new patterns
This commit is contained in:
Palma Solutions LTD
parent
37733348aa
commit
8e704697ef
@ -498,6 +498,8 @@ my @regexen = (
|
||||
qr/<\?php\s+\/\*\*\s+\*\s+Leaf.+?\$sessioncode\s+\=\s+md5\(\_\_FILE\_\_\)\;.+?Leaf\s+PHPMailer.+?\}\s+print\s+\'<\/body>\'\;\s+\?>/is,
|
||||
qr/<title>Hacked\s+By\s+Dr34mCyb3r.+?<\/style>\s+<div\s+class\=\"video\-background.+?allowfullscreen><\/iframe>/is,
|
||||
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'ba\'\.\'se64\_dec\'\.\'o\'\.\'d\'\.\'e\'\.\'\'\;\s+\@eval\(\$([A-z0-9]{1,20})\(.+?\)\)\;/is,
|
||||
|
||||
|
||||
);
|
||||
|
||||
my @base64_decodes = (
|
||||
|
||||
@ -284,6 +284,11 @@ my @regexen = (
|
||||
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'.+?64\_d.+?array\(.+?eval.+?\$([A-z0-9]{1,20}).+?\?>/is,
|
||||
qr/<\?php.+?\$color\s+\=\s+\"\#df5\"\;.+?FilesMan.+?\?>/is,
|
||||
qr/<\?php\s+\@preg\_replace\(\"\/\[pageerror\]\/e\"\,\$\_POST\[\'([A-z0-9]{1,20})\'\]\,\"([A-z0-9]{1,20})\"\)\;\s+\?>/is,
|
||||
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\s+\=\s+str\_replace\(\"\w\"\,\"\"\,\"s\wtr\w\_\wr\we\wpl\wa\wc\we\"\)\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\=\=\"\;\s+\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\(\"\w\"\,\s+\"\"\,\s+\"\wb\wa\ws\we6\w4\w_d\we\wco\wde\"\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\(\"\w\"\,\"\"\,\"cr\we\wat\we\w\_\wf\wu\wnc\wt\wi\won\"\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\(\'\'\,\s+\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\"\w\"\,\s+\"\"\,\s+\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\)\)\)\;\s+\/\/\$([A-z0-9]{1,20})\(\)\;\s+\?>/is,
|
||||
qr/<\?php\s+\/\*\*\*\*find\s+config\s+files\*\*\*\*\/.+?if\s+\(\!\$ErrorMsg\)\{.+?\}\s+\?>/is,
|
||||
qr/<\?php\s+\$wphash.+?\$rootpath\s+\=\s+preg\_replace\(\'\/\(htdocs\|httpdocs\|www\).+?\$ErrorMsg\s+\=\s+mysql\_error\(\)\;.+?\}\s+\?>/is,
|
||||
qr/<\?php\s+\$auth\_pass\s+\=.+?\(base64\_decode\(.+?\)\;\$\_\=create\_function\(\"\"\,\@gzuncompress\(\$\_\_\)\)\;\$\_\(\)\;\?>/is,
|
||||
|
||||
);
|
||||
|
||||
my @base64_decodes = (
|
||||
|
||||
@ -763,7 +763,12 @@ my @regexen = (
|
||||
qr/<\?php\s+\$.+?\=\s+array\(\'.+?array\(\'ba\'\s+\,\'se\'\s+\,\'64\'\s+\,\'\_d\'\s+\,\'ec\'\s+\,\'od\'\s+\,\'e\'\)\;\s+\$.+?array\(\'gz\'\,\s+\'un\'\,\s+\'co\'\,\s+\'mp\'\,\s+\'re\'\,\s+\'ss\'\)\s+\;\$.+?eval.+?\?>/is,
|
||||
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'.+?64\_d.+?array\(.+?eval.+?\$([A-z0-9]{1,20}).+?\?>/is,
|
||||
qr/<\?php.+?\$color\s+\=\s+\"\#df5\"\;.+?FilesMan.+?\?>/is,
|
||||
qr/<\?php\s+\@preg\_replace\(\"\/\[pageerror\]\/e\"\,\$\_POST\[\'([A-z0-9]{1,20})\'\]\,\"([A-z0-9]{1,20})\"\)\;\s+\?>/is,
|
||||
qr/<\?php\s+\@preg\_replace\(\"\/\[pageerror\]\/e\"\,\$\_POST\[\'([A-z0-9]{1,20})\'\]\,\"([A-z0-9]{1,20})\"\)\;\s+\?>/is,
|
||||
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\s+\=\s+str\_replace\(\"\w\"\,\"\"\,\"s\wtr\w\_\wr\we\wpl\wa\wc\we\"\)\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\=\=\"\;\s+\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\(\"\w\"\,\s+\"\"\,\s+\"\wb\wa\ws\we6\w4\w_d\we\wco\wde\"\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\(\"\w\"\,\"\"\,\"cr\we\wat\we\w\_\wf\wu\wnc\wt\wi\won\"\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\(\'\'\,\s+\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\"\w\"\,\s+\"\"\,\s+\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\)\)\)\;\s+\/\/\$([A-z0-9]{1,20})\(\)\;\s+\?>/is,
|
||||
qr/<\?php\s+\/\*\*\*\*find\s+config\s+files\*\*\*\*\/.+?if\s+\(\!\$ErrorMsg\)\{.+?\}\s+\?>/is,
|
||||
qr/<\?php\s+\$wphash.+?\$rootpath\s+\=\s+preg\_replace\(\'\/\(htdocs\|httpdocs\|www\).+?\$ErrorMsg\s+\=\s+mysql\_error\(\)\;.+?\}\s+\?>/is,
|
||||
qr/<\?php\s+\$auth\_pass\s+\=.+?\(base64\_decode\(.+?\)\;\$\_\=create\_function\(\"\"\,\@gzuncompress\(\$\_\_\)\)\;\$\_\(\)\;\?>/is,
|
||||
|
||||
|
||||
|
||||
);
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user