new patterns
This commit is contained in:
Palma Solutions LTD
18
malware.pl
18
malware.pl
@@ -1379,9 +1379,21 @@ my @regexen = (
|
||||
qr/<\?php if\(isset\(\$_REQUEST\[\"([A-z0-9_]{1,20})\"\]\)\)\{\$myvar = base64_decode\(\$_REQUEST\[\"([A-z0-9_]{1,20})\"\]\); eval\(\$myvar\);\}\?>/is,
|
||||
qr/<\?php\s+if \(isset\(\$_GET\[\'([A-z0-9_]{1,20})\'\]\)\)\{die\(\'OK\'\);\}.+?function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20}), \$([A-z0-9_]{1,20}) = \"\\x.+?\]; \} \} return \$([A-z0-9_]{1,20}); \}\s+\/\*.+?\*\/\s+\$([A-z0-9_]{1,20}) = \".+?\)\)\);\s+\$([A-z0-9_]{1,20})\(\);\s+\/\*.+?\*\//is,
|
||||
qr/<\?php\s+function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20}), \$([A-z0-9_]{1,20}) = \"\\x.+?\*\/\s+\$([A-z0-9_]{1,20}) = \".+?\)\)\);\s+\$([A-z0-9_]{1,20})\(\);\s+\/\*.+?\*\//is,
|
||||
|
||||
|
||||
|
||||
qr/<\?php\s+\$([A-z0-9_]{1,20})=\"\\x61\"\.\"\\x75\"\.chr\(116\)\.\"h\"\.\"\\x5f\"\.\"p\"\.\"a\"\.\"\\x73\"\.\"\\x73\";.+?\)\)\);\s+#############################################################################/is,
|
||||
qr/<\?php\s+\$d=\".+?eval\(([A-z0-9_]{1,20})\(base64_decode\(\$d\), 1234567890\)\);.+?return gzinflate\(\$([A-z0-9_]{1,20})\);\s+\}\s+\?>/is,
|
||||
qr/<\?php\s+#([A-z0-9_]{1,20})#\s+\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]=Array\(\); \?><\? function ([A-z0-9_]{1,20})\(\$i\)\{\$a=Array\(\);return base64_decode\(\$a\[\$i\]\);\} \?>.+?\}\s+#\/([A-z0-9_]{1,20})#\s+\?>/is,
|
||||
qr/<\?php\s+\?>/is,
|
||||
qr/<\?php preg_replace\(\"\/\.\*\/e\",\"\\x65.+?\\x3B\",\"\"\); \?>/is,
|
||||
qr/GIF89A;<\?php if\(!function_exists\(.+?base64_decode.+?\)\);\?>/is,
|
||||
qr/<\?php eval\(\$_REQUEST\[cmd\]\); \?>/is,
|
||||
qr/<\?php\s+system\(\'uname -a\'\);\s+unlink\(__FILE__\);\s+\?>/is,
|
||||
qr/#([A-z0-9_]{1,20})#\s+\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]=Array\(\); \?><\? function ([A-z0-9_]{1,20})\(\$i\)\{\$a=Array\(\);return base64_decode\(\$a\[\$i\]\);\} \?>.+?\}\s+#\/([A-z0-9_]{1,20})#/is,
|
||||
qr/<\?php\s+function get_files\(\$dir = \"\.\".+?eval\(base64_decode\(\".+?\"\)\);\s+\?>/is,
|
||||
qr/<\?php\s+\$.+?=\'wp-admin\';\s+\$.+?\]\(\);\?>/is,
|
||||
qr/<\?php\s+\@include_once\(\"tetete\.php\"\);\s+\?>/is,
|
||||
qr/<\?php.+?Simple Plugin.+?\$a = chr\(.+?\@array_diff_ukey\(\@array\(\(string\)\(\$a\) => 1\), \@array\(\(string\)\(\$b\) => 2\), \$c\);\s+\@include\(\$a\);\s+\@unlink\(\$a\);/is,
|
||||
qr/<script type=\'text\/javascript\' async src=\'https:\/\/somelandingpage\.com\/.+?\'><\/script>/is,
|
||||
|
||||
);
|
||||
|
||||
my @base64_decodes = (
|
||||
|
||||
Reference in New Issue
Block a user