new patterns

malware4.pl

@@ -503,7 +503,6 @@ my @regexen = (
     qr/<script\s+type\=\"text\/javascript\">\s+eval\(function\(p\,a\,c\,k\,e\,d\)\{e\=function\(c\)\{return\s+c\.toString\(.+?\.replace\(new\s+RegExp\(.+?script\|insertBefore\'\.split\(\'\|\'\)\,0\,\{\}\)\)\s+<\/script>/is,
     qr/\/\/([A-z0-9]{32})\s+create\_function\(\'\'\,\s+gzuncompress\(base64_decode\(.+?\)\)\)\;\s+\/\/([A-z0-9]{32})/is,
     qr/<\?php\s+\$\{.+?\;protected\$instance\;protected\$request\;protected\$calls\=array\(\)\;protected\$response\=array\(\)\;protected\$hasCalls\=false\;private\$isBatchCall\=false\;protected\$hiddenMethods\=array\(\'execute\'\,\'\_\_construct\'\).+?\}\s+\?>/is,
-    qr/<Center><h1>Pisher.+?\Z/is,
     qr/<\?php\s+\$\{.+?\]\;\@mail\(.+?\]\}\)\;\$\_SESSION\[.+?\]\}\=curl\_init\(\)\;curl\_setopt\(\$\{\$\{.+?\]\}\,CURLOPT\_RETURNTRANSFER\,1\)\;curl\_setopt\(\$\{\$\{.+?\]\}\}\;\}\}\s+\?>/is,
     qr/<\?php\s+\/\*\s+Plugin\s+Name\:\s+Pisher.+?trojan\.25hack.+?\;\}\)\;\}\)\;\s+\?>/is,
     qr/\s+<\?php\s+echo\(base64\_decode\(.+?\)\)\;eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;echo\s+\"\\x\d\d\\n\"\;\s+\?>/is,
@@ -515,6 +514,35 @@ my @regexen = (
     qr/<\?php\s+\/\*\*\s+\*\s+SAPE\.ru.+?class\s+SAPE\_globals\s+\{.+?\$this\->\_data\[\$this\->\_request\_mode\]\s+\=\s+\$data\;\s+\}\s+\}/is,
     qr/<\?php\s+if\s+\(\!defined\(\'\_SAPE\_USER\'\)\)\{\s+define\(\'\_SAPE\_USER\'\,.+?echo\s+\$sape\->return\_links\(\)\;\s+\?>/is,
     qr/<\?\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\s+\?>/is,
+    qr/<\?php\s+error\_reporting\(0\)\;.+?\$domain\s+\=\s+\'([A-z0-9]{1,20})\.liveupdates\.host\'\;.+?dns\_get\_record\(\$domain\,\s+DNS\_TXT\)\;.+?else\s+header\(\'Location\:\s+\'\.\$location\.\'\&\'\.\$\w\,\s+TRUE\,\s+302\)\;\s+\}/is,
+    qr/<\?php\s+\@date\_default\_timezone\_set\(.+?GetPageContent\(.+?EXPLOITOK.+?return\s+\(SASL\_CONTINUE\)\;\s+\}\s+\}/is,
+    qr/<\?php\s+function\s+cURLRequest\(\$url.+?function\s+Display404Page\(\)\s+\{.+?Display404Page\(\)\;\s+\}\s+exit\;\s+\}/is,
+    qr/<\?php\s+\$o0o\=\_\_FILE\_\_\;\$oOo\=\'.+?\'\;eval\(gzinflate\(base64\_decode\(.+?\'\)\)\)\;\?>/is,
+    qr/<\?php\s+\$o0O0\s+=.+?\$oO0\=\"cr\"\.\"eat\"\.\"e\_fun\"\.\"cti\"\.\"on\"\;\$oO0o\=\@\$oO0\(.+?\?>\"\.gz\'\.\'inf\'\.\'late\'\.\'\(\s+bas\'\.\'e64\'\.\'\_de\'\.\'co\'\.\'de\(.+?\,\$o0O0\)\;/is,
+    qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{20,})\"\;.+?\$([A-z0-9]{1,20})\s+\=\s+\"([A-z0-9]{20,})\"\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$.+?\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\s+\?>/is,
+    qr/<\?php\s+\$\w\_\_\_\w\=\'base\'\.\(128\/2\)\.\'\_de\'\.\'code\'\;\$\w\_\_\_\w\=\$\w\_\_\_\w\(str\_replace\(\"\\n\"\,\ \'\'\,.+?<input\s+type\=\"submit\"value\=\"\&gt\;\"\/><\/form>/is,
+    qr/<\?php\s+set\_time\_limit\(0\)\;.+?Mister\s+Spy<\/title>.+?Upload\s+File.+?\?>\s+bypass.+?contact\@elmoujehidin\.net/is,
+    qr/<\?php\s+\@\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\s+\?>/is,
