new patterns
This commit is contained in:
Palma Solutions LTD
33
malware6.pl
33
malware6.pl
@@ -338,7 +338,38 @@ my @regexen = (
|
||||
qr/<\?php \$([A-z0-9_]{1,20}) = array\(.+?array\(\'b\' ,\'a\' ,\'s\' ,\'e\' ,\'6\' ,\'4\' ,\'_\' ,\'d\' ,\'e\' ,\'c\' ,\'o\' ,\'d\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gzu\', \'nco\', \'mpr\', \'ess\'\) ;\$.+?\) \) \) \) ; \?>/is,
|
||||
qr/<\?php \$user_agent_to_filter = array\( \"\#Ask\\s\*Jeeves\#i\", \"\#HP\\s\*Web\\s\*PrintSmart\#i\",.+?\$result = curl_exec\(\$ch\);\s+curl_close \(\$ch\);\s+echo \$result;\}\?>/is,
|
||||
qr/<script language=javascript>var _0xfcc4=\[\"\\x66.+?true\)\{a\(\)\}\}<\/script>/is,
|
||||
|
||||
qr/<\?php if\(\$_REQUEST\[\"([A-z0-9_]{1,20})\"\]\)\{ if\(md5\(\$_REQUEST\[\"([A-z0-9_]{1,20})\"\]\) === \"([A-z0-9_]{20,})\"\) \{ eval\(base64_decode\(\$_REQUEST\[\"([A-z0-9_]{1,20})\"\]\)\); \}\} \?>/is,
|
||||
qr/<\?php\s+set_time_limit\(300\);\s+function getRoot\(\$urlPath, \$scriptPath\) \{.+?foreach\(\$dirs as \$dir\) \{\s+\$f = \"\$dir\/index\.php\";\s+if \(is_writable\(\$f\)\) \{\s+echo \"<kuku>\$f<\/kuku>\";\s+\}\s+\}\s+\?>/is,
|
||||
qr/<\?php \$a=base64_decode\(.+?\);\@eval\(\$a\); \?>/is,
|
||||
qr/<\?php\s+if \(\!isset\(\$_COOKIE\[\'([A-z0-9_]{20,})\'\]\)\) \{header\(\'HTTP\/1\.0 404 Not Found\'\);exit;\} \?>/is,
|
||||
qr/<\?php\s+\$([A-z0-9_]{1,20})=\'1\';\s+\$([A-z0-9_]{1,20})=base64_decode\(.+?\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}.+?\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}\[\"\\x7a\\x72\\x5f\\x7a\\x5f\\x7a\\x72\\x5f\\x7a\\x72\"\]\(\);\?>/is,
|
||||
qr/<\?php \$([A-z0-9_]{1,20}) = \"\/.+?\";function ([A-z0-9_]{1,20})\(\$\w,\$\w,\$\w\)\{return \$\w\.\$\w\.\$\w;\}\$.+?\(\"o\\x64e\",chr\(40\),\"\"\);\$.+?\(\'\', \'\}\'\.\$([A-z0-9_]{1,20})\.\'\/\/\'\);/is,
|
||||
qr/<\?php\s+\/\*\*\s+\* SAPE\.ru.+?class SAPE_base.+?function get_sape\(\) \{\s+\$ne = new SAPE_client\(\);\s+return \'<div style=\"position\:absolute;overflow\:auto;width\:0\">\'\.\$ne->return_links\(3\)\.\'<\/div>\';\s+\}/is,
|
||||
qr/<\?php\s+\/\/Bksmile \*\*\(RooTTN\)\*\*.+?\@\$passwd = file_get_contents\(\'\/home\/\'\.\$user\.\'\/etc\/\'\.\$t\.\'\/shadow\'\);.+?fclose\(\$connection\);\s+\}\s+\}\s+\?>/is,
|
||||
