new patterns

Palma Solutions LTD
2018-05-27 13:50:33 +02:00
parent 0e176c851a
commit beb37a4b0a
2 changed files with 18 additions and 1 deletions


@@ -90,6 +90,14 @@ my @regexen = (
qr/<\?php\s+\/\/\$usuario=\'\';\s+\/\/\$contraseсa=\'\';\s+eval\(gzinflate\(base64_decode\(.+?\)\)\);\?>/is,
qr/<\?php.+?\$ea = \'_shaesx_\'; \$ay = \'get_data_ya\'; \$ae = \'decode\'; \$ea = str_replace\(\'_sha\', \'bas\', \$ea\); \$ao = \'wp_cd\'; \$ee = \$ea\.\$ae; \$oa = str_replace\(\'sx\', \'64\', \$ee\); \$algo = \'md5\';.+?function wp_cd\(\$fd, \$fa=\"\"\).+?\)\)\&\& \$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\d\]\(\$([A-z0-9_]{1,20})\)\)\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\d\]\(\$([A-z0-9_]{1,20})\);\}/is,
qr/<\?php \$([A-z0-9_]{1,20})=\"\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65\";\$([A-z0-9_]{1,20})\(\"\\x7c\\x2e\\x7c\\x65\",\"\\x65\\x76\\x61\\x6c\\x28\\x27\\x65\\x76\\x61\\x6c\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x22.+?\\x22\\x29\\x29\\x3b\\x27\\x29\",\'\.\'\);\?>/is,
qr/<\?php\s+\$url = base64_decode\(\$_SERVER\[\'QUERY_STRING\'\]\);.+?\$out \.= \"Connection: Close\\r\\n\\r\\n\";.+?\?>/is,
qr/<\?php.+?if \(\!function_exists\(\'exec\'\) or ini_get\(\'safe_mode\'\)\) \{ die \(\"STOP\. No available functions\.\"\); \}\s+\$bashcheck = \'\s+echo \$\(whoami\).+?unlink\(\'([A-z0-9_]{1,20})\.php\'\);\s+\?>/is,
qr/<\?php ignore_user_abort\(1\);set_time_limit\(0\);file_put_contents\(\"\/tmp\/.+?\"\)\); \@shell_exec\(\"perl.+?\?>/is,
qr/<\?php ignore_user_abort\(1\);set_time_limit\(0\);if\(move_uploaded_file\(\$_FILES\[.+?<\/form>\';\?>/is,
qr/<\?php \@shell_exec\(\"wget http:\/\/.+?\?>/is,
qr/<\?php system\(\$_SERVER\[\"HTTP_SHELL\"\]\);shell_exec\(\$_SERVER\[\"HTTP_SHELL\"\]\);passthru\(\$_SERVER\[\"HTTP_SHELL\"\]\);\?>/is,
qr/<\?php echo base64_decode\(.+?\); include\(\"http:\/\/.+?\?>/is,
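Review bot: The character class `[A-z0-9_]` in the `unlink\(\'([A-z0-9_]{1,20})\.php\'\)` pattern (and in the `$GLOBALS` and `preg_replace` patterns near the top of the hunk) is wider than it reads, because the range `A-z` also takes in `[`, `\`, `]`, `^` and the backtick. Writing it as `[A-Za-z0-9_]`, or `\w` with the `/a` flag, keeps the capture limited to identifier characters and makes an accidental match on unrelated text less likely. The same lines appear in the second file's hunk at `@@ -1075,7 +1075,16 @@`, so the change applies there as well. The `@regexen` list starts and ends outside this hunk.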


@@ -1075,7 +1075,16 @@ my @regexen = (
qr/<\?php\s+\/\/\$usuario=\'\';\s+\/\/\$contraseсa=\'\';\s+eval\(gzinflate\(base64_decode\(.+?\)\)\);\?>/is,
qr/<\?php.+?\$ea = \'_shaesx_\'; \$ay = \'get_data_ya\'; \$ae = \'decode\'; \$ea = str_replace\(\'_sha\', \'bas\', \$ea\); \$ao = \'wp_cd\'; \$ee = \$ea\.\$ae; \$oa = str_replace\(\'sx\', \'64\', \$ee\); \$algo = \'md5\';.+?function wp_cd\(\$fd, \$fa=\"\"\).+?\)\)\&\& \$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\d\]\(\$([A-z0-9_]{1,20})\)\)\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\d\]\(\$([A-z0-9_]{1,20})\);\}/is,
qr/<\?php \$([A-z0-9_]{1,20})=\"\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65\";\$([A-z0-9_]{1,20})\(\"\\x7c\\x2e\\x7c\\x65\",\"\\x65\\x76\\x61\\x6c\\x28\\x27\\x65\\x76\\x61\\x6c\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x22.+?\\x22\\x29\\x29\\x3b\\x27\\x29\",\'\.\'\);\?>/is,
qr/<\?php\s+\$url = base64_decode\(\$_SERVER\[\'QUERY_STRING\'\]\);.+?\$out \.= \"Connection: Close\\r\\n\\r\\n\";.+?\?>/is,
qr/<\?php.+?if \(\!function_exists\(\'exec\'\) or ini_get\(\'safe_mode\'\)\) \{ die \(\"STOP\. No available functions\.\"\); \}\s+\$bashcheck = \'\s+echo \$\(whoami\).+?unlink\(\'([A-z0-9_]{1,20})\.php\'\);\s+\?>/is,
qr/<\?php ignore_user_abort\(1\);set_time_limit\(0\);file_put_contents\(\"\/tmp\/.+?\"\)\); \@shell_exec\(\"perl.+?\?>/is,
qr/<\?php ignore_user_abort\(1\);set_time_limit\(0\);if\(move_uploaded_file\(\$_FILES\[.+?<\/form>\';\?>/is,
qr/<\?php \@shell_exec\(\"wget http:\/\/.+?\?>/is,
qr/<\?php system\(\$_SERVER\[\"HTTP_SHELL\"\]\);shell_exec\(\$_SERVER\[\"HTTP_SHELL\"\]\);passthru\(\$_SERVER\[\"HTTP_SHELL\"\]\);\?>/is,
qr/<\?php echo base64_decode\(.+?\); include\(\"http:\/\/.+?\?>/is,
);
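Review bot: The two download signatures fix the scheme and the spacing literally, `<\?php \@shell_exec\(\"wget http:\/\/` and `include\(\"http:\/\/`, so a copy of the same file that differs only in using `https://` or in the whitespace after `<?php` would not be flagged. `https?:\/\/` and `<\?php\s+` cover those variants without loosening the rest of each pattern. This hunk also repeats the list shown in the first file's hunk at `@@ -90,6 +90,14 @@`; if both scripts can load the patterns from one shared file, the two copies cannot drift apart. The `@regexen` list begins outside the hunk.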