Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new patterns

Browse Source
This commit is contained in:
Palma Solutions LTD
2018-05-14 07:30:24 +02:00
parent 743c931fe6
commit 7fde429cfe
2 changed files with 18 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
malware5.pl
View File

@@ -517,12 +517,19 @@ my @regexen = (
qr/<\?php\s+\$login\_successful\s+\=\s+false\;.+?function\s+selfURL\(\)\s+\{.+?if\(eregi\(\"Linux\"\,\$OSV\)\).+?\$proxy\_shit\=.+?\$([A-z0-9]{1,20})\s+\=\s+urlencode\(\$\w\)\;\s+\?>/is,
qr/<script>\s+var\s+\_0x([A-z0-9]{1,10})\=\[.+?\(\)\;\"\,\"\\x([A-z0-9]{2})\"\,\"\\x([A-z0-9]{2})\\x([A-z0-9]{2})\\x([A-z0-9]{2})\\x([A-z0-9]{2})\\x([A-z0-9]{2})\"\,\"\\x([A-z0-9]{2}).+?\]\;eval\(function\(\_0x.+?\]\)\,0\,\{\}\)\)\s+<\/script>/is,
qr/<\?php\s+\/\/3Turr\~C0nfig\s+public\s+edition.+?\@symlink\(\'\/\'\,\s+\'Turr\/root\'\)\;.+?<\/html>\'\;\s+\}\s+\?>/is,
qr/<font\s+id=\"([A-z0-9]{1,10})\"\s+color=\"\#00FFFF\"\s+style=\"width:\s+0;\s+height:\s+0;overflow:\s+hidden;\s+font-family:courier;\s+position:\s+absolute;\s+font-size:\d\dpx\"><a\s+href=http:\/\/.+?(viagra|pharmacy|cialis|levitra).+?<\/a><\/font>/is,
qr/<font\s+id=\"([A-z0-9]{1,20})\"\s+color=\"\#00FFFF\"\s+style=\"width:\s+0;\s+height:\s+0;overflow:\s+hidden;\s+font-family:courier;\s+position:\s+absolute;\s+font-size:\d\dpx\"><a\s+href=http:\/\/.+?(viagra|pharmacy|cialis|levitra).+?<\/a><\/font>/is,
qr/<\?php.+?--==\[\[BSKH Auto Symlink\]\]==--.+?gzinflate\(base64\_decode\(\$.+?\}eval\(.+?\)\);\s+\?>/is,
qr/<\?php\s+\@error_reporting\(0\);\s+\@set_time_limit\(0\);\s+\$code = \".+?\";\s+\@\s+\?>/is,
qr/;tixe.+?;\)0\(emitnur_setouq_cigam_tes\@.+?\" = ssap_htua\$/is,
qr/<span style=\"font-size:5px; font-style:italic; font-family:Arial; width:\d\dpx; display:none; color:violet;\">\s+<a href=http:\/\/.+?(viagra|cialis|levitra).+?<\/a>\s+<\/span>/is,
qr/<?php if \(isset\(\$_GET\[\"CONFIG\"\]\)\) if \(.+?md5\(\$_GET\[\"CONFIG\"\]\)\)\{.+?if\(is_uploaded_file\/\*;\*\/\(\$_FILES\[.+?\]\)\)\{move_uploaded_file\/\*;\*\/\(\$_FILES\[.+?\);return null;\} \?>/is,
qr/<\?php extract\(\$_REQUEST\) \&\& \@assert\(stripslashes\(\$([A-z0-9]{1,20})\)\) \&\& exit;/is,
qr/<\?php.+?if\(\!function_exists\(\"scandir\"\)\) \{.+?\$currentCMD = str_replace\(.+?Command completed.+?exit;\s+\?>/is,
qr/<\?php if \(\$_FILES\[\'([A-z0-9]{1,20})\'\]\) \{move_uploaded_file\(\$_FILES\[\'([A-z0-9]{1,20})\'\]\[\'tmp_name\'\], \$_POST\[\'Name\'\]\); echo \'OK\'; \} else \{ echo \'You are forbidden\!\'; \} \?>/is,
qr/<\?php if\( isset\( \$_REQUEST\[\"\w\"\] \) \) \{ system\( \$_REQUEST\[\"\w\"\] \. \" 2>\&1\" \); \}/is,
qr/<\?php.+?Hacked by Ammar The-InJx.+?return \$info;\s+\}\s+\?>/is,
qr/<\?php\s+if\(\!class_exists\(\'.+?\{\$is_bot=1;\}\$bad_file=array\(\"png.+?AND\@preg_match\(\'\/bing\|msn.+?urldecode\(.+?\\x\w\w\"\]\(\);\?>/is,
qr/<\?php \$([A-z0-9]{1,20})=\"([A-z0-9]{20,}).+?\$([A-z0-9]{1,20}) = str_replace\(\"b\",\"\",\"bsbtbrb_rbebpblacbe\"\); \$([A-z0-9]{1,20})=\"([A-z0-9]{20,}).+?\$([A-z0-9]{1,20}) = \$([A-z0-9]{1,20})\(\"q\", \"\", \"qbaqsqeq6q4q_qdqecoqde\"\); \$([A-z0-9]{1,20}) = \$([A-z0-9]{1,20})\(\"z\",\"\",\"crzezatez_fzunctzizon\"\); \$([A-z0-9]{1,20}) = \$([A-z0-9]{1,20})\(\"\", \$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\"([A-z0-9]{1,20})\", \"\", \$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\)\)\); \$([A-z0-9]{1,20})\(\); \?>/is,
);

