Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update 'malware3.pl'

Browse Source
This commit is contained in:
Malin 2016-10-03 11:28:38 +02:00
parent 1c64d9481e
commit c9dd12de17
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
malware3.pl
View File

@ -23,6 +23,7 @@ my @regexen = (
qr/<\?php\s+function\s+([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\{\$([A-z0-9]{1,10})\s+\=\s+\'\'\;\s+for\(\$([A-z]{1,2})\=0\;\s+\$([A-z]{1,2})\s+\<\s+strlen\(\$([A-z0-9]{1,10})\)\;\s+\$([A-z]{1,2})\+\+\)\{\$([A-z0-9]{1,10})\s+\.\=\s+isset\(\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\]\)\s+\?\s+\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\]\s+\:\s+\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\;\}\s+\$([A-z0-9]{1,10})\=\"base64\_decode\"\;return\s+\$([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\)\;\}.+?\$([A-z]{1,2})\s+\=\s+\Array\(.+?eval\(([A-z0-9]{1,10})\(\$([A-z]{1,2})\,\s+\$([A-z]{1,2})\)\)\;\?>/is, qr/<\?php\s+function\s+([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\{\$([A-z0-9]{1,10})\s+\=\s+\'\'\;\s+for\(\$([A-z]{1,2})\=0\;\s+\$([A-z]{1,2})\s+\<\s+strlen\(\$([A-z0-9]{1,10})\)\;\s+\$([A-z]{1,2})\+\+\)\{\$([A-z0-9]{1,10})\s+\.\=\s+isset\(\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\]\)\s+\?\s+\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\]\s+\:\s+\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\;\}\s+\$([A-z0-9]{1,10})\=\"base64\_decode\"\;return\s+\$([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\)\;\}.+?\$([A-z]{1,2})\s+\=\s+\Array\(.+?eval\(([A-z0-9]{1,10})\(\$([A-z]{1,2})\,\s+\$([A-z]{1,2})\)\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\=\'aWYoaXNzZXQoJF9SRVFVRVNUWydjb2NvJ10pICYmICRfUkVRVUVTVFsnY29jbyddIT0nJyl7ZXZhbCgkX1JFUVVFU1RbJ2NvY28nXSk7ZXhpdCgpO30\=\'\;eval\(base64\_decode\(\$([A-z0-9]{1,10})\)\)\;exit\(\)\;\s+\?>/is, qr/<\?php\s+\$([A-z0-9]{1,10})\=\'aWYoaXNzZXQoJF9SRVFVRVNUWydjb2NvJ10pICYmICRfUkVRVUVTVFsnY29jbyddIT0nJyl7ZXZhbCgkX1JFUVVFU1RbJ2NvY28nXSk7ZXhpdCgpO30\=\'\;eval\(base64\_decode\(\$([A-z0-9]{1,10})\)\)\;exit\(\)\;\s+\?>/is,
qr/<script.+?G91825.+?<\/script>/is, qr/<script.+?G91825.+?<\/script>/is,
qr/<\?php\s+function\s+query\_str\(\$params\)\{\s+\$str\s+\=\s+\'\'\;.+?\$urlz\=lrtrim\(\$urlz\)\;\s+\$contenttype\=lrtrim\(\$contenttype\)\;\s+\$encode\_text\=\$\_POST\[\'encode\'\]\;.+?sent\s+successfully\'\)\;\s+<\/script>\"\;\}\}\s+\?>\s+<p\s+align\=\"center\">\&nbsp\;<\/p>\s+\&nbsp\;\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\@error\_reporting\(0\)\;\s+set\_time\_limit\(150\)\;\s+ignore\_user\_abort\(true\)\;\s+ini\_set\(\'max\_execution\_time\'\,150\)\;\s+if\(\$\_SERVER\[\'REQUEST\_METHOD\'\]\=\=\'GET\'\)\{\s+exit\(\'OK\'\)\;\s+\}.+?\$ex\=explode\(\'\:\'\,\$emails\)\;.+?imagedestroy\(\$image\_p\)\;\s+return\s+\$out\;\s+\}\s+\?>/is, qr/<\?php\s+\@error\_reporting\(0\)\;\s+set\_time\_limit\(150\)\;\s+ignore\_user\_abort\(true\)\;\s+ini\_set\(\'max\_execution\_time\'\,150\)\;\s+if\(\$\_SERVER\[\'REQUEST\_METHOD\'\]\=\=\'GET\'\)\{\s+exit\(\'OK\'\)\;\s+\}.+?\$ex\=explode\(\'\:\'\,\$emails\)\;.+?imagedestroy\(\$image\_p\)\;\s+return\s+\$out\;\s+\}\s+\?>/is,
qr/<\?php\s+\/\/Valar\s+dohaeris\s+\$arya\s+\=.+?\$tyrion\s+\=\s+\'as\'\s+\.\s+\'se\'\s+\.\s+\'rt\'\;\s+\$daenerys\s+\=\s+sprintf\(\'\!ev\'\s+\.\s+\'al\(b\'\s+\.\s+\'ase\'\s+\.\s+\'64\'\s+\.\s+\'\_\'\s+\.\s+\'de\'\s+\.\s+\'code\'\s+\.\s+\'\s+\(\"\%s\"\)\)\'\,\s+\$arya\)\;\s+\$tyrion\(stripslashes\(\$daenerys\)\)\;/is, qr/<\?php\s+\/\/Valar\s+dohaeris\s+\$arya\s+\=.+?\$tyrion\s+\=\s+\'as\'\s+\.\s+\'se\'\s+\.\s+\'rt\'\;\s+\$daenerys\s+\=\s+sprintf\(\'\!ev\'\s+\.\s+\'al\(b\'\s+\.\s+\'ase\'\s+\.\s+\'64\'\s+\.\s+\'\_\'\s+\.\s+\'de\'\s+\.\s+\'code\'\s+\.\s+\'\s+\(\"\%s\"\)\)\'\,\s+\$arya\)\;\s+\$tyrion\(stripslashes\(\$daenerys\)\)\;/is,
qr/<\?php\s+eval\(eval\(.+?\)\;\s+eval\(.+?\)\;\"\)\)\;\s+\?>/is, qr/<\?php\s+eval\(eval\(.+?\)\;\s+eval\(.+?\)\;\"\)\)\;\s+\?>/is,