Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new patterns

Browse Source
This commit is contained in:
Palma Solutions LTD 2018-05-13 07:29:49 +02:00
parent 74ad4a4e7b
commit 954bb8da3b
2 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
malware5.pl
View File

@ -514,6 +514,10 @@ my @regexen = (
qr/<\?PHP\s+\#\s+Web\s+Shell\s+by\s+oRb.+?\\x3B\"\)\;\s+\?>/is, qr/<\?PHP\s+\#\s+Web\s+Shell\s+by\s+oRb.+?\\x3B\"\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'.+?([A-z0-9]{1,20})\|.+?\;\$([A-z0-9]{1,20})\=\_\_FILE\_\_\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\{\d\}\.\$([A-z0-9]{1,20})\{\d\d\}\.\$.+?eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(.+?([A-z0-9]{1,20})\=\=\'\;/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=\'.+?([A-z0-9]{1,20})\|.+?\;\$([A-z0-9]{1,20})\=\_\_FILE\_\_\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\{\d\}\.\$([A-z0-9]{1,20})\{\d\d\}\.\$.+?eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(.+?([A-z0-9]{1,20})\=\=\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\;\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20}).+?\$([A-z0-9]{1,20})\=\_\_FILE\_\_\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\{\d.+?eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\'([A-z0-9]{1,20}).+?\)\)\)\;return\;.+?([A-z0-9]{1,20})\=\=\'\;/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\;\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20}).+?\$([A-z0-9]{1,20})\=\_\_FILE\_\_\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\{\d.+?eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\'([A-z0-9]{1,20}).+?\)\)\)\;return\;.+?([A-z0-9]{1,20})\=\=\'\;/is,
qr/<\?php\s+\$login\_successful\s+\=\s+false\;.+?function\s+selfURL\(\)\s+\{.+?if\(eregi\(\"Linux\"\,\$OSV\)\).+?\$proxy\_shit\=.+?\$([A-z0-9]{1,20})\s+\=\s+urlencode\(\$\w\)\;\s+\?>/is,
qr/<script>\s+var\s+\_0x([A-z0-9]{1,10})\=\[.+?\(\)\;\"\,\"\\x([A-z0-9]{2})\"\,\"\\x([A-z0-9]{2})\\x([A-z0-9]{2})\\x([A-z0-9]{2})\\x([A-z0-9]{2})\\x([A-z0-9]{2})\"\,\"\\x([A-z0-9]{2}).+?\]\;eval\(function\(\_0x.+?\]\)\,0\,\{\}\)\)\s+<\/script>/is,
); );
my @base64_decodes = ( my @base64_decodes = (

2
malwaresh.pl
View File

@ -997,6 +997,8 @@ my @regexen = (
qr/<\?PHP\s+\#\s+Web\s+Shell\s+by\s+oRb.+?\\x3B\"\)\;\s+\?>/is, qr/<\?PHP\s+\#\s+Web\s+Shell\s+by\s+oRb.+?\\x3B\"\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'.+?([A-z0-9]{1,20})\|.+?\;\$([A-z0-9]{1,20})\=\_\_FILE\_\_\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\{\d\}\.\$([A-z0-9]{1,20})\{\d\d\}\.\$.+?eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(.+?([A-z0-9]{1,20})\=\=\'\;/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=\'.+?([A-z0-9]{1,20})\|.+?\;\$([A-z0-9]{1,20})\=\_\_FILE\_\_\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\{\d\}\.\$([A-z0-9]{1,20})\{\d\d\}\.\$.+?eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(.+?([A-z0-9]{1,20})\=\=\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\;\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20}).+?\$([A-z0-9]{1,20})\=\_\_FILE\_\_\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\{\d.+?eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\'([A-z0-9]{1,20}).+?\)\)\)\;return\;.+?([A-z0-9]{1,20})\=\=\'\;/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\;\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20}).+?\$([A-z0-9]{1,20})\=\_\_FILE\_\_\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\{\d.+?eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\'([A-z0-9]{1,20}).+?\)\)\)\;return\;.+?([A-z0-9]{1,20})\=\=\'\;/is,
qr/<\?php\s+\$login\_successful\s+\=\s+false\;.+?function\s+selfURL\(\)\s+\{.+?if\(eregi\(\"Linux\"\,\$OSV\)\).+?\$proxy\_shit\=.+?\$([A-z0-9]{1,20})\s+\=\s+urlencode\(\$\w\)\;\s+\?>/is,
qr/<script>\s+var\s+\_0x([A-z0-9]{1,10})\=\[.+?\(\)\;\"\,\"\\x([A-z0-9]{2})\"\,\"\\x([A-z0-9]{2})\\x([A-z0-9]{2})\\x([A-z0-9]{2})\\x([A-z0-9]{2})\\x([A-z0-9]{2})\"\,\"\\x([A-z0-9]{2}).+?\]\;eval\(function\(\_0x.+?\]\)\,0\,\{\}\)\)\s+<\/script>/is,
); );