Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new patterns

Browse Source
This commit is contained in:
Palma Solutions LTD
2018-04-28 19:49:38 +02:00
parent 1818d82bef
commit 367db6afda
2 changed files with 7 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
malware5.pl
View File

@@ -20,8 +20,8 @@ our $q = CGI->new;
print "Content-type: text/html\n\n";
my @regexen = (
qr/<\?php\s+\$\{\"\\x.+?\$\{\"G\\x.+?\$\{\"\\x.+?\$\{\$\{\"G\\x.+?\}\;\}\s+\?>/is,
qr/<\?php.+?\$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}.+?\?>/is,
qr/<\?php\s+\$\{\"\\x.+?\$\{\"G\\x.+?\$\{\"\\x.+?\$\{\$\{\"G\\x.+?\}\;\}\s+\?>/is,
qr/<\?php\s+\/\*\s+Plugin\s+Name\:\s+antisp.+?add\_filter\(\'all\_plugins\'\,\s+\'ANTISP\_hide\'\)\;/is,
qr/<\?php.+?\;\$\{\"G.+?\;global\$mysqli\;global\$dbHost\;global\$dbUser\;\$.+?\;else\s+return\;break\;\}\}\s+\?>/is,
qr/<script>\s+var\s+\_0xa7af\=\[.+?\]\;eval\(function\(\_0xaddfx1\,\_0xaddfx2\,\_0xaddfx3\,\_0xaddfx4\,\_0xaddfx5\,\_0xaddfx6\)\{.+?\]\)\,0\,\{\}\)\)\s+<\/script>/is,
@@ -337,7 +337,8 @@ my @regexen = (
qr/<\?php\s+\$.+?\'gzu\'.+?array\(.+?eval\(.+?\?>/is,
qr/<\?php\s+\$.+?\'bas\'.+?array\(.+?eval\(.+?\?>/is,
qr/<\?php\s+\@eval\(base64\_decode\(([A-z0-9]{20,})\)\)\;\?>/is,
qr/<\?php\s+\@error\_reporting\(0\)\;\@ini\_set\(.+?\{eval\(mcrypt\_decrypt\(MCRYPT\_RIJNDAEL\_256.+?\]\)\,MCRYPT\_MODE\_ECB\)\)\;\}exit\;\?>/is,
qr/<\?php.+?eval\(base64\_decode\(str\_rot13\(strrev\(base64\_decode\(str\_rot13\(\$\_POST\[\'.+?\'\]\)\)\)\)\)\)\;.+?print\s+\$pageData\;\s+\}\s+curl\_close\(\$ch\)\;\s+\?>/is,
);

5
malwaresh.pl
View File

@@ -26,8 +26,8 @@ print "Content-type: text/html\n\n";
my $user = $ARGV[0];
my @regexen = (
qr/<\?php\s+\$\{\"\\x.+?\$\{\"G\\x.+?\$\{\"\\x.+?\$\{\$\{\"G\\x.+?\}\;\}\s+\?>/is,
qr/<\?php.+?\$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}.+?\?>/is,
qr/<\?php\s+\$\{\"\\x.+?\$\{\"G\\x.+?\$\{\"\\x.+?\$\{\$\{\"G\\x.+?\}\;\}\s+\?>/is,
qr/<\?php\s+\/\*\s+Plugin\s+Name\:\s+antisp.+?add\_filter\(\'all\_plugins\'\,\s+\'ANTISP\_hide\'\)\;/is,
qr/<\?php.+?\;\$\{\"G.+?\;global\$mysqli\;global\$dbHost\;global\$dbUser\;\$.+?\;else\s+return\;break\;\}\}\s+\?>/is,
qr/<script>\s+var\s+\_0xa7af\=\[.+?\]\;eval\(function\(\_0xaddfx1\,\_0xaddfx2\,\_0xaddfx3\,\_0xaddfx4\,\_0xaddfx5\,\_0xaddfx6\)\{.+?\]\)\,0\,\{\}\)\)\s+<\/script>/is,
@@ -819,6 +819,9 @@ my @regexen = (
qr/<\?php\s+\$.+?\'bas\'.+?array\(.+?eval\(.+?\?>/is,
qr/<\?php\s+\@eval\(base64\_decode\(([A-z0-9]{20,})\)\)\;\?>/is,
qr/<\?php.+?\$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}.+?\?>/is,
qr/<\?php\s+\@error\_reporting\(0\)\;\@ini\_set\(.+?\{eval\(mcrypt\_decrypt\(MCRYPT\_RIJNDAEL\_256.+?\]\)\,MCRYPT\_MODE\_ECB\)\)\;\}exit\;\?>/is,
qr/<\?php.+?eval\(base64\_decode\(str\_rot13\(strrev\(base64\_decode\(str\_rot13\(\$\_POST\[\'.+?\'\]\)\)\)\)\)\)\;.+?print\s+\$pageData\;\s+\}\s+curl\_close\(\$ch\)\;\s+\?>/is,
);
my @base64_decodes = (