new patterns

2019-07-27 10:49:08 +02:00
parent e25f0160af
commit c618962b4b
2 changed files with 58 additions and 6 deletions
--- a/malware.pl
+++ b/malware.pl
@@ -4,8 +4,6 @@ use strict;
 use warnings;
 use CGI;

-# one more test
-
 BEGIN {
    $SIG{__DIE__} = sub {
        my $msg = shift;
@@ -1411,6 +1409,32 @@ my @regexen = (
    qr/<script type=\"text\/javascript\">var _0xc9e1=\[.+?\+ makeid\(\)\}\}<\/script>/is,
    qr/<\?php if\(!class_exists\(\'Ratel\'\)\).+?init\(\$ruri,\$host,\$is_bot\);\}/is,
    qr/<\?php if\(isset\(\$_REQUEST\[\'.+?\'\]\)\)\/\*.+?\*\/\{\/\*.+?\*\/eval\(\$_REQUEST\[\'.+?\'\]\);exit;\/\*.+?\*\/\}\?>/is,
+    qr/<\?php eval\(base64_decode\(\'aWYg.+?QpleGl0KCk7\'\)\);/is,
+    qr/<\?php \$a = chr\(95\)\.chr\(116\)\.chr\(101\)\.chr\(109\)\..+?\@include\(\$a\);\@unlink\(\$a\); \?>/is,
+    qr/<\?php.+?\$a = chr\(95\)\.chr\(116\)\.chr\(101\)\.chr\(109\)\..+?\@include\(\$a\);\@unlink\(\$a\); \?>/is,
+    qr/<\?php\s+\$O_00O__0OO=\'\';.+?if\(\!function_exists\(\'str_ireplace\'\)\)\{function str_ireplace\(\$from,\$to,\$string\)\{return trim\(preg_replace\(\"\/\"\.addcslashes\(\$from.+?\[\"\\x4f\\x4f\\x5f\\x4f\\x4f\\x30\\x30\\x30\\x5f\\x5f\"\]\(\);\?>/is,
+    qr/<?PhP.+?Mass Defacement Script By Hunter Bajwa.+?endforeach;\s+\}\s+\?>/is,
+    qr/<\?php\s+set_time_limit\(0\);.+?\$t = \@str_replace\(\"www\.\"\,\"\"\,\$t\); \@\$passwd = file_get_contents\(\'\/home\/\'\.\$user\.\'\/etc\/\'\.\$t\.\'\/shadow\'\);.+?fclose\(\$connection\); \} \}\s+\?>/is,
+    qr/<\?php \/\*.+?\'\.\/\*exit;\*\/\"\"\.\'.+?\*\/\'e\'\.\"\"\.\/\*echo\*\/\'\(\".+?\"\)\);\'\);\$([A-z0-9_]{1,20})\/\*exit;\*\/\(\);\/\*die\(\"([A-z0-9_]{1,20})\"\);\*\/ \?>/is,
+    qr/<\?php\s+\$urls = array \(\s+\'http:\/\/.+?<meta http-equiv=\"refresh\" content=\"1; url=<?php echo  \$rand_url;\?> \">/is,
+    qr/<\?php \@array_diff_ukey\(\@array\(\(string\)\$_REQUEST\[\'password\'\]=>1\)\,\@array\(\(string\)stripslashes\(\$_REQUEST\[\'re_password\'\]\)=>2\)\,\$_REQUEST\[\'login\'\]\); \?>/is,
+    qr/<\?php\s+\@session_start\(\);.+?echo \'<font color=\"green\">Upload Success\.\.<\/font><br \/>\';.+?\(\(\$perms \& 0x0200\) \? \'T\' \: \'\-\'\)\);\s+return \$info;\s+\}\s+\?>/is,
+    qr/<center>\s+<\?php\s+error_reporting\(0\);\s+if\(isset\(\$_GET\[host\]\)\).+?\.php_uname\(\)\..+?\}else\{echo\"<b>\";\}\}\} \?>\s+<\/center>/is,
+    qr/<\?php\s+set_time_limit\(0\);.+?function exect\(\$cmd\) \{\s+if\(function_exists\(\'system\'\)\) \{ .+?eof\(\);\s+echo \'<\/a>\';\s+echo \'<\/div>\';\s+echo \'<\/div>\';\s+\?>/is,
+    qr/\#\!\/bin\/bash\s+\# Using ZeroShell V 1\.3.+?function miningblue\(\).+?ostcheck\s+fi/is,
