Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new patterns

Browse Source
This commit is contained in:
Palma Solutions LTD 2018-07-02 10:26:07 +02:00
parent 93e00773c4
commit 466d559421
3 changed files with 29 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
malware5.pl
View File

@ -576,6 +576,7 @@ foreach my $file (sort @files) {
next if $file eq 'menu_scan.php';
next if $file eq 'style_dynamic.php';
next if $file eq 'sitepress.class.php';
next if $file eq 'slider-main-options.php';
print "Scanning $start_dir/$file... ";
unless (-r "$start_dir/$file") {

16
malware6.pl
View File

@ -249,8 +249,20 @@ my @regexen = (
qr/<\?php.+?\[uname\]\"\.php_uname\(\)\.\"\[\/uname\]\".+?Go Xsender.+?<\/html>/is,
qr/<\?php \$([A-z0-9_]{1,20})=\'base6\'\.\'4\'\.\'_d\'\.\'eco\'\.\'de\'\.\'\'; \@eval\(\$([A-z0-9_]{1,20})\(.+?\'\.\'\'\)\);/is,
qr/<\?php if\(!function_exists\(.+?\.\'\/scopbin\';clearstatcache\(\);if\(!is_dir\(\$.+?\'; eval\(.+?\)\);\?>/is,
qr/<\?php \/\*([0-9]{1,20})\*\/ error_reporting\(0\); \@ini_set\(\'error_log\',NULL\); \@ini_set\(\'log_errors\',0\); \@ini_set\(\'display_errors\',\'Off\'\); \@eval\( base64_decode\(\'aWYo.+?\)\); \@ini_restore\(\'error_log\'\); \@ini_restore\(\'display_errors\'\); \/\*([0-9]{1,20})\*\/ \?>/is,
qr/<\?php\s+\@error_reporting\(0\);\@set_time_limit\(0\);\s+\$code=\"%3B.+?\$code=\@urldecode\(\$code\);\$code=\@strrev\(\$code\);\@eval\(\$code\);\s+\?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'gz\'\. \'un\'\. \'co\'\. \'mp\'\. \'re\'\. \'ss\';\$([A-z0-9_]{1,20}) = \'ba\' \.\'se\' \.\'64\' \.\'_d\' \.\'ec\' \.\'od\' \.\'e\';\$([A-z0-9_]{1,20}) = \'i\' \.\'m\' \.\'p\' \.\'l\' \.\'o\' \.\'d\' \.\'e\';\$([A-z0-9_]{1,20}) = array\(.+?\); eval\( \$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'s\'\.chr\(116\)\.\'r\'\.chr\(114\)\.\'e\'\.chr\(118\)\.\'\';\$([A-z0-9_]{1,20}) = array\(.+?\);\$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'ed\'\.chr\(111\)\.\'c\'\.chr\(101\)\.\'\'\.chr\(100\)\.\'_4\'\.chr\(54\)\.\'\'\.chr\(101\)\.\'\'\.chr\(115\)\.\'\'\.chr\(97\)\.\'\'\.chr\(98\)\.\'\'\);\$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'edolpmi\'\);\$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'et\'\.\'al\'\.\'fn\'\.\'iz\'\.\'g\'\);eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = array\(.+?