Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new malware fingerprint for cleaner

Browse Source
This commit is contained in:
Palma Solutions LTD 2017-06-02 20:10:40 +02:00
parent 661bb6013b
commit 6b965bae92
2 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
malware3.pl
View File

@ -529,7 +529,6 @@ my @regexen = (
qr/<\?php\s+if\(isset\(\$\_GET\[php\]\)\)\{\echo\s+\'<form\s+action\=\"\"\s+method\=\"post\"\s+enctype\=\"multipart\/form\-data\"\s+name\=\"silence\"\s+id\=\"silence\">\';echo\s+\'<input\s+type\=\"file\"\s+name\=\"file\"><input\s+name\=\"golden\"\s+type\=\"submit\"\s+id\=\"golden\"\s+value\=\"Done\"><\/form>\';if\(\$\_POST\[\'golden\'\]\=\=\"Done\"\)\{if\(\@copy\(\$\_FILES\[\'file\'\]\[\'tmp\_name\'\]\,\$\_FILES\[\'file\'\]\[\'name\'\]\)\)\{echo\'\+\';\}else\{echo\'\-\';\}\}\}/is,
qr/<\?php\s+\$root\_path\s+\=\s+get\_root\(\);\s+\$cms\s+\=\s+get\_cms\(\$root\_path\);\s+\$func\s+\=\s+\'do\_backdoor\_\'\.\$cms;\s+\$func\(\$root\_path\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\);\s+echo\s+\$\_SERVER\[\'HTTP\_HOST\'\]\.\';;;\';\s+\$domains\s+\=\s+get_domains\(\$root\_path\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\);\s+foreach\s+\(\$domains\s+as\s+\$domain\_path\)\s+\{\s+\$tmp\s+\=\s+explode\(\'\/\'\,\s+\$domain\_path\);\s+\$domain\_name\s+\=\s+\(count\(\$tmp\)\s+\>\s+0\)\?\s+\$tmp\[count\(\$tmp\)\s+\-\s+1\]\:\s+\'\';\s+\$cms\s+=\s+get\_cms\(\$domain\_path\);\s+\$func\s+\=\s+\'do\_backdoor\_\'\.\$cms;\s+\$func\(\$domain\_path\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\);\s+echo\s+\$domain\_name\.\';;;\';\s+\}\s+function\s+do\_backdoor\_jml1\(\$domain\_path\,\s+\$domain\)\s+{\s+change\_content\_of\_file\(\$domain\_path\.\'\/\.htaccess\'\,.+?function\s+get\_cron\(\)\s+\{\s+return.+?\';\s+\}/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+\$\_([A-z0-9]{1,20})\s+\=.+?\;\s+for\s+\(\$i\s+\=\s+0\;\s+\$.+?strlen\(\$\_([A-z0-9]{1,20})\)\;\s+\$i\+\+\)\s+\$\_([A-z0-9]{1,20})\s+\.\=\s+sprintf\(\".+?"\,\s+\$\_([A-z0-9]{1,20}).+?ord\(\$\_([A-z0-9]{1,20})\[\$i\]\)\)\;\$\_([A-z0-9]{1,20}).+?for.+?\*\//is,

1
malware4.pl
View File

@ -92,6 +92,7 @@ my @regexen = (
qr/<\?php\s+preg\_replace\(\"\/\.\/.+?\)\)\)\;\"\,\"\.\"\)\;/is,
qr/<\?php\s+\$file.+?function\s+dwnld\(\$file\)\s+\{.+?header\(\"HTTP\/1\.0\s+404\s+Not\s+Found\"\)\;\s+exit\;\s+\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+\$\_([A-z0-9]{1,20})\s+\=.+?\;\s+for\s+\(\$i\s+\=\s+0\;\s+\$i\s+<\s+strlen\(\$\_([A-z0-9]{1,20})\)\;\s+\$i\+\+\)\s+\$\_([A-z0-9]{1,20})\s+\.\=\s+sprintf\(\"\%c\"\,\s+$\_([A-z0-9]{1,20})\s+\^\s+ord\(\$\_([A-z0-9]{1,20})\[\$i\]\)\)\;\$\_([A-z0-9]{1,20})\s+\=\s+\"\"\;s+for.+?\*\//is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?explode\(chr\(\(.+?\$([A-z0-9]{1,20})\=\(([0-9]{1,4})\-([0-9]{1,4})\)\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
);
my @base64_decodes = (