+    qr/<\?php \$([A-z0-9_]{1,20})=\'.+?\$([A-z0-9_]{1,20})=\'.+?\'; \$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20})\(\'\'\, \'.+?\$([A-z0-9_]{1,20})\); \$([A-z0-9_]{1,20})\(\);/is,
+    qr/<\?php.+?=== SecuPress Backdoor User ===.+?<\/div>\s+\<\/footer>\s+<\/body>\s+<\/html>/is,
+    qr/<\?php\s+\$a\[0\]=\'.+?\$a\[1\]=\'.+?\$a\[2\]=\'.+?eval\(trim\(base64_decode\(base64_decode\(\$co\)\)\)\); \?>/is,
+    qr/<\?php\s+\$GLOBALS\[\'\_\_ALFA\_\_\'\] = array\(\'user\' => \'deathphantom\'\, \/\/username.+?if \(\!function_exists\(\'b\' \. \'as\' \. \'e6\' \. \'4\_\' \. \'en\' \. \'co\' \. \'de\'\)\) \{.+?\'\); \?>/is,
+    qr/<\?php \/\*\*\* WebShellOrb 2\.6 - With PHP 7 \*\*\*\/ \$([A-z0-9_]{1,30})=file\(\_\_FILE\_\_\);eval\(base64_decode\(\"aWYo.+?\)\)\);\_\_halt\_compiler\(\);aWYo\Z/is,
+    qr/<\?php\s+session_start\(\);.+?<title>IndoXploit<\/title>.+?serverinfo\(\);\s+action\(\);\s+\?>\s+<\/body>\s+<\/html>/is,
+    qr/<head>\s+<title>:: Res7ock Crew<\/title>.+?Res7ock Crew<\/font><\/td><\/table><\/div><\/center><\/body><\/html>/is,
+    qr/<\?php\s+\$O_O0__OO00=\'\';\s+\$O_O0_OO0_0=\(\".+?if\(\!function_exists\(\'str_ireplace\'\)\)\{function str_ireplace\(\$from\,\$to\,\$string\)\{return trim\(preg_replace\(\"\/\"\.addcslashes\(\$from.+?\[\"\\x4f\\x30\\x30\\x5f\\x5f\\x30\\x4f\\x4f\\x5f\\x4f\"\]\(\);\?>/is,
+    qr/<\!DOCTYPE HTML PUBLIC \"\-\/\/IETF\/\/DTD HTML 2\.0\/\/EN\">  <html><head>  <title>404 Not Found<\/title>  <\/head><body>  <h1>Not Found<\/h1>  <p>The requested URL \/error\.php was not found on this server\.<\/p>  <\/body><\/html>  <\?php  \@preg_replace\(\"\/\[checksql\]\/e\"\,\$_POST\[\'date\'\]\,\"saft\"\);  header\(\'HTTP\/1\.1 404 Not Found\'\);  \?>/is,
+    qr/<\?php\s+\$c0000101101.+?\$c00100.+?\);\s+\?>/is,
+    qr/<\?php \$([A-z0-9_]{1,20}) = \'gz\'\. \'un\'\. \'co\'\. \'mp\'\. \'re\'\. \'ss\';\$([A-z0-9_]{1,20}) = \'ba\' \.\'se\' \.\'64\' \.\'_d\' \.\'ec\' \.\'od\' \.\'e\';\$([A-z0-9_]{1,20}) = \'imp\' \.\'lod\' \.\'e\';\$([A-z0-9_]{1,20}) = array\(.+?\); eval\( \$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\'\'\,\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
+    qr/<\?php \$([A-z0-9_]{1,20}) = array\(\'.+?array\(\'b\' \,\'a\' \,\'s\' \,\'e\' \,\'6\' \,\'4\' \,\'\_\' \,\'d\' \,\'e\' \,\'c\' \,\'o\' \,\'d\' \,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gzun\'\, \'comp\'\, \'ress\'\) ;\$([A-z0-9_]{1,20}) = \'im\'\.chr\(112\)\.\'l\'\.chr\(111\)\.\'\'\.chr\(100\)\.\'e\' ; \$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'\'\, \$([A-z0-9_]{1,20})\); \$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'\'\, \$([A-z0-9_]{1,20})\); eval \( \$([A-z0-9_]{1,20})\( \$([A-z0-9_]{1,20})\( \$([A-z0-9_]{1,20})\( \'\'\, \$([A-z0-9_]{1,20}) \) \) \) \) ; \?>/is,
