new patterns

Palma Solutions LTD
2018-10-01 10:44:35 +02:00
parent dbb45ddce8
commit 953b4dc786
2 changed files with 14 additions and 1 deletions


@@ -331,6 +331,13 @@ my @regexen = (
qr/<\?php.+?\$default_charset=\'Wind\'\.\'o\.\'\.\'ws-12\'\.\'51\';\s+\$default_action=\'F\'\.\'il\'\.\'esMan\';\s+\$color=\'\#d\'\.\'f5\';\s+\$default_use_ajax=true;\s+\$JFactory = strrev\(\'edo\'\.\'c\'\.\'ed_4\'\.\'6e\'\.\'sab\'\);\s+\$JComponentHelper = strrev\(\'ecalp\'\.\'er\'\.\'_ge\'\.\'rp\'\);.+?\\x29\\x29\\x3B\",\"\.\"\);\s+\?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = array\(\'.+?array\(\'b\' ,\'a\' ,\'s\' ,\'e\' ,\'6\' ,\'4\' ,\'_\' ,\'d\' ,\'e\' ,\'c\' ,\'o\' ,\'d\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'g\', \'z\', \'u\', \'n\', \'c\', \'o\', \'m\', \'p\', \'r\', \'e\', \'s\', \'s\'\) ;\$.+?\) \) \) \) ; \?>/is,
qr/<\?php echo eval\(base64_decode\(str_replace\(\'\*\',\'a\',str_replace\(\'%\',\'B\',str_replace\(\'~\',\'F\',str_replace\(\'_\',\'z\',str_replace\(\'\$\',\'x\',str_replace\(\'\@\',\'d\',str_replace\(\'^\',\'3\',str_rot13\(.+?\)\)\)\)\)\)\)\)\)\); \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'\'\.chr\(115\)\.\'t\'\.chr\(114\)\.\'r\'\.chr\(101\)\.\'v\';\$([A-z0-9_]{1,20}) = array\(.+?\$([A-z0-9_]{1,20})\(\'ed\'\.chr\(111\)\.\'ced_46\'\.chr\(101\)\.\'\'\.chr\(115\)\.\'\'\.chr\(97\)\.\'\'\.chr\(98\)\.\'\'\);\$.+?\)\)\)\); \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'s\'\.chr\(116\)\.\'r\'\.chr\(114\)\.\'ev\';\$([A-z0-9_]{1,20}) = array\(.+?\$([A-z0-9_]{1,20})\(\'edo\'\.\'ced\'\.\'_46\'\.\'esa\'\.\'b\'\);\$.+?\$([A-z0-9_]{1,20})\(\'eta\'\.\'lfn\'\.\'izg\'\);eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
qr/<\?php if\(empty\(\$_GET\[\'ineedthispage\'\]\) \&\& \$_SERVER\[\'REQUEST_URI\'\]\!=\"\/\" \&\& \$_SERVER\[\'REQUEST_URI\'\]\!=\"\/index\.php\" \&\& \!empty\(\$_SERVER\[\'REQUEST_URI\'\]\)\) \{ini_set\(\'display_errors\',\"Off\"\);ignore_user_abort\(1\);\$.+?\.\"\\\(\/\",\"II\"\.randStringfrpernames\(\)\.\"\(\",\$.+?\};\s+\?>/is,
qr/<\?php.+?\*\/\s+\$lyrics3size=\'\'\.\'b\'\.\'\'\.\'a\'\.\'\'\.\'se\'\.\(8768\/137\)\.\'_de\'\.\'\'\.\'c\'\.\'\'\.\'ode\';\s+\$lyrics3sizeV2 = \"ass\"; \$lyrics3sizeV2 \.= \"ert\"; \@\$lyrics3sizeV2\(\$lyrics3size\(.+?\} \*\//is,
qr/<\?php \$([A-z0-9_]{1,20}) = array\(.+?array\(\'b\' ,\'a\' ,\'s\' ,\'e\' ,\'6\' ,\'4\' ,\'_\' ,\'d\' ,\'e\' ,\'c\' ,\'o\' ,\'d\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gzu\', \'nco\', \'mpr\', \'ess\'\) ;\$.+?\) \) \) \) ; \?>/is,
qr/<\?php \$user_agent_to_filter = array\( \"\#Ask\\s\*Jeeves\#i\", \"\#HP\\s\*Web\\s\*PrintSmart\#i\",.+?\$result = curl_exec\(\$ch\);\s+curl_close \(\$ch\);\s+echo \$result;\}\?>/is,
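Review bot: The `str_replace`/`str_rot13` signature (third pattern shown in this section) leaves `^` unescaped in `str_replace\(\'^\',\'3\'`, so under `/is` Perl reads it as a start-of-string anchor placed after a literal `'` and the pattern can never match; it should be `str_replace\(\'\^\',\'3\'`. The identical line appears in the second file's `@regexen` list and needs the same fix. The +/- markers are lost in this rendering, so the line may predate this commit, but it is on the new side either way. Separately, the variable-name class `[A-z0-9_]` used in several captures also admits the punctuation that sits between `Z` and `a` in ASCII; `[A-Za-z0-9_]` is the narrower class a PHP identifier needs. Both files carry the same list verbatim, so loading the signatures from one shared module would stop the two copies drifting apart.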


@@ -1318,7 +1318,13 @@ my @regexen = (
qr/<\?php.+?\$default_charset=\'Wind\'\.\'o\.\'\.\'ws-12\'\.\'51\';\s+\$default_action=\'F\'\.\'il\'\.\'esMan\';\s+\$color=\'\#d\'\.\'f5\';\s+\$default_use_ajax=true;\s+\$JFactory = strrev\(\'edo\'\.\'c\'\.\'ed_4\'\.\'6e\'\.\'sab\'\);\s+\$JComponentHelper = strrev\(\'ecalp\'\.\'er\'\.\'_ge\'\.\'rp\'\);.+?\\x29\\x29\\x3B\",\"\.\"\);\s+\?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = array\(\'.+?array\(\'b\' ,\'a\' ,\'s\' ,\'e\' ,\'6\' ,\'4\' ,\'_\' ,\'d\' ,\'e\' ,\'c\' ,\'o\' ,\'d\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'g\', \'z\', \'u\', \'n\', \'c\', \'o\', \'m\', \'p\', \'r\', \'e\', \'s\', \'s\'\) ;\$.+?\) \) \) \) ; \?>/is,
qr/<\?php echo eval\(base64_decode\(str_replace\(\'\*\',\'a\',str_replace\(\'%\',\'B\',str_replace\(\'~\',\'F\',str_replace\(\'_\',\'z\',str_replace\(\'\$\',\'x\',str_replace\(\'\@\',\'d\',str_replace\(\'^\',\'3\',str_rot13\(.+?\)\)\)\)\)\)\)\)\)\); \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'\'\.chr\(115\)\.\'t\'\.chr\(114\)\.\'r\'\.chr\(101\)\.\'v\';\$([A-z0-9_]{1,20}) = array\(.+?\$([A-z0-9_]{1,20})\(\'ed\'\.chr\(111\)\.\'ced_46\'\.chr\(101\)\.\'\'\.chr\(115\)\.\'\'\.chr\(97\)\.\'\'\.chr\(98\)\.\'\'\);\$.+?\)\)\)\); \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'s\'\.chr\(116\)\.\'r\'\.chr\(114\)\.\'ev\';\$([A-z0-9_]{1,20}) = array\(.+?\$([A-z0-9_]{1,20})\(\'edo\'\.\'ced\'\.\'_46\'\.\'esa\'\.\'b\'\);\$.+?\$([A-z0-9_]{1,20})\(\'eta\'\.\'lfn\'\.\'izg\'\);eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
qr/<\?php if\(empty\(\$_GET\[\'ineedthispage\'\]\) \&\& \$_SERVER\[\'REQUEST_URI\'\]\!=\"\/\" \&\& \$_SERVER\[\'REQUEST_URI\'\]\!=\"\/index\.php\" \&\& \!empty\(\$_SERVER\[\'REQUEST_URI\'\]\)\) \{ini_set\(\'display_errors\',\"Off\"\);ignore_user_abort\(1\);\$.+?\.\"\\\(\/\",\"II\"\.randStringfrpernames\(\)\.\"\(\",\$.+?\};\s+\?>/is,
qr/<\?php.+?\*\/\s+\$lyrics3size=\'\'\.\'b\'\.\'\'\.\'a\'\.\'\'\.\'se\'\.\(8768\/137\)\.\'_de\'\.\'\'\.\'c\'\.\'\'\.\'ode\';\s+\$lyrics3sizeV2 = \"ass\"; \$lyrics3sizeV2 \.= \"ert\"; \@\$lyrics3sizeV2\(\$lyrics3size\(.+?\} \*\//is,
qr/<\?php \$([A-z0-9_]{1,20}) = array\(.+?array\(\'b\' ,\'a\' ,\'s\' ,\'e\' ,\'6\' ,\'4\' ,\'_\' ,\'d\' ,\'e\' ,\'c\' ,\'o\' ,\'d\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gzu\', \'nco\', \'mpr\', \'ess\'\) ;\$.+?\) \) \) \) ; \?>/is,
qr/<\?php \$user_agent_to_filter = array\( \"\#Ask\\s\*Jeeves\#i\", \"\#HP\\s\*Web\\s\*PrintSmart\#i\",.+?\$result = curl_exec\(\$ch\);\s+curl_close \(\$ch\);\s+echo \$result;\}\?>/is,