new patterns

malwaresh.pl

@@ -1339,9 +1339,25 @@ my @regexen = (
     qr/<\?php \$\{\"\\x47\\x4c\\x4f\\x42ALS\"\}.+?if\(SERVICEMODE\)echo\$\{\$\{\"\\x47\\x4cO\\x42\\x41\\x4cS\"\}\[\"\\x6f\\x68\\x63\\x6ar\\x72\\x70\\x62di\\x72\"\]\};echo \"<\/\\x62\\x6fd\\x79\\x3e\\n<\/html>\\n\";\$translation->End\(\)\;\s+?>/is,
     qr/<\?php\s+if\(!defined\(\'_NET\'\)\)\s+\{\s+error_reporting\(0\);\s+\$NET=\'shl-ed1\';\s+define\(\'_NET\',\$NET\);.+?\$_SERVER\[\'SERVER_NAME\'\]\)\);echo \$pinj_57;exit;\}\}\}\}\s+\}\s+\/\*,\.\*\/\s+\?>/is,
     qr/<\?php\s+mb_internal_encoding\(\"UTF-8\"\);\s+error_reporting\(0\);\s+\$DS=DIRECTORY_SEPARATOR;\s+if\(!isset\(\$ex_links\)\|\|!isset\(\$ex_redirect\)\).+?if\(!file_exists\(\$MYDIR\)\)\{\@mkdir\(\$MYDIR\);\}.+?\$mp_15=\$mp_15\+1;\}return \$mp_274;\} \?>/is,
+    qr/<\?php eval\(gzuncompress\(base64_decode\(.+?\'\)\)\);\?>/is,
+    qr/<html>\s+<head>.+?<title>utf<\/title>.+?touch\/\*;\*\/\(\$filename, \$time\);\s+\?>\s+<\/body>\s+<\/html>/is,
+    qr/<\?php\s+set_time_limit\(0\);\s+error_reporting\(0\);\s+if\(get_magic_quotes_gpc\(\)\)\{\s+foreach\(\$_POST as \$key=>\$value\)\{.+?<title>404-server!!<\/title>.+?return \$info;\s+\}\s+\?>/is,
+    qr/<html>\s+<head>\s+<title>SH<\/title>.+?\$perm \.= \(\$mode & 00400\) \? \'r\' : \'-\';.+?print \"<\/table><\/div>\\n\";\s+\?>\s+<\/body>\s+<\/html>/is,
+    qr/<\?php error_reporting\(0\);\$ev=\$_GET\[\"ev\"\];if\(isset\(\$ev\)\&\&!empty\(\$ev\)\)\{eval\(base64_decode\(\$ev\)\);exit;\}\(\@copy\(\$_FILES\[\"file\"\]\[\"tmp_name\"\], \$_FILES\[\"file\"\]\[\"name\"\]\)\); \?>/is,
+    qr/<\?php\s+\@set_time_limit\(3600\);\s+\@ignore_user_abort\(1\);\s+\$xmlname =.+?return \$smuri;.+?=urldecode\(\"%6E1.+?\)\);\s+\?>/is,
+    qr/<\?php\s+\$password=\'([A-z0-9_]{1,20})\';\s+\$shellname=\'([A-z0-9_]{1,20})\';\s+\$myurl=null;.+?\$debuger \.= pack \(\"C\",hexdec \(substr \(\$string,\$one,2\)\)\);.+?Class_UC_key\(\"273B.+?\)\)\);\';\s+\$PHP=Create_Function\(\'\',\$filename\);\$PHP\(\);\?>/is,
+    qr/<\?php\s+\@ini_set\(\'output_buffering\',0\);\s+\@ini_set\(\'display_errors\', 0\);\s+\$BlackhatCode =.+?eval\(str_rot13\(gzinflate\(str_rot13\(base64_decode\(\(\$BlackhatCode\)\)\)\)\)\);/is,
+    qr/<\?php \@ini_set\(\"error_log\",null\);\@ini_set\(\"log_errors\",0\);\@ini_set.+?unction getDirContents\(\$dir\)\{global \$file.+?file_put_contents\(\$path,base64_decode\(.+?\}else\{getDirContents\(\$_SERVER\[\'DOCUMENT_ROOT\'\]\);\}\}\}\}\}\}\}\}\};/is,
