Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new patterns

Browse Source
This commit is contained in:
Palma Solutions LTD
2018-04-27 13:37:57 +02:00
parent 89afa2aad7
commit 6c7adf5176
2 changed files with 14 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
malware5.pl
View File

@@ -298,7 +298,12 @@ my @regexen = (
qr/<\?php.+?wpsupercache.+?function\s+injectscr\_hide\(\$plugins\)\s+\{.+?add\_filter\(\'all\_plugins\'\,\s+\'injectscr\_hide\'\)\;/is,
qr/<script\s+data\-cfasync\=\'false\'\s+type\=\'text\/javascript\'>\s+eval\(function\(p\,a\,c\,k\,e\,d\)\{e\=function\(c\)\{return\(c<a\?\'\'\:e\(parseInt\(c\/a\)\)\).+?split\(\'\|\'\)\,0\,\{\}\)\)\s+<\/script>/is,
qr/<\?php\s+if\s+\(isset\(\$\_POST\[\'upload\'\]\)\)\{.+?if\s+\(move\_uploaded\_file\(\$\_FILES\[\'uploadfile\'\]\[\'tmp\_name\'\]\,\s+\$uploadfile\)\).+?else\s+\{header\(\'Location\:\s+\.\.\/\.\.\/\'\)\;\}\s+\?>/is,
qr/<\?php\s+Error\_Reporting\(0\)\;\s+\$([A-z0-9]{1,20})\=\".+?\"\;preg\_replace\(\"\/\.\*\/e\"\,\"\\x\d\d.+?\\x3B\"\,\"\.\"\)\;\s+return\;\s+\?>/is,
qr/<\?php\s+\$\{\"\\x47LOB.+?\@ini\_set\(\"\\x65.+?WSOsetcookie\(md5\(\$\_SERVER\[.+?\.\$\_POST\[\"a\"\]\)\;exit\;\s+\?>/is,
qr/<\?php\s+Error\_Reporting\(0\)\;\s+\$buffer\s+\=.+?\$newphrase\=str\_replace\(\$.+?eval\(\$\_b\(\$newphrase\)\)\;\s+\?>/is,
qr/<\?php\s+Error\_Reporting\(0\)\;\s+\$s\_pass\s+\=.+?b374k.+?\,\$s\_pass\)\;\?>/is,
qr/<\?php\s+Error\_Reporting\(0\)\;\s+\$([A-z0-9]{1,20})\=.+?\\x3B\"\,\"\.\"\)\;return\;\s+\?>/is,
qr/<\?php\s+echo\s+\"<html><head>.+?echo\s+\"<\!\-\-\s+g\(\'FilesMan\'\,\'c\:\/\'\)\s+\-\-\!>\"\;.+?function\s+wscandir\(\$cwdir\)\s+\{.+?echo\s+\"<\/body><\/html>\"\;/is,
);

10
malwaresh.pl
View File

@@ -778,8 +778,14 @@ my @regexen = (
qr/<\?php.+?wpsupercache.+?function\s+injectscr\_hide\(\$plugins\)\s+\{.+?add\_filter\(\'all\_plugins\'\,\s+\'injectscr\_hide\'\)\;/is,
qr/<script\s+data\-cfasync\=\'false\'\s+type\=\'text\/javascript\'>\s+eval\(function\(p\,a\,c\,k\,e\,d\)\{e\=function\(c\)\{return\(c<a\?\'\'\:e\(parseInt\(c\/a\)\)\).+?split\(\'\|\'\)\,0\,\{\}\)\)\s+<\/script>/is,
qr/<\?php\s+if\s+\(isset\(\$\_POST\[\'upload\'\]\)\)\{.+?if\s+\(move\_uploaded\_file\(\$\_FILES\[\'uploadfile\'\]\[\'tmp\_name\'\]\,\s+\$uploadfile\)\).+?else\s+\{header\(\'Location\:\s+\.\.\/\.\.\/\'\)\;\}\s+\?>/is,
qr/<\?php\s+Error\_Reporting\(0\)\;\s+\$([A-z0-9]{1,20})\=\".+?\"\;preg\_replace\(\"\/\.\*\/e\"\,\"\\x\d\d.+?\\x3B\"\,\"\.\"\)\;\s+return\;\s+\?>/is,
qr/<\?php\s+\$\{\"\\x47LOB.+?\@ini\_set\(\"\\x65.+?WSOsetcookie\(md5\(\$\_SERVER\[.+?\.\$\_POST\[\"a\"\]\)\;exit\;\s+\?>/is,
qr/<\?php\s+Error\_Reporting\(0\)\;\s+\$buffer\s+\=.+?\$newphrase\=str\_replace\(\$.+?eval\(\$\_b\(\$newphrase\)\)\;\s+\?>/is,
qr/<\?php\s+Error\_Reporting\(0\)\;\s+\$s\_pass\s+\=.+?b374k.+?\,\$s\_pass\)\;\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+\$ver\s+\=\s+\'6\.6\.6\'\;.+?exit\(\'Access\s+Denied\'\)\;.+?if\s+\(\$cracktrack\s+\!\=\s+\$checkworm\)\s+die\(\"\"\)\;\s+\}\s+\?>/is,
qr/<\?php\s+Error\_Reporting\(0\)\;\s+\$([A-z0-9]{1,20})\=.+?\\x3B\"\,\"\.\"\)\;return\;\s+\?>/is,
qr/<\?php\s+echo\s+\"<html><head>.+?echo\s+\"<\!\-\-\s+g\(\'FilesMan\'\,\'c\:\/\'\)\s+\-\-\!>\"\;.+?function\s+wscandir\(\$cwdir\)\s+\{.+?echo\s+\"<\/body><\/html>\"\;/is,
);