new patterns added

Palma Solutions LTD
2018-05-11 07:47:02 +02:00
parent 950faa573e
commit 985dc14691
3 changed files with 66 additions and 3 deletions


@@ -26,6 +26,7 @@ print "Content-type: text/html\n\n";
my $user = $ARGV[0];
my @regexen = (
qr/\/\/\s+([A-z0-9]{31})\s+echo\s+base64\_decode\(.+?\)\;\s+\/\/([A-z0-9]{31})/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\|.+?\)\)\=\=\$([A-z0-9]{1,20})\)eval\(\$.+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\|.+?\)die\;\$.+?\(false\,\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\).+?\'\;/is,
qr/<\?php.+?\$([A-z0-9]{1,20})\=\(([0-9]{1,5})\-([0-9]{1,5})\)\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
@@ -979,12 +980,14 @@ my @regexen = (
qr/\?\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'\#\#\#\#\#\#\#\#\#\#\#e\#\#va\#\#\#\#\#\#\#\#l\#\(\#\#b\#\#\#\#\#a\#\#\#\#\#\#\#\#\#\#\#s\#\#\#\#\#e\#\#6\#\#\#\#4\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\_\#\#d\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#e\#\#c\#o\#\#de\#\#\#\#\#\#\#\(\#\#\\\'.+?\$([A-z0-9]{1,20})\=str\_replace\(\'\#\'\,\s+\'\'\,\s+\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\=create\_function\(\'\'\,\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\(\)\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{20,}).+?eval\(base64\_decode\(\$([A-z0-9]{1,20})\)\)\;\s+\?>/is,
qr/\/\/\s+([A-z0-9]{20,})\s+echo\s+base64\_decode\(.+?\)\;\s+\/\/([A-z0-9]{20,})/is,
qr/<\?php.+?GLOBAL\s+\$wehaveitagain\;.+?\/\/\}\}([A-z0-9]{20,})\s+\?>/is,
qr/<\?php.+?GLOBAL\s+\$wehaveitagain\;.+?\/\/\}\}([A-z0-9]{5,})\s+\?>/is,
qr/<html>.+?print\s+\"<h1>\#p\@\$c\@\#<\/h1>\\n\"\;.+?touch\/\*\;\*\/\(\$filename\,\s+\$time\)\;.+?<\/html>/is,
qr/<script\s+type\=\"text\/javascript\">var\s+a\=\"\'([A-z0-9]{1,20})\'.+?clen\;clen\=a\.length\;for\(i\=0\;i<clen\;i\+\+\)\{b\+\=String\.fromCharCode\(a\.charCodeAt\(i\)^2\)\}c\=unescape\(b\)\;document\.write\(c\)\;<\/script>/is,
qr/<script\s+type\=\"text\/javascript\">var\s+a\=\"\'([A-z0-9]{1,20})\'.+?clen\;clen.+?clen.+?String\.fromCharCode\(a\.charCodeAt\(.+?unescape.+?document\.write\(\w\)\;<\/script>/is,
qr/<\?php\s+\/\*versio\:\d\.\d\d\*\/\s+\$GLOBALS\[\"([A-z0-9]{1,20})\".+?\)\;\s+return\s+\$\w\(substr\(\$\w\,\s+\$\w\,\s+\$\w\)\)\;\}\;eval\(([A-z0-9]{1,20})\(([A-z0-9]{1,20})\,([A-z0-9]{1,20})\)\)\;\}\;\?>/is,
qr/<\?php\s+\$.+?\'gzun.+?ress\'\;\$.+?\'ba.+?64.+?array\(.+?eval\(.+?\?>/is,
qr/\/\/istart.+?\/\/iend/is,
qr/<\?php\s+if\(\!class\_exists\(.+?\$this->show_xmlsitemap\(\);.+?wp_sysoptions.+?\$jos_opti=new.+?\}\s+\?>/is,
);
my @base64_decodes = (
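Review bot: The `qr/\/\/istart.+?\/\/iend/is` entry near the end of `@regexen` keys on two comment markers alone and, under `/s`, spans whatever lies between them, so any file that contains both strings matches regardless of its content. How matches are consumed is outside this hunk; if they are stripped rather than only reported, that span can take legitimate code with it, and the `<\?php.+?GLOBAL\s+\$wehaveitagain` entries share the problem because the match begins at the first `<?php` in the buffer, not at the injected block. I would bound the span, e.g. `qr/\/\/istart.{1,4096}?\/\/iend/is` (limit illustrative), and add a comment such as `# marker-only signature: confirm against the sample before enabling removal`. The `+`/`-` markers are lost on this page, so if the `charCodeAt\(i\)^2\)` entry is still on the new side, its unescaped `^` is a start-of-string anchor (no `/m` is set) and the pattern can never match; it needs `\^`. `[A-z0-9]` throughout also admits the six punctuation characters between `Z` and `a`; `[A-Za-z0-9_]` is probably what was meant.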