Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new patterns

Browse Source
This commit is contained in:
Palma Solutions LTD
2018-04-13 12:17:57 +02:00
parent 6f48a647a5
commit 81ae301a89
1 changed files with 8 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
malware5.pl
View File

@@ -192,7 +192,14 @@ my @regexen = (
qr/<\?php\s+if\s+\(\$\_REQUEST\[.+?\$in\_data\s+\=\s+base64\_decode\(\$\_REQUEST\[\'query\'\]\)\;.+?\{echo\s+\'bad\s+request\'\;\}.+?\}\s+else\s+\{echo\s+\'not\s+found\'\;\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;.+?\=\s+stripslashes\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;.+?\}\s+else\s+\{echo\s+\'([A-z0-9]{1,20})\s+\:\s+\'\s+\.\s+\$([A-z0-9]{1,20})\;\}/is,
qr/<\?php\s+header\(\"HTTP\/1\.0\s+404\s+Not\s+Found\"\)\;.+?if\(\!empty\(\$\_REQUEST\[\$.+?\=\"ass\"\.\/\*\;\$\w\=\*\/\"ert\"\;\@\$\w\(stripslashes\(\$\_REQUEST\[\$.+?\]\)\)\;\}else\@unlink\(\_\_FILE\_\_\)\;.+?\/\/([A-z0-9]{5,})\s+\?>/is,
qr/<\?php\s+\$.+?\=\s+\'st\'\.\'rr\'\.\'ev\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\(\'eta\'\.\'lfn\'\.\'izg\'\)\;eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$.+?\(\'\'\,\$([A-z0-9]{1,20})\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'gzu\'\.\s+\'nco\'\.\s+\'mpr\'\.\s+\'ess\'\;\$([A-z0-9]{1,20})\s+\=\s+\'b\'\s+\.\'a\'\s+\.\'s\'\s+\.\'e\'\s+\.\'6\'\s+\.\'4\'\s+\.\'\_\'\s+\.\'d\'\s+\.\'e\'\s+\.\'c\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'\;\$([A-z0-9]{1,20})\s+\=\s+\'imp\'\s+\.\'lod\'\s+\.\'e\'\;\$.+?\=\s+array\(.+?\)\;\s+eval\(\s+\$([A-z0-9]{1,20})\s+\(\$([A-z0-9]{1,20})\s+\(\$([A-z0-9]{1,20})\s+\(\'\'\,\$.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$.+?\=\s+\'gzu\'\.\s+\'nco\'\.\s+\'mpr\'\.\s+\'ess\'\;\$([A-z0-9]{1,20})\s+\=\s+\'ba\'\s+\.\'se\'\s+\.\'64\'\s+\.\'\_d\'\s+\.\'ec\'\s+\.\'od\'\s+\.\'e\'\;\$([A-z0-9]{1,20})\s+\=\s+\'imp\'\s+\.\'lod\'\s+\.\'e\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\)\;\s+eval\(\s+\$.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$.+?\=\s+\'s\'\.chr\(.+?\)\.\'rrev\'\;\$.+?\=\s+array\(.+?\(\'e\'\.\'t\'\.\'a\'\.\'l\'\.\'f\'\.\'n\'\.\'i\'\.\'z\'\.\'g\'\)\;eval\(\$.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?array\(\'base\'\s+\,\'64\_d\'\s+\,\'ecod\'\s+\,\'e\'\)\;\s+\$.+?\=\s+array\(\'gzun\'\,\s+\'comp\'\,\s+\'ress\'\)\s+\;\$.+?eval\s+\(\s+\$.+?\)\s+\)\s+\)\s+\)\s+\;\s+\?>/is,
qr/<\?php\s+\$.+?\)\.\'rev\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\(\'edo\'\.\'lpm\'\.\'i\'\)\;\$.+?\(\'eta\'\.\'lfn\'\.\'izg\'\)\;eval\(\$.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'st\'\.\'rr\'\.\'ev\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\(\'edo\'\.\'ced\'\.\'\_46\'\.\'esa\'\.\'b\'\)\;\$.+?\(\'edo\'\.\'lpm\'\.\'i\'\)\;\$.+?\)\;eval\(\$.+?\)\)\)\)\;\s+\?>/is,
);