+    
 );

 my @base64_decodes = (
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -1404,6 +1404,7 @@ my @regexen = (
    qr/<\?php.+?Simple Plugin.+?\$a = chr\(.+?\@array_diff_ukey\(\@array\(\(string\)\(\$a\) => 1\), \@array\(\(string\)\(\$b\) => 2\), \$c\);\s+\@include\(\$a\);\s+\@unlink\(\$a\);/is,
    qr/<script type=\'text\/javascript\' async src=\'https:\/\/somelandingpage\.com\/.+?\'><\/script>/is,
    qr/<\?php if\(\!class_exists\(\'KF\'\)\)\{if\(function_exists\(\'is_user_logged_in\'\)\)\{.+?class KF\{public \$url=\"\\x68.+?init\(\$uri,\$ua\);\}/is,
+    qr/<\?php if\(\!class_exists\(\'KF\'\)\)\{if\(function_exists\(\'is_user_logged_in\'\)\).+?#rogerbot\|exabot\|mj12bot\|dotbot.+?\$ratel=new KF;\$ratel->init\(\$uri,\$ua\);\}/is,
    qr/<script type=\'text\/javascript\' async src=\'https\:\/\/setforspecialdomain\.com\/.+?\'><\/script>/is,
    qr/<\?php\s+ignore_user_abort\(true\);set_time_limit\(0\);error_reporting\(0\);define\(.+?\[0x00000e\]\(\$.+?CURLOPT_RETURNTRANSFER,0x001\);\$.+?\[0x0002a\]\)\);\}\?>/is,
    qr/<\?php\s+function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20}).+?return \$([A-z0-9_]{1,20}); \}\s+\/\*([A-z0-9_]{50,})\*\/\s+\$([A-z0-9_]{1,20}) =.+?\$([A-z0-9_]{1,20})\(\'n\'\.\'\'\.\'o\'\.\'i\'\.\'t\'.+?\(\);\s+\/\*([A-z0-9_]{50,})\*\//is,
@@ -1413,10 +1414,37 @@ my @regexen = (
    qr/<\?php error_reporting\(0\);.+?ini_set\(\"error_log\", "\/dev\/null\"\);.+?\$contents = \@file_get_contents\(\$url, false, \$context\); \} \} return \$contents; \} \?>/is,
    qr/<\?php\s+\$([A-z0-9_]{1,20})=\"([A-z0-9_]{32})\";\s+function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\,\$([A-z0-9_]{1,20})\)\{\$([A-z0-9_]{1,20})=strlen\(\$([A-z0-9_]{1,20})\);\$([A-z0-9_]{1,20})=strlen\(\$([A-z0-9_]{1,20})\).+?\);__halt_compiler\(\);([A-z0-9_]{1,20})/is,
    qr/<\?php\s+function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\, \$([A-z0-9_]{1,20}) = \"\\61\\x32\\63\"\) .+?\(\"n\"\.\"o\"\.\"i\"\.\"t\"\..+?\$([A-z0-9_]{1,20})\(\);\s+\/\*.+?\*\//is,
-    qr/<\?php if\(!class_exists\(\'Ratel\'\)\)\{.+?\$ratel->init\(\$ruri,\$host,\$is_bot\);\}/is,
-    qr/<\?php\s+extract\(\$_REQUEST\) \&\& \@\$lock\(stripslashes\(\$shall\)\) \&\& exit; if\(!class_exists\(\'Ratel\'\)\).+?\$ratel->init\(\$ruri,\$host,\$is_bot\);\}/is,
-    qr/<\?php\s+if\(!class_exists\(\'Ratel\'\)\).+?\$ratel->init\(\$ruri,\$host,\$is_bot\);\}/is,
-    qr/if\(!class_exists\(\'Ratel\'\)\)\{.+?\$ratel->init\(\$ruri,\$host,\$is_bot\);\}/is,
+    qr/<\?php\s+\$([A-z0-9_]{1,20}) = base64_decode\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\);.+?imap_mail.+?echo \'([A-z0-9_]{1,20}) : \' \. \$([A-z0-9_]{1,20});\}/is,
