new patterns
This commit is contained in:
Palma Solutions LTD
@@ -273,6 +273,13 @@ my @regexen = (
|
||||
qr/<html>\s+<head>\s+<title>Symlink Get Config.+?echo system\(\'ls \/var\/mail\'\);.+?symlink\(\'\/var\/www\/html\/include\/connect\.php\',\'OTHER\.txt\'\);.+?\?>\s+<\/td><\/table><\/body><\/html>/is,
|
||||
qr/<\?php\s+function query_str\(\$params\)\{.+?Priv8.+?sent successfully\'\); <\/script>\";\}\}\s+\?>\s+<\/body>\s+<\/html>/is,
|
||||
qr/<\?php print_r\(eval\(\$_POST\[0\]\)\);/is,
|
||||
qr/<\?php if\(\$_GET\[\"login\"\].+?\$([A-z0-9_]{1,20})=base64_decode\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\); \@eval\(\"\\\$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20});\"\);\}.+?value=\"submit\"\/><\/form>/is,
|
||||
qr/<\?php\s+error_reporting\(0\);\s+if\(array_keys\(\$_GET\)\[0\] == \'([A-z0-9_]{1,20})\'\)\{\s+\$spacer_open\s+\{\$\{eval\(base64_decode\(.+?\'\)\)\}\}\{\$\{exit\(\)\}\}&\s+\$_phpinclude_output;/is,
|
||||
qr/<\?php.+?\$auth_pass =.+?eval\(gzinflate\(str_rot13\(base64_decode\(.+?\)\)\)\);\s+\?>/is,
|
||||
qr/<\?php if\(empty\(\$_GET\[\'ineedthispage\'\]\) && \$_SERVER\[\'REQUEST_URI\'\]!=\"\/\" && \$_SERVER\[\'REQUEST_URI\'\]!=\"\/index\.php\" && !empty\(\$_SERVER\[\'REQUEST_URI\'\]\)\) \{ini_set\(\'display_errors\',\"Off\"\);ignore_user_abort\(1\);\$.+?;\};\s+\/\/item->alias\s+\?>/is,
|
||||
qr/<\?php \$([A-z0-9_]{1,20}) = \'strr\'\.chr\(101\)\.\'v\';\$([A-z0-9_]{1,20}) = array\(.+?eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
|
||||
qr/<\?php\s+\/\*\*\s+\* Plugin Name: Login Wall.+?if \(!defined\(\'LoginWall\'\)\)\{\s+define\( \'LoginWall\',1\);.+?add_action\(\'login_form\',\'fs_login_session\'\);\s+\}/is,
|
||||
qr/<\?php if\(\$_POST\[\'([A-z0-9_]{1,20})\'\]==\'\'\)\{echo\(\'->\|OK\|-<\'\);exit\(\);\}eval\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\);\?>/is,
|
||||
|
||||
);
|
||||
|
||||
|
||||
12
malwaresh.pl
12
malwaresh.pl
@@ -1259,9 +1259,15 @@ my @regexen = (
|
||||
qr/<\?php.+?\$auth_pass =.+?eval\(str_rot13\(gzinflate\(str_rot13\(base64_decode\(\(\$([A-z0-9_]{1,20})\)\)\)\)\)\);/is,
|
||||
qr/<\? \$([A-z0-9_]{1,20})=\$_GET\[\'hamza\'\].+?\@move_uploaded_file\(\$userfile_tmp.+?value=\"Submit\"><\/form>\';\}\}\?>/is,
|
||||
qr/<html>\s+<head>\s+<title>Symlink Get Config.+?echo system\(\'ls \/var\/mail\'\);.+?symlink\(\'\/var\/www\/html\/include\/connect\.php\',\'OTHER\.txt\'\);.+?\?>\s+<\/td><\/table><\/body><\/html>/is,
|
||||
|
||||
|
||||
|
||||
qr/<\?php\s+function query_str\(\$params\)\{.+?Priv8.+?sent successfully\'\); <\/script>\";\}\}\s+\?>\s+<\/body>\s+<\/html>/is,
|
||||
qr/<\?php print_r\(eval\(\$_POST\[0\]\)\);/is,
|
||||
qr/<\?php if\(\$_GET\[\"login\"\].+?\$([A-z0-9_]{1,20})=base64_decode\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\); \@eval\(\"\\\$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20});\"\);\}.+?value=\"submit\"\/><\/form>/is,
|
||||
qr/<\?php\s+error_reporting\(0\);\s+if\(array_keys\(\$_GET\)\[0\] == \'([A-z0-9_]{1,20})\'\)\{\s+\$spacer_open\s+\{\$\{eval\(base64_decode\(.+?\'\)\)\}\}\{\$\{exit\(\)\}\}&\s+\$_phpinclude_output;/is,
|
||||
qr/<\?php.+?\$auth_pass =.+?eval\(gzinflate\(str_rot13\(base64_decode\(.+?\)\)\)\);\s+\?>/is,
|
||||
qr/<\?php if\(empty\(\$_GET\[\'ineedthispage\'\]\) && \$_SERVER\[\'REQUEST_URI\'\]!=\"\/\" && \$_SERVER\[\'REQUEST_URI\'\]!=\"\/index\.php\" && !empty\(\$_SERVER\[\'REQUEST_URI\'\]\)\) \{ini_set\(\'display_errors\',\"Off\"\);ignore_user_abort\(1\);\$.+?;\};\s+\/\/item->alias\s+\?>/is,
|
||||
qr/<\?php \$([A-z0-9_]{1,20}) = \'strr\'\.chr\(101\)\.\'v\';\$([A-z0-9_]{1,20}) = array\(.+?eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
|
||||
qr/<\?php\s+\/\*\*\s+\* Plugin Name: Login Wall.+?if \(!defined\(\'LoginWall\'\)\)\{\s+define\( \'LoginWall\',1\);.+?add_action\(\'login_form\',\'fs_login_session\'\);\s+\}/is,
|
||||
qr/<\?php if\(\$_POST\[\'([A-z0-9_]{1,20})\'\]==\'\'\)\{echo\(\'->\|OK\|-<\'\);exit\(\);\}eval\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\);\?>/is,
|
||||
);
|
||||
|
||||
my @base64_decodes = (
|
||||
|
||||
Reference in New Issue
Block a user