added working Eitest Regex

Palma Solutions LTD
2018-05-11 11:49:40 +02:00
parent 1194604cc0
commit 448e75c083


@@ -231,7 +231,7 @@ scoring = {
'PHISHING': (10, u'Phishing patterns'),
'MD5': (20, u'md5 strings used in malware'),
'SOCIALS': (50, u'Email addresses, links and social networking'),
'EITEST': (50, u'Eitest'),
'EITEST': (65, u'Eitest'),
}
@@ -325,6 +325,8 @@ def is_hacked(filename):
score.append(('ACCESS_DENIED', ''))
if l.find('/bin/host') >= 0:
score.append(('BIN_HOST', ''))
if re.compile('<\?php\s*\$([a-z]){1,10}\s*=\s*\'.*\$([a-z]){1,10}=explode\(chr\(\(([0-9]){1,4}[-+]([0-9]){1,4}\)\).*\$([a-z]){1,10}=\(([0-9]){1,4}[-+]([0-9]){1,10}\).*-1;\s*\?>').match(l):
score.append(('EITEST', ''))
if ('if( !isset($gCms) ) exit;' in l or
"if( !defined( '_VALID_MOS' )" in l or
"if (!defined('IN_PHPBB')" in l or
@@ -530,8 +532,7 @@ def is_hacked(filename):
or 'https://www.colourbox.com/preview/11775720-hacker-boy-icon.jpg' in l \
or 'https://image.prntscr.com/image/dQ_-z9pTRL6tA2kqbnXH6A.jp' in l:
score.append(('SOCIALS', ''))
if re.compile("<\?php \$([a-z]){1,10} = \'.*\$([a-z]){1,10}=explode\(chr\(\(([0-9]){1,4}[-+]([0-9]){1,4}\)\).*\$([a-z]){1,10}=\(([0-9]){1,4}[-+]([0-9]){1,10}\).*-1; \?>") in l:
score.append(('EITEST', ''))
previous_line = l
if line_num < 20:
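Review bot: The new EITEST check in the second hunk calls `.match(l)`, which only matches at the start of the line, so an injected block that follows leading whitespace, a BOM or existing content on the same line would not be scored; `.search(l)` looks like the intended call. The pattern is also a plain string containing `\?`, `\s` and `\$` escapes and is passed to `re.compile` for every line of every scanned file; a raw-string pattern compiled once at module level and used as `if EITEST_RE.search(l):` would address both. Because the scanned files are attacker-controlled and the pattern chains three `.*` runs, a very long line that matches only the prefix may backtrack heavily, so bounding those runs or capping the tested line length is worth considering. The body of is_hacked starts and ends outside the visible hunks.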