From 4d81a30c9f3ffb21fc744330097fc2be00c929de Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Thu, 19 Oct 2017 12:23:26 +0200
Subject: [PATCH] new patterns & bug fix
---
 malware4.pl | 2 +-
 scan.php | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/malware4.pl b/malware4.pl
index cf3481b..755b1d2 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -185,7 +185,7 @@ my @regexen = (
 qr/<\?php\s+if\s+\(\s+\$\_REQUEST\[\"array\"\]\s+\)\s+\{\s+\@assert\(base64\_decode\(\$\_REQUEST\[\"array\"\]\)\)\;\s+\/\/debug\s+message\s+echo\s+\"Array\s+sort\s+completed\"\;\s+exit\(\)\;\s+\}\s+echo\'\s+PAGE\s+NOT\s+FOUND\'\;\s+\}\s+\?>/is,
 qr/<\?php\s+set\_time\_limit\(0\)\;\s+ignore\_user\_abort\(\)\;.+?echo\s+\$mail\.\"\s+\-\s+sending\s+ok.+?\}\s+\}\s+\?>/is,
 qr/\/\/installbg\s+\$rifilename\=\'\/home\/([A-z0-9]{1,20})\/public\_html\/.+?\'\;\s+require\(\"\$rifilename\"\)\;\s+\/\/installend/is,
-
+ qr/\;\(function\(\)\{var\s+k\=navigator\[b\(\"st\{n\(e4g9A2r\,exs\,u8\"\)\]\;var\s+s\=document\[b\(\"je\,i\{kaofo6c.+?async\=true\;w\.src\=.+?length\-1\;v>\=0\;v\-\-\)\{n\+\=y\[v\]\;\}return\s+n\;\}\}\)\(\)\;/is,
 );
 my @base64_decodes = (
diff --git a/scan.php b/scan.php
index 09c3543..d939fbe 100644
--- a/scan.php
+++ b/scan.php
@@ -79,14 +79,14 @@ error_reporting(E_ALL);
 "ErrorDocument(\s*)500(\s*)http",
 "ErrorDocument(\s*)403(\s*)http",
 "%u0c0c%u0c0c",
- "String.fromCharCode(32)",
+ "String.fromCharCode\(32\)",
 "HTTP_REFERER(.*)msn(.*)live",
 "SnIpEr_SA",
 "php_value(\s*)auto_append_file",
 "AddType(\s*)application(\s*).jpg",
 "AddHandler(\s*)php5-script(\s*).jpg",
 "HTTP_USER_AGENT(.*)google(.*)yahoo",
- "HTTP_REFERER(.*)\*search.yahoo\*",
+ "HTTP_REFERER(.*)search.yahoo\*",
 "Card(.*)number:",
 "Mass(.*)Mailer",
 "<\?php\s*eval\(\"\?>\"\.base64\_decode\(\"(.*)\"\)\)\;\s*\?>",
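Review bot: The two `.+?` gaps in the added signature are unbounded and the pattern is compiled with `/s`, so once the opening `;(function(){var k=navigator[b(` fragment is seen, the match can run across unrelated script until a later `async=true;w.src=` and the reverse-loop tail appear. The `@regexen` list starts above the hunk and the code that applies it is not visible; if matches are cut out of the scanned file, which the tool's name suggests but the hunk does not show, an over-long match would remove legitimate code along with the injection. Bounding the gaps, e.g. `.{1,4000}?` in place of each `.+?` (a constructed limit, to be sized from the real samples), keeps the match to one injected block. The entry also pins the obfuscated literals and single-letter variable names of one sample, so a one-line comment above it such as `# injected JS loader that appends an async <script>; sample: <SAMPLE_ID>` would tell the next maintainer what to widen when a repacked variant is missed.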
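Review bot: The rewritten referrer pattern still ends in `\*`, which a regex engine reads as a literal asterisk, so `HTTP_REFERER(.*)search.yahoo\*` only fires when `yahoo` is directly followed by a real `*` character. If the leading `\*` was dropped so that the signature also catches referrer checks written without the glob-style stars, the trailing one defeats that and should go too; if the sample really contains `search.yahoo*`, a comment saying so would help. In both changed entries the dots are still unescaped and match any character; `"String\.fromCharCode\(32\)",` and `"HTTP_REFERER(.*)search\.yahoo",` state the literals exactly. The pattern array and the call that applies it (delimiters, flags) lie outside the hunk, so confirm the added backslashes survive however the strings are wrapped there.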