new patterns added

scan.py

@@ -223,6 +223,10 @@ scoring = {
   'SHELL_COMPACT':            (5, u'2eme ligne louche (shell?)'),
   'CURL_HTTP':                (5, u'téléchargement HTTP'),
   'XXTEA_ENCRYPT':            (20, u'Code source encode avec XXTEA (possible ransomware)'),
+  'ADDED_LATER':              (50, u'Strings added from the rest of the scanners'),
+  'PHISHING':                 (10, u'Phishing patterns'),
+  'MD5':                      (20, u'md5 strings used in malware'),
+  'SOCIALS':                  (50, u'Email addresses, links and social networking'),
 }
 
 
@@ -487,6 +491,60 @@ def is_hacked(filename):
             cleanup_available = True
         if 'eval(xxtea_decrypt(base64_decode(' in l:
             score.append(('XXTEA_ENCRYPT', ''))
+        if 'wp_sysoptions' in l:
+            score.append(('CONCAT_STRING', ''))
+        if '6006014887a2c09ec470f5b676c8f68a' in l:
+            score.append(('MD5'))
+        if 'cdd6e3ab65dac2b0d8bcf8cb5ce31185' in l:
+            score.append(('MD5'))
+        if '5088db39ad7cc4d4fa9f462f74faccb6' in l:
+            score.append(('MD5'))
+        if 'eb2d3273ac60f499d82d97da0fa44689' in l:
+            score.append(('MD5'))
+        if 'b071e67503e9dcefecafd62e81704ef0' in l:
+            score.append(('MD5'))
+        if 'c7a628cba22e28eb17b5f5c6ae2a266a' in l:
+            score.append(('MD5'))
+        if 'a13756bf1e2bd46921c135232774fc5f' in l:
+            score.append(('MD5'))
+        if '78b45bf662bafae9ac6b66097762c7d5' in l:
+            score.append(('MD5'))
+        if 'b0x@hotmail.com' in l:
+            score.append(('SOCIALS'))
+        if 'botv3@mrspybotv3.com' in l:
+            score.append(('SOCIALS'))
+        if 'sellerolux@gmail.com' in l:
+            score.append(('SOCIALS'))
+        if 'nerf.sarcasm007@gmail.com' in l:
+            score.append(('SOCIALS'))
+        if 'submit[at]1337day.com' in l:
+            score.append(('SOCIALS'))
+        if 'luan.hackingpro123@hotmail.com' in l:
+            score.append(('SOCIALS'))
+        if 'Black-ID@W.Cn' in l:
+            score.append(('SOCIALS'))
+        if 'facebook.com/007mrspy' in l:
+            score.append(('SOCIALS'))
+        if 'Skype: live:zepek_al' in l:
+            score.append(('SOCIALS'))
+        if 'facebook.com/luan.santo.5437' in l:
+            score.append(('SOCIALS'))
+        if 'Mister Spy' in l:
+            score.append(('SOCIALS'))
+        if 'darkshadow-tn' in l:
+            score.append(('SOCIALS'))
+        if 'IndoXploit' in l:
+            score.append(('SOCIALS'))
+        if 'Black-ID' in l:
+            score.append(('SOCIALS'))
+        if 'https://hastebin.com/raw/ifucenaquz' in l:
+            score.append(('SOCIALS'))
+        if 'https://hastebin.com/raw/iracirucad' in l:
+            score.append(('SOCIALS'))
+        if 'https://www.colourbox.com/preview/11775720-hacker-boy-icon.jpg' in l:
+            score.append(('SOCIALS'))
+        if 'https://image.prntscr.com/image/dQ_-z9pTRL6tA2kqbnXH6A.jp' in l:
+            score.append(('SOCIALS'))
         previous_line = l
 
     if line_num < 20: