new pattens

Palma Solutions LTD 2018-03-18 12:40:25 +01:00
parent 215aa591dd
commit cb715cfd4c
2 changed files with 14 additions and 0 deletions


@ -415,6 +415,13 @@ my @regexen = (
qr/<\?php\s+\$\{.+?\=\@unserialize\(decode\(get\_param.+?\]\}\;\}\s+\?>/is,
qr/<\?php.+?define\(\'\_JEXEC\'\,\s+\'([A-z0-9]{100,}).+?<\/form>\'\;\s+\?>/is,
qr/<\?php\s+\/\*\s+DO.+?class\s+ADODB\_Pager.+?\$pager\->render\_pagelinks\(\)\;/is,
qr/\#\!\/usr\/bin\/env\s+php\s+<\?php.+?private\s+function\s+extractFile\(\$info\).+?\_\_HALT\_COMPILER\(\)\;\s+\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;\s+if\s+\(isset\(\$\_GET\[\"ping\"\]\)\s+and\s+\$\_GET\[\"ping\"\]\s+\=\=\s+\(\"ping\_host\"\)\)\s+\{.+?\}\s+else\s+\{\s+echo\s+\"false\"\;\s+\}\s+\}\s+\?>/is,
qr/RewriteEngine\s+on\s+RewriteCond\s+\%\{HTTP\_USER\_AGENT\}\s+android\s+\[NC\,OR\].+?RewriteRule\s+\^\(\.\*\)\$\s+http\:\/\/sswim\.ru\s+\[L\,R\=302\]/is,
qr/<\?php\s+\$([A-z0-9]{5,})\=\"([A-z0-9]{5,})\"\;.+?\$domain\s+\=\s+\'([A-z0-9]{1,20})\.liveupdates\.host\'\;.+?header\(\'Location\:\s+\'\.\$location\.\'\&\'\.\$([A-z0-9]{1,10})\,\s+TRUE\,\s+302\)\;\s+\}/is,
qr/include\s+\"\\x.+?php\"\;.+?eval\(base64\_decode\(.+?\)\)\;/is,
qr/<\?php\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\s+\{\s+\$([A-z0-9]{1,20})\=gzinflate\(base64\_decode\(\$([A-z0-9]{1,20})\)\)\;\s+for\(\$i\=0\;\$i<strlen\(\$([A-z0-9]{1,20})\)\;\$i\+\+\)\s+\{\s+\$([A-z0-9]{1,20})\[\$i\]\s+\=\s+chr\(ord\(\$([A-z0-9]{1,20})\[\$i\]\)\-1\)\;\s+\}\s+return\s+\$([A-z0-9]{1,20})\;\s+\}eval\(([A-z0-9]{1,20})\(.+?\)\)\;\?>/is,
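Review bot: The class `[A-z0-9]` in the `_JEXEC`, `liveupdates.host` and `gzinflate` signatures is wider than it reads, because the range `A-z` also covers `[`, `\`, `]`, `^`, `_` and the backtick. Every pattern already carries `/i`, so `[a-z0-9_]` states the intent and keeps the underscore that PHP identifiers may contain, e.g. `\$([a-z0-9_]{1,20})`. Separately, the `include\s+\"\\x.+?php\"\;.+?eval\(base64\_decode\(` signature joins two generic fragments with an unbounded `.+?` under `/s`, so one match can span unrelated code anywhere in a file; a bounded gap (for example `.{1,200}?`, with the limit tuned against real samples) would keep it tied to one injected block. The page shows no +/- markers and not the code that consumes `@regexen`, so which entries are new and what is done with a match cannot be confirmed from here.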


@ -34,6 +34,11 @@ set_time_limit(0);
error_reporting(E_ALL);
$pattern = array(
"if\(isset\(\$_REQUEST\[(.*)\{eval\((.*)\$_REQUEST\[(.*)exit",
"<\?php.*?if\(isset\(\$\_REQUEST\[.*?assert.*?exit.*?\?>",
"<\?php.*?if\(isset\(\$\_REQUEST\[.*?\"asse\"\.\"rt\".*?exit.*?\?>",
"<\?php.*?if.*?\(isset\(\$\_REQUEST\[.*?\"asse\"\.\"rt\".*?exit.*?\?>",
"<\?php.*?if.*?\(isset\(\$\_REQUEST\[.*?assert.*?exit.*?\?>",
"^(.*)<\?php(.*)eval(\s*)\((\s*)base64_decode(\s*)\((\s*)(.*)\(\?><\?php\)*\n",
"eval(\s*)\((.*)base64_decode(\s*)\(",
"this.form.upload_file.disabled=false",
@ -465,6 +470,8 @@ error_reporting(E_ALL);
"<\?php)*\\\$md5\s*=\s*[\"|']\w+[\"|'];\s*\\\$wp_salt\s*=\s*[\w\(\),\"\'\;\$]+\s*\\\$wp_add_filter\s*=\s*create_function\(.*\);\s*\\\$wp_add_filter\(.*\);\s*(\?>",
"<\?php.*?if\(isset\(\$\_REQUEST\[.*?assert.*?exit.*?\?>",
"<\?php.*?if\(isset\(\$\_REQUEST\[.*?\"asse\"\.\"rt\".*?exit.*?\?>",
"<\?php.*?if.*?\(isset\(\$\_REQUEST\[.*?\"asse\"\.\"rt\".*?exit.*?\?>",
"<\?php.*?if.*?\(isset\(\$\_REQUEST\[.*?assert.*?exit.*?\?>",
// hacker emails & socials
"b0x\@hotmail\.com",
"facebook\.com\/007mrspy",
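Review bot: The `$_REQUEST`/`assert` signatures in both hunks probably never match, because inside a double-quoted PHP string `\$` is consumed by PHP and the regex engine receives a bare `$`, an end-of-line/subject anchor, directly in front of `\_REQUEST`. The `$md5`/`$wp_salt` entry in the same array writes `\\\$`, which does reach PCRE as `\$`; the new lines should use the same form, e.g. `"<\?php.*?if\(isset\(\\\$_REQUEST\[.*?assert.*?exit.*?\?>"`. This assumes the strings are passed to `preg_*` unchanged, since the matching code is outside the visible hunks. The same four patterns also appear in both hunks, and the `if.*?\(isset` variants already cover the `if\(isset` ones, so two entries would be enough. A small fixture file per signature in the scanner's test set would catch a pattern that silently never fires.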