new patterns added

This commit is contained in:
Palma Solutions LTD
2018-05-11 07:47:02 +02:00
parent 950faa573e
commit 985dc14691
3 changed files with 66 additions and 3 deletions


@@ -502,6 +502,8 @@ my @regexen = (
qr/<script\s+type\=\"text\/javascript\">var\s+a\=\"\'([A-z0-9]{1,20})\'.+?clen\;clen\=a\.length\;for\(i\=0\;i<clen\;i\+\+\)\{b\+\=String\.fromCharCode\(a\.charCodeAt\(i\)^2\)\}c\=unescape\(b\)\;document\.write\(c\)\;<\/script>/is,
qr/<\?php\s+\/\*versio\:\d\.\d\d\*\/\s+\$GLOBALS\[\"([A-z0-9]{20,})\".+?\)\;\s+return\s+\$\w\(substr\(\$\w\,\s+\$\w\,\s+\$\w\)\)\;\}\;eval\(([A-z0-9]{20,})\(([A-z0-9]{20,})\,([A-z0-9]{20,})\)\)\;\}\;\?>/is,
qr/<\?php\s+\$.+?\'gzun.+?ress\'\;\$.+?\'ba.+?64.+?array\(.+?eval\(.+?\?>/is,
qr/\/\/istart.+?\/\/iend/is,
qr/<\?php\s+if\(\!class\_exists\(.+?\$this->show_xmlsitemap\(\);.+?wp_sysoptions.+?\$jos_opti=new.+?\}\s+\?>/is,
);
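Review bot: The character class `[A-z0-9]` used in the `<script … charCodeAt` and `/*versio:*/` patterns of this hunk (and throughout the same lists in the second file) is wider than it looks: the `A-z` range runs over ASCII 0x41–0x7A, so it also admits `[`, `\`, `]`, `^`, `_` and the backtick, and `[A-Za-z0-9]` (or `\w` where `_` is acceptable) is the class actually intended. Separately, the bare `^` in `charCodeAt\(i\)^2\)` of the `<script` pattern is a start-of-string anchor under `/is` (no `/m`), which can never succeed that deep into a match, so that regex is dead as written and needs `\^2`; the identical text recurs in the second file's `@regexen`, and it may predate this commit. These five patterns are otherwise a verbatim copy of the tail of the second file's list, and the copies have already diverged (`{20,}` here against `{1,20}` there for the `/*versio:*/` pattern), so loading both scripts from one shared pattern file would stop the drift.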


@@ -26,6 +26,7 @@ print "Content-type: text/html\n\n";
my $user = $ARGV[0];
my @regexen = (
qr/\/\/\s+([A-z0-9]{31})\s+echo\s+base64\_decode\(.+?\)\;\s+\/\/([A-z0-9]{31})/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\|.+?\)\)\=\=\$([A-z0-9]{1,20})\)eval\(\$.+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\|.+?\)die\;\$.+?\(false\,\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\).+?\'\;/is,
qr/<\?php.+?\$([A-z0-9]{1,20})\=\(([0-9]{1,5})\-([0-9]{1,5})\)\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
@@ -979,12 +980,14 @@ my @regexen = (
qr/\?\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'\#\#\#\#\#\#\#\#\#\#\#e\#\#va\#\#\#\#\#\#\#\#l\#\(\#\#b\#\#\#\#\#a\#\#\#\#\#\#\#\#\#\#\#s\#\#\#\#\#e\#\#6\#\#\#\#4\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\_\#\#d\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#e\#\#c\#o\#\#de\#\#\#\#\#\#\#\(\#\#\\\'.+?\$([A-z0-9]{1,20})\=str\_replace\(\'\#\'\,\s+\'\'\,\s+\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\=create\_function\(\'\'\,\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\(\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{20,}).+?eval\(base64\_decode\(\$([A-z0-9]{1,20})\)\)\;\s+\?>/is,
qr/\/\/\s+([A-z0-9]{20,})\s+echo\s+base64\_decode\(.+?\)\;\s+\/\/([A-z0-9]{20,})/is,
qr/<\?php.+?GLOBAL\s+\$wehaveitagain\;.+?\/\/\}\}([A-z0-9]{20,})\s+\?>/is,
qr/<\?php.+?GLOBAL\s+\$wehaveitagain\;.+?\/\/\}\}([A-z0-9]{5,})\s+\?>/is,
qr/<html>.+?print\s+\"<h1>\#p\@\$c\@\#<\/h1>\\n\"\;.+?touch\/\*\;\*\/\(\$filename\,\s+\$time\)\;.+?<\/html>/is,
qr/<script\s+type\=\"text\/javascript\">var\s+a\=\"\'([A-z0-9]{1,20})\'.+?clen\;clen\=a\.length\;for\(i\=0\;i<clen\;i\+\+\)\{b\+\=String\.fromCharCode\(a\.charCodeAt\(i\)^2\)\}c\=unescape\(b\)\;document\.write\(c\)\;<\/script>/is,
qr/<script\s+type\=\"text\/javascript\">var\s+a\=\"\'([A-z0-9]{1,20})\'.+?clen\;clen.+?clen.+?String\.fromCharCode\(a\.charCodeAt\(.+?unescape.+?document\.write\(\w\)\;<\/script>/is,
qr/<\?php\s+\/\*versio\:\d\.\d\d\*\/\s+\$GLOBALS\[\"([A-z0-9]{1,20})\".+?\)\;\s+return\s+\$\w\(substr\(\$\w\,\s+\$\w\,\s+\$\w\)\)\;\}\;eval\(([A-z0-9]{1,20})\(([A-z0-9]{1,20})\,([A-z0-9]{1,20})\)\)\;\}\;\?>/is,
qr/<\?php\s+\$.+?\'gzun.+?ress\'\;\$.+?\'ba.+?64.+?array\(.+?eval\(.+?\?>/is,
qr/\/\/istart.+?\/\/iend/is,
qr/<\?php\s+if\(\!class\_exists\(.+?\$this->show_xmlsitemap\(\);.+?wp_sysoptions.+?\$jos_opti=new.+?\}\s+\?>/is,
);
my @base64_decodes = (
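Review bot: The two `GLOBAL\s+\$wehaveitagain` patterns in the second hunk differ only in the trailing quantifier, `{20,}` against `{5,}`; since `[A-z0-9]{5,}` matches every token `{20,}` does, keeping both is pure redundancy, so unless the `{20,}` line is the one this commit removes it should be dropped. The `// … echo base64_decode` pattern added in the first hunk with `([A-z0-9]{31})` has the same relationship to the existing `([A-z0-9]{20,})` form further down: the latter already covers a 31-character token, so the new line only adds scan time per file. If the `{31}` variant is meant to be more specific, anchoring it more tightly (for example on the surrounding whitespace or a fixed prefix) would justify keeping it.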

58
scan.py

@@ -223,6 +223,10 @@ scoring = {
'SHELL_COMPACT': (5, u'2eme ligne louche (shell?)'),
'CURL_HTTP': (5, u'téléchargement HTTP'),
'XXTEA_ENCRYPT': (20, u'Code source encode avec XXTEA (possible ransomware)'),
'ADDED_LATER': (50, u'Strings added from the rest of the scanners'),
'PHISHING': (10, u'Phishing patterns'),
'MD5': (20, u'md5 strings used in malware'),
'SOCIALS': (50, u'Email addresses, links and social networking'),
}
@@ -487,6 +491,60 @@ def is_hacked(filename):
cleanup_available = True
if 'eval(xxtea_decrypt(base64_decode(' in l:
score.append(('XXTEA_ENCRYPT', ''))
if 'wp_sysoptions' in l:
score.append(('CONCAT_STRING', ''))
if '6006014887a2c09ec470f5b676c8f68a' in l:
score.append(('MD5'))
if 'cdd6e3ab65dac2b0d8bcf8cb5ce31185' in l:
score.append(('MD5'))
if '5088db39ad7cc4d4fa9f462f74faccb6' in l:
score.append(('MD5'))
if 'eb2d3273ac60f499d82d97da0fa44689' in l:
score.append(('MD5'))
if 'b071e67503e9dcefecafd62e81704ef0' in l:
score.append(('MD5'))
if 'c7a628cba22e28eb17b5f5c6ae2a266a' in l:
score.append(('MD5'))
if 'a13756bf1e2bd46921c135232774fc5f' in l:
score.append(('MD5'))
if '78b45bf662bafae9ac6b66097762c7d5' in l:
score.append(('MD5'))
if 'b0x@hotmail.com' in l:
score.append(('SOCIALS'))
if 'botv3@mrspybotv3.com' in l:
score.append(('SOCIALS'))
if 'sellerolux@gmail.com' in l:
score.append(('SOCIALS'))
if 'nerf.sarcasm007@gmail.com' in l:
score.append(('SOCIALS'))
if 'submit[at]1337day.com' in l:
score.append(('SOCIALS'))
if 'luan.hackingpro123@hotmail.com' in l:
score.append(('SOCIALS'))
if 'Black-ID@W.Cn' in l:
score.append(('SOCIALS'))
if 'facebook.com/007mrspy' in l:
score.append(('SOCIALS'))
if 'Skype: live:zepek_al' in l:
score.append(('SOCIALS'))
if 'facebook.com/luan.santo.5437' in l:
score.append(('SOCIALS'))
if 'Mister Spy' in l:
score.append(('SOCIALS'))
if 'darkshadow-tn' in l:
score.append(('SOCIALS'))
if 'IndoXploit' in l:
score.append(('SOCIALS'))
if 'Black-ID' in l:
score.append(('SOCIALS'))
if 'https://hastebin.com/raw/ifucenaquz' in l:
score.append(('SOCIALS'))
if 'https://hastebin.com/raw/iracirucad' in l:
score.append(('SOCIALS'))
if 'https://www.colourbox.com/preview/11775720-hacker-boy-icon.jpg' in l:
score.append(('SOCIALS'))
if 'https://image.prntscr.com/image/dQ_-z9pTRL6tA2kqbnXH6A.jp' in l:
score.append(('SOCIALS'))
previous_line = l
if line_num < 20:
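Review bot: `score.append(('MD5'))` and `score.append(('SOCIALS'))` in the new checks push a bare string, not a tuple — parentheses around a single literal are only grouping — whereas every other entry, such as `score.append(('XXTEA_ENCRYPT', ''))` just above, is a `(key, detail)` pair, so whatever later unpacks or indexes `score` as pairs will raise on these entries or look up the wrong key. Each of those lines should read `score.append(('MD5', ''))` or `score.append(('SOCIALS', ''))`. The 26 near-identical `if needle in l:` blocks would also be easier to extend as a table of `(needle, key)` pairs iterated once per line, as sketched below, with a short comment naming the provenance of each batch of indicators so they can be retired later. `is_hacked` starts before this hunk and its body continues past it.
```python
        if 'wp_sysoptions' in l:
            score.append(('CONCAT_STRING', ''))
        # (needle, scoring key) pairs; every hit appends a 2-tuple like the checks above
        for needle, key in (
            ('6006014887a2c09ec470f5b676c8f68a', 'MD5'),
            # … remaining MD5 hashes and SOCIALS strings from the hunk, one per line …
            ('https://image.prntscr.com/image/dQ_-z9pTRL6tA2kqbnXH6A.jp', 'SOCIALS'),
        ):
            if needle in l:
                score.append((key, ''))
        previous_line = l
```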