new patterns

Palma Solutions LTD 2018-06-17 06:41:23 +02:00
parent 616e2fa4b3
commit 71ae2b980f
2 changed files with 8 additions and 3 deletions


@ -204,6 +204,10 @@ my @regexen = (
qr/<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4\.01 Transitional\/\/EN\">\s+<html>\s+<head>\s+<title>.+?<body style=\"visibility:hidden\" onload=\"unhideBody\(\)\">.+?src=\"images\/apl\.gif\" alt=\"\" title=\"\" border=0 width=77 height=77><\/div>\s+<\/div>\s+<\/body>\s+<\/html>/is,
qr/<\?\s+include\(\'blocker\.php\'\);\s+\$DIR=md5\(rand\(0,100000000000\)\);.+?fwrite\(\$file,\$ip\.\" - \"\.gmdate \(\"Y-n-d\"\)\.\" \@ \"\.gmdate \(\"H:i:s\"\)\.\"\\n\"\);\s+\?>/is,
qr/<\?php\s+\$hostname = gethostbyaddr\(\$_SERVER\[\'REMOTE_ADDR\'\]\);\s+\$blocked_words = array\(\"above\",\"google\",\"softlayer\",\"amazonaws\",\"cyveillance\",\"phishtank\",\"dreamhost\",\"netpilot\",\"calyxinstitute\",\"tor-exit\", \"paypal\"\);.+?foreach\(\$bannedIP as \$ip\) \{\s+if\(preg_match\(\'\/\' \. \$ip \. \'\/\',\$_SERVER\[\'REMOTE_ADDR\'\]\)\)\{\s+header\(\'HTTP\/1\.0 404 Not Found\'\);.+?\'facebookexternalhit\'\) !== false\) \{ header\(\'HTTP\/1\.0 404 Not Found\'\); exit; \}\s+\?>/is,
qr/<\?php error_reporting\(0\);\$([A-z0-9_=]{1,20})=\"([A-z0-9_=]{1,20})\";eval\(base64_decode\(\"([A-z0-9_=]{1,20}).+?([A-z0-9_=]{1,20})\"\)\); \?>/is,
qr/<\?php\s+\$([A-z0-9_=]{1,3}) = \"([A-z0-9_=]{20,}).+?\$_REQUEST\[\'([A-z0-9_=]{1,20})\'\]\(\"\{\$_REQUEST\[\'([A-z0-9_=]{1,20})\'\]\}\(\{\$_REQUEST\[\'([A-z0-9_=]{1,20})\'\]\}\(\'\{\$([A-z0-9_=]{1,3})\}\'\)\);\"\);\s+\?>/is,
qr/<form action=\"\" method=\"post\"><input type=\"text\" name=\"_f__f\" value=\"\"\/><input type=\"submit\" value=\"&gt;\"\/><\/form>/is,
qr/<\?php copy\(\'http:\/\/dl\.dropboxusercontent\.com\/s\/([A-z0-9_=]{1,20})\/([A-z0-9_=]{1,20})\.zip\',\'([A-z0-9_=]{1,20})\.php\'\);exit; ?>/is,
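Review bot: The last pattern in this section ends with `exit; ?>/is`, where the `?` is unescaped, so it makes the preceding space optional instead of matching the literal PHP closing tag; as written it only matches `exit;>` or `exit; >` and can never match a file that ends in `exit; ?>`. Every other pattern shown here escapes the tag as `\?>`, so the tail should read `exit; \?>/is`. The identical line closes the second file section and needs the same fix. The pattern also pins the scheme to `http:`, so `https?:` would keep the signature from missing the same dropper when the archive is fetched over TLS. The `my @regexen` list starts and ends outside this hunk.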


@ -1191,9 +1191,10 @@ my @regexen = (
qr/<!DOCTYPE HTML PUBLIC \"-\/\/W3C\/\/DTD HTML 4\.01 Transitional\/\/EN\">\s+<html>\s+<head>\s+<title>.+?<body style=\"visibility:hidden\" onload=\"unhideBody\(\)\">.+?src=\"images\/apl\.gif\" alt=\"\" title=\"\" border=0 width=77 height=77><\/div>\s+<\/div>\s+<\/body>\s+<\/html>/is,
qr/<\?\s+include\(\'blocker\.php\'\);\s+\$DIR=md5\(rand\(0,100000000000\)\);.+?fwrite\(\$file,\$ip\.\" - \"\.gmdate \(\"Y-n-d\"\)\.\" \@ \"\.gmdate \(\"H:i:s\"\)\.\"\\n\"\);\s+\?>/is,
qr/<\?php\s+\$hostname = gethostbyaddr\(\$_SERVER\[\'REMOTE_ADDR\'\]\);\s+\$blocked_words = array\(\"above\",\"google\",\"softlayer\",\"amazonaws\",\"cyveillance\",\"phishtank\",\"dreamhost\",\"netpilot\",\"calyxinstitute\",\"tor-exit\", \"paypal\"\);.+?foreach\(\$bannedIP as \$ip\) \{\s+if\(preg_match\(\'\/\' \. \$ip \. \'\/\',\$_SERVER\[\'REMOTE_ADDR\'\]\)\)\{\s+header\(\'HTTP\/1\.0 404 Not Found\'\);.+?\'facebookexternalhit\'\) !== false\) \{ header\(\'HTTP\/1\.0 404 Not Found\'\); exit; \}\s+\?>/is,
qr/<\?php error_reporting\(0\);\$([A-z0-9_=]{1,20})=\"([A-z0-9_=]{1,20})\";eval\(base64_decode\(\"([A-z0-9_=]{1,20}).+?([A-z0-9_=]{1,20})\"\)\); \?>/is,
qr/<\?php\s+\$([A-z0-9_=]{1,3}) = \"([A-z0-9_=]{20,}).+?\$_REQUEST\[\'([A-z0-9_=]{1,20})\'\]\(\"\{\$_REQUEST\[\'([A-z0-9_=]{1,20})\'\]\}\(\{\$_REQUEST\[\'([A-z0-9_=]{1,20})\'\]\}\(\'\{\$([A-z0-9_=]{1,3})\}\'\)\);\"\);\s+\?>/is,
qr/<form action=\"\" method=\"post\"><input type=\"text\" name=\"_f__f\" value=\"\"\/><input type=\"submit\" value=\"&gt;\"\/><\/form>/is,
qr/<\?php copy\(\'http:\/\/dl\.dropboxusercontent\.com\/s\/([A-z0-9_=]{1,20})\/([A-z0-9_=]{1,20})\.zip\',\'([A-z0-9_=]{1,20})\.php\'\);exit; ?>/is,
);
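Review bot: The character class `[A-z0-9_=]` used in the obfuscated-PHP patterns of this section spans the whole ASCII range from `A` to `z`, which also admits `[`, `\`, `]`, `^` and the backtick, so the identifier matches are looser than they read; `[A-Za-z0-9_=]` states what appears to be intended. None of the capture groups is referenced again inside its pattern, so unless the caller reads `$1` and friends, `(?:...)` or plain unparenthesised classes would avoid needless capture work on large files. The same class appears in the first file section. A short comment above each signature naming the kit or sample it was derived from would make later pruning and false-positive triage much easier, for example `# PHP dropper: copy() of remote .zip to local .php`.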