\);\$([A-z0-9_]{1,20}) = array\(\'b\' ,\'a\' ,\'s\' ,\'e\' ,\'6\' ,\'4\' ,\'_\' ,\'d\' ,\'e\' ,\'c\' ,\'o\' ,\'d\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gzu\', \'nco\', \'mpr\', \'ess\'\) ;\$([A-z0-9_]{1,20}) = \'\'\.chr\(105\)\.\'\'\.chr\(109\)\.\'\'\.chr\(112\)\.\'l\'\.chr\(111\)\.\'de\' ; \$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'\', \$([A-z0-9_]{1,20})\); \$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'\', \$([A-z0-9_]{1,20})\); eval \( \$([A-z0-9_]{1,20})\( \$([A-z0-9_]{1,20})\( \$([A-z0-9_]{1,20})\( \'\', \$([A-z0-9_]{1,20}) \) \) \) \) ; \?>/is,
qr/<\? session_start\(\);\?> <html> <head><title>PHP Unzipper Spammer Tn Dz Maroc ! All Arabs<\/title>.+?\} \} \} echo \"<\/div>\";\} \?> <\/body> <\/html>\s+\/\* Mister Spy \*\//is,
qr/<\?php.+?\$d0mains = \@file\(\'\/etc\/named\.conf\'\);\s+\$domains = scandir\(\"\/var\/named\"\);.+?3xp1r3 Cyber Army\";\s+echo \"<\/body><\/html>\";\s+\?>/is,
qr/<\?php \$username = \"admin\"; \$password =.+?<h3> Safe Mode Fucker <\/h3>.+?Masspass\.php Done !<\/font><\/center>\"; \} break; \} \}\}\s+\?>/is,
qr/<link rel=\'shortcut icon\' href=\'http:\/\/www\.dz-streaming\.eu\/favicon\.ico\'>.+?eval\(\"\\x65\\x76\\x61\\x6C\\x28\\x67\\x7A\\x69\\x6E\\x66\\x6C\\x61\\x74\\x65\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5F\\x64\\x65\\x63\\x6F\\x64\\x65\\x28.+?\\x29\\x29\\x29\\x3B\"\);\s+\?>/is,
qr/<\?php \/\*([0-9]{1,20})\*\/ error_reporting\(0\); \@ini_set\(\'error_log\',NULL\); \@ini_set\(\'log_errors\',0\); \@ini_set\(\'display_errors\',\'Off\'\); \@eval\( base64_decode\(\'.+?\)\); \@ini_restore\(\'error_log\'\); \@ini_restore\(\'display_errors\'\); \/\*([0-9]{1,20})\*\/ \?>/is,
qr/<\?php.+?Carding Argentina.+?\$wso =.+?eval\(str_rot13\(gzinflate\(str_rot13\(base64_decode\(\(\$wso\)\)\)\)\)\);.+?\?>\?><\?.+?value=\"Submit\"><\/form>\';\}\}\?>/is,
qr/<\?php \$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}\[\"\\x61j\\x76q\\x6c\\x65\\x69\\x66\"\]=\"\\x63\";if\(isset\(\$_GET\[\"a\\x62\\x63\\x311\"\]\)\)\{\$([A-z0-9_]{1,20})="\x63";\$\{\$([A-z0-9_]{1,20})\}=base64_decode\(\".+?\"\)\.\"([A-z0-9_]{1,20})\";\@\$\{\$\{\"GLOB\\x41\\x4c\\x53\"\}\[\"\\x61\\x6a\\x76\\x71l\\x65\\x69\\x66\"\]\}\(\$_POST\[\"\\x78\"\]\);exit\(\);\}\?>/is,
qr/<\?php.+?<title>pastrulo<\/title>.+?\)\);\?>\'\)\);/is,
qr/<\?php\s+\$\w=\"\\x62\";\$\w=\"\\x65\".+?eval\( \$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(.+?\)\)\);\s+\?>/is,
);

