Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new patterns

Browse Source
This commit is contained in:
Palma Solutions LTD
2018-09-07 11:52:49 +02:00
parent 980fb812b8
commit 4d5013ecf6
2 changed files with 17 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
malware6.pl
View File

@@ -288,7 +288,15 @@ my @regexen = (
qr/\@eval\(base64_decode\(\$_REQUEST\[\'c_id\'\]\)\)/is,
qr/<\?php if\(\$_GET\[\'test\'\]\)\{echo \'success\';\}else\{\(\$www= \$_POST\[\'([A-z0-9_]{1,20})\'\]\) && \@preg_replace\(\'\/ad\/e\',\'@\'\.str_rot13\(\'riny\'\)\.\'\(\$www\)\', \'add\'\);\}/is,
qr/<\?php \$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}\[.+?eval\(\$([A-z0-9]{1,20})\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[([0-9]{1,5})\]\]\);\s+\}\s+exit\(\);\s+\}\s+\}/is,
qr/<\?php \/\*([A-z0-9_]{1,20})\*\/ error_reporting\(0\); \@ini_set\(\'error_log\',NULL\); \@ini_set\(\'log_errors\',0\); \@ini_set\(\'display_errors\',\'Off\'\); \@eval\( base64_decode\(\'aWYo.+?\)\); \@ini_restore\(\'error_log\'\); \@ini_restore\(\'display_errors\'\); \/\*([A-z0-9_]{1,20})\*\/ \?>/is,
qr/<script type=\"text\/javascript\"><\/script><script type=\"text\/javascript\">var _0x2515=\[\"\",\"\\x6A\\x6F\\x69\\x6E\".+?\(_0x2515\[0\]\)\);<\/script>/is,
qr/<\?php\s+\/\*([A-z0-9_]{1,20})\*\/\s+\@include \"\\057ho.+?ic\\157\";\s+\/\*([A-z0-9_]{1,20})\*\/\s+echo \@file_get_contents\(\'index\.html\.bak\.bak\'\);/is,
qr/<\?php \$GLOBALS\[\'([A-z0-9_]{1,20})\'\]=Array\(\'str_\' \.\'rot13\',\'pack\',\'st\' \.\'rrev\'\); \?>/is,
qr/<\?php function ([A-z0-9_]{1,20})\(\$i\)\{\$a=Array\(\"([A-z0-9_]{1,20})\",\"([A-z0-9_]{1,20})\",\"([A-z0-9_]{1,20})\",\"([A-z0-9_]{1,20})\",\"H*\"\);return \$a\[\$i\];\} \?>/is,
qr/<\?php function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\)\{return isset\(\$_COOKIE\[\$([A-z0-9_]{1,20})\]\)\?\$_COOKIE\[\$([A-z0-9_]{1,20})\].+?if\(\!empty\(\$([A-z0-9_]{1,20})\)\)\{\$([A-z0-9_]{1,20})=\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[0\]\(\@\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[1\]\(.+?if\(isset\(\$([A-z0-9_]{1,20})\)\)\{\@eval\(\$([A-z0-9_]{1,20})\);exit\(\);\}\}/is,
qr/<\?php error_reporting\(0\);chmod\(basename\(\$_SERVER\[\"PHP_SELF\"\]\), 0444\);echo\(\"\#0x2525\"\);if\(isset\(\$_GET\[\"u\"\]\)\)\{echo\'<form action=\"\" method=\"post\" enctype=\"multipart\/form-data\" name=\"uploader\" id=\"uploader\">\';echo\'<input type=\"file\" name=\"file\" size=\"30\"><input name=\"_upl\" type=\"submit\" id=\"_upl\" value=\"Upload\"><\/form>\';if\(\$_POST\[\'_upl\'\]==\"Upload\"\)\{if\(\@copy\(\$_FILES\[\'file\'\]\[\'tmp_name\'\],\$_FILES\[\'file\'\]\[\'name\'\]\)\)\{echo\'Success\';\}else\{echo\'Fail\';\}\};\};/is,
);
my @base64_decodes = (