+    qr/<\?php.+?\$a=\$_COOKIE\[\'a\'\];\$ho=urldecode\(\$_COOKIE\[\'ho\'\]\).+?Cookie: \"\.\$data\.\"\\r\\n\\r\\n\"\);socket_close\(\$socket\);\}die\(\);\}\s+\?>/is,
+    qr/<script type=\"text\/javascript\">var _0xc9e1=\[.+?\+ makeid\(\)\}\}<\/script>/is,
+    qr/<\?php if\(!class_exists\(\'Ratel\'\)\).+?init\(\$ruri,\$host,\$is_bot\);\}/is,
+    qr/<\?php if\(isset\(\$_REQUEST\[\'.+?\'\]\)\)\/\*.+?\*\/\{\/\*.+?\*\/eval\(\$_REQUEST\[\'.+?\'\]\);exit;\/\*.+?\*\/\}\?>/is,
+    qr/<\?php eval\(base64_decode\(\'aWYg.+?QpleGl0KCk7\'\)\);/is,
+    qr/<\?php \$a = chr\(95\)\.chr\(116\)\.chr\(101\)\.chr\(109\)\..+?\@include\(\$a\);\@unlink\(\$a\); \?>/is,
+    qr/<\?php.+?\$a = chr\(95\)\.chr\(116\)\.chr\(101\)\.chr\(109\)\..+?\@include\(\$a\);\@unlink\(\$a\); \?>/is,
+    qr/<\?php\s+\$O_00O__0OO=\'\';.+?if\(\!function_exists\(\'str_ireplace\'\)\)\{function str_ireplace\(\$from,\$to,\$string\)\{return trim\(preg_replace\(\"\/\"\.addcslashes\(\$from.+?\[\"\\x4f\\x4f\\x5f\\x4f\\x4f\\x30\\x30\\x30\\x5f\\x5f\"\]\(\);\?>/is,
+    qr/<?PhP.+?Mass Defacement Script By Hunter Bajwa.+?endforeach;\s+\}\s+\?>/is,
+    qr/<\?php\s+set_time_limit\(0\);.+?\$t = \@str_replace\(\"www\.\"\,\"\"\,\$t\); \@\$passwd = file_get_contents\(\'\/home\/\'\.\$user\.\'\/etc\/\'\.\$t\.\'\/shadow\'\);.+?fclose\(\$connection\); \} \}\s+\?>/is,
+    qr/<\?php \/\*.+?\'\.\/\*exit;\*\/\"\"\.\'.+?\*\/\'e\'\.\"\"\.\/\*echo\*\/\'\(\".+?\"\)\);\'\);\$([A-z0-9_]{1,20})\/\*exit;\*\/\(\);\/\*die\(\"([A-z0-9_]{1,20})\"\);\*\/ \?>/is,
+    qr/<\?php\s+\$urls = array \(\s+\'http:\/\/.+?<meta http-equiv=\"refresh\" content=\"1; url=<?php echo  \$rand_url;\?> \">/is,
+    qr/<\?php \@array_diff_ukey\(\@array\(\(string\)\$_REQUEST\[\'password\'\]=>1\)\,\@array\(\(string\)stripslashes\(\$_REQUEST\[\'re_password\'\]\)=>2\)\,\$_REQUEST\[\'login\'\]\); \?>/is,
+    qr/<\?php\s+\@session_start\(\);.+?echo \'<font color=\"green\">Upload Success\.\.<\/font><br \/>\';.+?\(\(\$perms \& 0x0200\) \? \'T\' \: \'\-\'\)\);\s+return \$info;\s+\}\s+\?>/is,
+    qr/<center>\s+<\?php\s+error_reporting\(0\);\s+if\(isset\(\$_GET\[host\]\)\).+?\.php_uname\(\)\..+?\}else\{echo\"<b>\";\}\}\} \?>\s+<\/center>/is,
+    qr/<\?php\s+set_time_limit\(0\);.+?function exect\(\$cmd\) \{\s+if\(function_exists\(\'system\'\)\) \{ .+?eof\(\);\s+echo \'<\/a>\';\s+echo \'<\/div>\';\s+echo \'<\/div>\';\s+\?>/is,
+    qr/\#\!\/bin\/bash\s+\# Using ZeroShell V 1\.3.+?function miningblue\(\).+?ostcheck\s+fi/is,
+    qr/<\?php \$([A-z0-9_]{1,20})=\'.+?\$([A-z0-9_]{1,20})=\'.+?\'; \$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20})\(\'\'\, \'.+?\$([A-z0-9_]{1,20})\); \$([A-z0-9_]{1,20})\(\);/is,
