new patterns
This commit is contained in:
Palma Solutions LTD
@@ -454,6 +454,14 @@ my @regexen = (
|
||||
qr/<\?php.+?\?>([A-z0-9]{1,20})\%([A-z0-9]{1,20})\%.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
|
||||
qr/<\?php.+?\$([A-z0-9]{1,20})\=\(([0-9]{1,5})\-([0-9]{1,5})\)\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
|
||||
qr/<\?php\s+if\(\@isset\(\$\_SERVER\[HTTP\_.+?\]\)\)\{\@eval\(base64\_decode\(\$\_SERVER\[.+?\]\)\)\;\}exit\;\?>.+?sites\/libasset\.php/is,
|
||||
qr/<\?php.+?c99\s+injektor.+?<\?php\s+chdir\(\$lastdir\)\;\s+c99shexit\(\)\;\s+\?>/is,
|
||||
qr/<\?php.+?\$language\=\'ru\'\;.+?eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
|
||||
qr/<\?php\s+\$script\s+\=\s+basename\(\_\_FILE\_\_\)\;.+?function\s+getUniqueCode\(\)\{.+?\$pageURL\.\"osh3\.php\"\;.+?o3\:\$o3<br>\"\;\s+\?>/is,
|
||||
qr/<\?php\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\?>/is,
|
||||
qr/<\?\s+\$times\=rand\(.+?\$code\=\s+<<<EOD.+?\$encoded\=base64\_encode\(\$code\)\;.+?closedir\(\$dh\)\;\s+\}\s+\}\s+\}\s+\?>/is,
|
||||
qr/<\?.+?if\(isset\(\$\_SERVER\[\'WINDIR\'\]\)\)\{.+?if\(strstr\(\$contents\,\"c99\"\)\)\{\s+return\s+true\;\s+\}\s+\}\s+\?>/is,
|
||||
qr/<\?php\s+\@system\(\"cd\s+\/tmp\;wget\s+http\:\/\/.+?\@shell\_exec\(\"cd\s+\/tmp\;wget\s+http\:\/\/.+?\?>/is,
|
||||
qr/<\?php.+?array\(\"\.\"\,\"\.\.\"\,\"\.\.\/\.\.\"\,\s+\"\.\.\/\.\.\/\.\.\"\)\;.+?array\(\"index\.html\"\,\s+\"index\.htm\"\,\s+\"index\.shtml\"\,\s+\"default\.asp\"\)\;.+?\]\)\.\"\?domain\=\"\.base64\_encode\(\$\_SERVER\[\'HTTP\_HOST\'\]\)\)\;.+?\"\)\;\s+\?>/is,
|
||||
|
||||
);
|
||||
|
||||
|
||||
@@ -937,6 +937,15 @@ my @regexen = (
|
||||
qr/<\?\s+eval\(gzinflate\(str\_rot13\(base64\_decode\(.+?\)\)\)\)\;\s+\?>/is,
|
||||
qr/<\?php.+?\?>([A-z0-9]{1,20})\%([A-z0-9]{1,20})\%.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
|
||||
qr/<\?php\s+if\(\@isset\(\$\_SERVER\[HTTP\_.+?\]\)\)\{\@eval\(base64\_decode\(\$\_SERVER\[.+?\]\)\)\;\}exit\;\?>.+?sites\/libasset\.php/is,
|
||||
qr/<\?php.+?c99\s+injektor.+?<\?php\s+chdir\(\$lastdir\)\;\s+c99shexit\(\)\;\s+\?>/is,
|
||||
qr/<\?php.+?\$language\=\'ru\'\;.+?eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
|
||||
qr/<\?php\s+\$script\s+\=\s+basename\(\_\_FILE\_\_\)\;.+?function\s+getUniqueCode\(\)\{.+?\$pageURL\.\"osh3\.php\"\;.+?o3\:\$o3<br>\"\;\s+\?>/is,
|
||||
qr/<\?php\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\?>/is,
|
||||
qr/<\?\s+\$times\=rand\(.+?\$code\=\s+<<<EOD.+?\$encoded\=base64\_encode\(\$code\)\;.+?closedir\(\$dh\)\;\s+\}\s+\}\s+\}\s+\?>/is,
|
||||
qr/<\?.+?if\(isset\(\$\_SERVER\[\'WINDIR\'\]\)\)\{.+?if\(strstr\(\$contents\,\"c99\"\)\)\{\s+return\s+true\;\s+\}\s+\}\s+\?>/is,
|
||||
qr/<\?php\s+\@system\(\"cd\s+\/tmp\;wget\s+http\:\/\/.+?\@shell\_exec\(\"cd\s+\/tmp\;wget\s+http\:\/\/.+?\?>/is,
|
||||
qr/<\?php.+?array\(\"\.\"\,\"\.\.\"\,\"\.\.\/\.\.\"\,\s+\"\.\.\/\.\.\/\.\.\"\)\;.+?array\(\"index\.html\"\,\s+\"index\.htm\"\,\s+\"index\.shtml\"\,\s+\"default\.asp\"\)\;.+?\]\)\.\"\?domain\=\"\.base64\_encode\(\$\_SERVER\[\'HTTP\_HOST\'\]\)\)\;.+?\"\)\;\s+\?>/is,
|
||||
|
||||
|
||||
);
|
||||
|
||||
|
||||
Reference in New Issue
Block a user