new patterns

Palma Solutions LTD 2018-02-19 09:17:56 +01:00
parent 0d48bcd60d
commit aa5a52d989
2 changed files with 9 additions and 1 deletions


@ -333,7 +333,9 @@ my @regexen = (
qr/<\?php\s+if\(md5\(\$\_COOKIE\[\'\_wp\_debugger\'\]\)\=\=\"([A-z0-9]{32})\"\)\{\s+eval\(base64\_decode\(\$\_POST\[\'file\'\]\)\)\;\s+exit\;\s+\}\s+\?>/is, qr/<\?php\s+if\(md5\(\$\_COOKIE\[\'\_wp\_debugger\'\]\)\=\=\"([A-z0-9]{32})\"\)\{\s+eval\(base64\_decode\(\$\_POST\[\'file\'\]\)\)\;\s+exit\;\s+\}\s+\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\_POST\[\'upload\'\]\)\)\{.+?fwrite\(\$fp\,\s+\$\_POST\[\'uploadfile\'\]\)\;.+?else\s+\{header\(\'Location\:\s+\.\.\/\.\.\/\'\)\;\}\s+\?>/is, qr/<\?php\s+if\s+\(isset\(\$\_POST\[\'upload\'\]\)\)\{.+?fwrite\(\$fp\,\s+\$\_POST\[\'uploadfile\'\]\)\;.+?else\s+\{header\(\'Location\:\s+\.\.\/\.\.\/\'\)\;\}\s+\?>/is,
qr/<\?php\s+if\s+\(\(isset\(\$\_POST\[\'to\'\]\)\)\s+AND.+?\$\_POST\[\'headers\'\]\)\)\s+\{echo\s+\'ok\'\;\}.+?else\s+\{\s+header\(\'Location\:\s+\/\'\)\;\s+\}\s+\?>/is, qr/<\?php\s+if\s+\(\(isset\(\$\_POST\[\'to\'\]\)\)\s+AND.+?\$\_POST\[\'headers\'\]\)\)\s+\{echo\s+\'ok\'\;\}.+?else\s+\{\s+header\(\'Location\:\s+\/\'\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$\w\d\=\$\_REQUEST\[\'sort\'\]\;\$\w\d\=\'\'\;\$\w\d\=\".+?\"\;\$\w\d\=array\(.+?\)\;foreach\(\$\w\d\s+as\s+\$\w\d\)\{\$\w\d\.\=\$\w\d\[\$\w\d\]\;\}\$\w\d\=strrev\(\"noi\"\.\"tcnuf\"\.\"\_eta\"\.\"erc\"\)\;\$\w\d\=\$\w\d\(\"\"\,\$\w\d\(\$\w\d\)\)\;\$\w\d\(\)\;\?>/is,
qr/<\?php\s+eval\(\"\?>\"\s+\.\s+base64\_decode\(\".+?\)\)\;\s+\?>/is,
); );
my @base64_decodes = ( my @base64_decodes = (
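Review bot: The last added pattern (the `eval("?>" . base64_decode(` signature) does not bound the payload: under `/s`, `\".+?\)\)\;` runs from the opening quote to the first `));` followed by `?>` anywhere later in the file, and no closing quote is required. If entries of `@regexen` are used to strip matches from scanned files (the consuming code is outside this hunk), a match could take legitimate code with it. Restricting the payload to the base64 alphabet keeps the match on the injected statement: `base64\_decode\(\"[A-Za-z0-9+\/=\s]+\"\s*\)\s*\)\s*\;`. The mandatory `\s+` on both sides of the concatenation dot could also be `\s*`, so the same loader is still detected when formatted without spaces.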


@ -463,6 +463,12 @@ error_reporting(E_ALL);
"RewriteCond %{HTTP_REFERER}\s*\^\.\*\s*\([^\)]*[google|yahoo|bing|ask|wikipedia|youtube][^\)]", "RewriteCond %{HTTP_REFERER}\s*\^\.\*\s*\([^\)]*[google|yahoo|bing|ask|wikipedia|youtube][^\)]",
"^<\?php\s*if\(!function_exists\([^{]+\s*{\s*function[^}]+\s*}\s*[^\"']+\s*[\"'][^\"']+[\"'];\s*eval\s*\(.*\)\s*;\s*}", "^<\?php\s*if\(!function_exists\([^{]+\s*{\s*function[^}]+\s*}\s*[^\"']+\s*[\"'][^\"']+[\"'];\s*eval\s*\(.*\)\s*;\s*}",
"<\?php)*\\\$md5\s*=\s*[\"|']\w+[\"|'];\s*\\\$wp_salt\s*=\s*[\w\(\),\"\'\;\$]+\s*\\\$wp_add_filter\s*=\s*create_function\(.*\);\s*\\\$wp_add_filter\(.*\);\s*(\?>", "<\?php)*\\\$md5\s*=\s*[\"|']\w+[\"|'];\s*\\\$wp_salt\s*=\s*[\w\(\),\"\'\;\$]+\s*\\\$wp_add_filter\s*=\s*create_function\(.*\);\s*\\\$wp_add_filter\(.*\);\s*(\?>",
// hacker emails & socials
"b0x\@hotmail\.com",
"facebook\.com\/007mrspy",
"Skype\:\s*live\:zepek_al",
"nerf\.sarcasm007\@gmail\.com",
); );
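Review bot: The added indicator `"b0x\@hotmail\.com"` has no boundary on either side, so it also matches any longer address that merely ends in `b0x@hotmail.com`; with a three-character local part that is a plausible false positive. Anchoring it as `"\bb0x\@hotmail\.com\b"` narrows the hit to the listed address, and the same applies to `nerf\.sarcasm007\@gmail\.com`. Contact strings are also weaker evidence than the code signatures above them in this list, so if a hit on any entry marks the file as infected (the code that consumes this array is outside the hunk), these four may be better reported at a lower severity. Whether `Skype\:` is matched case-insensitively depends on how the patterns are compiled, which is not visible here.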