Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new patterns

Browse Source
This commit is contained in:
Palma Solutions LTD 2018-04-06 19:35:17 +02:00
parent e95924727a
commit b90f8c61c7
1 changed files with 16 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
malware5.pl
View File

@ -121,6 +121,22 @@ my @regexen = (
qr/<\?php.+?\$auth\_pass\s+\=\s+\".+?\"\;\s+\/\/\s+default\:.+?eval\(base64\_decode\(gzinflate\(str\_rot13\(convert\_uudecode\(gzinflate\(base64\_decode\(\(\$.+?\)\)\)\)\)\)\)\)\;/is,
qr/<\?php\s+\$\{.+?\"\;if\(get\_magic\_quotes\_gpc\(\)\)\{\$.+?\)\)\;return\$\{\$([A-z0-9]{1,20})\}\;\}\s+\?>/is,
qr/<\?php.+?\@clearstatcache\(\)\;.+?echo\s+\"<center>Copyright\s+\&copy\;.+?\}\s+\?>/is,
qr/<\?php.+?\@clearstatcache\(\)\;.+?function\s+login\_shell\(\)\s+\{.+?if\(\!is\_readable\(\$dir\)\)\s+\{.+?\}\s+\?>\s+<\/html>/is,
qr/<\?php.+?if\(get\_magic\_quotes\_gpc\(\)\)\{.+?foreach\(\$scandir\s+as\s+\$dir\)\{.+?return\s+\$info\;\s+\}\s+\?>/is,
qr/<\?php\s+ini\_get\(\'max\_execution\_time\'\)\;.+?\$message\s+\=\s+stripslashes\(\$message\)\;.+?BLACKER\.X\s+<\/p>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\$web\s+\=\s+\$\_SERVER\[\"HTTP\_HOST\"\]\;.+?Shell\s+http\:\/\/\$web\$inj.+?IP\:\s+\"\;\s+\}\s+\?>/is,
qr/<\?php.+?\$\{.+?\$\{.+?\$\{.+?\;\$\{\"G.+?\;\$\{\"G.+?\;\$\{\"G.+?\}\)\;\}\}\}\}\}\s+\/\/([A-z0-9]{1,20})\s+\?>/is,
qr/<\?php\s+echo\s+\'<form\s+action\=\"\"\s+method\=\"post\"\s+enctype\=\"multipart\/form\-data\"\s+name\=\"upl\"\s+id\=\"upl\">\'\;echo\s+\'<input\s+type\=\"file\"\s+name\=\"file\"\s+size\=\"50\"><input\s+name\=\"\_upl\"\s+type\=\"submit\"\s+id\=\"\_upl\"\s+value\=\"Upload\"><\/form>\'\;if\(\s+\$\_POST\[\'\_upl\'\]\s+\=\=\s+\"Upload\"\s+\)\s+\{if\(\@copy\(\$\_FILES\[\'file\'\]\[\'tmp\_name\'\]\,\s+\$\_FILES\[\'file\'\]\[\'name\'\]\)\)\{echo\s+\'a\'\;\s+\}else\s+\{echo\s+\'b\'\;\}\}\?>/is,
qr/<\?php\s+header\(\'Content\-Type\:.+?Hacker\s+Shell.+?\)\;break\;default\:home\(\)\;break\;\}\?>/is,
qr/<\?php\s+\@preg\_replace\(\"\/\[pageerror\]\/e\"\,\$\_POST\[.+?\)\;\s+\?><\?php.+?\=urldecode\(.+?create\s+ok\!\"\;\}\}exit\;\'\)\;\$\{.+?\]\(\)\;\?>/is,
qr/<\?php\s+\/\/header\(.+?\=urldecode\(.+?\$start\)\,\(\$\{.+?\]\(\)\;\?>/is,
qr/<\?php\s+if\(\!function\_exists\(.+?\)\+ord\(\$.+?\=strlen\(\$.+?preg\_match\(base64\_decode\(.+?\;\}\}\}\}eval\(.+?\)\)\;\?>/is,
qr/<\?\s+function\s+query\_str\(\$params\)\{.+?BlackSHOP.+?\$numemails\s+\=\s+count\(\$allemails\)\;\s+\$random\_smtp\_string\=array\(.+?eval\(base64\_decode\(\$undetect\)\)\;\s+\?>\s+<\/body>\s+<\/html>/is,
);