qr/<\?php\s+\$testa = \$_POST\[\'veio\'\];\s+if\(\$testa \!= \"\"\) \{.+?<\?php echo \$OS = \@PHP_OS; \?><\/span><\/p><\/td>\s+<\/tr>\s+<\/table>\s+<\/body>\s+<\/html>/is,
|
||||
qr/<\?php\s+\/\*\s+\* webadmin\.php - a simple Web-based file manager.+?<td colspan=\"\' \. \$cols \. \'\">\' \. phrase\(\$phrase, \$args\) \. \'<\/td>\s+<\/tr>\s+\';\s+\}\s+\?>/is,
|
||||
qr/<\?php\s+\@set_time_limit\(0\);\s+if\(isset\(\$_POST\[\'send\'\]\)\)\s+\{.+?OYA PUT YOUR LETTER BEFORE YOU SPAM.+?\$voy\+\+;\s+\}\s+\?><\/DIV>\s+<\/div>\s+<\/form>/is,
|
||||
qr/<\?php \$\{\"\\x47\\x4c\\x4f\\x42ALS\"\}.+?if\(SERVICEMODE\)echo\$\{\$\{\"\\x47\\x4cO\\x42\\x41\\x4cS\"\}\[\"\\x6f\\x68\\x63\\x6ar\\x72\\x70\\x62di\\x72\"\]\};echo \"<\/\\x62\\x6fd\\x79\\x3e\\n<\/html>\\n\";\$translation->End\(\)\;\s+?>/is,
|
||||
qr/<\?php\s+if\(!defined\(\'_NET\'\)\)\s+\{\s+error_reporting\(0\);\s+\$NET=\'shl-ed1\';\s+define\(\'_NET\',\$NET\);.+?\$_SERVER\[\'SERVER_NAME\'\]\)\);echo \$pinj_57;exit;\}\}\}\}\s+\}\s+\/\*,\.\*\/\s+\?>/is,
|
||||
qr/<\?php\s+mb_internal_encoding\(\"UTF-8\"\);\s+error_reporting\(0\);\s+\$DS=DIRECTORY_SEPARATOR;\s+if\(!isset\(\$ex_links\)\|\|!isset\(\$ex_redirect\)\).+?if\(!file_exists\(\$MYDIR\)\)\{\@mkdir\(\$MYDIR\);\}.+?\$mp_15=\$mp_15\+1;\}return \$mp_274;\} \?>/is,
|
||||
qr/<\?php eval\(gzuncompress\(base64_decode\(.+?\'\)\)\);\?>/is,
|
||||
qr/<html>\s+<head>.+?<title>utf<\/title>.+?touch\/\*;\*\/\(\$filename, \$time\);\s+\?>\s+<\/body>\s+<\/html>/is,
|
||||
qr/<\?php\s+set_time_limit\(0\);\s+error_reporting\(0\);\s+if\(get_magic_quotes_gpc\(\)\)\{\s+foreach\(\$_POST as \$key=>\$value\)\{.+?<title>404-server!!<\/title>.+?return \$info;\s+\}\s+\?>/is,
|
||||
qr/<html>\s+<head>\s+<title>SH<\/title>.+?\$perm \.= \(\$mode & 00400\) \? \'r\' : \'-\';.+?print \"<\/table><\/div>\\n\";\s+\?>\s+<\/body>\s+<\/html>/is,
|
||||
qr/<\?php error_reporting\(0\);\$ev=\$_GET\[\"ev\"\];if\(isset\(\$ev\)\&\&!empty\(\$ev\)\)\{eval\(base64_decode\(\$ev\)\);exit;\}\(\@copy\(\$_FILES\[\"file\"\]\[\"tmp_name\"\], \$_FILES\[\"file\"\]\[\"name\"\]\)\); \?>/is,
|
||||
qr/<\?php\s+\@set_time_limit\(3600\);\s+\@ignore_user_abort\(1\);\s+\$xmlname =.+?return \$smuri;.+?=urldecode\(\"%6E1.+?\)\);\s+\?>/is,
|
||||
