Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new patterns

Browse Source
This commit is contained in:
Palma Solutions LTD
2018-05-31 07:42:58 +02:00
parent 0674cfa30e
commit 52b72d71aa
2 changed files with 18 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
malware6.pl
View File

@@ -116,7 +116,15 @@ my @regexen = (
qr/<\?php if \(isset\(\$_GET\[([A-z0-9_]{1,20})\]\)\) \{preg_replace\(\"\\x2F.+?\\x3B\",\"\\x2E\"\);\}\?>/is,
qr/GIF([A-z0-9_]{1,20})\s+<\?php\s+if\( file_exists\(\$_FILES\[\"uploadfile\"\]\[\"tmp_name\"\]\) \).+?<INPUT TYPE=\"submit\" VALUE=\"Send\">\s+<\/FORM>/is,
qr/<\?php.+?W3LL M!N! SH3LL.+?\/\/ World.+?return \$info;\s+\}\s+\?>/is,
qr/<\?php.+?\$License = \"([A-z0-9_]{20,})\";.+?\$wpplugin_action = \'WPcheckInstall\';.+?header\(\'HTTP\/1\.0 404 Not Found\'\);\s+exit;/is,
qr/<\?.+?Loader\'z WEB Shell v.+?Coded by Loader and Modify By Zetha\s+<\/center><\/td>\s+<\/tr>\s+<\/table>/is,
qr/<\?php\s+echo \'\$Word\'\.\'Press !\';\s+if \(isset\(\$_POST\[\"wp\"\]\)\) \{\s+\$wp = \$_POST\[\"wp\"\];\s+if \(get_magic_quotes_gpc\(\)\) \$wp=stripslashes\(\$wp\);\s+file_put_contents\(\$_SERVER\[\"SCRIPT_FILENAME\"\],\'<\?php \'\.\$wp\.\' \?>\'\); \}\s+\?>/is,
qr/<\?php if \(isset\(\$_POST\[\"code\"\]\)\) eval\(base64_decode\(\$_POST\[\"code\"\]\)\); \?>/is,
qr/<\?php\s+echo \"\[!\]start\\n\";.+?function make_great_htaccess\(\$path\).+?echo \"\[-\] cant get the MHB client\\n\";\s+\}\s+\}/is,
qr/<\?php eval \(base64_decode \(\"aWY.+?\"\)\); \?>/is,
qr/<\?php\s+if\(isset\(\$_REQUEST\[\'cmd\'\]\)\) \{\s+eval\(base64_decode\(\$_REQUEST\[\'cmd\'\]\)\);\s+\}\s+\?>/is,
qr/<\?php\s+\/\* Authorization \*\/\s+\$passwordhash = \"([A-z0-9_]{20,})\";.+?if \(isset\(\$_COOKIE\[\'wp_defined\'\]\)\) \{.+?function pnotice \(\$str\) \{.+?<\?php\s+return;\s+\}\s+\?>/is,

10
malwaresh.pl
View File

@@ -1101,7 +1101,15 @@ my @regexen = (
qr/<\?php if \(isset\(\$_GET\[([A-z0-9_]{1,20})\]\)\) \{preg_replace\(\"\\x2F.+?\\x3B\",\"\\x2E\"\);\}\?>/is,
qr/GIF([A-z0-9_]{1,20})\s+<\?php\s+if\( file_exists\(\$_FILES\[\"uploadfile\"\]\[\"tmp_name\"\]\) \).+?<INPUT TYPE=\"submit\" VALUE=\"Send\">\s+<\/FORM>/is,
qr/<\?php.+?W3LL M!N! SH3LL.+?\/\/ World.+?return \$info;\s+\}\s+\?>/is,
qr/<\?php.+?\$License = \"([A-z0-9_]{20,})\";.+?\$wpplugin_action = \'WPcheckInstall\';.+?header\(\'HTTP\/1\.0 404 Not Found\'\);\s+exit;/is,
qr/<\?.+?Loader\'z WEB Shell v.+?Coded by Loader and Modify By Zetha\s+<\/center><\/td>\s+<\/tr>\s+<\/table>/is,
qr/<\?php\s+echo \'\$Word\'\.\'Press !\';\s+if \(isset\(\$_POST\[\"wp\"\]\)\) \{\s+\$wp = \$_POST\[\"wp\"\];\s+if \(get_magic_quotes_gpc\(\)\) \$wp=stripslashes\(\$wp\);\s+file_put_contents\(\$_SERVER\[\"SCRIPT_FILENAME\"\],\'<\?php \'\.\$wp\.\' \?>\'\); \}\s+\?>/is,
qr/<\?php if \(isset\(\$_POST\[\"code\"\]\)\) eval\(base64_decode\(\$_POST\[\"code\"\]\)\); \?>/is,
qr/<\?php\s+echo \"\[!\]start\\n\";.+?function make_great_htaccess\(\$path\).+?echo \"\[-\] cant get the MHB client\\n\";\s+\}\s+\}/is,
qr/<\?php eval \(base64_decode \(\"aWY.+?\"\)\); \?>/is,
qr/<\?php\s+if\(isset\(\$_REQUEST\[\'cmd\'\]\)\) \{\s+eval\(base64_decode\(\$_REQUEST\[\'cmd\'\]\)\);\s+\}\s+\?>/is,
qr/<\?php\s+\/\* Authorization \*\/\s+\$passwordhash = \"([A-z0-9_]{20,})\";.+?if \(isset\(\$_COOKIE\[\'wp_defined\'\]\)\) \{.+?function pnotice \(\$str\) \{.+?<\?php\s+return;\s+\}\s+\?>/is,
);