Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new pattern

Browse Source
This commit is contained in:
Palma Solutions LTD
2018-06-16 13:05:01 +02:00
parent b7e8942eb9
commit 616e2fa4b3
2 changed files with 29 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
malware6.pl
View File

@@ -193,6 +193,18 @@ my @regexen = (
qr/<!--visitorTracker--><\?php \@ob_start\(\);\@ini_set\(\"display_errors\",0\);\@error_reporting\(0\);echo base64_decode\(.+?\"\);\?><!--visitorTracker-->/is,
qr/<\?php\s+if\(!empty\(\$_SERVER\[\'HTTP_USER_AGENT\'\]\)\) \{ \$([A-z0-9_]{1,20}) = array\(\"Google\", \"Slurp\", \"MSNBot\", \"ia_archiver\", \"Yandex\", \"Rambler\", \"StackRambler\"\); if\(preg_match\(\'\/\' \. implode\(\'\|\', \$([A-z0-9_]{1,20})\) \. \'\/i\', \@\$_SERVER\[\'HTTP_USER_AGENT\'\]\)\).+?\$([A-z0-9_]{1,20})\[\]=\@realpath\(\$([A-z0-9_]{1,20})\.DIRECTORY_SEPARATOR\.\$([A-z0-9_]{1,20})\)\.DIRECTORY_SEPARATOR; else continue; .+?return \$([A-z0-9_]{1,20}) ; \} \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'.+?\$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\"\",([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20}),\$([A-z0-9_]{1,20}),\$([A-z0-9_]{1,20})\)\); \$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20}); \$([A-z0-9_]{1,20})\(\"\"\); \$([A-z0-9_]{1,20})=\(([0-9_]{1,20})-([0-9_]{1,20})\); \$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20})-1; \?>/is,
qr/<\?php\s+echo \'<img src=.+?\$xSoftware = trim\(getenv\(\"SERVER_SOFTWARE\"\)\);.+?if \(function_exists\(\"posix_getpwuid\"\) && function_exists\(\"posix_getgrgid\"\)\).+?\?> ;-\) <\/div>\s+<\/div>\s+<\/body>\s+<\/html>>/is,
qr/<\? eval\(base64_decode\(\'([A-z0-9_]{1,20}).+?([A-z0-9_=]{1,20})\'\)\); \?>/is,
qr/<\?php \$([A-z]{1,3})=base64_decode\(\'([A-z0-9=]{1,20})\'\)\.\$_GET\[\'([A-z]{1,3})\'\]\.\'([A-z]{1,3})\';\@\$([A-z]{1,3})\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\);\?>([A-z0-9_]{1,20})/is,
qr/<\?php\s+\/\*\s+\* hostname\.php\s+\*\/\s+\$hostname = gethostbyaddr\(\$_SERVER\[\'REMOTE_ADDR\'\]\); \/\/Get User Hostname\s+\$blocked_words = array\(.+?foreach\(\$blocked_words as \$word\) \{.+?\}\s+\?>/is,
qr/<\?php\s+require_once \'hostname\.php\';\s+\$praga=rand\(\);\s+\$praga=md5\(\$praga\);\s+header\(\"location: login\.php.+?\$praga\$praga\"\);\s+\?>/is,
qr/<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4\.01 Transitional\/\/EN\">\s+<html>\s+<head>\s+<title>.+?<body style=\"visibility:hidden\" onload=\"unhideBody\(\)\">.+?new MaskedPassword\(document\.getElementById\(.+?<\/body>\s+<\/html>/is,
qr/<\?php\s+if\(\$_POST\[.+?Apple Info.+?header \(\"Location: index\.php\"\);\s+\}\s+\?>/is,
qr/<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4\.01 Transitional\/\/EN\">\s+<html>\s+<head>\s+<title>.+?<body style=\"visibility:hidden\" onload=\"unhideBody\(\)\">.+?src=\"images\/sbmit\.png\"><\/div>\s+<\/div>\s+<\/body>\s+<\/html>/is,
