new patterns
This commit is contained in:
Palma Solutions LTD
18
malware5.pl
18
malware5.pl
@@ -255,6 +255,24 @@ my @regexen = (
|
||||
qr/([0-9]{20,})<\?php\s+\@eval\(\$\_POST\[\'c\'\]\)\;\s+die\(\)\;\?>/is,
|
||||
qr/<\?php\s+error\_reporting\(0\)\;echo\'404\-NOT\-FOUND\-ERROR\'\;\s+\$([A-z0-9]{1,20})\=gzinflate\(base64\_decode\(.+?\}\}closedir\(\$([A-z0-9]{1,20})\)\;\?>/is,
|
||||
qr/<\?php\s+\@eval\(\$\_POST\[([A-z0-9]{1,20})\]\)\;\?>/is,
|
||||
qr/<\?php.+?Joomla\.Site.+?\$p\s+\=\s+getcwd\(\)\;\s+echo\s+\$p\;\s+\?>/is,
|
||||
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\s+\=\s+str\_replace\(.+?\(\)\;\s+\?>/is,
|
||||
qr/<\?PHP\s+\$login.+?\$pass.+?\$md5\_pass\s+\=\s+\"\"\;\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\/\/\?\?\?\?\?\s+\?>/is,
|
||||
qr/<\?php.+?if\(\$chk\_login\s+\=\=\s+true\).+?mass\s+mailer\s+\|\:\..+?Sending\s+Completed.+?\?>\s+<\/body>\s+<\/html>/is,
|
||||
qr/<\?php.+?\@system\(\"killall\s+\-9\s+\"\.basename\(\"\/usr\/bin\/host\"\)\)\;.+?\$so32\s+\=\s+\"\\x.+?\/usr\/bin\/host\"\)\;\s+\?>/is,
|
||||
qr/<\?php\s+eval\s+\(gzinflate\(base64\_decode\(str\_rot13\(.+?\)\)\)\)\;\s+\?>/is,
|
||||
qr/\#\!\/bin\/sh.+?sd\@fucksheep\.org.+?\.\/exploit\s+fi/is,
|
||||
qr/<\?php.+?eMail\s+\~>\s+RealUnix\.net.+?print\s+file\_get\_contents\(\$i\)\;\s+exit\;\s+\?>\s+<\/body>\s+<\/html>/is,
|
||||
qr/<\?php.+?class\s+viaWorm\s+\{.+?public\s+function\s+analyzePossibleIndexes\(\)\{.+?\$result\s+\=\s+viaWorm\:\:processHost\(\)\;.+?echo\s+json\_encode\(\$result\)\;\s+exit\(\)\;/is,
|
||||
qr/<html>.+?Owned\s+by\s+Widex.+?root\@Widex\:\s+\.\/logout<\/p>\s+<\/body>\s+<\/html>/is,
|
||||
qr/\/\*\s+exploit\s+lib\s+\*\/.+?struct\s+exploit\_state\s+\{.+?pa\_\_init\(NULL\)\;\s+return\s+0\;\s+\}/is,
|
||||
qr/\/\*.+?sd\@fucksheep\.org.+?struct\s+exploit\_state\s+\{.+?unlink\(\"\.\/suckit\_selinux\_nopz\"\)\;\s+exit\(1\)\;\s+\}/is,
|
||||
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\"\_\"\.\'G\'\.\'E\'\.\'T\'\;\s+if\s+\(isset\(\s+\$\{\$([A-z0-9]{1,20})\}\[\'\d\d\'\]\)\)\s+preg\_replace\(\'\/\'\.\'\.\*\/e\'\,\s+\'ev\'\.\'al\s+\(\s+\$\'\.\$([A-z0-9]{1,20})\.\'\[\"\d\d\"\]\)\'\,\s+\'\'\)\;\s+\?>/is,
|
||||
|
||||
|
||||
}/is,
|
||||
|
||||
|
||||
|
||||
);
|
||||
|