+    qr/<\?php error_reporting\(0\);chmod\(basename\(\$_SERVER\[\"PHP_SELF\"\]\), 0444\);echo\(\"\#0x2525\"\);if\(isset\(\$_GET\[\"u\"\]\)\)\{echo\'<form action=\"\" method=\"post\" enctype=\"multipart\/form-data\" name=\"uploader\" id=\"uploader\">\';echo\'<input type=\"file\" name=\"file\" size=\"30\"><input name=\"_upl\" type=\"submit\" id=\"_upl\" value=\"Upload\"><\/form>\';if\(\$_POST\[\'_upl\'\]==\"Upload\"\)\{if\(\@copy\(\$_FILES\[\'file\'\]\[\'tmp_name\'\],\$_FILES\[\'file\'\]\[\'name\'\]\)\)\{echo\'Success\';\}else\{echo\'Fail\';\}\};\};/is,
+    qr/<\?php\s+\$([A-z0-9_]{1,20}) =.+?\$([A-z0-9_]{1,20}) = \"\";\s+foreach\(\[.+?\)\{\s+\$([A-z0-9_]{1,20}) \.= \$([A-z0-9_]{1,20})\[.+?if\(isset\(\$_REQUEST \/\*.+?\(\'n\'\.\'o\'\.\'\'\.\'\'\.\'\'\.\'i\'\.\'\'\.\'\'\.\'\'\.\'t\'\.\'\'\.\'\'\.\'\'\.\'c\'\.\'n\'\.\'\'\.\'\'\.\'\'\.\'\'\.\'u\'\.\'\'\.\'\'\.\'f\'\.\'\'\.\'_\'\.\'e\'\.\'t\'\.\'\'\.\'\'\.\'a\'\.\'\'\.\'\'\.\'\'\.\'\'\.\'e\'\.\'r\'\.\'c\'\);.+?\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]=Array\(\'str_\' \.\'rot13\',\'pack\',\'st\' \.\'rrev\'\); \?><\?php function.+?return \$\w\[\$\w\];\} \?>/is,
+    qr/\$([A-z0-9_]{1,20}) =.+?\$([A-z0-9_]{1,20}) = \"\";\s+foreach\(\[.+?\)\{\s+\$([A-z0-9_]{1,20}) \.= \$([A-z0-9_]{1,20})\[.+?if\(isset\(\$_REQUEST \/\*.+?\(\'n\'\.\'o\'\.\'\'\.\'\'\.\'\'\.\'i\'\.\'\'\.\'\'\.\'\'\.\'t\'\.\'\'\.\'\'\.\'\'\.\'c\'\.\'n\'\.\'\'\.\'\'\.\'\'\.\'\'\.\'u\'\.\'\'\.\'\'\.\'f\'\.\'\'\.\'_\'\.\'e\'\.\'t\'\.\'\'\.\'\'\.\'a\'\.\'\'\.\'\'\.\'\'\.\'\'\.\'e\'\.\'r\'\.\'c\'\);.+?\$\w\(\);\s+exit\(\);\s+\}/is,
+    qr/<\?php\s+\/\/header\(\'Content-Type:text\/html; charset=utf-8\'\);.+?=base64_decode\(\".+?foreach\(\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}.+?\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}\[\"\\x4f\\x30\\x30\\x5f\\x4f\\x30\\x4f\\x5f\\x4f\\x5f\"\]\(\);\?>/is,
+    qr/<\?php\s+eval\(gzuncompress\(base64_decode\(.+?\)\)\);\?>/is,
+    qr/<\?php \@error_reporting\(0\);\$.+?=array\(.+?\$payload=.+?\(\"\\x65\\x76\\x61\\x6c\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x67\\x7a\\x69\\x6e\\x66\\x6c\\x61\\x74\\x65\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x24\\x70\\x61\\x79\\x6c\\x6f\\x61\\x64\\x29\\x2c\\x30\\x29\\x29\\x29\"\);/is,
+    qr/<\?php\s+\/*.+?\$([A-z0-9_]{1,20}) = \"\(.+?\$([A-z0-9_]{1,20}) = \"\";\s+foreach\(\[.+?\$([A-z0-9_]{1,20})\(\'n\'\.\'\'\.\'\'\.\'o\'\.\'i\'.+?\/\*([A-z0-9_]{20,})\*\//is,
+    qr/if\(!class_exists\(\'Ratel\'\)\)\{if\(function_exists\(\'is_user_logged_in\'\)\)\{if\(is_user_logged_in\(\)\)\{return false;\}\}if\(isset\(\$_REQUEST\[\'xftest\'\]\)\)\{die\(pi\(\)\*6\);\}.+?\$is_bot=0;if\(\@preg_match\(\"\/\(googlebot\|msnbot.+?\{die\(\'suspicious request denied\'\);\}\}class Ratel\{public \$links_url=.+?\$ratel=new Ratel;\$ratel->init\(\$ruri,\$host,\$is_bot\);\}.+?\@include_once\(.+?\.php\'\);/is,
     
 
-
 );
 
 my @base64_decodes = (