From d61259fe1bc975c541a6521fc9e27a2b78c99200 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Sat, 21 Apr 2018 12:33:35 +0200
Subject: [PATCH] new patterns

---
 malware5.pl | 5 +++++
 malwaresh.pl | 6 +++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/malware5.pl b/malware5.pl
index ee2ac88..16cd963 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -251,6 +251,11 @@ my @regexen = (
 qr/<\?php\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
 qr/<\?php.+?\$pos\s+\=\s+strpos\(\$haystack\,\s+\$needle\)\;.+?function\s+mailer\_spam\_cycle\(.+?\'OK\'\)\;\s+\}/is,
 qr/.+?parent\.window\.opener\.location\=\"http\:\/\/redirg\.info\/\?access\=.+?<\/html>/is,
+ qr/<\?php.+?\{if\(is\_uploaded\_file\(\$\_FILES\[\"filename\"\]\[\"tmp\_name\"\]\)\)\{.+?\@eval\(\$uidmail\)\;\s+\}/is,
+ qr/([0-9]{20,})<\?php\s+\@eval\(\$\_POST\[\'c\'\]\)\;\s+die\(\)\;\?>/is,
+ qr/<\?php\s+error\_reporting\(0\)\;echo\'404\-NOT\-FOUND\-ERROR\'\;\s+\$([A-z0-9]{1,20})\=gzinflate\(base64\_decode\(.+?\}\}closedir\(\$([A-z0-9]{1,20})\)\;\?>/is,
+ qr/<\?php\s+\@eval\(\$\_POST\[([A-z0-9]{1,20})\]\)\;\?>/is,
+
 );
 
 my @base64_decodes = (
diff --git a/malwaresh.pl b/malwaresh.pl
index 87dc027..32341b5 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -731,7 +731,11 @@ my @regexen = (
 qr/<\?php\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
 qr/<\?php.+?\$pos\s+\=\s+strpos\(\$haystack\,\s+\$needle\)\;.+?function\s+mailer\_spam\_cycle\(.+?\'OK\'\)\;\s+\}/is,
 qr/.+?parent\.window\.opener\.location\=\"http\:\/\/redirg\.info\/\?access\=.+?<\/html>/is,
-
+ qr/<\?php.+?\{if\(is\_uploaded\_file\(\$\_FILES\[\"filename\"\]\[\"tmp\_name\"\]\)\)\{.+?\@eval\(\$uidmail\)\;\s+\}/is,
+ qr/([0-9]{20,})<\?php\s+\@eval\(\$\_POST\[\'c\'\]\)\;\s+die\(\)\;\?>/is,
+ qr/<\?php\s+error\_reporting\(0\)\;echo\'404\-NOT\-FOUND\-ERROR\'\;\s+\$([A-z0-9]{1,20})\=gzinflate\(base64\_decode\(.+?\}\}closedir\(\$([A-z0-9]{1,20})\)\;\?>/is,
+ qr/<\?php\s+\@eval\(\$\_POST\[([A-z0-9]{1,20})\]\)\;\?>/is,
+
 );
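Review bot: The character class `[A-z]` in the new `\$([A-z0-9]{1,20})` and `\[([A-z0-9]{1,20})\]` patterns (third and fourth added lines of the malware5.pl hunk, repeated verbatim in the malwaresh.pl hunk) covers the ASCII range between `Z` and `a`, so it also admits `[`, `\`, `]`, `^`, `` ` `` and `_` rather than just identifier characters; if a PHP variable or array-key name is intended, spell it out as `[A-Za-z0-9_]` (or `\w`), e.g. `\$([A-Za-z0-9_]{1,20})\=gzinflate`. Those parentheses also capture into `$1`/`$2` on every match, and nothing in the list itself reads them, so unless the matcher elsewhere consumes the captures they can be non-capturing `(?:...)` or dropped. The same signature list is now maintained by hand in both malware5.pl and malwaresh.pl, and the second hunk already has to remove a stray blank line to bring the two back into step, which is the drift a shared module or a single pattern file loaded by both scripts would prevent. The enclosing `my @regexen = (` list begins before the hunk.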