From 8f9e3331cc6ead868fa0bb9cf520c67b927852af Mon Sep 17 00:00:00 2001 From: Palma Solutions LTD Date: Fri, 11 Aug 2017 11:40:48 +0200 Subject: [PATCH] new pattern --- malware4.pl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/malware4.pl b/malware4.pl index 7bda7ba..50b00fd 100644 --- a/malware4.pl +++ b/malware4.pl @@ -163,10 +163,10 @@ my @regexen = ( qr/<\!DOCTYPE\s+HTML\s+PUBLIC.+?Hacked\s+By\s+Dr\.Shap7\-Nine.+?<\/html>/is, qr/<\?php\s+\/\/([A-z0-9]{1,20})\s+\$\{.+?\}\=\=\=\"\"\|\|strrpos\(\$\{\$.+?\}\;exit\(\)\;\}\}\}\s+\/\/([A-z0-9]{1,20})\s+\?>/is, qr/<\!DOCTYPE.+?

Index\s+of\s+\/<\/h1>.+?<\/html>/is, - # not working qr/<\?php\s\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+mail\(stripslashes\(\$([A-z0-9]{1,20})\)\,\s+stripslashes\(\$([A-z0-9]{1,20})\)\,\s+stripslashes\(\$([A-z0-9]{1,20})\)\)\;\s+if\(\$([A-z0-9]{1,20})\)\{echo\s+\'([A-z0-9]{1,20})\'\;\}\s+else\s+\{echo\s+\'([A-z0-9]{1,20})\s+\:\s+\'\s+\.\s+\$([A-z0-9]{1,20})\;\}\s+\?>/is, qr/<\?php\s+\$password\s+\=\s+\"([A-z0-9]{1,20})\".+?function\s+TestWriteable\(\).+?HtmlFoot\(\)\;\s+exit\;\s+\}\s+\?>/is, qr/<\?php\s+header\(\"Location\:\s+http\:\/\/.+?\"\)\;\s+\?>/is, - + qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+stripslashes\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;.+?\}\s+\?>/is, + qr/GIF89a\@\s+<\?php.+?MulCiShell.+?ob\_end\_flush\(\)\;\s+\?>/is,