qr/<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4\.01 Transitional\/\/EN\">\s+<html>\s+<head>\s+<title>.+?<body style=\"visibility:hidden\" onload=\"unhideBody\(\)\">.+?src=\"images\/apl\.gif\" alt=\"\" title=\"\" border=0 width=77 height=77><\/div>\s+<\/div>\s+<\/body>\s+<\/html>/is,
qr/<\?\s+include\(\'blocker\.php\'\);\s+\$DIR=md5\(rand\(0,100000000000\)\);.+?fwrite\(\$file,\$ip\.\" - \"\.gmdate \(\"Y-n-d\"\)\.\" \@ \"\.gmdate \(\"H:i:s\"\)\.\"\\n\"\);\s+\?>/is,
qr/<\?php\s+\$hostname = gethostbyaddr\(\$_SERVER\[\'REMOTE_ADDR\'\]\);\s+\$blocked_words = array\(\"above\",\"google\",\"softlayer\",\"amazonaws\",\"cyveillance\",\"phishtank\",\"dreamhost\",\"netpilot\",\"calyxinstitute\",\"tor-exit\", \"paypal\"\);.+?foreach\(\$bannedIP as \$ip\) \{\s+if\(preg_match\(\'\/\' \. \$ip \. \'\/\',\$_SERVER\[\'REMOTE_ADDR\'\]\)\)\{\s+header\(\'HTTP\/1\.0 404 Not Found\'\);.+?\'facebookexternalhit\'\) !== false\) \{ header\(\'HTTP\/1\.0 404 Not Found\'\); exit; \}\s+\?>/is,

18
malwaresh.pl
View File

@@ -26,8 +26,9 @@ print "Content-type: text/html\n\n";
my $user = $ARGV[0];
my @regexen = (
qr/<\?php\s+\/\/header\(.+?\$([A-z0_]{1,20})=urldecode\(.+?\]\(\);\?>/is,
qr/<\?php\s+if \(isset\(\$\{\"_REQUE\"\.\"ST\"\}\[\'([A-z0-9_]{1,20})\'\]\)\)\{\$([A-z0-9_]{1,20})=\"assert\";\$([A-z0-9_]{1,20})\(\$\{\"_REQUEST\"\}\[\'([A-z0-9_]{1,20})\'\]\);exit;\} \/\/([A-z0-9_]{1,20})\s+if \(!extension_loaded\(\'IonCube_loader\'\)\).+?\?>\s+([A-z0-9_]{50,})\Z/is,
qr/<\?php\s+\$([Oo0_]{1,10})=.+?\$([Oo0_]{1,10})=\'\|hateyou\|\';.+?\$([Oo0_]{1,10})=urldecode\(\"\%.+?\$([Oo0_]{1,10})=\"([A-z0-9_]{20,})\";\?>/is,
qr/<\?php\s+\$([A-z0_]{1,10})=.+?\$([A-z0_]{1,10})=\'\|hateyou\|\';.+?\$([A-z0_]{1,10})=urldecode\(\"\%.+?\$([A-z0_]{1,10})=\"([A-z0-9_]{20,})\";\?>/is,
qr/\/\/\s+([A-z0-9]{31})\s+echo\s+base64\_decode\(.+?\)\;\s+\/\/([A-z0-9]{31})/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\|.+?\)\)\=\=\$([A-z0-9]{1,20})\)eval\(\$.+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\|.+?\)die\;\$.+?\(false\,\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\).+?\'\;/is,
@@ -1179,6 +1180,21 @@ my @regexen = (
qr/<!--visitorTracker--><\?php \@ob_start\(\);\@ini_set\(\"display_errors\",0\);\@error_reporting\(0\);echo base64_decode\(.+?\"\);\?><!--visitorTracker-->/is,
qr/<\?php\s+if\(!empty\(\$_SERVER\[\'HTTP_USER_AGENT\'\]\)\) \{ \$([A-z0-9_]{1,20}) = array\(\"Google\", \"Slurp\", \"MSNBot\", \"ia_archiver\", \"Yandex\", \"Rambler\", \"StackRambler\"\); if\(preg_match\(\'\/\' \. implode\(\'\|\', \$([A-z0-9_]{1,20})\) \. \'\/i\', \@\$_SERVER\[\'HTTP_USER_AGENT\'\]\)\).+?\$([A-z0-9_]{1,20})\[\]=\@realpath\(\$([A-z0-9_]{1,20})\.DIRECTORY_SEPARATOR\.\$([A-z0-9_]{1,20})\)\.DIRECTORY_SEPARATOR; else continue; .+?return \$([A-z0-9_]{1,20}) ; \} \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'.+?\$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\"\",([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20}),\$([A-z0-9_]{1,20}),\$([A-z0-9_]{1,20})\)\); \$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20}); \$([A-z0-9_]{1,20})\(\"\"\); \$([A-z0-9_]{1,20})=\(([0-9_]{1,20})-([0-9_]{1,20})\); \$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20})-1; \?>/is,
