From cc9e281cbcc69bdcce6e92bb5af1e043ff0e7b60 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Mon, 19 Mar 2018 08:05:22 +0100
Subject: [PATCH] new patterns
---
 malware4.pl | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/malware4.pl b/malware4.pl
index 89dfab9..6db2cd3 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -425,6 +425,12 @@ my @regexen = (
 qr/<\?\s+\$GLOBALS\[.+?\]\=Array\(base64\_decode\(.+?\)\,base64\_decode\(.+?\)\,base64\_decode\(.+?\)\)\;\s+\?><\?\s+function.+?\=Array\(.+?return\s+base64\_decode\(.+?\]\)\;\}\s+\?><\?php\s+\$GLOBALS\[.+?\)\)eval\(base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+\?>/is,
 qr/<\?php\s+\@ini\_set\(\'display\_errors\'\,\s+0\)\;\@set\_time\_limit\(3600\)\;.+?if\(isset\(.+?echo\s+\'\#ok\#\'\;.+?return\s+\$dir\;\s+\}\s+\/\//is,
 qr/<\?php\s+if\(\s+isset\(\$\_REQUEST\[\"test\_url\"\]\)\s+\)\{.+?if\s+\(file\_exists\(\"wp\-content\"\)\).+?unlink\(\$scriptname\)\;\s+\?>/is,
+ qr/<\?php\s+echo\"Hello\,\s+Dollys\"\;error\_reporting\(0\)\;if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\s+\&\&\s+md5\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\s+\=\=\s+\'([A-z0-9]{20,})\'\s+\&\&\s+isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\s+eval\(base64\_decode\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\;\?>/is,
+ qr/<\?php\s+\$RootDir\s+\=\s+\$\_SERVER\[\'DOCUMENT\_ROOT\'\]\;.+?if\s+\(\!\s+is\_dir\s+\(\s+\$RootDir\.\"\/wp\-content\"\s+\)\).+?\$str\=\'<\?php\s+if\(\$\_GET\[.+?unlink\(\"\.\/([A-z0-9]{1,20})\.php\"\)\;/is,
+ qr/<\?php\s+if\(\$\_GET\[\".+?<\/form><\?php\s+\}\s+\?>/is,
+ qr/\?php\s+\/\*\s+\(c\)\s+2005.+?\=base64\_decode\(\$.+?for\(\$i\=0\;\s+\$i/is,
+ qr/if\(isset\(\$\_REQUEST\[\'.+?\$array\_name\s+\.\=\s+\$alphabet\[\$.+?\/\/\s+MALWARE\s+\$([A-z0-9]{1,20})\(\)\;\s+exit\(\)\;\s+\}/is,
+ qr/\$alphabet\s+\=\s+\".+?\$string\s+\=\s+\".+?\$array\_name\s+\=\s+\"\"\;.+?\$array\_name\s+\.\=\s+\$alphabet\[\$.+?strrev\(\"noi\"\.\"tcnuf\"\.\"\_eta\"\.\"erc\"\)\;.+?\/\/\s+MALWARE\s+\$([A-z0-9]{1,20})\(\)\;/is,
 );
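Review bot: The last two added patterns require the literal comment `// MALWARE` in front of `$name();`, so they match only copies of the sample that carry that marker; if the marker is an analyst's or another tool's annotation rather than part of the original file (the hunk does not say), a copy where the call is still live would go undetected. Making the marker optional covers both forms: `(?:\/\/\s+MALWARE\s+)?\$([A-z0-9]{1,20})\(\)\;`. Separately, the third added pattern, `<\?php\s+if\(\$\_GET\[\".+?<\/form><\?php\s+\}\s+\?>`, has no sample-specific literal, and under `/s` the lazy `.+?` runs from any `<?php if($_GET["` to the next `</form><?php } ?>`, which ordinary form-handling pages can also contain; anchoring it on a string unique to the sample would reduce false positives. The `@regexen` array starts before the hunk and the code that consumes a match is not shown, so the cost of a false hit (report versus removal) should be checked there.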