new patterns

This commit is contained in:
Palma Solutions LTD 2018-09-30 14:18:20 +02:00
parent 3b4b44bcd6
commit dbb45ddce8
2 changed files with 33 additions and 1 deletions


@ -316,6 +316,21 @@ my @regexen = (
qr/<\?php.+?if\(empty\(\$_GET\[\'ineedthispage\'\]\)\)\{ini_set\(\'display_errors\',\"Off\"\);ignore_user_abort\(1\);\$.+?if\(\!empty\(\$_COOKIE\[\'PHPSSIDDD2\'\]\)\)\{\$.+?\)\];\}return\$([A-z0-9_]{1,20});\};\s+\/\/item->alias\s+\?>/is,
qr/if\(isset\(\$_REQUEST\[\'bot\'\]\)\) assert\(stripslashes\(\$_REQUEST\[bot\]\)\);/is,
qr/<\?php function ([A-z0-9_]{1,20})\(\$\w,\$\w,\$\w\)\{return \$\w\.\$\w\.\$\w;\} \$([A-z0-9_]{1,20}) =.+?\(\"at\",chr\(101\),\"\(\\x62a\"\);\$.+?\'\"\.\$([A-z0-9_]{1,20});\$([A-z0-9_]{1,20})\(\'\', \'\}\'\.\$([A-z0-9_]{1,20})\.\'\/\/\'\);/is,
qr/<\?php\s+class XYZ_Logger\s+\{.+?\$this->backdoorFile\(\$path\);\s+\}\s+\}\s+\$fabLicense = <<<EOF\s+<\?php \/\*.+?if \(\@\$_GET\[\'rm\'\]\) \{\s+\@unlink\(\_\_FILE\_\_\);\s+\}/is,
qr/<\?php\s+\$combatwork=\"yes\";.+?\$linkstable = \'wp_old_lcache\';.+?mysqli_close\(\$dbcon\);return\$row_count;\}\}\?>/is,
qr/<\?php\s+header\(.+?array\(\'index\.php\',\'index\.html\',\'index\.htm\',\'index\.shtml\',\'index\.html\.bak\.bak\',\'index\.html\.bak\',\'default\.htm\',\'default\.html\'\);.+?function traverse\(\$path = \'\.\'\) \{.+?return \$file_array;\s+\}/is,
qr/<\?php \$([A-z0-9_]{1,20}) = array\(.+?\);\$([A-z0-9_]{1,20}) = array\(\'base\' ,\'64_d\' ,\'ecod\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gz\', \'un\', \'co\', \'mp\', \'re\', \'ss\'\) ;\$.+?\) \) \) \) ; \?>/is,
qr/<\?php\s+if\(isset\(\$_GET\[\'fuck\'\]\) \&\& \$_GET\[\'fuck\'\] == \'1\'\)\{\s+\$name=\'simple\.php\';\/\/.+?unlink\(\"\.\/get\.php\"\);\s+\}else\{\s+echo \"the file is ok\.\.\.\.\";\s+\}/is,
qr/eval\(str_rot13\(\'([A-z0-9_]{1,20}) ([A-z0-9_]{1,20})\(\)\{([A-z0-9_]{1,20})\(\!\(.+?\(\);\'\)\);/is,
qr/eval\(str_rot13\(\'.+?\(\_\_SVYR\_\_\)\.\"\/.+?\}\}([A-z0-9_]{1,20})\(\);\'\)\);/is,
qr/ob_start\(\"security_update\"\); function security_update\(\$buffer\)\{return \$buffer\.base64_decode\(.+?\'\);\}/is,
qr/<\?php\s+\/\*\*\s+\* Leaf PHP Mailer by \[leafmailer\.pw\].+?\$password =.+?\$code_=\'.+?\$ccc=str_rot13\(gzinflate\(base64_decode\(\$code_\)\)\);\s+eval\(\$ccc\);\s+\?>/is,
qr/<\?php\s+error_reporting\(0\);\s+\$file=\"\.\/public_html\/error\.php\";\s+\$shellcode = \(\"<\? eval\(base64_decode\(.+?\'\)\); \?>\"\);\s+\$fopen=fopen\(\$file,\"a\+\"\);\s+\$fwrite=fwrite\(\$fopen,\$shellcode\);\s+\$fclose=fclose\(\$fopen\);\s+\?>/is,
qr/<\?php \$GLOBALS\[.+?foreach \(\$GLOBALS\[\$GLOBALS\[\'([A-z0-9_]{1,20})\'\].+?\$([A-z0-9_]{1,20}) = \@\$GLOBALS\[\$GLOBALS\[.+?elseif \(\$([A-z0-9_]{1,20})\[\$GLOBALS\[.+?eval\(\$([A-z0-9_]{1,20})\[\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\d\]\]\);\s+\}\s+\}/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'g\'\. \'z\'\. \'u\'\. \'n\'\. \'c\'\. \'o\'\. \'m\'\. \'p\'\. \'r\'\. \'e\'\. \'s\'\. \'s\';\$([A-z0-9_]{1,20}) = \'ba\' \.\'se\' \.\'64\' \.\'_d\' \.\'ec\' \.\'od\' \.\'e\';\$([A-z0-9_]{1,20}) = \'imp\' \.\'lod\' \.\'e\';\$([A-z0-9_]{1,20}) = array\(\".+?\)\)\)\); \?>/is,
qr/<\?php.+?\$default_charset=\'Wind\'\.\'o\.\'\.\'ws-12\'\.\'51\';\s+\$default_action=\'F\'\.\'il\'\.\'esMan\';\s+\$color=\'\#d\'\.\'f5\';\s+\$default_use_ajax=true;\s+\$JFactory = strrev\(\'edo\'\.\'c\'\.\'ed_4\'\.\'6e\'\.\'sab\'\);\s+\$JComponentHelper = strrev\(\'ecalp\'\.\'er\'\.\'_ge\'\.\'rp\'\);.+?\\x29\\x29\\x3B\",\"\.\"\);\s+\?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = array\(\'.+?array\(\'b\' ,\'a\' ,\'s\' ,\'e\' ,\'6\' ,\'4\' ,\'_\' ,\'d\' ,\'e\' ,\'c\' ,\'o\' ,\'d\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'g\', \'z\', \'u\', \'n\', \'c\', \'o\', \'m\', \'p\', \'r\', \'e\', \'s\', \'s\'\) ;\$.+?\) \) \) \) ; \?>/is,
qr/<\?php echo eval\(base64_decode\(str_replace\(\'\*\',\'a\',str_replace\(\'%\',\'B\',str_replace\(\'~\',\'F\',str_replace\(\'_\',\'z\',str_replace\(\'\$\',\'x\',str_replace\(\'\@\',\'d\',str_replace\(\'^\',\'3\',str_rot13\(.+?\)\)\)\)\)\)\)\)\)\); \?>/is,
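Review bot: The capture class `[A-z0-9_]` used in the new patterns (e.g. the `return\$([A-z0-9_]{1,20})` group at the end of the first added line, and the same idiom on the `function`, `eval(str_rot13(`, `$GLOBALS[` and `array(` patterns) is wider than it looks: the range `A-z` spans ASCII 65–122 and therefore also admits `[`, `\`, `]`, `^`, `_` and the backtick, so a variable-name slot could match punctuation the malware never emits. `\w{1,20}` (or `[A-Za-z0-9_]{1,20}`) expresses the intended identifier class; and if the caller only tests match/no-match, the groups can be non-capturing, e.g. `qr/eval\(str_rot13\(\'(?:\w{1,20}) (?:\w{1,20})\(\)\{(?:\w{1,20})\(\!\(.+?\(\);\'\)\);/is`. The same lines are added again in the second file section of this commit, so the change applies there too. The `@regexen` array these entries belong to opens and closes outside this hunk.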


@ -1303,7 +1303,24 @@ my @regexen = (
qr/\*\/\s+\@\$wordpress404=\"e\\x76.+?\$wordpress401\(\$wp\[30\]\.\$wp\[31\]\.\$wp\[27\]\.\$wp\[30\]\.\$wp\[4\],\$wordpress404,\"\"\);\s+\/\*/is,
qr/<\?php.+?if\(empty\(\$_GET\[\'ineedthispage\'\]\)\)\{ini_set\(\'display_errors\',\"Off\"\);ignore_user_abort\(1\);\$.+?if\(\!empty\(\$_COOKIE\[\'PHPSSIDDD2\'\]\)\)\{\$.+?\)\];\}return\$([A-z0-9_]{1,20});\};\s+\/\/item->alias\s+\?>/is,
qr/if\(isset\(\$_REQUEST\[\'bot\'\]\)\) assert\(stripslashes\(\$_REQUEST\[bot\]\)\);/is,
qr/<\?php\s+class XYZ_Logger\s+\{.+?\$this->backdoorFile\(\$path\);\s+\}\s+\}\s+\$fabLicense = <<<EOF\s+<\?php \/\*.+?if \(\@\$_GET\[\'rm\'\]\) \{\s+\@unlink\(\_\_FILE\_\_\);\s+\}/is,
qr/<\?php\s+\$combatwork=\"yes\";.+?\$linkstable = \'wp_old_lcache\';.+?mysqli_close\(\$dbcon\);return\$row_count;\}\}\?>/is,
qr/<\?php\s+header\(.+?array\(\'index\.php\',\'index\.html\',\'index\.htm\',\'index\.shtml\',\'index\.html\.bak\.bak\',\'index\.html\.bak\',\'default\.htm\',\'default\.html\'\);.+?function traverse\(\$path = \'\.\'\) \{.+?return \$file_array;\s+\}/is,
qr/<\?php \$([A-z0-9_]{1,20}) = array\(.+?\);\$([A-z0-9_]{1,20}) = array\(\'base\' ,\'64_d\' ,\'ecod\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gz\', \'un\', \'co\', \'mp\', \'re\', \'ss\'\) ;\$.+?\) \) \) \) ; \?>/is,
qr/<\?php\s+if\(isset\(\$_GET\[\'fuck\'\]\) \&\& \$_GET\[\'fuck\'\] == \'1\'\)\{\s+\$name=\'simple\.php\';\/\/.+?unlink\(\"\.\/get\.php\"\);\s+\}else\{\s+echo \"the file is ok\.\.\.\.\";\s+\}/is,
qr/eval\(str_rot13\(\'([A-z0-9_]{1,20}) ([A-z0-9_]{1,20})\(\)\{([A-z0-9_]{1,20})\(\!\(.+?\(\);\'\)\);/is,
qr/eval\(str_rot13\(\'.+?\(\_\_SVYR\_\_\)\.\"\/.+?\}\}([A-z0-9_]{1,20})\(\);\'\)\);/is,
qr/ob_start\(\"security_update\"\); function security_update\(\$buffer\)\{return \$buffer\.base64_decode\(.+?\'\);\}/is,
qr/<\?php\s+\/\*\*\s+\* Leaf PHP Mailer by \[leafmailer\.pw\].+?\$password =.+?\$code_=\'.+?\$ccc=str_rot13\(gzinflate\(base64_decode\(\$code_\)\)\);\s+eval\(\$ccc\);\s+\?>/is,
qr/<\?php\s+error_reporting\(0\);\s+\$file=\"\.\/public_html\/error\.php\";\s+\$shellcode = \(\"<\? eval\(base64_decode\(.+?\'\)\); \?>\"\);\s+\$fopen=fopen\(\$file,\"a\+\"\);\s+\$fwrite=fwrite\(\$fopen,\$shellcode\);\s+\$fclose=fclose\(\$fopen\);\s+\?>/is,
qr/<\?php \$GLOBALS\[.+?foreach \(\$GLOBALS\[\$GLOBALS\[\'([A-z0-9_]{1,20})\'\].+?\$([A-z0-9_]{1,20}) = \@\$GLOBALS\[\$GLOBALS\[.+?elseif \(\$([A-z0-9_]{1,20})\[\$GLOBALS\[.+?eval\(\$([A-z0-9_]{1,20})\[\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\d\]\]\);\s+\}\s+\}/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'g\'\. \'z\'\. \'u\'\. \'n\'\. \'c\'\. \'o\'\. \'m\'\. \'p\'\. \'r\'\. \'e\'\. \'s\'\. \'s\';\$([A-z0-9_]{1,20}) = \'ba\' \.\'se\' \.\'64\' \.\'_d\' \.\'ec\' \.\'od\' \.\'e\';\$([A-z0-9_]{1,20}) = \'imp\' \.\'lod\' \.\'e\';\$([A-z0-9_]{1,20}) = array\(\".+?\)\)\)\); \?>/is,
qr/<\?php.+?\$default_charset=\'Wind\'\.\'o\.\'\.\'ws-12\'\.\'51\';\s+\$default_action=\'F\'\.\'il\'\.\'esMan\';\s+\$color=\'\#d\'\.\'f5\';\s+\$default_use_ajax=true;\s+\$JFactory = strrev\(\'edo\'\.\'c\'\.\'ed_4\'\.\'6e\'\.\'sab\'\);\s+\$JComponentHelper = strrev\(\'ecalp\'\.\'er\'\.\'_ge\'\.\'rp\'\);.+?\\x29\\x29\\x3B\",\"\.\"\);\s+\?>/is,
qr/<\?php \$([A-z0-9_]{1,20}) = array\(\'.+?array\(\'b\' ,\'a\' ,\'s\' ,\'e\' ,\'6\' ,\'4\' ,\'_\' ,\'d\' ,\'e\' ,\'c\' ,\'o\' ,\'d\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'g\', \'z\', \'u\', \'n\', \'c\', \'o\', \'m\', \'p\', \'r\', \'e\', \'s\', \'s\'\) ;\$.+?\) \) \) \) ; \?>/is,
qr/<\?php echo eval\(base64_decode\(str_replace\(\'\*\',\'a\',str_replace\(\'%\',\'B\',str_replace\(\'~\',\'F\',str_replace\(\'_\',\'z\',str_replace\(\'\$\',\'x\',str_replace\(\'\@\',\'d\',str_replace\(\'^\',\'3\',str_rot13\(.+?\)\)\)\)\)\)\)\)\)\); \?>/is,
);
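Review bot: Several of the added patterns chain two or more lazy `.+?` segments under `/s` (the `<\?php.+?\$default_charset` entry and the `\$GLOBALS\[.+?foreach` entry are the longest), which means a near-miss on a large input can force each `.+?` to expand across the whole remaining buffer before the match fails; whether that is a problem depends on how big the scanned files are, which this hunk does not show. A cheap guard before the regex loop — e.g. `next unless index($content, 'default_charset') >= 0;` for the fixed literals each pattern already contains — or bounding the gaps with `.{1,4096}?` where the real samples are known to be short would keep the scanner's worst case predictable. This section also adds the identical 17 entries as the first file section; if both files are maintained as copies of one list, a shared module with a single `our @REGEXEN` would avoid them drifting apart. The `@regexen` array is closed on the last line here but its opening lies outside the hunk.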