Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new patterns

Browse Source
This commit is contained in:
Palma Solutions LTD 2018-06-15 10:19:28 +02:00
parent d89f4c6c92
commit b7e8942eb9
2 changed files with 23 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
malware6.pl
View File

@ -182,8 +182,18 @@ my @regexen = (
qr/<\?php.+?\$id = \"([A-z0-9_]{1,20})\";\s+\$slow = array\(.+?\$wp2wp=\'str_r\'\.\'ot\'\.\'1\'\.\'3\';.+?if\(isset\(\$_GET\[1\]\)\)\{\$_=\$_GET;\$_\[1\]\(\$_\[2\]\);exit;\}/is,
qr/<\?php\s+\/\/die\(\"Temporary Under Maintenance\"\);.+?if\(is_uploaded_file\(\$_FILES\[([A-z0-9_]{1,20})\]\[tmp_name\]\)\) \{ \@copy\(\$_FILES\[([A-z0-9_]{1,20})\]\[tmp_name\],\$_FILES\[([A-z0-9_]{1,20})\]\[name\]\); \}\};\}.+?404 Not Found<\/h1>\";\s+exit\(\);\s+\}\?>/is,
qr/<\?php\s+if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\);exit;\}/is,
qr/<\?php \$([A-z0-9_]{1,20}) = array\(.+?array\(\'ba\' \,\'se\' \,\'64\' \,\'_d\' \,\'ec\' \,\'od\' \,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'g\'\, \'z\'\, \'u\'\, \'n\'\, \'c\'\, \'o\'\, \'m\'\, \'p\'\, \'r\'\, \'e\'\, \'s\'\, \'s\'\) ;\$.+?eval.+?\) \) \) \) ; \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = array.+? array\(\'bas\' \,\'e64\' \,\'_de\' \,\'cod\' \,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gzu\'\, \'nco\'\, \'mpr\'\, \'ess\'\) ;\$([A-z0-9_]{1,20}).+?eval.+?\) \) \) \) ; \?>/is,
qr/<\?php\s+if \(isset\(\$_POST\[\'([A-z0-9_-]{1,20})\'\]\)\) \{\s+eval\(\$_POST\[\'([A-z0-9_-]{1,20})\'\]\);\s+\};\s+\?>/is,
qr/<\?php.+?\*\/\$([O0o]{1,20})=urldecode\(\'\%\d\d.+?\$GLOBALS\[\'([O0o]{1,20})\'\]=\$([O0o]{1,20})\{\d\}.+?eval\(\$GLOBALS\[\'([O0o]{1,20})\'\]\(.+?([A-z0-9]{1,20})\Z/is,
qr/<\?php if\(isset\(\$_POST\[\"cod\\x65\"\]\)\)\{eval\(base64_decode\(\$_POST\[\"co\\x64e\"\]\)\);\}\s+\?>/is,
qr/<\?php if \(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\{eval\(base64_decode\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\);exit;\} \?>/is,
qr/<html>\s+<head>\s+<meta http-equiv=\"refresh\" content=\"2; url=http:\/\/.+?\">\s+<\/head>\s+<body>\s+<h1>Loading\.\.\.<\/h1>\s+<\/body>/is,
qr/<\?php\s+\@error_reporting\(0\); \@ini_set\(\'error_log\',NULL\); \@ini_set\(\'log_errors\',0\); if \(count\(\$_POST\) < 2\) \{ die\(PHP_OS\.chr\(.+?preg_split\(\'\/;\/\',strtolower\(\$.+?next\(explode\(\'\@\', \$.+?return \$([A-z0-9]{1,20}); \} \?>/is,
qr/<!--visitorTracker--><\?php \@ob_start\(\);\@ini_set\(\"display_errors\",0\);\@error_reporting\(0\);echo base64_decode\(.+?\"\);\?><!--visitorTracker-->/is,
qr/<\?php\s+if\(!empty\(\$_SERVER\[\'HTTP_USER_AGENT\'\]\)\) \{ \$([A-z0-9_]{1,20}) = array\(\"Google\", \"Slurp\", \"MSNBot\", \"ia_archiver\", \"Yandex\", \"Rambler\", \"StackRambler\"\); if\(preg_match\(\'\/\' \. implode\(\'\|\', \$([A-z0-9_]{1,20})\) \. \'\/i\', \@\$_SERVER\[\'HTTP_USER_AGENT\'\]\)\).+?\$([A-z0-9_]{1,20})\[\]=\@realpath\(\$([A-z0-9_]{1,20})\.DIRECTORY_SEPARATOR\.\$([A-z0-9_]{1,20})\)\.DIRECTORY_SEPARATOR; else continue; .+?return \$([A-z0-9_]{1,20}) ; \} \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'.+?\$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\"\",([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20}),\$([A-z0-9_]{1,20}),\$([A-z0-9_]{1,20})\)\); \$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20}); \$([A-z0-9_]{1,20})\(\"\"\); \$([A-z0-9_]{1,20})=\(([0-9_]{1,20})-([0-9_]{1,20})\); \$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20})-1; \?>/is,
);

