Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new patterns

Browse Source
This commit is contained in:
Palma Solutions LTD
2018-05-24 12:56:20 +02:00
parent a520039ee7
commit c827071819
2 changed files with 17 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
malware6.pl
View File

@@ -65,6 +65,15 @@ my @regexen = (
qr/<\?php\s+\@eval\(base64_decode\(.+?\)\);\s+\?>/is,
qr/([A-z0-9]{1,20}) <\?php\s+if\(\@md5\(\$_POST\[\"gif\"\]\) === \"([A-z0-9]{20,})\"\) \{\s+eval \(base64_decode\(\$_POST\[\"php\"\]\)\);\s+exit;\s+\}\s+\?>/is,
qr/<\?eval\(stripslashes\(array_pop\(\$_POST\)\)\)\?>/is,
qr/<\?php.+?function writerss\(\$name,\$text\) \{ echo \"<\"\.base64_encode\(\$name\)\.\">\"\.base64_encode\(\$text\)\.\"<\/\"\.base64_encode\(\$name\)\.\">\\n\"; \}.+?<\/output><\/channel><\/rss>\";\s+\?>/is,
qr/<\?php echo base64_decode\(.+?\@include\(\"http\:\/\/.+?\); \?>/is,
qr/<\?\s+require\(\"\.\.\/includes\/configure\.php\"\);.+?echo \"WORK\";.+?mysql_close\(\$link\);\s+unlink\(\"([A-z0-9]{1,20})\.php\"\);\s+\?>/is,
qr/<\?php include\(\"http:\/\/.+?\"\); \?>/is,
qr/<\?php\s+if\(isset\(\$_POST\[\'code\'\]\)\) \{\s+if \(\$_POST\[\'code\'\]\!=\"\"\) \{\s+eval\(stripslashes\(\$_POST\[code\]\)\);\s+exit;\s+\}\s+\}\s+echo \"([A-z0-9]{1,20})\";\s+\?>/is,
qr/<\?php \@passthru\(\"cd \/tmp;wget http:\/\/.+?\); \?>/is,
qr/<\?php \$x\w\w=\"\\x65.+?\);if\(isset\(\$_POST\[.+?\}else\{\@\$x\w\w\(\$_POST\[.+?\]\);\}\?>/is,
);

8
malwaresh.pl
View File

@@ -1050,6 +1050,14 @@ my @regexen = (
qr/<\?php\s+\@eval\(base64_decode\(.+?\)\);\s+\?>/is,
qr/([A-z0-9]{1,20}) <\?php\s+if\(\@md5\(\$_POST\[\"gif\"\]\) === \"([A-z0-9]{20,})\"\) \{\s+eval \(base64_decode\(\$_POST\[\"php\"\]\)\);\s+exit;\s+\}\s+\?>/is,
qr/<\?eval\(stripslashes\(array_pop\(\$_POST\)\)\)\?>/is,
qr/<\?php.+?function writerss\(\$name,\$text\) \{ echo \"<\"\.base64_encode\(\$name\)\.\">\"\.base64_encode\(\$text\)\.\"<\/\"\.base64_encode\(\$name\)\.\">\\n\"; \}.+?<\/output><\/channel><\/rss>\";\s+\?>/is,
qr/<\?php echo base64_decode\(.+?\@include\(\"http\:\/\/.+?\); \?>/is,
qr/<\?\s+require\(\"\.\.\/includes\/configure\.php\"\);.+?echo \"WORK\";.+?mysql_close\(\$link\);\s+unlink\(\"([A-z0-9]{1,20})\.php\"\);\s+\?>/is,
qr/<\?php include\(\"http:\/\/.+?\"\); \?>/is,
qr/<\?php\s+if\(isset\(\$_POST\[\'code\'\]\)\) \{\s+if \(\$_POST\[\'code\'\]\!=\"\"\) \{\s+eval\(stripslashes\(\$_POST\[code\]\)\);\s+exit;\s+\}\s+\}\s+echo \"([A-z0-9]{1,20})\";\s+\?>/is,
qr/<\?php \@passthru\(\"cd \/tmp;wget http:\/\/.+?\); \?>/is,
qr/<\?php \$x\w\w=\"\\x65.+?\);if\(isset\(\$_POST\[.+?\}else\{\@\$x\w\w\(\$_POST\[.+?\]\);\}\?>/is,
);