diff --git a/malware6.pl b/malware6.pl index c1bad38..663402c 100644 --- a/malware6.pl +++ b/malware6.pl @@ -212,7 +212,13 @@ my @regexen = ( qr/<\?php error_reporting\(0\);if\(isset\(\$_POST\[\"\w\"\]\) and isset\(\$_POST\[\"\w\"\]\)\)\{if\(isset\(\$_POST\[\"input\"\]\)\)\{\$user_auth=\"&l=\"\.base64_encode\(\$_POST\[\"\w\"\]\).+?\{print \"sys_active\"\.\`uname -a\`;\}\} \?>/is, qr/<\?php \$([A-z0-9_]{1,20})=\'base\'\.\(32*2\)\.\'_de\'\.\'code\';\$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20})\(str_replace\(\"\\n\", \'\', \'([A-z0-9_]{20,}).+?
<\/form>/is, qr/<\?php.+?\$xml = \$\w->response->asXML\(\);\s+echo base64_encode\(\$xml\);.+?\$xml_str = base64_decode\(\$str\);.+?echo \" error num: \"\.\$errno\.\' : \'\.\$errstr;\s+\}\s+\}\s+\}\s+\?>/is, - qr/\/\/([A-z0-9_+/]{500,})\Z/is, + qr/\/\/([A-z0-9+\/]{500,})\Z/is, + qr/<\?php\s+\$([A-z0-9_]{1,20})=\'([A-z0-9_]{1,20}).+?([A-z0-9_]{1,20})\*\/\$([A-z0-9_]{1,20})\)eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\)\).+?([A-z0-9_]{1,20});([A-z0-9_]{1,20})\';/is, + qr/<\?php.+?\$login=\"([A-z0-9_]{1,20})\";\s+\$md=str_rot13\(\"([A-z0-9_]{1,20})\"\);\s+\$mdh = str_rot13\(\'([A-z0-9_]{1,20})\'\);\s+\$md5_pass=\"([A-z0-9]{32})\";.+?eval\(\$mdh\(\$md\(strrev\(.+?\s+\?>/is, + qr/<\?php\s+\$([A-z0-9_]{1,20})=\'([A-z0-9_]{1,20})\'.+?exit,\$([A-z0-9_]{1,20})\);eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\)\).+?([A-z0-9_]{1,20})\)\';/is, + qr/<\?php\s+\$([A-z0-9_]{1,20})=\'([A-z0-9_]{1,20})\'.+?\$([A-z0-9_]{1,20})\)\)die;eval\(\$([A-z0-9_]{1,20})\(\/\*([A-z0-9_]{1,20})\'\..+?\(([A-z0-9_]{1,20})\)\';/is, + qr/<\?php\s+\$([A-z0-9_]{1,20})=\'([A-z0-9_]{1,20})\'.+?if\(!\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\)\),\$([A-z0-9_]{1,20})\)\)eval\(\$([A-z0-9_]{1,20})\(\$.+?\(([A-z0-9_]{1,20});([A-z0-9_]{1,20}),([A-z0-9_]{1,20})\';/is, + qr/<\?php\s+\$([A-z0-9_]{1,20})=\'([A-z0-9_]{1,20})\'.+?\)eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\)\);.+?([A-z0-9_]{1,20})\';/is, diff --git a/malwaresh.pl b/malwaresh.pl index 83e1a73..d11cfca 100644 --- a/malwaresh.pl +++ b/malwaresh.pl @@ -1199,7 +1199,13 @@ my @regexen = ( qr/<\?php error_reporting\(0\);if\(isset\(\$_POST\[\"\w\"\]\) and isset\(\$_POST\[\"\w\"\]\)\)\{if\(isset\(\$_POST\[\"input\"\]\)\)\{\$user_auth=\"&l=\"\.base64_encode\(\$_POST\[\"\w\"\]\).+?\{print \"sys_active\"\.\`uname -a\`;\}\} \?>/is, qr/<\?php \$([A-z0-9_]{1,20})=\'base\'\.\(32*2\)\.\'_de\'\.\'code\';\$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20})\(str_replace\(\"\\n\", \'\', \'([A-z0-9_]{20,}).+?<\/form>/is, qr/<\?php.+?\$xml = \$\w->response->asXML\(\);\s+echo base64_encode\(\$xml\);.+?\$xml_str = base64_decode\(\$str\);.+?echo \" error num: \"\.\$errno\.\' : \'\.\$errstr;\s+\}\s+\}\s+\}\s+\?>/is, - qr/\/\/([A-z0-9_+/]{500,})\Z/is, + qr/\/\/([A-z0-9+\/]{500,})\Z/is, + qr/<\?php\s+\$([A-z0-9_]{1,20})=\'([A-z0-9_]{1,20}).+?([A-z0-9_]{1,20})\*\/\$([A-z0-9_]{1,20})\)eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\)\).+?([A-z0-9_]{1,20});([A-z0-9_]{1,20})\';/is, + qr/<\?php.+?\$login=\"([A-z0-9_]{1,20})\";\s+\$md=str_rot13\(\"([A-z0-9_]{1,20})\"\);\s+\$mdh = str_rot13\(\'([A-z0-9_]{1,20})\'\);\s+\$md5_pass=\"([A-z0-9]{32})\";.+?eval\(\$mdh\(\$md\(strrev\(.+?\s+\?>/is, + qr/<\?php\s+\$([A-z0-9_]{1,20})=\'([A-z0-9_]{1,20})\'.+?exit,\$([A-z0-9_]{1,20})\);eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\)\).+?([A-z0-9_]{1,20})\)\';/is, + qr/<\?php\s+\$([A-z0-9_]{1,20})=\'([A-z0-9_]{1,20})\'.+?\$([A-z0-9_]{1,20})\)\)die;eval\(\$([A-z0-9_]{1,20})\(\/\*([A-z0-9_]{1,20})\'\..+?\(([A-z0-9_]{1,20})\)\';/is, + qr/<\?php\s+\$([A-z0-9_]{1,20})=\'([A-z0-9_]{1,20})\'.+?if\(!\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\)\),\$([A-z0-9_]{1,20})\)\)eval\(\$([A-z0-9_]{1,20})\(\$.+?\(([A-z0-9_]{1,20});([A-z0-9_]{1,20}),([A-z0-9_]{1,20})\';/is, + qr/<\?php\s+\$([A-z0-9_]{1,20})=\'([A-z0-9_]{1,20})\'.+?\)eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\)\);.+?([A-z0-9_]{1,20})\';/is, );