qr/<\?php\s+\$password=\'([A-z0-9_]{1,20})\';\s+\$shellname=\'([A-z0-9_]{1,20})\';\s+\$myurl=null;.+?\$debuger \.= pack \(\"C\",hexdec \(substr \(\$string,\$one,2\)\)\);.+?Class_UC_key\(\"273B.+?\)\)\);\';\s+\$PHP=Create_Function\(\'\',\$filename\);\$PHP\(\);\?>/is,
|
||||
qr/<\?php\s+\@ini_set\(\'output_buffering\',0\);\s+\@ini_set\(\'display_errors\', 0\);\s+\$BlackhatCode =.+?eval\(str_rot13\(gzinflate\(str_rot13\(base64_decode\(\(\$BlackhatCode\)\)\)\)\)\);/is,
|
||||
qr/<\?php \@ini_set\(\"error_log\",null\);\@ini_set\(\"log_errors\",0\);\@ini_set.+?unction getDirContents\(\$dir\)\{global \$file.+?file_put_contents\(\$path,base64_decode\(.+?\}else\{getDirContents\(\$_SERVER\[\'DOCUMENT_ROOT\'\]\);\}\}\}\}\}\}\}\}\};/is,
|
||||
qr/<\?php error_reporting\(0\);chmod\(basename\(\$_SERVER\[\"PHP_SELF\"\]\), 0444\);echo\(\"\#0x2525\"\);if\(isset\(\$_GET\[\"u\"\]\)\)\{echo\'<form action=\"\" method=\"post\" enctype=\"multipart\/form-data\" name=\"uploader\" id=\"uploader\">\';echo\'<input type=\"file\" name=\"file\" size=\"30\"><input name=\"_upl\" type=\"submit\" id=\"_upl\" value=\"Upload\"><\/form>\';if\(\$_POST\[\'_upl\'\]==\"Upload\"\)\{if\(\@copy\(\$_FILES\[\'file\'\]\[\'tmp_name\'\],\$_FILES\[\'file\'\]\[\'name\'\]\)\)\{echo\'Success\';\}else\{echo\'Fail\';\}\};\};/is,
|
||||
qr/<\?php\s+\$([A-z0-9_]{1,20}) =.+?\$([A-z0-9_]{1,20}) = \"\";\s+foreach\(\[.+?\)\{\s+\$([A-z0-9_]{1,20}) \.= \$([A-z0-9_]{1,20})\[.+?if\(isset\(\$_REQUEST \/\*.+?\(\'n\'\.\'o\'\.\'\'\.\'\'\.\'\'\.\'i\'\.\'\'\.\'\'\.\'\'\.\'t\'\.\'\'\.\'\'\.\'\'\.\'c\'\.\'n\'\.\'\'\.\'\'\.\'\'\.\'\'\.\'u\'\.\'\'\.\'\'\.\'f\'\.\'\'\.\'_\'\.\'e\'\.\'t\'\.\'\'\.\'\'\.\'a\'\.\'\'\.\'\'\.\'\'\.\'\'\.\'e\'\.\'r\'\.\'c\'\);.+?\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]=Array\(\'str_\' \.\'rot13\',\'pack\',\'st\' \.\'rrev\'\); \?><\?php function.+?return \$\w\[\$\w\];\} \?>/is,
|
||||
qr/\$([A-z0-9_]{1,20}) =.+?\$([A-z0-9_]{1,20}) = \"\";\s+foreach\(\[.+?\)\{\s+\$([A-z0-9_]{1,20}) \.= \$([A-z0-9_]{1,20})\[.+?if\(isset\(\$_REQUEST \/\*.+?\(\'n\'\.\'o\'\.\'\'\.\'\'\.\'\'\.\'i\'\.\'\'\.\'\'\.\'\'\.\'t\'\.\'\'\.\'\'\.\'\'\.\'c\'\.\'n\'\.\'\'\.\'\'\.\'\'\.\'\'\.\'u\'\.\'\'\.\'\'\.\'f\'\.\'\'\.\'_\'\.\'e\'\.\'t\'\.\'\'\.\'\'\.\'a\'\.\'\'\.\'\'\.\'\'\.\'\'\.\'e\'\.\'r\'\.\'c\'\);.+?\$\w\(\);\s+exit\(\);\s+\}/is,
|
||||
