diff --git a/malware3.pl b/malware3.pl
index 6278230..601b00a 100644
--- a/malware3.pl
+++ b/malware3.pl
@@ -295,7 +295,7 @@ my @regexen = (
 qr/\#\#\#\#\#\#\#\#GET\#\#\#\#\#\#\#\s+RewriteEngine\s+on\s+RewriteRule\s+\\\.\(jpg\|png\|gif\|jpeg\|bmp\)\$\s+\-\s+\[L\]\s+RewriteCond\s+\%\{HTTP\_USER\_AGENT\}\s+acs\s+\[NC\,OR\].+?RewriteRule\s+\^\(\.\*\)\$\s+http\:\/\/.+?\s+\[L\,R\=302\]/is,
 qr/<\?php\s+\$cookey\s+\=.+?\;\s+preg\_replace\(.+?\)\;\s+\?>/is,
 qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\s+\"([A-z0-9]{1,10})\_([A-z0-9]{1,10})\"\;\s+\$([A-z0-9]{1,10})\=strtolower\s+\(\$.+?\;if\(isset\(\$\{\s+\$([A-z0-9]{1,10})\s+\}\[\s+\'([A-z0-9]{1,10})\'\]\)\)\s+\{eval\(\s+\$([A-z0-9]{1,10})\s+\(\s+\$\{\s+\$([A-z0-9]{1,10})\}\s+\[\s+\'([A-z0-9]{1,10})\'\s+\]\)\s+\)\;\}\?>/is,
- qr/<\?php\s+\$ver\s+\=\s+\'abcdefghijklmnopqrstuvwxyz\'\;\s+\$check\s+\=.+?\(\$check\(array\(.+?\}\s+\?><\/form>/is,
+ qr/<\?php\s+\$ver\s+\=\s+\'abcdefghijklmnopqrstuvwxyz\'\;\s+\$check\s+\=.+?\(\$check\(array\(.+?\}\s+\?><\/form>/is,
 qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\s+\"([A-z0-9]{1,10})\_([A-z0-9]{1,10})\"\s+\;\s+\$([A-z0-9]{1,10})\=\s+strtolower\s+\(\s+\$.+?\=strtoupper\s+\(\$.+?\]\)\s+\)\{eval\s+\(\$([A-z0-9]{1,10})\(\$\{\s+\$([A-z0-9]{1,10})\s+\}\s+\[\'([A-z0-9]{1,10})\'\]\)\)\s+\;\}\?>/is,
 qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=.+?\$([A-z0-9]{1,10})\=\s+strtolower.+?if\s+\(\s+isset\s+\(\s+\$\{\$([A-z0-9]{1,10})\s+\}\s+\[\'([A-z0-9]{1,10})\'\s+\]\)\s+\)\{eval\s+\(\$([A-z0-9]{1,10})\(\$\{\s+\$([A-z0-9]{1,10})\s+\}\s+\[\'([A-z0-9]{1,10})\'\]\)\)\s+\;\}\?>/is,
 qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\"([A-z0-9]{1,10})\_([A-z0-9]{1,10})\".+?if\s+\(\s+isset\s+\(\s+\$\{\$([A-z0-9]{1,10})\}\[\'([A-z0-9]{1,10})\'\s+\]\)\)\s+\{eval\(\s+\$\{\s+\$([A-z0-9]{1,10})\s+\}\s+\[\'([A-z0-9]{1,10})\'\s+\]\s+\)\s+\;\}\?>/is,