Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new patterns

Browse Source
This commit is contained in:
Palma Solutions LTD
2018-05-03 13:57:14 +02:00
parent ad965a8dcc
commit 4688bac84f
2 changed files with 22 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
malware5.pl
View File

@@ -20,6 +20,7 @@ our $q = CGI->new;
print "Content-type: text/html\n\n";
my @regexen = (
qr/<\?php\s+\$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}.+?exit\(\)\;\s+\}\Z/is,
qr/<\?php\s+\/\/header\(\'Content\-Type\:text\/html\;.+?\=array\(.+?\=urldecode\(.+?\)\;exit\(\)\;\}\'\)\;\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}.+?\]\(\)\;\?>/is,
qr/<\?php.+?\$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}.+?\?>/is,
qr/<\?php\s+\$\{\"\\x.+?\$\{\"G\\x.+?\$\{\"\\x.+?\$\{\$\{\"G\\x.+?\}\;\}\s+\?>/is,
@@ -391,6 +392,17 @@ my @regexen = (
qr/<\?php\s+\@assert\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?array\(\'bas\'\s+\,\'e64\'\s+\,\'\_de\'\s+\,\'cod\'\s+\,\'e\'\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+array\(\'gzun\'\,\s+\'comp\'\,\s+\'ress\'\)\s+\;\$.+?eval.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?array\(\'bas\'\s+\,\'e64\'\s+\,\'\_de\'\s+\,\'cod\'\s+\,\'e\'\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+array\(\'gz\'\,\s+\'un\'\,\s+\'co\'\,\s+\'mp\'\,\s+\'re\'\,\s+\'ss\'\)\s+\;\$.+?eval.+?\?>/is,
qr/<\?php\s+ignore\_user\_abort\(1\)\;.+?echo\s+ex\(\"cd\s+\/dev\/shm\;rm\s+([A-z0-9]{1,20})\.txt\"\)\;\s+\?>/is,
qr/<\?php\s+echo\s+\"test\"\;\s+\?>/is,
qr/<\?php\s+print\s+\"\_\_code\_\_\"\;\s+\?>/is,
qr/<\?php\s+system\(\$\_GET\[\"([A-z0-9]{1,20})\"\]\)\;\s+\?>/is,
qr/<\?php\s+system\(\$\_SERVER\[\"HTTP\_SHELL\"\]\)\;\s+\?>/is,
qr/<\?php\s+eval\(stripslashes\(\$\_REQUEST\[\".+?\"\]\)\)\;\s+\?>/is,
qr/<\?php\s+\@include\(\"http\:\/\/pastie\.org\/([A-z0-9]{1,20})\.txt\"\)\;\s+\?>/is,
qr/<\?php\s+\@include\(\"http\:\/\/.+?\.txt\"\)\;\s+\?>/is,
);

11
malwaresh.pl
View File

@@ -26,6 +26,7 @@ print "Content-type: text/html\n\n";
my $user = $ARGV[0];
my @regexen = (
qr/<\?php\s+\$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}.+?exit\(\)\;\s+\}\Z/is,
qr/<\?php\s+\/\/header\(\'Content\-Type\:text\/html\;.+?\=array\(.+?\=urldecode\(.+?\)\;exit\(\)\;\}\'\)\;\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}.+?\]\(\)\;\?>/is,
qr/<\?php.+?\$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}.+?\?>/is,
qr/<\?php\s+\$\{\"\\x.+?\$\{\"G\\x.+?\$\{\"\\x.+?\$\{\$\{\"G\\x.+?\}\;\}\s+\?>/is,
@@ -874,7 +875,15 @@ my @regexen = (
qr/<\?php\s+\@assert\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?array\(\'bas\'\s+\,\'e64\'\s+\,\'\_de\'\s+\,\'cod\'\s+\,\'e\'\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+array\(\'gzun\'\,\s+\'comp\'\,\s+\'ress\'\)\s+\;\$.+?eval.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?array\(\'bas\'\s+\,\'e64\'\s+\,\'\_de\'\s+\,\'cod\'\s+\,\'e\'\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+array\(\'gz\'\,\s+\'un\'\,\s+\'co\'\,\s+\'mp\'\,\s+\'re\'\,\s+\'ss\'\)\s+\;\$.+?eval.+?\?>/is,
qr/<\?php\s+ignore\_user\_abort\(1\)\;.+?echo\s+ex\(\"cd\s+\/dev\/shm\;rm\s+([A-z0-9]{1,20})\.txt\"\)\;\s+\?>/is,
qr/<\?php\s+echo\s+\"test\"\;\s+\?>/is,
qr/<\?php\s+print\s+\"\_\_code\_\_\"\;\s+\?>/is,
qr/<\?php\s+system\(\$\_GET\[\"([A-z0-9]{1,20})\"\]\)\;\s+\?>/is,
qr/<\?php\s+system\(\$\_SERVER\[\"HTTP\_SHELL\"\]\)\;\s+\?>/is,
qr/<\?php\s+eval\(stripslashes\(\$\_REQUEST\[\".+?\"\]\)\)\;\s+\?>/is,
qr/<\?php\s+\@include\(\"http\:\/\/pastie\.org\/([A-z0-9]{1,20})\.txt\"\)\;\s+\?>/is,
qr/<\?php\s+\@include\(\"http\:\/\/.+?\.txt\"\)\;\s+\?>/is,
);
my @base64_decodes = (