new patterns

This commit is contained in:
Palma Solutions LTD
2019-03-04 09:07:18 +01:00
parent 487cb125c8
commit 4b2dee33cd
5 changed files with 32 additions and 5 deletions


@@ -199,6 +199,7 @@
array("Dolibarr", "/filefunc.inc.php", "define('DOL_VERSION',", "EOL"), // needs to be checked
array("Mambo", "/version.php", "DEFINE( '_RELEASE',", "EOL"),
array("ViArt Shop", "/index.php", "*** ViArt Shop", "EOL"),
array("PHPMyList", "/readme.txt", "PHPMyList V", "EOL"),
// still need to work on these
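Review bot: The PHPMyList entry fingerprints the version from `/readme.txt`, and a readme is exactly the file that hardening advice tells operators to delete and that an upgrade may leave untouched, so this marker can miss the install or report a stale version; a trailing comment in the style of the Dolibarr line, e.g. `// readme.txt may be removed or stale; prefer a code-side version constant if the project ships one`, would record that. The same entry is added to the second copy of this table in the next section (L21-L26), which already differs from this one on the Dolibarr needle, so the two tables have to be kept in step by hand. Which line of the hunk is the single addition is not marked on the rendered page; the PHPMyList line is assumed.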


@@ -213,6 +213,7 @@
array("Dolibarr", "/filefunc.inc.php", "if (! defined('DOL_VERSION')) define('DOL_VERSION',", "EOL"),
array("Mambo", "/version.php", "DEFINE( '_RELEASE',", "EOL"),
array("ViArt Shop", "/index.php", "*** ViArt Shop", "EOL"),
array("PHPMyList", "/readme.txt", "PHPMyList V", "EOL"),
// still need to work on these


@@ -1379,9 +1379,21 @@ my @regexen = (
qr/<\?php if\(isset\(\$_REQUEST\[\"([A-z0-9_]{1,20})\"\]\)\)\{\$myvar = base64_decode\(\$_REQUEST\[\"([A-z0-9_]{1,20})\"\]\); eval\(\$myvar\);\}\?>/is,
qr/<\?php\s+if \(isset\(\$_GET\[\'([A-z0-9_]{1,20})\'\]\)\)\{die\(\'OK\'\);\}.+?function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20}), \$([A-z0-9_]{1,20}) = \"\\x.+?\]; \} \} return \$([A-z0-9_]{1,20}); \}\s+\/\*.+?\*\/\s+\$([A-z0-9_]{1,20}) = \".+?\)\)\);\s+\$([A-z0-9_]{1,20})\(\);\s+\/\*.+?\*\//is,
qr/<\?php\s+function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20}), \$([A-z0-9_]{1,20}) = \"\\x.+?\*\/\s+\$([A-z0-9_]{1,20}) = \".+?\)\)\);\s+\$([A-z0-9_]{1,20})\(\);\s+\/\*.+?\*\//is,
qr/<\?php\s+\$([A-z0-9_]{1,20})=\"\\x61\"\.\"\\x75\"\.chr\(116\)\.\"h\"\.\"\\x5f\"\.\"p\"\.\"a\"\.\"\\x73\"\.\"\\x73\";.+?\)\)\);\s+#############################################################################/is,
qr/<\?php\s+\$d=\".+?eval\(([A-z0-9_]{1,20})\(base64_decode\(\$d\), 1234567890\)\);.+?return gzinflate\(\$([A-z0-9_]{1,20})\);\s+\}\s+\?>/is,
qr/<\?php\s+#([A-z0-9_]{1,20})#\s+\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]=Array\(\); \?><\? function ([A-z0-9_]{1,20})\(\$i\)\{\$a=Array\(\);return base64_decode\(\$a\[\$i\]\);\} \?>.+?\}\s+#\/([A-z0-9_]{1,20})#\s+\?>/is,
qr/<\?php\s+\?>/is,
qr/<\?php preg_replace\(\"\/\.\*\/e\",\"\\x65.+?\\x3B\",\"\"\); \?>/is,
qr/GIF89A;<\?php if\(!function_exists\(.+?base64_decode.+?\)\);\?>/is,
qr/<\?php eval\(\$_REQUEST\[cmd\]\); \?>/is,
qr/<\?php\s+system\(\'uname -a\'\);\s+unlink\(__FILE__\);\s+\?>/is,
qr/#([A-z0-9_]{1,20})#\s+\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]=Array\(\); \?><\? function ([A-z0-9_]{1,20})\(\$i\)\{\$a=Array\(\);return base64_decode\(\$a\[\$i\]\);\} \?>.+?\}\s+#\/([A-z0-9_]{1,20})#/is,
qr/<\?php\s+function get_files\(\$dir = \"\.\".+?eval\(base64_decode\(\".+?\"\)\);\s+\?>/is,
qr/<\?php\s+\$.+?=\'wp-admin\';\s+\$.+?\]\(\);\?>/is,
qr/<\?php\s+\@include_once\(\"tetete\.php\"\);\s+\?>/is,
qr/<\?php.+?Simple Plugin.+?\$a = chr\(.+?\@array_diff_ukey\(\@array\(\(string\)\(\$a\) => 1\), \@array\(\(string\)\(\$b\) => 2\), \$c\);\s+\@include\(\$a\);\s+\@unlink\(\$a\);/is,
qr/<script type=\'text\/javascript\' async src=\'https:\/\/somelandingpage\.com\/.+?\'><\/script>/is,
);
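Review bot: Every identifier capture in the new `@regexen` entries is written `[A-z0-9_]`, and `A-z` is not the alphabet: in ASCII order it also takes in `[`, `\`, `]`, `^` and the backtick, so a `{1,20}` capture can swallow a bracket and shift what the following `.+?` has to match; `[A-Za-z0-9_]` (or `\w` with `/a`) is what these patterns mean. The identical list is added again in the next section (L53-L70) with the same class. Separately, `qr/<\?php\s+\?>/is` matches any empty PHP block such as `<?php ?>`, which also occurs in benign template files, so it deserves a comment on why it counts as an indicator or a lower weight if the caller scores entries. Entries that chain several `.+?` under `/s` (the `Simple Plugin` and `$GLOBALS[...]=Array()` patterns, for example) can backtrack heavily on large files that contain `<?php` but not the rest; hard to confirm without the matching loop, which like the opening `my @regexen = (` lies outside the hunk.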
my @base64_decodes = (


@@ -1390,6 +1390,19 @@ my @regexen = (
qr/<\?php\s+if \(isset\(\$_GET\[\'([A-z0-9_]{1,20})\'\]\)\)\{die\(\'OK\'\);\}.+?function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20}), \$([A-z0-9_]{1,20}) = \"\\x.+?\]; \} \} return \$([A-z0-9_]{1,20}); \}\s+\/\*.+?\*\/\s+\$([A-z0-9_]{1,20}) = \".+?\)\)\);\s+\$([A-z0-9_]{1,20})\(\);\s+\/\*.+?\*\//is,
qr/<\?php\s+function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20}), \$([A-z0-9_]{1,20}) = \"\\x.+?\*\/\s+\$([A-z0-9_]{1,20}) = \".+?\)\)\);\s+\$([A-z0-9_]{1,20})\(\);\s+\/\*.+?\*\//is,
qr/<\?php\s+\$([A-z0-9_]{1,20})=\"\\x61\"\.\"\\x75\"\.chr\(116\)\.\"h\"\.\"\\x5f\"\.\"p\"\.\"a\"\.\"\\x73\"\.\"\\x73\";.+?\)\)\);\s+#############################################################################/is,
qr/<\?php\s+\$d=\".+?eval\(([A-z0-9_]{1,20})\(base64_decode\(\$d\), 1234567890\)\);.+?return gzinflate\(\$([A-z0-9_]{1,20})\);\s+\}\s+\?>/is,
qr/<\?php\s+#([A-z0-9_]{1,20})#\s+\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]=Array\(\); \?><\? function ([A-z0-9_]{1,20})\(\$i\)\{\$a=Array\(\);return base64_decode\(\$a\[\$i\]\);\} \?>.+?\}\s+#\/([A-z0-9_]{1,20})#\s+\?>/is,
qr/<\?php\s+\?>/is,
qr/<\?php preg_replace\(\"\/\.\*\/e\",\"\\x65.+?\\x3B\",\"\"\); \?>/is,
qr/GIF89A;<\?php if\(!function_exists\(.+?base64_decode.+?\)\);\?>/is,
qr/<\?php eval\(\$_REQUEST\[cmd\]\); \?>/is,
qr/<\?php\s+system\(\'uname -a\'\);\s+unlink\(__FILE__\);\s+\?>/is,
qr/#([A-z0-9_]{1,20})#\s+\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]=Array\(\); \?><\? function ([A-z0-9_]{1,20})\(\$i\)\{\$a=Array\(\);return base64_decode\(\$a\[\$i\]\);\} \?>.+?\}\s+#\/([A-z0-9_]{1,20})#/is,
qr/<\?php\s+function get_files\(\$dir = \"\.\".+?eval\(base64_decode\(\".+?\"\)\);\s+\?>/is,
qr/<\?php\s+\$.+?=\'wp-admin\';\s+\$.+?\]\(\);\?>/is,
qr/<\?php\s+\@include_once\(\"tetete\.php\"\);\s+\?>/is,
qr/<\?php.+?Simple Plugin.+?\$a = chr\(.+?\@array_diff_ukey\(\@array\(\(string\)\(\$a\) => 1\), \@array\(\(string\)\(\$b\) => 2\), \$c\);\s+\@include\(\$a\);\s+\@unlink\(\$a\);/is,
qr/<script type=\'text\/javascript\' async src=\'https:\/\/somelandingpage\.com\/.+?\'><\/script>/is,
);


@@ -679,7 +679,7 @@ if __name__ == '__main__':
for root, dirnames, filenames in os.walk(basedir):
for filename in filenames:
if fnmatch.fnmatch(filename, '*.php') or \
fnmatch.fnmatch(filename, '*.txt') or \
fnmatch.fnmatch(filename, '*.phtml') or \
fnmatch.fnmatch(filename, '*.js'):
hacked = is_hacked(os.path.join(root, filename))
if hacked is not False and hacked['score'] >= MIN_SCORE:
@@ -688,7 +688,7 @@ if __name__ == '__main__':
filename = basedir
root = os.getcwd()
if fnmatch.fnmatch(filename, '*.php') or \
fnmatch.fnmatch(filename, '*.txt') or \
fnmatch.fnmatch(filename, '*.phtml') or \
fnmatch.fnmatch(filename, '*.js'):
hacked = is_hacked(os.path.join(root, filename))
if hacked is not False and hacked['score'] >= MIN_SCORE:
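Review bot: The four-way `fnmatch` chain is now copied verbatim in both hunks (the `os.walk` branch and the single-file branch), so the next extension has to be added in two places again; hoisting it to a module-level tuple such as `SCAN_GLOBS = ('*.php', '*.txt', '*.phtml', '*.js')` and testing `if any(fnmatch.fnmatch(filename, g) for g in SCAN_GLOBS):` keeps both branches in step. Which of the four globs is the one added here is not recoverable from the rendered page. Note also that `fnmatch.fnmatch` applies `os.path.normcase`, which is a no-op on POSIX, so a file with an upper-case extension such as `.PHP` is skipped by the scan; `fnmatch.fnmatch(filename.lower(), g)` covers that where the web server treats such names as PHP. The enclosing `if __name__ == '__main__':` block begins before both hunks.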