8
malwaresh.pl
View File

@@ -1275,8 +1275,16 @@ my @regexen = (
qr/<\?php\s+function_exists\(\'date_default_timezone\'\) \? date_default_timezone_set\(\'America\/Los_Angeles\'\) : \@eval\(base64_decode\(\$_REQUEST\[\'c_id\'\]\)\);/is,
qr/<\?PHP\s+define\(\'REAL_SERVER_ROOT\', \'SERVER\'\);.+?define\(\'SYSTEM_SKEL_DIR\', \'skel\'\) \? \@eval\(base64_decode\(\$_REQUEST\[\'c_id\'\]\)\) : define\(\'SYSTEM_SKEL_PATH\', SYSTEM_CONF_PATH \. \'\/\' \. SYSTEM_SKEL_DIR\);.+?define\(\'WORKGROUPS_META_SETTINGS_FILENAME\', \'settings\.xml\'\);\s+\?>/is,
qr/<\?php if\(\$_GET\[\'test\'\]\)\{echo \'success\';\}else\{\(\$www= \$_POST\[\'([A-z0-9_]{1,20})\'\]\) && \@preg_replace\(\'\/ad\/e\',\'@\'\.str_rot13\(\'riny\'\)\.\'\(\$www\)\', \'add\'\);\}/is,
qr/<\?php \/\*([A-z0-9_]{1,20})\*\/ error_reporting\(0\); \@ini_set\(\'error_log\',NULL\); \@ini_set\(\'log_errors\',0\); \@ini_set\(\'display_errors\',\'Off\'\); \@eval\( base64_decode\(\'aWYo.+?\)\); \@ini_restore\(\'error_log\'\); \@ini_restore\(\'display_errors\'\); \/\*([A-z0-9_]{1,20})\*\/ \?>/is,
qr/<script type=\"text\/javascript\"><\/script><script type=\"text\/javascript\">var _0x2515=\[\"\",\"\\x6A\\x6F\\x69\\x6E\".+?\(_0x2515\[0\]\)\);<\/script>/is,
qr/<\?php\s+\/\*([A-z0-9_]{1,20})\*\/\s+\@include \"\\057ho.+?ic\\157\";\s+\/\*([A-z0-9_]{1,20})\*\/\s+echo \@file_get_contents\(\'index\.html\.bak\.bak\'\);/is,
qr/<\?php \$GLOBALS\[\'([A-z0-9_]{1,20})\'\]=Array\(\'str_\' \.\'rot13\',\'pack\',\'st\' \.\'rrev\'\); \?>/is,
qr/<\?php function ([A-z0-9_]{1,20})\(\$i\)\{\$a=Array\(\"([A-z0-9_]{1,20})\",\"([A-z0-9_]{1,20})\",\"([A-z0-9_]{1,20})\",\"([A-z0-9_]{1,20})\",\"H*\"\);return \$a\[\$i\];\} \?>/is,
qr/<\?php function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\)\{return isset\(\$_COOKIE\[\$([A-z0-9_]{1,20})\]\)\?\$_COOKIE\[\$([A-z0-9_]{1,20})\].+?if\(\!empty\(\$([A-z0-9_]{1,20})\)\)\{\$([A-z0-9_]{1,20})=\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[0\]\(\@\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[1\]\(.+?if\(isset\(\$([A-z0-9_]{1,20})\)\)\{\@eval\(\$([A-z0-9_]{1,20})\);exit\(\);\}\}/is,
qr/<\?php error_reporting\(0\);chmod\(basename\(\$_SERVER\[\"PHP_SELF\"\]\), 0444\);echo\(\"\#0x2525\"\);if\(isset\(\$_GET\[\"u\"\]\)\)\{echo\'<form action=\"\" method=\"post\" enctype=\"multipart\/form-data\" name=\"uploader\" id=\"uploader\">\';echo\'<input type=\"file\" name=\"file\" size=\"30\"><input name=\"_upl\" type=\"submit\" id=\"_upl\" value=\"Upload\"><\/form>\';if\(\$_POST\[\'_upl\'\]==\"Upload\"\)\{if\(\@copy\(\$_FILES\[\'file\'\]\[\'tmp_name\'\],\$_FILES\[\'file\'\]\[\'name\'\]\)\)\{echo\'Success\';\}else\{echo\'Fail\';\}\};\};/is,
);
my @base64_decodes = (