new patterns

Palma Solutions LTD
2018-04-30 12:24:23 +02:00
parent 0c06e0ea56
commit 48a31d239b
3 changed files with 32 additions and 3 deletions


@@ -356,7 +356,21 @@ my @regexen = (
qr/<\?php\s+\$urls\s+\=\s+array\s+\(\s+\'http\:\/\/.+?\)\;\s+\$URL\s+\=\s+\$urls\[rand\(0\,\s+count\(\$urls\)\s+\-\s+1\)\]\;\s+header\s+\(\"Location\:\s+\$URL\"\)\;\s+\?>/is,
qr/<\?php\s+if\s+\(md5\(\$\_POST\[.+?\'bas\'\.\'e6\'\.\'4\_d\'\.\'ec\'\.\'ode\'\;.+?array\_walk\(.+?\)\;\}\}\s+\?>/is,
qr/<\?php.+?move\_uploaded\_file\(\$file\,\s+\$name\)\;\s+\}else\{\s+\?>.+?action\=\"<\?\$\_SERVER\[\'PHP\_SELF\'\]\?>\">.+?require\_once\(dirname\(\_\_FILE\_\_\)\.DS\.\'index\.php\'\)\;\s+\?>/is,
qr/Goog1e\_analist\_up<\?php\s+\$.+?\)\{eval\(\$.+?\)\{system\(\$.+?\)\{move\_uploaded\_file\(\$\_FILES\[.+?\]\[\'name\'\]\)\;\}\?>/is,
qr/<\?php\s+function\s+d\(\$.+?\$d\.\=chr\(hexdec\(substr\(\$.+?\}\}eval\(d\(\".+?\)\)\;\s+\?>/is,
qr/<style\s+type\=\"text\/css\">.+?Lampungcarding.+?\$currentCMD.+?exit\;\s+\?>.+?<\/title>/is,
qr/<\!\-\-<\?php\s+if\(\@\$\_REQUEST\[.+?Goog1e\_analist\_certs.+?\{eval\(base64\_decode\(\$.+?\)\{move\_uploaded\_file\(\$.+?\?>\-\->/is,
qr/<\?php\s+if\(isset\(\$\_GET\[\'.+?Goog1e\_analist\_certs.+?\]\)\)\{eval\(base64\_decode\(\$\_POST\[.+?\]\)\;\}\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20}).+?isset\(.+?eval\(.+?\'([A-z0-9]{1,20})\'.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\".+?\"\;\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\{\$([A-z0-9]{1,20})\[\d\d\]\.\$([A-z0-9]{1,20})\[\d\d\].+?\{\s+break\;\s+\}\s+\}\s+return\;\s+\}\s+if\s+\(isset\(\$GLOBALS\[.+?\{\s+echo\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\(([A-z0-9]{1,20})\)\;\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20}).+?isset\s+\(.+?eval\s+\(.+?\'([A-z0-9]{1,20})\'.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20}).+?isset\s+\(.+?eval\(.+?\'([A-z0-9]{1,20})\'.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20}).+?isset\(.+?eval\s+\(.+?\'([A-z0-9]{1,20})\'.+?\?>/is,
qr/<\?php.+?\$([A-z0-9]{1,20})\s+\=.+?eval\(\"\?>\"\.gzuncompress\(base64\_decode\(\$([A-z0-9]{1,20})\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$.+?\=urldecode\(.+?eval\(\$GLOBALS\[.+?\?><\?php\s+\/\*\s+([A-z0-9]{1,20})\s+\*\/\$.+?eval\(\$.+?\/([A-z0-9]{1,20})\=([A-z0-9]{1,20})\Z/is,
qr/<\?php\s+\$f\s+\=\s+fopen\(.+?echo\s+\"HACKED\s+BY.+?\?>/is,
qr/<\?php\s+\/\*.+?\$homedir\s+\=\s+\'\.\/\'\;.+?case\s+\'upload\'\:\s+\$dest\s+\=\s+relative2absolute\(\$file\[\'name\'\]\,\s+\$directory\)\;.+?\.php\_uname\(\)\.\'<br><\/b>\'\;\s+\?>/is,
qr/<\?php\s+eval\(\$\_POST\[([A-z0-9]{1,20})\]\)\?>/is,
);
my @base64_decodes = (
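Review bot: The class `[A-z0-9]` in the identifier patterns (the `isset`/`eval` lines, the `$GLOBALS` line, the `gzuncompress` line, the `urldecode` line and the closing `eval($_POST[...])` line) is the ASCII range from `A` to `z`, so it also admits `[`, `\`, `]`, `^`, `_` and the backtick. If a PHP identifier is meant, `[A-Za-z0-9_]{1,20}` says so explicitly and keeps the underscore on purpose rather than by accident of the range. Neither form admits a quote character, so the last pattern only matches an unquoted key with no `;` or whitespace before `?>`; if the quoted form should be caught too, something like `qr/<\?php\s+eval\(\$_POST\[['"]?[A-Za-z0-9_]{1,20}['"]?\]\)\s*;?\s*\?>/is` would cover it. The same list appears in the second file section of this commit. The rendering has lost the +/- markers, so I am assuming these lines are among the additions.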


@@ -839,7 +839,22 @@ my @regexen = (
qr/<\?php\s+\$urls\s+\=\s+array\s+\(\s+\'http\:\/\/.+?\)\;\s+\$URL\s+\=\s+\$urls\[rand\(0\,\s+count\(\$urls\)\s+\-\s+1\)\]\;\s+header\s+\(\"Location\:\s+\$URL\"\)\;\s+\?>/is,
qr/<\?php\s+if\s+\(md5\(\$\_POST\[.+?\'bas\'\.\'e6\'\.\'4\_d\'\.\'ec\'\.\'ode\'\;.+?array\_walk\(.+?\)\;\}\}\s+\?>/is,
qr/<\?php.+?move\_uploaded\_file\(\$file\,\s+\$name\)\;\s+\}else\{\s+\?>.+?action\=\"<\?\$\_SERVER\[\'PHP\_SELF\'\]\?>\">.+?require\_once\(dirname\(\_\_FILE\_\_\)\.DS\.\'index\.php\'\)\;\s+\?>/is,
qr/Goog1e\_analist\_up<\?php\s+\$.+?\)\{eval\(\$.+?\)\{system\(\$.+?\)\{move\_uploaded\_file\(\$\_FILES\[.+?\]\[\'name\'\]\)\;\}\?>/is,
qr/<\?php\s+function\s+d\(\$.+?\$d\.\=chr\(hexdec\(substr\(\$.+?\}\}eval\(d\(\".+?\)\)\;\s+\?>/is,
qr/<style\s+type\=\"text\/css\">.+?Lampungcarding.+?\$currentCMD.+?exit\;\s+\?>.+?<\/title>/is,
qr/<\!\-\-<\?php\s+if\(\@\$\_REQUEST\[.+?Goog1e\_analist\_certs.+?\{eval\(base64\_decode\(\$.+?\)\{move\_uploaded\_file\(\$.+?\?>\-\->/is,
qr/<\?php\s+if\(isset\(\$\_GET\[\'.+?Goog1e\_analist\_certs.+?\]\)\)\{eval\(base64\_decode\(\$\_POST\[.+?\]\)\;\}\}\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20}).+?isset\(.+?eval\(.+?\'([A-z0-9]{1,20})\'.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\".+?\"\;\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\{\$([A-z0-9]{1,20})\[\d\d\]\.\$([A-z0-9]{1,20})\[\d\d\].+?\{\s+break\;\s+\}\s+\}\s+return\;\s+\}\s+if\s+\(isset\(\$GLOBALS\[.+?\{\s+echo\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\(([A-z0-9]{1,20})\)\;\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20}).+?isset\s+\(.+?eval\s+\(.+?\'([A-z0-9]{1,20})\'.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20}).+?isset\s+\(.+?eval\(.+?\'([A-z0-9]{1,20})\'.+?\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20}).+?isset\(.+?eval\s+\(.+?\'([A-z0-9]{1,20})\'.+?\?>/is,
qr/<\?php.+?\$([A-z0-9]{1,20})\s+\=.+?eval\(\"\?>\"\.gzuncompress\(base64\_decode\(\$([A-z0-9]{1,20})\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$.+?\=urldecode\(.+?eval\(\$GLOBALS\[.+?\?><\?php\s+\/\*\s+([A-z0-9]{1,20})\s+\*\/\$.+?eval\(\$.+?\/([A-z0-9]{1,20})\=([A-z0-9]{1,20})\Z/is,
qr/<\?php\s+\$f\s+\=\s+fopen\(.+?echo\s+\"HACKED\s+BY.+?\?>/is,
qr/<\?php\s+\/\*.+?\$homedir\s+\=\s+\'\.\/\'\;.+?case\s+\'upload\'\:\s+\$dest\s+\=\s+relative2absolute\(\$file\[\'name\'\]\,\s+\$directory\)\;.+?\.php\_uname\(\)\.\'<br><\/b>\'\;\s+\?>/is,
qr/<\?php\s+eval\(\$\_POST\[([A-z0-9]{1,20})\]\)\?>/is,
);
my @base64_decodes = (
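Review bot: The four generic `<\?php\s+\$(...).+?isset...eval...'...'.+?\?>` patterns are very loose under `/s`: each lazy `.+?` can cross any amount of code, so any file that opens with `<?php $var`, then contains an `isset(`, an `eval(`, a short quoted word and a `?>` in that order will match. How `@regexen` matches are acted on is not visible in this hunk, but if a match leads to removal or quarantine, a legitimate file that uses `eval` could be hit, so these are worth running against a clean PHP corpus before release. The four variants differ only in optional whitespace before `(` and can be one entry, `qr/<\?php\s+\$[A-Za-z0-9_]{1,20}.+?isset\s*\(.+?eval\s*\(.+?'[A-Za-z0-9_]{1,20}'.+?\?>/is`, which also drops the unused capture groups. The first file section carries the same list, and keeping two copies in step by hand risks them drifting apart. The +/- markers are lost in this rendering, so I am assuming these lines are additions.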


@@ -31,7 +31,7 @@ $counter_warning = 0;
// just in case
set_time_limit(0);
error_reporting(E_ALL);
error_reporting(0);
$pattern = array(
"if\(isset\(\$_REQUEST\[(.*)\{eval\((.*)\$_REQUEST\[(.*)exit",