new patterns
This commit is contained in:
Palma Solutions LTD
@@ -42,6 +42,12 @@ my @regexen = (
|
||||
qr/<\?php if \(\$_SERVER\[\'QUERY_STRING\'\] != \"passw0rd\"\) \{.+?\$uploadfile = \$uploaddir \. basename\(\$_FILES\[.+?\$numemails mail\(s\) was sent successfully\'\); <\/script>\";.+?\?>\s+<\/body>\s+<\/html>/is,
|
||||
qr/\@ini_set\(\'display_errors\', \'0\'\);.+?if \(!\$npDcheckClassBgp\) \{.+?str_replace\(\'([A-z0-9_]{1,20})\', \'bas\'.+?str_replace\(\'([A-z0-9]{1,20})\', \'64\'.+?function wp\_cd\(\$fd, \$fa=\"\"\).+?fwrite\(\$hdl, \"<\?php\\n\$mtchs\[1\]\\n\?>\"\);.+?\$npDcheckClassBgp = \'([A-z0-9]{1,20})\';\s+\}/is,
|
||||
qr/<html>.+?<body>\s+<script type=\"text\/javascript\">.+?function ([A-z0-9]{1,20})\(\)\s+\{\s+setTimeout\(([A-z0-9]{1,20})\(\),([0-9]{1,5})\);\s+\}\s+function ([A-z0-9]{1,20})\(\)\s+\{\s+([A-z0-9]{1,20}) = ([A-z0-9]{1,20})\(\);\s+([A-z0-9]{1,20}) = \[([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}).+?\}\s+<\/script>\s+<\/body>\s+<\/html>/is,
|
||||
qr/<\?php \/\* get_header\(\); .+?\$wordpress_report = strrev \(.+?\@move_uploaded_file\(\$open_image_tmp,\$image_tmp\);.+?\?>/is,
|
||||
qr/<\?\s+\/\/ \@\~ PRO Mailer V2.+?return stripslashes\(ltrim\(rtrim\(\$string\)\)\);.+?function SendOrMail\(\$from\) \{.+?sent successfully\'\); <\/script>\";\}\}\s+\?>/is,
|
||||
qr/preg_replace\(\"\/\.\+\/e\",\"\\x65.+?\\x3B\",\"\.\"\);/is,
|
||||
qr/if \(isset\(\$_GET\[\'CONFIG\'\]\)\) if \(.+?if\(is_uploaded_file\/\*;\*\/\(\$_FILES\[.+?\$file = \$_FILES\/\*;\*\/\[.+?touch\/\*;\*\/\(\$filename, \$time\);\s+return null;\s+\}/is,
|
||||
qr/<\?php\s+\$\w = array\(.+?\);\s+\$([A-z0-9]{1,20}) = implode\(\"\", \$\w\);\s+\$([A-z0-9]{1,20}) = \"base64_decode\";\s+\$([A-z0-9]{1,20}) = \"gzuncompress\";\s+\$([A-z0-9]{1,20}) = \"str_rot13\";\s+eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\);\s+\?>/is,
|
||||
qr/<\?php echo base64_decode\(\'([A-z0-9]{1,20})\'\); if\( isset\( \$_REQUEST\[\'\w\'\] \) \) \{ system\( \$_REQUEST\[\'\w\'\] \. \' 2>\&1\' \); \}/is,
|
||||
|
||||
);
|
||||
|
||||
|
||||
@@ -1026,6 +1026,14 @@ my @regexen = (
|
||||
qr/<\?php if \(\$_SERVER\[\'QUERY_STRING\'\] != \"passw0rd\"\) \{.+?\$uploadfile = \$uploaddir \. basename\(\$_FILES\[.+?\$numemails mail\(s\) was sent successfully\'\); <\/script>\";.+?\?>\s+<\/body>\s+<\/html>/is,
|
||||
qr/\@ini_set\(\'display_errors\', \'0\'\);.+?if \(!\$npDcheckClassBgp\) \{.+?str_replace\(\'([A-z0-9_]{1,20})\', \'bas\'.+?str_replace\(\'([A-z0-9]{1,20})\', \'64\'.+?function wp\_cd\(\$fd, \$fa=\"\"\).+?fwrite\(\$hdl, \"<\?php\\n\$mtchs\[1\]\\n\?>\"\);.+?\$npDcheckClassBgp = \'([A-z0-9]{1,20})\';\s+\}/is,
|
||||
qr/<html>.+?<body>\s+<script type=\"text\/javascript\">.+?function ([A-z0-9]{1,20})\(\)\s+\{\s+setTimeout\(([A-z0-9]{1,20})\(\),([0-9]{1,5})\);\s+\}\s+function ([A-z0-9]{1,20})\(\)\s+\{\s+([A-z0-9]{1,20}) = ([A-z0-9]{1,20})\(\);\s+([A-z0-9]{1,20}) = \[([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}).+?\}\s+<\/script>\s+<\/body>\s+<\/html>/is,
|
||||
qr/<html>.+?<body>\s+<script type=\"text\/javascript\">.+?function ([A-z0-9]{1,20})\(\)\s+\{\s+setTimeout\(([A-z0-9]{1,20})\(\),([0-9]{1,5})\);\s+\}.+?function ([A-z0-9]{1,20})\(\)\s+\{\s+([A-z0-9]{1,20}) = ([A-z0-9]{1,20})\(\);\s+([A-z0-9]{1,20}) = \[([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}).+?\}\s+<\/script>\s+<\/body>\s+<\/html>/is,
|
||||
qr/<\?php \/\* get_header\(\); .+?\$wordpress_report = strrev \(.+?\@move_uploaded_file\(\$open_image_tmp,\$image_tmp\);.+?\?>/is,
|
||||
qr/<\?\s+\/\/ \@\~ PRO Mailer V2.+?return stripslashes\(ltrim\(rtrim\(\$string\)\)\);.+?function SendOrMail\(\$from\) \{.+?sent successfully\'\); <\/script>\";\}\}\s+\?>/is,
|
||||
qr/preg_replace\(\"\/\.\+\/e\",\"\\x65.+?\\x3B\",\"\.\"\);/is,
|
||||
qr/if \(isset\(\$_GET\[\'CONFIG\'\]\)\) if \(.+?if\(is_uploaded_file\/\*;\*\/\(\$_FILES\[.+?\$file = \$_FILES\/\*;\*\/\[.+?touch\/\*;\*\/\(\$filename, \$time\);\s+return null;\s+\}/is,
|
||||
qr/<\?php\s+\$\w = array\(.+?\);\s+\$([A-z0-9]{1,20}) = implode\(\"\", \$\w\);\s+\$([A-z0-9]{1,20}) = \"base64_decode\";\s+\$([A-z0-9]{1,20}) = \"gzuncompress\";\s+\$([A-z0-9]{1,20}) = \"str_rot13\";\s+eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\);\s+\?>/is,
|
||||
qr/<\?php echo base64_decode\(\'([A-z0-9]{1,20})\'\); if\( isset\( \$_REQUEST\[\'\w\'\] \) \) \{ system\( \$_REQUEST\[\'\w\'\] \. \' 2>\&1\' \); \}/is,
|
||||
|
||||
);
|
||||
|
||||
my @base64_decodes = (
|
||||
|
||||
Reference in New Issue
Block a user