14
malwaresh.pl
View File

@ -1237,6 +1237,20 @@ my @regexen = (
qr/<\?php.+?\[uname\]\"\.php_uname\(\)\.\"\[\/uname\]\".+?Go Xsender.+?<\/html>/is,
qr/<\?php \$([A-z0-9_]{1,20})=\'base6\'\.\'4\'\.\'_d\'\.\'eco\'\.\'de\'\.\'\'; \@eval\(\$([A-z0-9_]{1,20})\(.+?\'\.\'\'\)\);/is,
qr/<\?php if\(!function_exists\(.+?\.\'\/scopbin\';clearstatcache\(\);if\(!is_dir\(\$.+?\'; eval\(.+?\)\);\?>/is,
qr/<\?php \/\*([0-9]{1,20})\*\/ error_reporting\(0\); \@ini_set\(\'error_log\',NULL\); \@ini_set\(\'log_errors\',0\); \@ini_set\(\'display_errors\',\'Off\'\); \@eval\( base64_decode\(\'aWYo.+?\)\); \@ini_restore\(\'error_log\'\); \@ini_restore\(\'display_errors\'\); \/\*([0-9]{1,20})\*\/ \?>/is,
qr/<\?php\s+\@error_reporting\(0\);\@set_time_limit\(0\);\s+\$code=\"%3B.+?\$code=\@urldecode\(\$code\);\$code=\@strrev\(\$code\);\@eval\(\$code\);\s+\?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'gz\'\. \'un\'\. \'co\'\. \'mp\'\. \'re\'\. \'ss\';\$([A-z0-9_]{1,20}) = \'ba\' \.\'se\' \.\'64\' \.\'_d\' \.\'ec\' \.\'od\' \.\'e\';\$([A-z0-9_]{1,20}) = \'i\' \.\'m\' \.\'p\' \.\'l\' \.\'o\' \.\'d\' \.\'e\';\$([A-z0-9_]{1,20}) = array\(.+?\); eval\( \$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'s\'\.chr\(116\)\.\'r\'\.chr\(114\)\.\'e\'\.chr\(118\)\.\'\';\$([A-z0-9_]{1,20}) = array\(.+?\);\$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'ed\'\.chr\(111\)\.\'c\'\.chr\(101\)\.\'\'\.chr\(100\)\.\'_4\'\.chr\(54\)\.\'\'\.chr\(101\)\.\'\'\.chr\(115\)\.\'\'\.chr\(97\)\.\'\'\.chr\(98\)\.\'\'\);\$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'edolpmi\'\);\$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'et\'\.\'al\'\.\'fn\'\.\'iz\'\.\'g\'\);eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = array\(.+?\);\$([A-z0-9_]{1,20}) = array\(\'b\' ,\'a\' ,\'s\' ,\'e\' ,\'6\' ,\'4\' ,\'_\' ,\'d\' ,\'e\' ,\'c\' ,\'o\' ,\'d\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gzu\', \'nco\', \'mpr\', \'ess\'\) ;\$([A-z0-9_]{1,20}) = \'\'\.chr\(105\)\.\'\'\.chr\(109\)\.\'\'\.chr\(112\)\.\'l\'\.chr\(111\)\.\'de\' ; \$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'\', \$([A-z0-9_]{1,20})\); \$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'\', \$([A-z0-9_]{1,20})\); eval \( \$([A-z0-9_]{1,20})\( \$([A-z0-9_]{1,20})\( \$([A-z0-9_]{1,20})\( \'\', \$([A-z0-9_]{1,20}) \) \) \) \) ; \?>/is,
qr/<\? session_start\(\);\?> <html> <head><title>PHP Unzipper Spammer Tn Dz Maroc ! All Arabs<\/title>.+?\} \} \} echo \"<\/div>\";\} \?> <\/body> <\/html>\s+\/\* Mister Spy \*\//is,
qr/<\?php.+?\$d0mains = \@file\(\'\/etc\/named\.conf\'\);\s+\$domains = scandir\(\"\/var\/named\"\);.+?3xp1r3 Cyber Army\";\s+echo \"<\/body><\/html>\";\s+\?>/is,
qr/<\?php \$username = \"admin\"; \$password =.+?<h3> Safe Mode Fucker <\/h3>.+?Masspass\.php Done !<\/font><\/center>\"; \} break; \} \}\}\s+\?>/is,
qr/<link rel=\'shortcut icon\' href=\'http:\/\/www\.dz-streaming\.eu\/favicon\.ico\'>.+?eval\(\"\\x65\\x76\\x61\\x6C\\x28\\x67\\x7A\\x69\\x6E\\x66\\x6C\\x61\\x74\\x65\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5F\\x64\\x65\\x63\\x6F\\x64\\x65\\x28.+?\\x29\\x29\\x29\\x3B\"\);\s+\?>/is,
qr/<\?php \/\*([0-9]{1,20})\*\/ error_reporting\(0\); \@ini_set\(\'error_log\',NULL\); \@ini_set\(\'log_errors\',0\); \@ini_set\(\'display_errors\',\'Off\'\); \@eval\( base64_decode\(\'.+?\)\); \@ini_restore\(\'error_log\'\); \@ini_restore\(\'display_errors\'\); \/\*([0-9]{1,20})\*\/ \?>/is,
qr/<\?php.+?Carding Argentina.+?\$wso =.+?eval\(str_rot13\(gzinflate\(str_rot13\(base64_decode\(\(\$wso\)\)\)\)\)\);.+?\?>\?><\?.+?value=\"Submit\"><\/form>\';\}\}\?>/is,
qr/<\?php \$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}\[\"\\x61j\\x76q\\x6c\\x65\\x69\\x66\"\]=\"\\x63\";if\(isset\(\$_GET\[\"a\\x62\\x63\\x311\"\]\)\)\{\$([A-z0-9_]{1,20})="\x63";\$\{\$([A-z0-9_]{1,20})\}=base64_decode\(\".+?\"\)\.\"([A-z0-9_]{1,20})\";\@\$\{\$\{\"GLOB\\x41\\x4c\\x53\"\}\[\"\\x61\\x6a\\x76\\x71l\\x65\\x69\\x66\"\]\}\(\$_POST\[\"\\x78\"\]\);exit\(\);\}\?>/is,
qr/<\?php.+?<title>pastrulo<\/title>.+?\)\);\?>\'\)\);/is,
qr/<\?php\s+\$\w=\"\\x62\";\$\w=\"\\x65\".+?eval\( \$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(.+?\)\)\);\s+\?>/is,
);