Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new patterns

Browse Source
This commit is contained in:
Palma Solutions LTD 2018-05-10 06:36:40 +02:00
parent c35ed9ac38
commit be41fb2a50
2 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
malware5.pl
View File

@ -486,7 +486,10 @@ my @regexen = (
qr/<\?php\s+header\(.+?\$Remote\_server.+?function\s+GetHtml\(\$url\)\s+\{\s+return\s+getHTTPPage\(\$url\)\;\s+\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"\"\;\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\.\'([A-z0-9]{1,20})\'\..+?\$([A-z0-9]{1,20})\=([A-z0-9]{1,20})\(\)\;.+?\$([A-z0-9]{1,20})\=array\(.+?\$([A-z0-9]{1,20})\=([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+join\(\'\'\,\s+\$([A-z0-9]{1,20})\)\s+\)\;.+?return\s+\"\{\$([A-z0-9]{1,20})\}\{\$([A-z0-9]{1,20})\}\"\;\s+\}\s+\?>/is,
qr/<\?php.+?\$subject\s+\=\s+\"php\s+SSH\"\;.+?if\s+\(\$hist\_arr\)\s+\{.+?<\/BODY>\s+<\/HTML>/is,
qr/<\?php\s+echo\s+\'\'\;\s+\$([A-z0-9]{1,20})\s+\=\s+\"\\x61\"\s+\.\s+\"s\"\s+\.\s+\"\\x73\"\s+\.\s+\"e\"\s+\.\s+\"r\"\s+\.\s+\"\\x74\"\s+\.\s+\"\"\;\s+\@\s+\$([A-z0-9]{1,20})\s+\(\s+\"e\"\s+\.\s+\"v\"\s+\.\s+\"a\"\s+\.\s+\"l\"\s+\.\s+\"\(\"\s+\.\s+\"g\"\s+\.\s+\"z\"\s+\.\s+\"u\"\s+\.\s+\"n\"\s+\.\s+\"c\"\s+\.\s+\"\\x6f\"\s+\.\s+\"m\"\s+\.\s+\"\\x70\"\s+\.\s+\"\\x72\"\s+\.\s+\"E\"\s+\.\s+\"\\x73\"\s+\.\s+\"S\"\s+\.\s+\"\(\"\s+\.\s+\"b\"\s+\.\s+\"a\"\s+\.\s+\"s\"\s+\.\s+\"\\x65\"\s+\.\s+\"6\"\s+\.\s+\"4\"\s+\.\s+\"\\x5f\"\s+\.\s+\"d\"\s+\.\s+\"\\x.+?\)\)\)\;\"\s+\)\s+\;\s+\?>/is,
qr/<\?php\s+\@ini\_set\(\'display\_errors\'\,.+?function\s+wp\_cd\(\$.+?\$npDcheckClassBgp.+?\}\s+\?>/is,
);
my @base64_decodes = (

2
malwaresh.pl
View File

@ -969,6 +969,8 @@ my @regexen = (
qr/<\?php\s+header\(.+?\$Remote\_server.+?function\s+GetHtml\(\$url\)\s+\{\s+return\s+getHTTPPage\(\$url\)\;\s+\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"\"\;\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\.\'([A-z0-9]{1,20})\'\..+?\$([A-z0-9]{1,20})\=([A-z0-9]{1,20})\(\)\;.+?\$([A-z0-9]{1,20})\=array\(.+?\$([A-z0-9]{1,20})\=([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+join\(\'\'\,\s+\$([A-z0-9]{1,20})\)\s+\)\;.+?return\s+\"\{\$([A-z0-9]{1,20})\}\{\$([A-z0-9]{1,20})\}\"\;\s+\}\s+\?>/is,
qr/<\?php.+?\$subject\s+\=\s+\"php\s+SSH\"\;.+?if\s+\(\$hist\_arr\)\s+\{.+?<\/BODY>\s+<\/HTML>/is,
qr/<\?php\s+echo\s+\'\'\;\s+\$([A-z0-9]{1,20})\s+\=\s+\"\\x61\"\s+\.\s+\"s\"\s+\.\s+\"\\x73\"\s+\.\s+\"e\"\s+\.\s+\"r\"\s+\.\s+\"\\x74\"\s+\.\s+\"\"\;\s+\@\s+\$([A-z0-9]{1,20})\s+\(\s+\"e\"\s+\.\s+\"v\"\s+\.\s+\"a\"\s+\.\s+\"l\"\s+\.\s+\"\(\"\s+\.\s+\"g\"\s+\.\s+\"z\"\s+\.\s+\"u\"\s+\.\s+\"n\"\s+\.\s+\"c\"\s+\.\s+\"\\x6f\"\s+\.\s+\"m\"\s+\.\s+\"\\x70\"\s+\.\s+\"\\x72\"\s+\.\s+\"E\"\s+\.\s+\"\\x73\"\s+\.\s+\"S\"\s+\.\s+\"\(\"\s+\.\s+\"b\"\s+\.\s+\"a\"\s+\.\s+\"s\"\s+\.\s+\"\\x65\"\s+\.\s+\"6\"\s+\.\s+\"4\"\s+\.\s+\"\\x5f\"\s+\.\s+\"d\"\s+\.\s+\"\\x.+?\)\)\)\;\"\s+\)\s+\;\s+\?>/is,
qr/<\?php\s+\@ini\_set\(\'display\_errors\'\,.+?function\s+wp\_cd\(\$.+?\$npDcheckClassBgp.+?\}\s+\?>/is,
);