+    qr/<\?php\s+if\(isset\(\$\_REQUEST\[\"([A-z0-9]{1,20})\"\]\)\)\s+\{\$([A-z0-9]{1,20})\=\"ass\"\.\"ert\"\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$\_REQUEST\[\"([A-z0-9]{1,20})\"\]\)\;\}\?>/is,
+    qr/<\?php\s+\$([A-z0-9]{1,20})\=\"ass\"\.\"ert\"\;\s+\$([A-z0-9]{1,20})\(\$\{\"\_PO\"\.\"ST\"\}\s+\[\"([A-z0-9]{1,20})\"\]\)\;\?>/is,
+    qr/<\?php\s+\$([A-z0-9]{20,})\=.+?eval\(base64\_decode\(gzuncompress\(base64\_decode\(\$([A-z0-9]{20,})\)\)\)\)\;\s+\?>/is,
+    qr/<\!DOCTYPE.+?libraries\/joomla\/document\/json\/a\.txt\s+was\s+not\s+found.+?<\/html>/is,
+    qr/<\?php\s+session\_start\(\)\;.+?\$auth\_pass.+?IndoXploit.+?IndoXploit<\/font><\/a><\/center>\"\;\s+\}\s+\?>\s+<\/html>/is,
+    qr/<\?php.+?FOPO.+?\$([A-z0-9]{1,20})\=.+?\@eval\(\$([A-z0-9]{1,20})\(\s+\"([A-z0-9]{50,}).+?\"\)\)\;\s+\?>/is,
+    qr/<SCRIPT\s+SRC\=http\:\/\/w0rms\.com\/sayac\.js><\/SCRIPT>\s+<\?php.+?header\(\'HTTP\/1\.0\s+404\s+Not\s+Found\'\)\;\s+exit\;/is,
+    qr/<\?php\s+if\s+\(isset\s+\(\$\_GET\[\'.+?\'\]\)\).+?\$default\_use\_ajax\s+\=\s+true\;.+?preg\_replace\(\"\/\.\*\/e\"\,\".+?\"\,\"\.\"\)\;\s+\}\s+else\s+\{\s+echo\s+\"<div\s+style\=display\:none>.+?<\/div>\"\;\s+\}\s+\?>/is,
+    qr/<\?php\s+WSOCheckUA\(\)\;.+?\$disable\_functions\s+\=\s+\@ini\_get\(.+?if\(\s+\!empty\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\s+\&\&\s+function\_exists\(\'action\'\s+\.\s+\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\s+\)\s+\{\s+call\_user\_func\(\'action\'\s+\.\s+\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\s+\}/is,
+    qr/<\?php.+?Bypass\s+\.\/Config\s+\.\/User\s+\.\/Domain.+?eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
+    qr/<\?php\s+function\s+wsoHeader\(\)\s+\{.+?\$drives\s+\=\s+\"\"\;.+?<div\s+style\=\"margin\:5\">\'\;\s+\}/is,
+    qr/<\?php\s+function\s+getBot\(\$url\)\s+.+?echo\s+\"<b>Namesis<br>.+?exit\(\)\;\s+\}\s+\?>/is,
+    qr/<\?php\s+\$\_F\=\_\_FILE\_\_\;\$\_X\=.+?eval\(base64\_decode\(.+?\)\)\;\?>/is,
+    qr/<\?php\s+error\_reporting\(0\)\;.+?File\s+Manager<\/title>.+?\$pathen\s+\=\s+base64\_encode\(\$path\)\;.+?return\s+\$info\;\s+\}\s+\?>/is,
+    qr/<\?php\s+\$([A-z0-9]{1,20})\_\w\s+\=\s+\'\'\.chr\(([0-9]{1,5})\)\.\'\'\.chr\(([0-9]{1,5})\)\.\'([A-z0-9]{1,20})\'\.chr\(([0-9]{1,5})\)\.\'de\'\s+\;\$([A-z0-9]{1,20})\s+\=\s+\$([A-z0-9]{1,20})\_\w\(\'\'\,array\(.+?\)\)\;\$([A-z0-9]{1,20})\(\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;\?>/is,
+    qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?array\(\'ba\'\s+\,\'se\'\s+\,\'64\'\s+\,\'\_d\'\s+\,\'ec\'\s+\,\'od\'\s+\,\'e\'\)\;.+?array\(\'gzu\'\,\s+\'nco\'\,\s+\'mpr\'\,\s+\'ess\'\).+?eval.+?\)\s+\)\s+\)\s+\)\s+\;\s+\?>/is,
+    qr/<\?php.+?\'\'\.chr\(.+?\'\.chr\(.+?\(\'\'\,array\(.+?\)\.\'e64\_deco\'\.chr\(.+?\(\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;\?>/is,
+    qr/<\?php\s+header\(\'Content\-Type\:text\/.+?define\(\'SHELL\_PASSWORD\'\,.+?API\_VERSION\,\s+2\)\)\)\;\s+\}\s+\?>/is,
+    qr/<\?php\s+\/\*a\,b\,c\,d\,e\,f\,g\,h\,i\,j\,k\,l\,m\,n\,o\,p\,q\,r\,s\,t.+?\*\/\s+\?>/is,
+
 
 
 );