||||
|
||||
14
malwaresh.pl
14
malwaresh.pl
@@ -735,7 +735,21 @@ my @regexen = (
|
||||
qr/([0-9]{20,})<\?php\s+\@eval\(\$\_POST\[\'c\'\]\)\;\s+die\(\)\;\?>/is,
|
||||
qr/<\?php\s+error\_reporting\(0\)\;echo\'404\-NOT\-FOUND\-ERROR\'\;\s+\$([A-z0-9]{1,20})\=gzinflate\(base64\_decode\(.+?\}\}closedir\(\$([A-z0-9]{1,20})\)\;\?>/is,
|
||||
qr/<\?php\s+\@eval\(\$\_POST\[([A-z0-9]{1,20})\]\)\;\?>/is,
|
||||
qr/<\?php.+?Joomla\.Site.+?\$p\s+\=\s+getcwd\(\)\;\s+echo\s+\$p\;\s+\?>/is,
|
||||
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,20})\"\;\s+\$([A-z0-9]{1,20})\s+\=\s+str\_replace\(.+?\(\)\;\s+\?>/is,
|
||||
qr/<\?PHP\s+\$login.+?\$pass.+?\$md5\_pass\s+\=\s+\"\"\;\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\/\/\?\?\?\?\?\s+\?>/is,
|
||||
qr/<\?php.+?if\(\$chk\_login\s+\=\=\s+true\).+?mass\s+mailer\s+\|\:\..+?Sending\s+Completed.+?\?>\s+<\/body>\s+<\/html>/is,
|
||||
qr/<\?php.+?\@system\(\"killall\s+\-9\s+\"\.basename\(\"\/usr\/bin\/host\"\)\)\;.+?\$so32\s+\=\s+\"\\x.+?\/usr\/bin\/host\"\)\;\s+\?>/is,
|
||||
qr/<\?php\s+eval\s+\(gzinflate\(base64\_decode\(str\_rot13\(.+?\)\)\)\)\;\s+\?>/is,
|
||||
qr/\#\!\/bin\/sh.+?sd\@fucksheep\.org.+?\.\/exploit\s+fi/is,
|
||||
qr/<\?php.+?eMail\s+\~>\s+RealUnix\.net.+?print\s+file\_get\_contents\(\$i\)\;\s+exit\;\s+\?>\s+<\/body>\s+<\/html>/is,
|
||||
qr/<\?php.+?class\s+viaWorm\s+\{.+?public\s+function\s+analyzePossibleIndexes\(\)\{.+?\$result\s+\=\s+viaWorm\:\:processHost\(\)\;.+?echo\s+json\_encode\(\$result\)\;\s+exit\(\)\;/is,
|
||||
qr/<html>.+?Owned\s+by\s+Widex.+?root\@Widex\:\s+\.\/logout<\/p>\s+<\/body>\s+<\/html>/is,
|
||||
qr/\/\*\s+exploit\s+lib\s+\*\/.+?struct\s+exploit\_state\s+\{.+?pa\_\_init\(NULL\)\;\s+return\s+0\;\s+\}/is,
|
||||
qr/\/\*.+?sd\@fucksheep\.org.+?struct\s+exploit\_state\s+\{.+?unlink\(\"\.\/suckit\_selinux\_nopz\"\)\;\s+exit\(1\)\;\s+\}/is,
|
||||
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\"\_\"\.\'G\'\.\'E\'\.\'T\'\;\s+if\s+\(isset\(\s+\$\{\$([A-z0-9]{1,20})\}\[\'\d\d\'\]\)\)\s+preg\_replace\(\'\/\'\.\'\.\*\/e\'\,\s+\'ev\'\.\'al\s+\(\s+\$\'\.\$([A-z0-9]{1,20})\.\'\[\"\d\d\"\]\)\'\,\s+\'\'\)\;\s+\?>/is,
|
||||
|
||||
|
||||
|
||||
);
|
||||
|
||||
|
||||
Reference in New Issue
Block a user