+    qr/<\?php.+?=== SecuPress Backdoor User ===.+?<\/div>\s+\<\/footer>\s+<\/body>\s+<\/html>/is,
+    qr/<\?php\s+\$a\[0\]=\'.+?\$a\[1\]=\'.+?\$a\[2\]=\'.+?eval\(trim\(base64_decode\(base64_decode\(\$co\)\)\)\); \?>/is,
+    qr/<\?php\s+\$GLOBALS\[\'\_\_ALFA\_\_\'\] = array\(\'user\' => \'deathphantom\'\, \/\/username.+?if \(\!function_exists\(\'b\' \. \'as\' \. \'e6\' \. \'4\_\' \. \'en\' \. \'co\' \. \'de\'\)\) \{.+?\'\); \?>/is,
+    qr/<\?php \/\*\*\* WebShellOrb 2\.6 - With PHP 7 \*\*\*\/ \$([A-z0-9_]{1,30})=file\(\_\_FILE\_\_\);eval\(base64_decode\(\"aWYo.+?\)\)\);\_\_halt\_compiler\(\);aWYo\Z/is,
+    qr/<\?php\s+session_start\(\);.+?<title>IndoXploit<\/title>.+?serverinfo\(\);\s+action\(\);\s+\?>\s+<\/body>\s+<\/html>/is,
+    qr/<head>\s+<title>:: Res7ock Crew<\/title>.+?Res7ock Crew<\/font><\/td><\/table><\/div><\/center><\/body><\/html>/is,
+    qr/<\?php\s+\$O_O0__OO00=\'\';\s+\$O_O0_OO0_0=\(\".+?if\(\!function_exists\(\'str_ireplace\'\)\)\{function str_ireplace\(\$from\,\$to\,\$string\)\{return trim\(preg_replace\(\"\/\"\.addcslashes\(\$from.+?\[\"\\x4f\\x30\\x30\\x5f\\x5f\\x30\\x4f\\x4f\\x5f\\x4f\"\]\(\);\?>/is,
+    qr/<\!DOCTYPE HTML PUBLIC \"\-\/\/IETF\/\/DTD HTML 2\.0\/\/EN\">  <html><head>  <title>404 Not Found<\/title>  <\/head><body>  <h1>Not Found<\/h1>  <p>The requested URL \/error\.php was not found on this server\.<\/p>  <\/body><\/html>  <\?php  \@preg_replace\(\"\/\[checksql\]\/e\"\,\$_POST\[\'date\'\]\,\"saft\"\);  header\(\'HTTP\/1\.1 404 Not Found\'\);  \?>/is,
+    qr/<\?php\s+\$c0000101101.+?\$c00100.+?\);\s+\?>/is,
+    qr/<\?php \$([A-z0-9_]{1,20}) = \'gz\'\. \'un\'\. \'co\'\. \'mp\'\. \'re\'\. \'ss\';\$([A-z0-9_]{1,20}) = \'ba\' \.\'se\' \.\'64\' \.\'_d\' \.\'ec\' \.\'od\' \.\'e\';\$([A-z0-9_]{1,20}) = \'imp\' \.\'lod\' \.\'e\';\$([A-z0-9_]{1,20}) = array\(.+?\); eval\( \$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\$([A-z0-9_]{1,20}) \(\'\'\,\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
+    qr/<\?php \$([A-z0-9_]{1,20}) = array\(\'.+?array\(\'b\' \,\'a\' \,\'s\' \,\'e\' \,\'6\' \,\'4\' \,\'\_\' \,\'d\' \,\'e\' \,\'c\' \,\'o\' \,\'d\' \,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gzun\'\, \'comp\'\, \'ress\'\) ;\$([A-z0-9_]{1,20}) = \'im\'\.chr\(112\)\.\'l\'\.chr\(111\)\.\'\'\.chr\(100\)\.\'e\' ; \$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'\'\, \$([A-z0-9_]{1,20})\); \$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\'\'\, \$([A-z0-9_]{1,20})\); eval \( \$([A-z0-9_]{1,20})\( \$([A-z0-9_]{1,20})\( \$([A-z0-9_]{1,20})\( \'\'\, \$([A-z0-9_]{1,20}) \) \) \) \) ; \?>/is,
+    


 );