From 3bdd094847f19adeef815709ef368a750740fe33 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Mon, 28 May 2018 11:54:33 +0200
Subject: [PATCH] new patterns
---
malware6.pl | 9 ++++++++-
malwaresh.pl | 10 ++++++++--
2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/malware6.pl b/malware6.pl
index 102be30..8fa56d2 100644
--- a/malware6.pl
+++ b/malware6.pl
@@ -108,7 +108,14 @@ my @regexen = (
 qr/<\?php+?elseif\(function_exists\(\"passthru\"\)\)\{.+?fclose\(\$handle\);.+?echo ex\(\"cd \/dev\/shm;rm -rf ([A-z0-9_]{1,20})\.txt\"\);\s+\?>/is,
 qr/<\?php.+?if \(isset\(\$_GET\[\"cookie\"\]\)\) \{ echo \'cookie=4\'; if \(isset\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\) \@eval\(base64_decode\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\); exit; \}.+?\?>/is,
 qr/<\? \/\*\*\/eval\(base64_decode\(\'aWYo.+?\)\); \?>/is,
-
+ qr/<\?php \/\*\*\/eval\(base64_decode\(\'aWYo.+?\'\)\); \?>/is,
+ qr/.+?aDriv4 Here ^^.+?echo \"
Copyright \© \"\.date\(\"Y\"\)\.\".+?\?>\s+<\/html>/is,
+ qr/<\?php\s+error_reporting\(.+?echo \"DisablePHP=\"\.\$disable_functions; print \"\\n\";.+?\}\} \} \?>/is,
+ qr/GIF89a \w<\?php \@copy\(\$_FILES\[file\]\[tmp_name\], \$_FILES\[file\]\[name\]\); exit; \?>/is,
+ qr/
\s+Uploader <\/title>.+?<INPUT TYPE=\"submit\" VALUE=\"Send\">\s+\<\/FORM>/is,
+ qr/<\?php if \(isset\(\$_GET\[([A-z0-9_]{1,20})\]\)\) \{preg_replace\(\"\\x2F.+?\\x3B\",\"\\x2E\"\);\}\?>/is,
+ qr/GIF([A-z0-9_]{1,20})<\?php\s+if\( file_exists\(\$_FILES\[\"uploadfile\"\]\[\"tmp_name\"\]\) \).+?<INPUT TYPE=\"submit\" VALUE=\"Send\">\s+<\/FORM>/is,
+
diff --git a/malwaresh.pl b/malwaresh.pl
index c2da3d9..7cba27f 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -1093,8 +1093,14 @@ my @regexen = (
 qr/<\?php+?elseif\(function_exists\(\"passthru\"\)\)\{.+?fclose\(\$handle\);.+?echo ex\(\"cd \/dev\/shm;rm -rf ([A-z0-9_]{1,20})\.txt\"\);\s+\?>/is,
 qr/<\?php.+?if \(isset\(\$_GET\[\"cookie\"\]\)\) \{ echo \'cookie=4\'; if \(isset\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\) \@eval\(base64_decode\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\); exit; \}.+?\?>/is,
 qr/<\? \/\*\*\/eval\(base64_decode\(\'aWYo.+?\)\); \?>/is,
-
-
+ qr/<\?php \/\*\*\/eval\(base64_decode\(\'aWYo.+?\'\)\); \?>/is,
+ qr/<html>.+?aDriv4 Here ^^.+?echo \"<center>Copyright \© \"\.date\(\"Y\"\)\.\".+?\?>\s+<\/html>/is,
+ qr/<\?php\s+error_reporting\(.+?echo \"DisablePHP=\"\.\$disable_functions; print \"\\n\";.+?\}\} \} \?>/is,
+ qr/GIF89a \w<\?php \@copy\(\$_FILES\[file\]\[tmp_name\], \$_FILES\[file\]\[name\]\); exit; \?>/is,
+ qr/<FORM ENCTYPE=\"multipart\/form-data\" METHOD=\"POST\">\s+<title>Uploader <\/title>.+?<INPUT TYPE=\"submit\" VALUE=\"Send\">\s+\<\/FORM>/is,
+ qr/<\?php if \(isset\(\$_GET\[([A-z0-9_]{1,20})\]\)\) \{preg_replace\(\"\\x2F.+?\\x3B\",\"\\x2E\"\);\}\?>/is,
+ qr/GIF([A-z0-9_]{1,20})<\?php\s+if\( file_exists\(\$_FILES\[\"uploadfile\"\]\[\"tmp_name\"\]\) \).+?<INPUT TYPE=\"submit\" VALUE=\"Send\">\s+<\/FORM>/is,
+
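Review bot: The new `aDriv4 Here ^^` signature in the malware6.pl hunk can never fire: inside `qr//` an unescaped `^` is a start-of-string anchor, and with only `/is` (no `/m`) it cannot succeed once `aDriv4 Here ` has already been consumed, so the literal carets must be escaped, `aDriv4 Here \^\^.+?echo`. The added `\$_GET\[([A-z0-9_]{1,20})\]` and `GIF([A-z0-9_]{1,20})` entries also copy the `A-z` range from the existing lines, which spans the ASCII run between `Z` and `a` (`[`, `\`, `]`, `^`, `` ` ``) and so accepts characters that are not part of a PHP identifier; `[A-Za-z0-9_]` (or `\w`) is what is meant. The same seven patterns are appended verbatim to malwaresh.pl in the next hunk, so both copies carry the defects, and the `@regexen` array they extend opens and closes outside the hunk.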