Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new patterns

Browse Source
This commit is contained in:
Palma Solutions LTD
2018-04-28 09:02:43 +02:00
parent 6111460a23
commit ba71f2bdae
2 changed files with 17 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
malware5.pl
View File

@@ -310,7 +310,14 @@ my @regexen = (
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"PCT4BA6ODSE\_\"\;\$([A-z0-9]{1,20})\=strtolower\(\$([A-z0-9]{1,20})\[.+?\]\;if\(isset\(\$([A-z0-9]{1,20})\)\)\{eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;\}\?>/is,
qr/<\?\s+\$auth\_pass\s+\=.+?FilesMan.+?eval\(base64\_decode\(.+?return\;\s+\?>/is,
qr/RewriteEngine\s+on\s+RewriteCond\s+\%\{HTTP\_USER\_AGENT\}\s+android\s+\[NC\,OR\].+?RewriteRule\s+\^\(\.\*\)\$\s+http\:\/\/sswim\.ru\s+\[L\,R\=302\]/is,
qr/<\?php\s+\/\*\*\/\s+eval\(base64\_decode\(\"aWYo.+?\)\)\;\?>/is,
qr/<\?php.+?\$auth\_pass.+?FilesMan.+?header\(\'HTTP\/1\.0\s+404\s+Not\s+Found\'\)\;\s+exit\;/is,
qr/<div\s+id\=\'HideMeBetter\'>.+?document\.getElementById\(\'HideMeBetter\'\)\.style\.display\s+\=\s+\'none\'\;\}<\/script>/is,
qr/<\!\-\-start\-add\-div\-content\-\-><p\s+class\=\"dnn\">.+?Viagra.+?<\/p><\!\-\-end\-add\-div\-content\-\->/is,
qr/<script\s+language\=\"JavaScript\">\s+function\s+dnnViewState\(\).+?dnnViewState\(\)\;\s+<\/script>/is,
qr/<\?php\s+\$\_([A-z0-9]{1,20})\=\"\\x([A-z0-9]{2}).+?\\x([A-z0-9]{2})\"\;\$\_([A-z0-9]{1,20})\=\"\\x([A-z0-9]{2}).+?\)\)\;\$\_([A-z0-9]{1,20})\(\)\;\?>/is,
qr/<\?php.+?Parabola.+?eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php\s+function\s+html\(\$data\).+?array\_unshift\(\$data\,.+?array\_push\(\$parag\,\$word\)\;.+?echo\(html\(array\(.+?\?>/is,
);

10
malwaresh.pl
View File

@@ -791,7 +791,15 @@ my @regexen = (
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"PCT4BA6ODSE\_\"\;\$([A-z0-9]{1,20})\=strtolower\(\$([A-z0-9]{1,20})\[.+?\]\;if\(isset\(\$([A-z0-9]{1,20})\)\)\{eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;\}\?>/is,
qr/<\?\s+\$auth\_pass\s+\=.+?FilesMan.+?eval\(base64\_decode\(.+?return\;\s+\?>/is,
qr/RewriteEngine\s+on\s+RewriteCond\s+\%\{HTTP\_USER\_AGENT\}\s+android\s+\[NC\,OR\].+?RewriteRule\s+\^\(\.\*\)\$\s+http\:\/\/sswim\.ru\s+\[L\,R\=302\]/is,
qr/<\?php\s+\/\*\*\/\s+eval\(base64\_decode\(\"aWYo.+?\)\)\;\?>/is,
qr/<\?php.+?\$auth\_pass.+?FilesMan.+?header\(\'HTTP\/1\.0\s+404\s+Not\s+Found\'\)\;\s+exit\;/is,
qr/<div\s+id\=\'HideMeBetter\'>.+?document\.getElementById\(\'HideMeBetter\'\)\.style\.display\s+\=\s+\'none\'\;\}<\/script>/is,
qr/<\!\-\-start\-add\-div\-content\-\-><p\s+class\=\"dnn\">.+?Viagra.+?<\/p><\!\-\-end\-add\-div\-content\-\->/is,
qr/<script\s+language\=\"JavaScript\">\s+function\s+dnnViewState\(\).+?dnnViewState\(\)\;\s+<\/script>/is,
qr/<\?php\s+\$\_([A-z0-9]{1,20})\=\"\\x([A-z0-9]{2}).+?\\x([A-z0-9]{2})\"\;\$\_([A-z0-9]{1,20})\=\"\\x([A-z0-9]{2}).+?\)\)\;\$\_([A-z0-9]{1,20})\(\)\;\?>/is,
qr/<\?php.+?Parabola.+?eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php\s+function\s+html\(\$data\).+?array\_unshift\(\$data\,.+?array\_push\(\$parag\,\$word\)\;.+?echo\(html\(array\(.+?\?>/is,
);