new patterns

2018-07-04 20:44:46 +02:00 · 2018-07-04 20:44:46 +02:00 · a3f3182d76
commit a3f3182d76
parent 466d559421
2 changed files with 21 additions and 1 deletions
--- a/malware6.pl
+++ b/malware6.pl
@ -263,7 +263,17 @@ my @regexen = (
    qr/<\?php \$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}\[\"\\x61j\\x76q\\x6c\\x65\\x69\\x66\"\]=\"\\x63\";if\(isset\(\$_GET\[\"a\\x62\\x63\\x311\"\]\)\)\{\$([A-z0-9_]{1,20})="\x63";\$\{\$([A-z0-9_]{1,20})\}=base64_decode\(\".+?\"\)\.\"([A-z0-9_]{1,20})\";\@\$\{\$\{\"GLOB\\x41\\x4c\\x53\"\}\[\"\\x61\\x6a\\x76\\x71l\\x65\\x69\\x66\"\]\}\(\$_POST\[\"\\x78\"\]\);exit\(\);\}\?>/is,
    qr/<\?php.+?<title>pastrulo<\/title>.+?\)\);\?>\'\)\);/is,
    qr/<\?php\s+\$\w=\"\\x62\";\$\w=\"\\x65\".+?eval\( \$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(.+?\)\)\);\s+\?>/is,
-
+    qr/<\?php\s+\@error_reporting\(0\);\s+\@set_time_limit\(0\);\s+\$code = \".+?\@eval\(gzinflate\(base64_decode\(\$code\)\)\);\?>/is,
+    qr/<\?php \@ini_set\(\'display_errors\',0\).+?CPANEL CRACKER.+?s3curity\.tn \"; \?>\s+<\?\(\@copy\(\$_FILES\[\'f\'\]\[\'tmp_name\'\], \$_FILES\[\'f\'\]\[\'name\'\]\)\);\?>/is,
+    qr/<html>\s+<head>\s+<title>\s+Dark Shell.+?<h1>Dark Shell<\/h1>.+?\$items = scandir \(\$file\);.+?echo \"<\/table>\\n\";\s+\?>/is,
+    qr/<\?php \$([A-z0-9_]{1,20}) = \'gzun\'\. \'comp\'\. \'ress\';\$([A-z0-9_]{1,20}) = \'b\' \.\'a\' \.\'s\' \.\'e\' \.\'6\' \.\'4\' \.\'_\' \.\'d\' \.\'e\' \.\'c\' \.\'o\' \.\'d\' \.\'e\';\$([A-z0-9_]{1,20}) = \'imp\' \.\'lod\' \.\'e\';\$([A-z0-9_]{1,20}) = array\(.+?\); eval\( \$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
+    qr/<\?php\s+set_time_limit\(0\);\s+error_reporting\(0\);\s+\$auth_pass.+?\/\/ con7extwebshell\s+\$con7ext2 =.+?eval\(str_rot13\(gzinflate\(str_rot13\(base64_decode\(\(\$con7ext2\)\)\)\)\)\);/is,
+    qr/<\?php.+?\$auth_pass =.+?eval\(str_rot13\(gzinflate\(str_rot13\(base64_decode\(\(\$([A-z0-9_]{1,20})\)\)\)\)\)\);/is,
+    qr/<\? \$([A-z0-9_]{1,20})=\$_GET\[\'hamza\'\].+?\@move_uploaded_file\(\$userfile_tmp.+?value=\"Submit\"><\/form>\';\}\}\?>/is,
+    qr/<html>\s+<head>\s+<title>Symlink Get Config.+?echo system\(\'ls \/var\/mail\'\);.+?symlink\(\'\/var\/www\/html\/include\/connect\.php\',\'OTHER\.txt\'\);.+?\?>\s+<\/td><\/table><\/body><\/html>/is,    
+    qr/<\?php\s+function query_str\(\$params\)\{.+?Priv8.+?sent successfully\'\); <\/script>\";\}\}\s+\?>\s+<\/body>\s+<\/html>/is,
+    qr/<\?php print_r\(eval\(\$_POST\[0\]\)\);/is,
+       
 );