10
malwaresh.pl
View File

@@ -1000,11 +1000,19 @@ my @regexen = (
qr/<\?php\s+\$login\_successful\s+\=\s+false\;.+?function\s+selfURL\(\)\s+\{.+?if\(eregi\(\"Linux\"\,\$OSV\)\).+?\$proxy\_shit\=.+?\$([A-z0-9]{1,20})\s+\=\s+urlencode\(\$\w\)\;\s+\?>/is,
qr/<script>\s+var\s+\_0x([A-z0-9]{1,10})\=\[.+?\(\)\;\"\,\"\\x([A-z0-9]{2})\"\,\"\\x([A-z0-9]{2})\\x([A-z0-9]{2})\\x([A-z0-9]{2})\\x([A-z0-9]{2})\\x([A-z0-9]{2})\"\,\"\\x([A-z0-9]{2}).+?\]\;eval\(function\(\_0x.+?\]\)\,0\,\{\}\)\)\s+<\/script>/is,
qr/<\?php\s+\/\/3Turr\~C0nfig\s+public\s+edition.+?\@symlink\(\'\/\'\,\s+\'Turr\/root\'\)\;.+?<\/html>\'\;\s+\}\s+\?>/is,
qr/<font\s+id=\"([A-z0-9]{1,10})\"\s+color=\"\#00FFFF\"\s+style=\"width:\s+0;\s+height:\s+0;overflow:\s+hidden;\s+font-family:courier;\s+position:\s+absolute;\s+font-size:\d\dpx\"><a\s+href=http:\/\/.+?(viagra|pharmacy|cialis|levitra).+?<\/a><\/font>/is,
qr/<font\s+id=\"([A-z0-9]{1,20})\"\s+color=\"\#00FFFF\"\s+style=\"width:\s+0;\s+height:\s+0;overflow:\s+hidden;\s+font-family:courier;\s+position:\s+absolute;\s+font-size:\d\dpx\"><a\s+href=http:\/\/.+?(viagra|pharmacy|cialis|levitra).+?<\/a><\/font>/is,
qr/<\?php.+?--==\[\[BSKH Auto Symlink\]\]==--.+?gzinflate\(base64\_decode\(\$.+?\}eval\(.+?\)\);\s+\?>/is,
qr/<\?php\s+\@error_reporting\(0\);\s+\@set_time_limit\(0\);\s+\$code = \".+?\";\s+\@\s+\?>/is,
qr/;tixe.+?;\)0\(emitnur_setouq_cigam_tes\@.+?\" = ssap_htua\$/is,
qr/<span style=\"font-size:5px; font-style:italic; font-family:Arial; width:\d\dpx; display:none; color:violet;\">\s+<a href=http:\/\/.+?(viagra|cialis|levitra).+?<\/a>\s+<\/span>/is,
qr/<?php if \(isset\(\$_GET\[\"CONFIG\"\]\)\) if \(.+?md5\(\$_GET\[\"CONFIG\"\]\)\)\{.+?if\(is_uploaded_file\/\*;\*\/\(\$_FILES\[.+?\]\)\)\{move_uploaded_file\/\*;\*\/\(\$_FILES\[.+?\);return null;\} \?>/is,
qr/<\?php extract\(\$_REQUEST\) \&\& \@assert\(stripslashes\(\$([A-z0-9]{1,20})\)\) \&\& exit;/is,
qr/<\?php.+?if\(\!function_exists\(\"scandir\"\)\) \{.+?\$currentCMD = str_replace\(.+?Command completed.+?exit;\s+\?>/is,
qr/<\?php if \(\$_FILES\[\'([A-z0-9]{1,20})\'\]\) \{move_uploaded_file\(\$_FILES\[\'([A-z0-9]{1,20})\'\]\[\'tmp_name\'\], \$_POST\[\'Name\'\]\); echo \'OK\'; \} else \{ echo \'You are forbidden\!\'; \} \?>/is,
qr/<\?php if\( isset\( \$_REQUEST\[\"\w\"\] \) \) \{ system\( \$_REQUEST\[\"\w\"\] \. \" 2>\&1\" \); \}/is,
qr/<\?php.+?Hacked by Ammar The-InJx.+?return \$info;\s+\}\s+\?>/is,
qr/<\?php\s+if\(\!class_exists\(\'.+?\{\$is_bot=1;\}\$bad_file=array\(\"png.+?AND\@preg_match\(\'\/bing\|msn.+?urldecode\(.+?\\x\w\w\"\]\(\);\?>/is,
qr/<\?php \$([A-z0-9]{1,20})=\"([A-z0-9]{20,}).+?\$([A-z0-9]{1,20}) = str_replace\(\"b\",\"\",\"bsbtbrb_rbebpblacbe\"\); \$([A-z0-9]{1,20})=\"([A-z0-9]{20,}).+?\$([A-z0-9]{1,20}) = \$([A-z0-9]{1,20})\(\"q\", \"\", \"qbaqsqeq6q4q_qdqecoqde\"\); \$([A-z0-9]{1,20}) = \$([A-z0-9]{1,20})\(\"z\",\"\",\"crzezatez_fzunctzizon\"\); \$([A-z0-9]{1,20}) = \$([A-z0-9]{1,20})\(\"\", \$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\"([A-z0-9]{1,20})\", \"\", \$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\)\)\); \$([A-z0-9]{1,20})\(\); \?>/is,