;array\_walk\(\$([A-z0-9]{1,20})\,\s+strval\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\,s+\'\'\)\;\}\}\s+\?>/is,
qr/function\s+stripDangerousValues\(\$input\)\s+\{.+?\$\_POST\s+\=\s+stripDangerousValues\(\$\_POST\)\;/is,
qr/<\?php.+?\$rootpath\s+\=\s+preg\_replace\(\'\/\(htdocs\|httpdocs\|www\)\(\.\*\)\/\'\,\'\$1\'\,dirname\(\$\_SERVER\[\"SCRIPT\_FILENAME\"\]\)\)\;.+?return\s+\$result\;\s+\}\s+\?>/is,
);

3
malwaresh.pl
View File

@@ -833,6 +833,9 @@ my @regexen = (
qr/<\?php\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\{\$([A-z0-9]{1,20})\s+\=\s+\'\'\;\s+for\(\$i\=0\;\s+\$i\s+<\s+strlen\(\$([A-z0-9]{1,20})\)\;\s+\$i\+\+\)\{\$([A-z0-9]{1,20})\s+\.\=\s+isset\(\$.+?\$([A-z0-9]{1,20})\=\"base64\_decode\"\;return\s+\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\}.+\$([A-z0-9]{1,20})\s+\=\s+Array\(\'.+?\)\;\s+eval\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\)\;\?>/is,
qr/<\?php\s+isset\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\s+\&\&\s+\(\$([A-z0-9]{1,20})\=\s+\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\s+\&\&\s+\@preg\_replace\(\'\/([A-z0-9]{1,20})\/\w\'\,\'\@\'\.str\_rot13\(\'riny\'\)\.\'\(\$([A-z0-9]{1,20})\)\'\,\s+\'([A-z0-9]{1,20})\'\)\;/is,
qr/<\?php\s+if\(isset\(\$\_GET\[.+?\]\)\?base64\_decode\(\$\_GET\[\'([A-z0-9]{1,20})\'\]\)\:\'\'\;.+?foreach\(array\(\$([A-z0-9]{1,20})\)\s+as\s+\$([A-z0-9]{1,20})\)\{.+?ob\_end\_flush\(\)\;\s+\}/is,
qr/<\?php\s+if\s+\(md5\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\=\=\=\'.+?if\(isset\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\&\&isset\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\s+\=\s+array\(\$([A-z0-9]{1,20})\.\$\_POST\[\'([A-z0-9]{1,20})\'\]\.\'\\\'\)\)\'\s+\=>\s+\'\|\.\*\|e\'\,\)\;array\_walk\(\$([A-z0-9]{1,20})\,\s+strval\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\,s+\'\'\)\;\}\}\s+\?>/is,
qr/function\s+stripDangerousValues\(\$input\)\s+\{.+?\$\_POST\s+\=\s+stripDangerousValues\(\$\_POST\)\;/is,
qr/<\?php.+?\$rootpath\s+\=\s+preg\_replace\(\'\/\(htdocs\|httpdocs\|www\)\(\.\*\)\/\'\,\'\$1\'\,dirname\(\$\_SERVER\[\"SCRIPT\_FILENAME\"\]\)\)\;.+?return\s+\$result\;\s+\}\s+\?>/is,
);