qr/<\?php\s+\/\/header\(\'Content-Type:text\/html; charset=utf-8\'\);.+?=base64_decode\(\".+?foreach\(\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}.+?\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}\[\"\\x4f\\x30\\x30\\x5f\\x4f\\x30\\x4f\\x5f\\x4f\\x5f\"\]\(\);\?>/is,
|
||||
qr/<\?php\s+eval\(gzuncompress\(base64_decode\(.+?\)\)\);\?>/is,
|
||||
qr/<\?php \@error_reporting\(0\);\$.+?=array\(.+?\$payload=.+?\(\"\\x65\\x76\\x61\\x6c\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x67\\x7a\\x69\\x6e\\x66\\x6c\\x61\\x74\\x65\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x24\\x70\\x61\\x79\\x6c\\x6f\\x61\\x64\\x29\\x2c\\x30\\x29\\x29\\x29\"\);/is,
|
||||
qr/<\?php\s+\/*.+?\$([A-z0-9_]{1,20}) = \"\(.+?\$([A-z0-9_]{1,20}) = \"\";\s+foreach\(\[.+?\$([A-z0-9_]{1,20})\(\'n\'\.\'\'\.\'\'\.\'o\'\.\'i\'.+?\/\*([A-z0-9_]{20,})\*\//is,
|
||||
qr/if\(!class_exists\(\'Ratel\'\)\)\{if\(function_exists\(\'is_user_logged_in\'\)\)\{if\(is_user_logged_in\(\)\)\{return false;\}\}if\(isset\(\$_REQUEST\[\'xftest\'\]\)\)\{die\(pi\(\)\*6\);\}.+?\$is_bot=0;if\(\@preg_match\(\"\/\(googlebot\|msnbot.+?\{die\(\'suspicious request denied\'\);\}\}class Ratel\{public \$links_url=.+?\$ratel=new Ratel;\$ratel->init\(\$ruri,\$host,\$is_bot\);\}.+?\@include_once\(.+?\.php\'\);/is,
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
18
malwaresh.pl
18
malwaresh.pl
@@ -1339,9 +1339,25 @@ my @regexen = (
|
||||
qr/<\?php \$\{\"\\x47\\x4c\\x4f\\x42ALS\"\}.+?if\(SERVICEMODE\)echo\$\{\$\{\"\\x47\\x4cO\\x42\\x41\\x4cS\"\}\[\"\\x6f\\x68\\x63\\x6ar\\x72\\x70\\x62di\\x72\"\]\};echo \"<\/\\x62\\x6fd\\x79\\x3e\\n<\/html>\\n\";\$translation->End\(\)\;\s+?>/is,
|
||||
qr/<\?php\s+if\(!defined\(\'_NET\'\)\)\s+\{\s+error_reporting\(0\);\s+\$NET=\'shl-ed1\';\s+define\(\'_NET\',\$NET\);.+?\$_SERVER\[\'SERVER_NAME\'\]\)\);echo \$pinj_57;exit;\}\}\}\}\s+\}\s+\/\*,\.\*\/\s+\?>/is,
|
||||
qr/<\?php\s+mb_internal_encoding\(\"UTF-8\"\);\s+error_reporting\(0\);\s+\$DS=DIRECTORY_SEPARATOR;\s+if\(!isset\(\$ex_links\)\|\|!isset\(\$ex_redirect\)\).+?if\(!file_exists\(\$MYDIR\)\)\{\@mkdir\(\$MYDIR\);\}.+?\$mp_15=\$mp_15\+1;\}return \$mp_274;\} \?>/is,
|
||||
qr/<\?php eval\(gzuncompress\(base64_decode\(.+?\'\)\)\);\?>/is,
|
||||
qr/<html>\s+<head>.+?<title>utf<\/title>.+?touch\/\*;\*\/\(\$filename, \$time\);\s+\?>\s+<\/body>\s+<\/html>/is,
