new patterns & bugfix

Palma Solutions LTD 2018-06-21 08:26:50 +02:00
parent b827e5cfd1
commit ab7030a744
3 changed files with 9 additions and 2 deletions


@ -226,6 +226,7 @@ my @regexen = (
qr/<\?php\s+\/\/Starting calls\s+if \(!function_exists\(\"getmicrotime\"\)\).+?<\/body><\/html><\?php chdir\(\$lastdir\); N3tshexit\(\); \?>/is,
qr/<\?\s+if\(!empty\(\$_SERVER\[\'HTTP_USER_AGENT\'\]\)\) \{.+?move_uploaded_file\(\$_FILES\[.+?fotTKL\(\$gaza_text,\$gaza_text1,\$dir\);\s+\?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = array\(.+?array\(\'ba\' ,\'se\' ,\'64\' ,\'_d\' ,\'ec\' ,\'od\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gzun\', \'comp\', \'ress\'\) ;\$([A-z0-9_]{1,20}) = .+?eval.+?\) \) \) \) ; \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'s\'\.chr\(116\)\.\'rrev\';\$([A-z0-9_]{1,20}) = array\(\'.+?\);eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
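Review bot: The variable-name class `[A-z0-9_]` in the last two patterns of this hunk is wider than a PHP identifier, because the range `A-z` also covers the ASCII punctuation between `Z` and `a` (`[`, `\`, `]`, `^` and the backtick). Since every pattern already carries `/i`, `[a-z0-9_]` states what is meant and keeps the signature from matching unrelated text. The same two patterns appear again in the second file section of this commit (the `@regexen` list near line 1214) and need the same change. The page does not show which line this hunk adds, and the list starts and ends outside the hunk, so this applies to the new entry as much as to the existing ones.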


@ -1214,6 +1214,12 @@ my @regexen = (
qr/<\?php\s+\/\/Starting calls\s+if \(!function_exists\(\"getmicrotime\"\)\).+?<\/body><\/html><\?php chdir\(\$lastdir\); N3tshexit\(\); \?>/is,
qr/<\?\s+if\(!empty\(\$_SERVER\[\'HTTP_USER_AGENT\'\]\)\) \{.+?move_uploaded_file\(\$_FILES\[.+?fotTKL\(\$gaza_text,\$gaza_text1,\$dir\);\s+\?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = array\(.+?array\(\'ba\' ,\'se\' ,\'64\' ,\'_d\' ,\'ec\' ,\'od\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gzun\', \'comp\', \'ress\'\) ;\$([A-z0-9_]{1,20}) = .+?eval.+?\) \) \) \) ; \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'s\'\.chr\(116\)\.\'rrev\';\$([A-z0-9_]{1,20}) = array\(\'.+?\);eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
);
my @base64_decodes = (
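Review bot: The four signatures visible here are byte-for-byte the ones in the first file section, yet this hunk grows by six lines where that one grows by one, which suggests the two `@regexen` lists are maintained by hand and had drifted apart. A signature present in only one list means one scanner misses what the other catches; loading both lists from a single shared pattern file would remove that gap. If the duplication is deliberate, a comment above `my @regexen = (` such as `# keep in sync with <path of the sibling scanner>` would at least make the coupling visible. The added lines themselves are not shown on this page, so they are not reviewed here.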


@ -502,8 +502,8 @@ def is_hacked(filename):
score.append(('SET_ERRORREPORTING_0', ''))
if 'ignore_user_abort(' in l or 'ignore_user_abort (' in l:
score.append(('SET_IGNOREUSERABORT_0', ''))
if 'memory_limit","-1"' in l or 'memory_limit",-1' in l:
score.append(('SET_MEMORYLIMIT_0', ''))
# if 'memory_limit","-1"' in l or 'memory_limit",-1' in l:
# score.append(('SET_MEMORYLIMIT_0', ''))
if ('system(' in l or 'system (' in l or 'shell_exec(' in l or 'shell_exec (' in l or 'passthru(' in l) and not 'filesystem' in l.lower():
score.append(('EXEC_SHELL', ''))
if 'PCT4BA6ODSE_' in l or 'eval($s21($s22))' in l or '$qV="stop_"' in l:
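Review bot: The `memory_limit` check is switched off by commenting it out, with nothing recording why. Either delete the two lines or put the reason above them, e.g. `# disabled: <reason, such as false positives on legitimate ini_set calls>`, so a later maintainer does not re-enable it blindly. If `SET_MEMORYLIMIT_0` is weighted elsewhere in the scoring, that entry is now dead and should be removed with it; this is not visible from the hunk. On the context line below, `not 'filesystem' in l.lower()` suppresses `EXEC_SHELL` for the whole line whenever that word occurs anywhere in it, even beside a real `system(` call; matching the call on a word boundary, `re.search(r'\bsystem\s*\(', l)` (assuming `re` is imported), would make the exclusion unnecessary. `is_hacked` starts and ends outside the hunk.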