From 3569facff4ccc425ef2cd58d4d5d486e1628d2f2 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Thu, 18 Jan 2018 13:22:23 +0100
Subject: [PATCH] new pattern
---
 malware4.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/malware4.pl b/malware4.pl
index c55081c..eddfd10 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -271,7 +271,7 @@ my @regexen = (
 qr/<\?php\s+\$k\=\"ass\"\.\"ert\"\;\s+\$k\(\$\{\"\_PO\"\.\"ST\"\}\s+\[\'admins\'\]\)\;\?>No\.1\s+<\?php\s+\@preg\_replace\(\"\/\/e\"\,\$\_POST\[\'sss\'\]\,\"Access\s+Denied\"\)\;\?>/is,
 qr/<\?php\s+\/\*\s+WSO\s+\[2\.6\]\s+\*\/\$OOO000000\=urldecode\(.+?\=\_\_FILE\_\_\;\$.+?([A-z0-9]{1,20})\Z/is,
 qr/<\?php\+\$c\=base64\_decode\(\'([A-z0-9]{1,20})\=\'\)\.\$\_GET\[\'n\'\]\.\'t\'\;\@\$c\(\$\_POST\[\'x\'\]\)\;\?>abcabcabc/is,
-
+ qr/<\?php\s+ if\s+\(\$\_REQUEST\[\'action\'\]\s+\=\=\s+\'([A-z0-9]{1,10})\'\)\s+\{\s+\$in\_data\s+\=\s+base64\_decode\(\$\_REQUEST\[\'query\'\]\)\;\s+\$fr\s+\=\s+explode\(\'\|\'\,\s+\$in\_data\)\;\s+if\s+\(mail\(stripslashes\(base64\_decode\(\$fr\[0\]\)\)\,\s+stripslashes\(base64\_decode\(\$fr\[1\]\)\)\,\s+base64\_decode\(\$fr\[2\]\)\,\s+stripslashes\(base64\_decode\(\$fr\[3\]\)\)\)\)\s+\{echo\s+\'query\'\;\}\s+else\s+\{echo\s+\'bad\s+request\'\;\}\s+\}\s+else\s+\{echo\s+\'not\s+found\'\;\}/is,
 );
 my @base64_decodes = (
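Review bot: The added signature opens with `<\?php\s+ if\s+`, and because the pattern has no `/x` flag the space after `\s+` is matched literally. If that space is really in the file, a sample with a single space or a bare newline before `if` will not match, which leaves a detection gap; `<\?php\s+if\s+` avoids it. The capture `([A-z0-9]{1,10})` also repeats the `A-z` range used by the entries above it, which additionally accepts the punctuation between `Z` and `a`; `[A-Za-z0-9]` states the intent. A one-line comment above the entry naming what it detects (a `mail()` relay fed from base64-decoded `$_REQUEST['query']`) would help whoever tunes this list later. The `@regexen` array starts and ends outside the hunk.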