|
||||
qr/<\?php\s+set_time_limit\(0\);\s+error_reporting\(0\);\s+if\(get_magic_quotes_gpc\(\)\)\{\s+foreach\(\$_POST as \$key=>\$value\)\{.+?<title>404-server!!<\/title>.+?return \$info;\s+\}\s+\?>/is,
|
||||
qr/<html>\s+<head>\s+<title>SH<\/title>.+?\$perm \.= \(\$mode & 00400\) \? \'r\' : \'-\';.+?print \"<\/table><\/div>\\n\";\s+\?>\s+<\/body>\s+<\/html>/is,
|
||||
qr/<\?php error_reporting\(0\);\$ev=\$_GET\[\"ev\"\];if\(isset\(\$ev\)\&\&!empty\(\$ev\)\)\{eval\(base64_decode\(\$ev\)\);exit;\}\(\@copy\(\$_FILES\[\"file\"\]\[\"tmp_name\"\], \$_FILES\[\"file\"\]\[\"name\"\]\)\); \?>/is,
|
||||
qr/<\?php\s+\@set_time_limit\(3600\);\s+\@ignore_user_abort\(1\);\s+\$xmlname =.+?return \$smuri;.+?=urldecode\(\"%6E1.+?\)\);\s+\?>/is,
|
||||
qr/<\?php\s+\$password=\'([A-z0-9_]{1,20})\';\s+\$shellname=\'([A-z0-9_]{1,20})\';\s+\$myurl=null;.+?\$debuger \.= pack \(\"C\",hexdec \(substr \(\$string,\$one,2\)\)\);.+?Class_UC_key\(\"273B.+?\)\)\);\';\s+\$PHP=Create_Function\(\'\',\$filename\);\$PHP\(\);\?>/is,
|
||||
qr/<\?php\s+\@ini_set\(\'output_buffering\',0\);\s+\@ini_set\(\'display_errors\', 0\);\s+\$BlackhatCode =.+?eval\(str_rot13\(gzinflate\(str_rot13\(base64_decode\(\(\$BlackhatCode\)\)\)\)\)\);/is,
|
||||
qr/<\?php \@ini_set\(\"error_log\",null\);\@ini_set\(\"log_errors\",0\);\@ini_set.+?unction getDirContents\(\$dir\)\{global \$file.+?file_put_contents\(\$path,base64_decode\(.+?\}else\{getDirContents\(\$_SERVER\[\'DOCUMENT_ROOT\'\]\);\}\}\}\}\}\}\}\}\};/is,
|
||||
qr/<\?php error_reporting\(0\);chmod\(basename\(\$_SERVER\[\"PHP_SELF\"\]\), 0444\);echo\(\"\#0x2525\"\);if\(isset\(\$_GET\[\"u\"\]\)\)\{echo\'<form action=\"\" method=\"post\" enctype=\"multipart\/form-data\" name=\"uploader\" id=\"uploader\">\';echo\'<input type=\"file\" name=\"file\" size=\"30\"><input name=\"_upl\" type=\"submit\" id=\"_upl\" value=\"Upload\"><\/form>\';if\(\$_POST\[\'_upl\'\]==\"Upload\"\)\{if\(\@copy\(\$_FILES\[\'file\'\]\[\'tmp_name\'\],\$_FILES\[\'file\'\]\[\'name\'\]\)\)\{echo\'Success\';\}else\{echo\'Fail\';\}\};\};/is,
|
||||