14
malwaresh.pl
View File

@ -1168,9 +1168,19 @@ my @regexen = (
qr/<\?php.+?\$id = \"([A-z0-9_]{1,20})\";\s+\$slow = array\(.+?\$wp2wp=\'str_r\'\.\'ot\'\.\'1\'\.\'3\';.+?if\(isset\(\$_GET\[1\]\)\)\{\$_=\$_GET;\$_\[1\]\(\$_\[2\]\);exit;\}/is,
qr/<\?php\s+\/\/die\(\"Temporary Under Maintenance\"\);.+?if\(is_uploaded_file\(\$_FILES\[([A-z0-9_]{1,20})\]\[tmp_name\]\)\) \{ \@copy\(\$_FILES\[([A-z0-9_]{1,20})\]\[tmp_name\],\$_FILES\[([A-z0-9_]{1,20})\]\[name\]\); \}\};\}.+?404 Not Found<\/h1>\";\s+exit\(\);\s+\}\?>/is,
qr/<\?php\s+if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\);exit;\}/is,
qr/<\?php \$([A-z0-9_]{1,20}) = array\(.+?array\(\'ba\' \,\'se\' \,\'64\' \,\'_d\' \,\'ec\' \,\'od\' \,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'g\'\, \'z\'\, \'u\'\, \'n\'\, \'c\'\, \'o\'\, \'m\'\, \'p\'\, \'r\'\, \'e\'\, \'s\'\, \'s\'\) ;\$.+?eval.+?\) \) \) \) ; \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = array.+? array\(\'bas\' \,\'e64\' \,\'_de\' \,\'cod\' \,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gzu\'\, \'nco\'\, \'mpr\'\, \'ess\'\) ;\$([A-z0-9_]{1,20}).+?eval.+?\) \) \) \) ; \?>/is,
qr/<\?php\s+if \(isset\(\$_POST\[\'([A-z0-9_-]{1,20})\'\]\)\) \{\s+eval\(\$_POST\[\'([A-z0-9_-]{1,20})\'\]\);\s+\};\s+\?>/is,
qr/<\?php.+?\*\/\$([O0o]{1,20})=urldecode\(\'\%\d\d.+?\$GLOBALS\[\'([O0o]{1,20})\'\]=\$([O0o]{1,20})\{\d\}.+?eval\(\$GLOBALS\[\'([O0o]{1,20})\'\]\(.+?([A-z0-9]{1,20})\Z/is,
qr/<\?php if\(isset\(\$_POST\[\"cod\\x65\"\]\)\)\{eval\(base64_decode\(\$_POST\[\"co\\x64e\"\]\)\);\}\s+\?>/is,
qr/<\?php if \(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\{eval\(base64_decode\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\);exit;\} \?>/is,
qr/<html>\s+<head>\s+<meta http-equiv=\"refresh\" content=\"2; url=http:\/\/.+?\">\s+<\/head>\s+<body>\s+<h1>Loading\.\.\.<\/h1>\s+<\/body>/is,
qr/<\?php\s+\@error_reporting\(0\); \@ini_set\(\'error_log\',NULL\); \@ini_set\(\'log_errors\',0\); if \(count\(\$_POST\) < 2\) \{ die\(PHP_OS\.chr\(.+?preg_split\(\'\/;\/\',strtolower\(\$.+?next\(explode\(\'\@\', \$.+?return \$([A-z0-9]{1,20}); \} \?>/is,
qr/<!--visitorTracker--><\?php \@ob_start\(\);\@ini_set\(\"display_errors\",0\);\@error_reporting\(0\);echo base64_decode\(.+?\"\);\?><!--visitorTracker-->/is,
qr/<\?php\s+if\(!empty\(\$_SERVER\[\'HTTP_USER_AGENT\'\]\)\) \{ \$([A-z0-9_]{1,20}) = array\(\"Google\", \"Slurp\", \"MSNBot\", \"ia_archiver\", \"Yandex\", \"Rambler\", \"StackRambler\"\); if\(preg_match\(\'\/\' \. implode\(\'\|\', \$([A-z0-9_]{1,20})\) \. \'\/i\', \@\$_SERVER\[\'HTTP_USER_AGENT\'\]\)\).+?\$([A-z0-9_]{1,20})\[\]=\@realpath\(\$([A-z0-9_]{1,20})\.DIRECTORY_SEPARATOR\.\$([A-z0-9_]{1,20})\)\.DIRECTORY_SEPARATOR; else continue; .+?return \$([A-z0-9_]{1,20}) ; \} \?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'.+?\$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\"\",([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20}),\$([A-z0-9_]{1,20}),\$([A-z0-9_]{1,20})\)\); \$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20}); \$([A-z0-9_]{1,20})\(\"\"\); \$([A-z0-9_]{1,20})=\(([0-9_]{1,20})-([0-9_]{1,20})\); \$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20})-1; \?>/is,
)
;
);
my @base64_decodes = (