 my @base64_decodes = (
--- a/malwaresh.pl
+++ b/malwaresh.pl
@ -1251,6 +1251,16 @@ my @regexen = (
    qr/<\?php \$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}\[\"\\x61j\\x76q\\x6c\\x65\\x69\\x66\"\]=\"\\x63\";if\(isset\(\$_GET\[\"a\\x62\\x63\\x311\"\]\)\)\{\$([A-z0-9_]{1,20})="\x63";\$\{\$([A-z0-9_]{1,20})\}=base64_decode\(\".+?\"\)\.\"([A-z0-9_]{1,20})\";\@\$\{\$\{\"GLOB\\x41\\x4c\\x53\"\}\[\"\\x61\\x6a\\x76\\x71l\\x65\\x69\\x66\"\]\}\(\$_POST\[\"\\x78\"\]\);exit\(\);\}\?>/is,
    qr/<\?php.+?<title>pastrulo<\/title>.+?\)\);\?>\'\)\);/is,
    qr/<\?php\s+\$\w=\"\\x62\";\$\w=\"\\x65\".+?eval\( \$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(.+?\)\)\);\s+\?>/is,
+    qr/<\?php\s+\@error_reporting\(0\);\s+\@set_time_limit\(0\);\s+\$code = \".+?\@eval\(gzinflate\(base64_decode\(\$code\)\)\);\?>/is,
+    qr/<\?php \@ini_set\(\'display_errors\',0\).+?CPANEL CRACKER.+?s3curity\.tn \"; \?>\s+<\?\(\@copy\(\$_FILES\[\'f\'\]\[\'tmp_name\'\], \$_FILES\[\'f\'\]\[\'name\'\]\)\);\?>/is,
+    qr/<html>\s+<head>\s+<title>\s+Dark Shell.+?<h1>Dark Shell<\/h1>.+?\$items = scandir \(\$file\);.+?echo \"<\/table>\\n\";\s+\?>/is,
+    qr/<\?php \$([A-z0-9_]{1,20}) = \'gzun\'\. \'comp\'\. \'ress\';\$([A-z0-9_]{1,20}) = \'b\' \.\'a\' \.\'s\' \.\'e\' \.\'6\' \.\'4\' \.\'_\' \.\'d\' \.\'e\' \.\'c\' \.\'o\' \.\'d\' \.\'e\';\$([A-z0-9_]{1,20}) = \'imp\' \.\'lod\' \.\'e\';\$([A-z0-9_]{1,20}) = array\(.+?\); eval\( \$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
+    qr/<\?php\s+set_time_limit\(0\);\s+error_reporting\(0\);\s+\$auth_pass.+?\/\/ con7extwebshell\s+\$con7ext2 =.+?eval\(str_rot13\(gzinflate\(str_rot13\(base64_decode\(\(\$con7ext2\)\)\)\)\)\);/is,
+    qr/<\?php.+?\$auth_pass =.+?eval\(str_rot13\(gzinflate\(str_rot13\(base64_decode\(\(\$([A-z0-9_]{1,20})\)\)\)\)\)\);/is,
+    qr/<\? \$([A-z0-9_]{1,20})=\$_GET\[\'hamza\'\].+?\@move_uploaded_file\(\$userfile_tmp.+?value=\"Submit\"><\/form>\';\}\}\?>/is,
+    qr/<html>\s+<head>\s+<title>Symlink Get Config.+?echo system\(\'ls \/var\/mail\'\);.+?symlink\(\'\/var\/www\/html\/include\/connect\.php\',\'OTHER\.txt\'\);.+?\?>\s+<\/td><\/table><\/body><\/html>/is,
+    
+

 );