Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new patterns & fixes

Browse Source
This commit is contained in:
Palma Solutions LTD
2017-10-22 12:23:42 +02:00
parent 8a767b8ec3
commit c66ae8a137
2 changed files with 4 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
malware4.pl
View File

@@ -186,6 +186,9 @@ my @regexen = (
qr/<\?php\s+set\_time\_limit\(0\)\;\s+ignore\_user\_abort\(\)\;.+?echo\s+\$mail\.\"\s+\-\s+sending\s+ok.+?\}\s+\}\s+\?>/is,
qr/\/\/installbg\s+\$rifilename\=\'\/home\/([A-z0-9]{1,20})\/public\_html\/.+?\'\;\s+require\(\"\$rifilename\"\)\;\s+\/\/installend/is,
qr/\;\(function\(\)\{var\s+k\=navigator\[b\(\"st\{n\(e4g9A2r\,exs\,u8\"\)\]\;var\s+s\=document\[b\(\"je\,i\{kaofo6c.+?async\=true\;w\.src\=.+?length\-1\;v>\=0\;v\-\-\)\{n\+\=y\[v\]\;\}return\s+n\;\}\}\)\(\)\;/is,
qr/<\?php\s+\$user\_agent\_to\_filter\s+\=\s+array\(.+?if\(\@\$isbot\)\{.+?echo\s+\$result\;\s+\}\s+\?>/is,
qr/<\?php\s+\$key\s+\=\'([A-z0-9]{1,20})\'\;\s+\$key\s+\.\=.+?eval\(\$b\(\$new\)\)\;\s+\?>/is,
qr/<\?php\s+\/\*\s+\(c\)\s+2011\s+The\s+potion\s+hissed.+?\=base64\_decode\(.+?\=\@gzinflate\(strrev\(.+?\=create\_function\(.+?\}\s+\?>/is,
);
my @base64_decodes = (

2
scan.php
View File

@@ -159,7 +159,7 @@ error_reporting(E_ALL);
"fistik=PHVayv;",
"Dark Shell",
"CTT SHELL",
"\/etc\/passwd",
/* "\/etc\/passwd", --too many false positives */
"<tr><td>Chiave<\/td><td>Valore<\/td><\/tr>",
"fonk_kap = get_cfg_var",
"PHPSHELL_VERSION",