qr/<\?php\s+echo \'<img src=.+?\$xSoftware = trim\(getenv\(\"SERVER_SOFTWARE\"\)\);.+?if \(function_exists\(\"posix_getpwuid\"\) && function_exists\(\"posix_getgrgid\"\)\).+?\?> ;-\) <\/div>\s+<\/div>\s+<\/body>\s+<\/html>>/is,
qr/<\? eval\(base64_decode\(\'([A-z0-9_]{1,20}).+?([A-z0-9_=]{1,20})\'\)\); \?>/is,
qr/<\?php \$([A-z]{1,3})=base64_decode\(\'([A-z0-9=]{1,20})\'\)\.\$_GET\[\'([A-z]{1,3})\'\]\.\'([A-z]{1,3})\';\@\$([A-z]{1,3})\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\);\?>([A-z0-9_]{1,20})/is,
qr/<\?php\s+\/\*\s+\* hostname\.php\s+\*\/\s+\$hostname = gethostbyaddr\(\$_SERVER\[\'REMOTE_ADDR\'\]\); \/\/Get User Hostname\s+\$blocked_words = array\(.+?foreach\(\$blocked_words as \$word\) \{.+?\}\s+\?>/is,
qr/<\?php\s+require_once \'hostname\.php\';\s+\$praga=rand\(\);\s+\$praga=md5\(\$praga\);\s+header\(\"location: login\.php.+?\$praga\$praga\"\);\s+\?>/is,
qr/<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4\.01 Transitional\/\/EN\">\s+<html>\s+<head>\s+<title>.+?<body style=\"visibility:hidden\" onload=\"unhideBody\(\)\">.+?new MaskedPassword\(document\.getElementById\(.+?<\/body>\s+<\/html>/is,
qr/<\?php\s+if\(\$_POST\[.+?Apple Info.+?header \(\"Location: index\.php\"\);\s+\}\s+\?>/is,
qr/<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4\.01 Transitional\/\/EN\">\s+<html>\s+<head>\s+<title>.+?<body style=\"visibility:hidden\" onload=\"unhideBody\(\)\">.+?src=\"images\/sbmit\.png\"><\/div>\s+<\/div>\s+<\/body>\s+<\/html>/is,
qr/<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4\.01 Transitional\/\/EN\">\s+<html>\s+<head>\s+<title>.+?<body style=\"visibility:hidden\" onload=\"unhideBody\(\)\">.+?src=\"images\/apl\.gif\" alt=\"\" title=\"\" border=0 width=77 height=77><\/div>\s+<\/div>\s+<\/body>\s+<\/html>/is,
qr/<\?\s+include\(\'blocker\.php\'\);\s+\$DIR=md5\(rand\(0,100000000000\)\);.+?fwrite\(\$file,\$ip\.\" - \"\.gmdate \(\"Y-n-d\"\)\.\" \@ \"\.gmdate \(\"H:i:s\"\)\.\"\\n\"\);\s+\?>/is,
qr/<\?php\s+\$hostname = gethostbyaddr\(\$_SERVER\[\'REMOTE_ADDR\'\]\);\s+\$blocked_words = array\(\"above\",\"google\",\"softlayer\",\"amazonaws\",\"cyveillance\",\"phishtank\",\"dreamhost\",\"netpilot\",\"calyxinstitute\",\"tor-exit\", \"paypal\"\);.+?foreach\(\$bannedIP as \$ip\) \{\s+if\(preg_match\(\'\/\' \. \$ip \. \'\/\',\$_SERVER\[\'REMOTE_ADDR\'\]\)\)\{\s+header\(\'HTTP\/1\.0 404 Not Found\'\);.+?\'facebookexternalhit\'\) !== false\) \{ header\(\'HTTP\/1\.0 404 Not Found\'\); exit; \}\s+\?>/is,
);