Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new patterns

Browse Source
This commit is contained in:
Palma Solutions LTD
2018-05-28 11:54:33 +02:00
parent 7c8596cfd6
commit 3bdd094847
2 changed files with 16 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
malware6.pl
View File

@@ -108,7 +108,14 @@ my @regexen = (
qr/<\?php+?elseif\(function_exists\(\"passthru\"\)\)\{.+?fclose\(\$handle\);.+?echo ex\(\"cd \/dev\/shm;rm -rf ([A-z0-9_]{1,20})\.txt\"\);\s+\?>/is,
qr/<\?php.+?if \(isset\(\$_GET\[\"cookie\"\]\)\) \{ echo \'cookie=4\'; if \(isset\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\) \@eval\(base64_decode\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\); exit; \}.+?\?>/is,
qr/<\? \/\*\*\/eval\(base64_decode\(\'aWYo.+?\)\); \?>/is,
qr/<\?php \/\*\*\/eval\(base64_decode\(\'aWYo.+?\'\)\); \?>/is,
qr/<html>.+?aDriv4 Here ^^.+?echo \"<center>Copyright \&copy; \"\.date\(\"Y\"\)\.\".+?\?>\s+<\/html>/is,
qr/<\?php\s+error_reporting\(.+?echo \"DisablePHP=\"\.\$disable_functions; print \"\\n\";.+?\}\} \} \?>/is,
qr/GIF89a \w<\?php \@copy\(\$_FILES\[file\]\[tmp_name\], \$_FILES\[file\]\[name\]\); exit; \?>/is,
qr/<FORM ENCTYPE=\"multipart\/form-data\" METHOD=\"POST\">\s+<title>Uploader <\/title>.+?<INPUT TYPE=\"submit\" VALUE=\"Send\">\s+\<\/FORM>/is,
qr/<\?php if \(isset\(\$_GET\[([A-z0-9_]{1,20})\]\)\) \{preg_replace\(\"\\x2F.+?\\x3B\",\"\\x2E\"\);\}\?>/is,
qr/GIF([A-z0-9_]{1,20})<\?php\s+if\( file_exists\(\$_FILES\[\"uploadfile\"\]\[\"tmp_name\"\]\) \).+?<INPUT TYPE=\"submit\" VALUE=\"Send\">\s+<\/FORM>/is,

10
malwaresh.pl
View File

@@ -1093,8 +1093,14 @@ my @regexen = (
qr/<\?php+?elseif\(function_exists\(\"passthru\"\)\)\{.+?fclose\(\$handle\);.+?echo ex\(\"cd \/dev\/shm;rm -rf ([A-z0-9_]{1,20})\.txt\"\);\s+\?>/is,
qr/<\?php.+?if \(isset\(\$_GET\[\"cookie\"\]\)\) \{ echo \'cookie=4\'; if \(isset\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\) \@eval\(base64_decode\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\); exit; \}.+?\?>/is,
qr/<\? \/\*\*\/eval\(base64_decode\(\'aWYo.+?\)\); \?>/is,
qr/<\?php \/\*\*\/eval\(base64_decode\(\'aWYo.+?\'\)\); \?>/is,
qr/<html>.+?aDriv4 Here ^^.+?echo \"<center>Copyright \&copy; \"\.date\(\"Y\"\)\.\".+?\?>\s+<\/html>/is,
qr/<\?php\s+error_reporting\(.+?echo \"DisablePHP=\"\.\$disable_functions; print \"\\n\";.+?\}\} \} \?>/is,
qr/GIF89a \w<\?php \@copy\(\$_FILES\[file\]\[tmp_name\], \$_FILES\[file\]\[name\]\); exit; \?>/is,
qr/<FORM ENCTYPE=\"multipart\/form-data\" METHOD=\"POST\">\s+<title>Uploader <\/title>.+?<INPUT TYPE=\"submit\" VALUE=\"Send\">\s+\<\/FORM>/is,
qr/<\?php if \(isset\(\$_GET\[([A-z0-9_]{1,20})\]\)\) \{preg_replace\(\"\\x2F.+?\\x3B\",\"\\x2E\"\);\}\?>/is,
qr/GIF([A-z0-9_]{1,20})<\?php\s+if\( file_exists\(\$_FILES\[\"uploadfile\"\]\[\"tmp_name\"\]\) \).+?<INPUT TYPE=\"submit\" VALUE=\"Send\">\s+<\/FORM>/is,