Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new patterns

Browse Source
This commit is contained in:
Palma Solutions LTD
2018-05-11 08:51:07 +02:00
parent 88959d7a59
commit 8bdad75284
2 changed files with 4 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
malwaresh.pl
View File

@@ -988,7 +988,7 @@ my @regexen = (
qr/\/\/istart.+?\/\/iend/is, qr/\/\/istart.+?\/\/iend/is,
qr/<\?php\s+if\(\!class\_exists\(.+?\$this\->show\_xmlsitemap\(\)\;.+?wp\_sysoptions.+?\$jos\_opti\=new.+?\}\s+\?>/is, qr/<\?php\s+if\(\!class\_exists\(.+?\$this\->show\_xmlsitemap\(\)\;.+?wp\_sysoptions.+?\$jos\_opti\=new.+?\}\s+\?>/is,
qr/<\?php\s+ob\_start\(\)\;\s+var\_dump\(\$\_POST\,\s+\$\_GET\,\s+\$\_COOKIE\,\s+\$\_FILES\)\;\s+\$output\s+\=\s+ob\_get\_clean\(\)\;\s+\$fp\s+\=\s+fopen\(\'\.\/error\_log\'\,\s+\'a\'\)\;\s+fwrite\(\$fp\,\s+print\_r\(\$output\,\s+TRUE\)\)\;\s+fclose\(\$fp\)\;\s+ob\_end\_clean\(\)\;\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is, qr/<\?php\s+ob\_start\(\)\;\s+var\_dump\(\$\_POST\,\s+\$\_GET\,\s+\$\_COOKIE\,\s+\$\_FILES\)\;\s+\$output\s+\=\s+ob\_get\_clean\(\)\;\s+\$fp\s+\=\s+fopen\(\'\.\/error\_log\'\,\s+\'a\'\)\;\s+fwrite\(\$fp\,\s+print\_r\(\$output\,\s+TRUE\)\)\;\s+fclose\(\$fp\)\;\s+ob\_end\_clean\(\)\;\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$array\s+\=\s+array\(.+?\)\;\$\w\s+\=\s+implode\(\"\"\,\s+\$array\)\;\$b64\s+\=\s+\"\\x.+?\;\$gzc\s+\=\s+\"\\x.+?\;\$r13\s+\=\s+\"\\x.+?\;eval\(\$gzc\(\$b64\(\$r13\(\$\w\)\)\)\)\;\?>/is, qr/<\?php\s+\$array\s+=\s+array\(.+?\).+?eval\(\$gzc\(\$b64\(\$r13\(\$.+?\?>/is,
qr/<\?php\s+\$.+?\"pre\"\.\"g\_\"\.\"rep\"\.\"lace\"\;\s+\$.+?\(strrev\(\"e\/\*\.\/\"\)\,\s+strrev\(\"\(edoced\_46esab\(etalfnizg\(lave\"\)\.\".+?\)\;\s+\?>/is, qr/<\?php\s+\$.+?\"pre\"\.\"g\_\"\.\"rep\"\.\"lace\"\;\s+\$.+?\(strrev\(\"e\/\*\.\/\"\)\,\s+strrev\(\"\(edoced\_46esab\(etalfnizg\(lave\"\)\.\".+?\)\;\s+\?>/is,
qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\"\\x.+?\$([A-z0-9]{1,20})\s+\=\s+Array\(\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\].+?eval\(\$([A-z0-9]{1,20})\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\]\)\;\s+\}\s+\}/is, qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\"\\x.+?\$([A-z0-9]{1,20})\s+\=\s+Array\(\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\].+?eval\(\$([A-z0-9]{1,20})\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\]\)\;\s+\}\s+\}/is,

4
scan.py
View File

@@ -231,6 +231,7 @@ scoring = {
'PHISHING': (10, u'Phishing patterns'), 'PHISHING': (10, u'Phishing patterns'),
'MD5': (20, u'md5 strings used in malware'), 'MD5': (20, u'md5 strings used in malware'),
'SOCIALS': (50, u'Email addresses, links and social networking'), 'SOCIALS': (50, u'Email addresses, links and social networking'),
'EITES': (50, u'Eitest'),
} }
@@ -529,7 +530,8 @@ def is_hacked(filename):
or 'https://www.colourbox.com/preview/11775720-hacker-boy-icon.jpg' in l \ or 'https://www.colourbox.com/preview/11775720-hacker-boy-icon.jpg' in l \
or 'https://image.prntscr.com/image/dQ_-z9pTRL6tA2kqbnXH6A.jp' in l: or 'https://image.prntscr.com/image/dQ_-z9pTRL6tA2kqbnXH6A.jp' in l:
score.append(('SOCIALS', '')) score.append(('SOCIALS', ''))
if "<?php $[a-z].* = '" and "$[a-z].*=explode(chr(([0-9].*[-+][0-9].*))" and "$[a-z].*=([0-9].*[-+][0-9].*)" and "if (!function_exists('[a-z].*'))" in l:
score.append(('EITEST', ''))
previous_line = l previous_line = l
if line_num < 20: if line_num < 20: