diff --git a/malware5.pl b/malware5.pl index 5c20912..22fe55c 100644 --- a/malware5.pl +++ b/malware5.pl @@ -72,7 +72,22 @@ my @regexen = ( qr/<\?php\s+assert\_options\(ASSERT\_WARNING\,0\)\;.+?function\s+hex2ascii\(\$.+?\'e\'\.\'\'\.\'\'\.\'\'\.\'\'\.\'.+?\.\'\'\.\'\'\.\'\'\.\'v\'\.\'a\'\.\'l\'\.\'\(\$.+?assert\(\$\w\)\;/is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'gzun\'\.\s+\'comp\'\.\s+\'ress\'\;\$([A-z0-9]{1,20})\s+\=\s+\'bas\'\s+\.\'e64\'\s+\.\'\_de\'\s+\.\'cod\'\s+\.\'e\'\;\$([A-z0-9]{1,20})\s+\=\s+\'imp\'\s+\.\'lod\'\s+\.\'e\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?eval.+?\)\)\)\)\;\s+\?>/is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'g\'\.\s+\'z\'\.\s+\'u\'\.\s+\'n\'\.\s+\'c\'.\s+\'o\'\.\s+\'m\'\.\s+\'p\'\.\s+\'r\'\.\s+\'e\'\.\s+\'s\'\.\s+\'s\'\;\$([A-z0-9]{1,20})\s+\=\s+\'b\'\s+\.\'a\'\s+\.\'s\'\s+\.\'e\'\s+\.\'6\'\s+\.\'4\'\s+\.\'\_\'\s+\.\'d\'\s+\.\'e\'\s+\.\'c\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'\;\$.+?=\s+\'imp\'\s+\.\'lod\'\s+\.\'e\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?eval\(.+?\)\)\)\)\;\s+\?>/is, - + qr/<\?php\s+\@session\_start\(\)\;.+?if\(\$chk\_login\).+?echo\s+\$buff\;\s+\}\s+\?>\s+<\/div>\s+<\/body>\s+<\/html>/is, + qr/GIF89a\?<\?php.+?\$get\.\=chr\(.+?\$undecode\=.+?\$ecode\.\=\s+\$\_REQUEST\[.+?\@eval\(\$undecode\(\$.+?\?>/is, + qr/MCL<\/title><form\s+enctype\=multipart\/form\-data\s+method\=post>.+?<\?\s+echo\s+base64\_decode\(.+?\$fp\=fopen\(base64\_decode\(\$\_REQUEST\[.+?\@copy\(\$\_FILES\[.+?\}\}\;\s+\?>/is, + qr/<\?php\s+\$a\=\"4\"\;\s+\$b\=\"0\"\;\s+\$c\=\"4\"\;\s+echo\s+\$a\.\$b\.\$c\.\"\#\"\;\s+\?>\s+<\?php\s+eval\(\$\_POST\[([A-z0-9]{1,20})\]\)\;\s+\$\w\_File\=fopen\(\$\_SERVER\[\'DOCUMENT\_ROOT\'\]\.\"\/1\.txt\"\,\"w\"\)\;\s+if\(\!\$\w\_File\)\s+echo\s+\"writewrong\"\;\s+else\s+echo\s+\"writeok\"\;\s+\?>/is, + qr/GIF89a\s+<\%\s+eval\s+request\(\"([A-z0-9]{1,20})\"\)\%>\s+abcabcabc/is, + qr/GIF89a<\?php\s+\@eval\(\$\_POST\[.+?\$response\s+\=\s+curl\(\$shell\_url\)\;.+?function\s+getcontent\(\$file\)\{.+?return\s+\$tmp\_content\;\s+\}/is, + qr/GIF89a.+?<\?php\s+eval\(\$\_POST\[([A-z0-9]{1,20})\]\)\?>/is, + qr/GIF89a<\?PHP\s+fputs\(fopen\(\'([A-z0-9]{1,20})\.php\'\,\'w\'\)\,\'<\?php\s+eval\(\$\_POST\[([A-z0-9]{1,20})\]\)\?>abcabcabc\'\)\;\?>/is, + qr/<\?php\s+echo\s+\'<form\s+action\=\"\".+?\$\_POST\[\'\_\'\]\=\=\"GO\"\)\{if\(\@copy\(\$\_FILES\[.+?Err<\/b>\'\;\}\}\?>/is, + qr/GIF89a\?\s+<\?php.+?\$get\.\=chr\(.+?\$undecode\=.+?\$ecode\.\=\s+\$\_REQUEST\[.+?\@eval\(\$undecode\(\$.+?\?>/is, + qr/\%PDF\-\d\.\d.+?<\?php\s+\@include.+?<title>\'\.getenv\(\"HTTP\_HOST\"\)\.\'\s+\~\s+chmod\.php<\/title>.+?print\s+\$footer\;.+?exit\(\)\;\s+\?>/is, + qr/<\?\s+eval\(base64\_decode\(.+?\)\)\;\s+\?>/is, + # qr/GIF89a.+?<\?php.+?\?>/is, + + + ); my @base64_decodes = (