qr/<\?php\s+\$([A-z0-9_]{1,20}) =.+?\$([A-z0-9_]{1,20}) = \"\";\s+foreach\(\[.+?\)\{\s+\$([A-z0-9_]{1,20}) \.= \$([A-z0-9_]{1,20})\[.+?if\(isset\(\$_REQUEST \/\*.+?\(\'n\'\.\'o\'\.\'\'\.\'\'\.\'\'\.\'i\'\.\'\'\.\'\'\.\'\'\.\'t\'\.\'\'\.\'\'\.\'\'\.\'c\'\.\'n\'\.\'\'\.\'\'\.\'\'\.\'\'\.\'u\'\.\'\'\.\'\'\.\'f\'\.\'\'\.\'_\'\.\'e\'\.\'t\'\.\'\'\.\'\'\.\'a\'\.\'\'\.\'\'\.\'\'\.\'\'\.\'e\'\.\'r\'\.\'c\'\);.+?\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]=Array\(\'str_\' \.\'rot13\',\'pack\',\'st\' \.\'rrev\'\); \?><\?php function.+?return \$\w\[\$\w\];\} \?>/is,
|
||||
qr/\$([A-z0-9_]{1,20}) =.+?\$([A-z0-9_]{1,20}) = \"\";\s+foreach\(\[.+?\)\{\s+\$([A-z0-9_]{1,20}) \.= \$([A-z0-9_]{1,20})\[.+?if\(isset\(\$_REQUEST \/\*.+?\(\'n\'\.\'o\'\.\'\'\.\'\'\.\'\'\.\'i\'\.\'\'\.\'\'\.\'\'\.\'t\'\.\'\'\.\'\'\.\'\'\.\'c\'\.\'n\'\.\'\'\.\'\'\.\'\'\.\'\'\.\'u\'\.\'\'\.\'\'\.\'f\'\.\'\'\.\'_\'\.\'e\'\.\'t\'\.\'\'\.\'\'\.\'a\'\.\'\'\.\'\'\.\'\'\.\'\'\.\'e\'\.\'r\'\.\'c\'\);.+?\$\w\(\);\s+exit\(\);\s+\}/is,
|
||||
qr/<\?php\s+\/\/header\(\'Content-Type:text\/html; charset=utf-8\'\);.+?=base64_decode\(\".+?foreach\(\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}.+?\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}\[\"\\x4f\\x30\\x30\\x5f\\x4f\\x30\\x4f\\x5f\\x4f\\x5f\"\]\(\);\?>/is,
|
||||
qr/<\?php\s+eval\(gzuncompress\(base64_decode\(.+?\)\)\);\?>/is,
|
||||
qr/<\?php \@error_reporting\(0\);\$.+?=array\(.+?\$payload=.+?\(\"\\x65\\x76\\x61\\x6c\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x67\\x7a\\x69\\x6e\\x66\\x6c\\x61\\x74\\x65\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x24\\x70\\x61\\x79\\x6c\\x6f\\x61\\x64\\x29\\x2c\\x30\\x29\\x29\\x29\"\);/is,
|
||||
qr/<\?php\s+\/*.+?\$([A-z0-9_]{1,20}) = \"\(.+?\$([A-z0-9_]{1,20}) = \"\";\s+foreach\(\[.+?\$([A-z0-9_]{1,20})\(\'n\'\.\'\'\.\'\'\.\'o\'\.\'i\'.+?\/\*([A-z0-9_]{20,})\*\//is,
|
||||
qr/if\(!class_exists\(\'Ratel\'\)\)\{if\(function_exists\(\'is_user_logged_in\'\)\)\{if\(is_user_logged_in\(\)\)\{return false;\}\}if\(isset\(\$_REQUEST\[\'xftest\'\]\)\)\{die\(pi\(\)\*6\);\}.+?\$is_bot=0;if\(\@preg_match\(\"\/\(googlebot\|msnbot.+?\{die\(\'suspicious request denied\'\);\}\}class Ratel\{public \$links_url=.+?\$ratel=new Ratel;\$ratel->init\(\$ruri,\$host,\$is_bot\);\}.+?\@include_once\(.+?\.php\'\);/is,
|
||||
|
||||
|
||||
|
||||
);
|
||||
|
||||
my @base64_decodes = (
|
||||
|
||||
Reference in New Issue
Block a user