added 4 new patterns

Palma Solutions LTD 2019-01-17 06:37:41 +01:00
parent 937ee7268d
commit dd426d89eb
2 changed files with 10 additions and 1 deletions


@ -380,7 +380,11 @@ my @regexen = (
qr/<\?php\s+error_reporting\(E_ERROR\);set_time_limit\(0\);\s+if\(isset\(\$_POST\[\'.+?\'\]\)\)\{\s+\$tofile=\'40\d\.php\';\s+\$a =base64_decode\(strtr\(\$_POST\[\'.+?\'\], \'-_,\', \'+\/=\'\)\);\s+\$a=\'<\?php \'\.\$a\.\'\?>\';\s+\@file_put_contents\(\$tofile,\$a\);\s+require_once\(\'40\d\.php\'\);\s+\@unlink\(\$tofile\);\s+exit;\s+\}\s+\?>/is,
qr/<\?php\s+if \(isset \(\$_GET\[\'check\'\]\)\) \{\s+echo \"checked\";.+?<h1>File<\/h1>.+?echo\(\"FILE\"\);\s+\}\s+\?>\s+<\/body>\s+<\/html>/is,
qr/<\?php function ([A-z0-9_]{1,20})\(\$i\)\{\$a=Array\(\"([A-z0-9_]{1,20})\",\"([A-z0-9_]{1,20})\",\"([A-z0-9_]{1,20})\",\"([A-z0-9_]{1,20})\",\"\w\*\"\);return \$a\[\$i\];\} \?>/is,
qr/<\?php eval\(str_rot13\(gzinflate\(str_rot13\(base64_decode\(\".+?\"\)\)\)\)\);/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'gz\'\. \'un\'\. \'co\'\. \'mp\'\. \'re\'\. \'ss\';\$([A-z0-9_]{1,20}) = \'base\' \.\'64_d\' \.\'ecod\' \.\'e\';\$([A-z0-9_]{1,20}) = \'im\' \.\'pl\' \.\'od\' \.\'e\';\$([A-z0-9_]{1,20}) = array\(.+?\)\)\)\); \?>/is,
qr/<center><\? echo \'<b>Mailer<\/b><br>.+?<input type=hidden name=a value=\'FilesMan\'>.+?\$data=curl_exec\(\$ch\);if\(\!\$data\)\{return false;\}return \$data;\}exit;/is,
qr/<\?php header\(\"Cont\\145nt-Type: te\\x78t\/html; charset=utf-8\"\);error_reporting\(.+?\@preg_split\(\"\/\\x5cR\\134R\/\",\$([A-z0-9_]{1,20}),-0173- -0124-0213- -0264\);\$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20});endif;endif;return\$([A-z0-9_]{1,20});\};/is,
);
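Review bot: The identifier class `[A-z0-9_]` in what appear to be the added `'gz'. 'un'. 'co'...` and `preg_split` patterns (the `+`/`-` markers are lost on this page) covers the whole ASCII range between `Z` and `a`, so it also accepts `[`, `\`, `]`, `^` and a backtick, none of which can occur in a PHP variable name. Because every pattern already carries `/i`, writing `[a-z0-9_]{1,20}` states the intended match exactly and keeps the signature from matching text that is not an identifier. The parentheses around each class create capture groups that nothing visible here reads; `(?:[a-z0-9_]{1,20})`, or no group at all, avoids filling `$1`..`$4` on every file scanned. The same four patterns are repeated in the second file's `@regexen` hunk, and the older `function ...($i){$a=Array(` pattern just above uses the same class, so the fix applies there too; the `@regexen` list itself starts outside this hunk.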


@ -1369,8 +1369,13 @@ my @regexen = (
qr/<\?php\s+error_reporting\(E_ERROR\);set_time_limit\(0\);\s+if\(isset\(\$_POST\[\'.+?\'\]\)\)\{\s+\$tofile=\'40\d\.php\';\s+\$a =base64_decode\(strtr\(\$_POST\[\'.+?\'\], \'-_,\', \'+\/=\'\)\);\s+\$a=\'<\?php \'\.\$a\.\'\?>\';\s+\@file_put_contents\(\$tofile,\$a\);\s+require_once\(\'40\d\.php\'\);\s+\@unlink\(\$tofile\);\s+exit;\s+\}\s+\?>/is,
qr/<\?php\s+if\(isset\(\$_POST\[.+?\$index=\$_SERVER\[\'DOCUMENT_ROOT\'\]\.base64_decode\(strtr\(\$_POST\[\'filename\'\].+?\$b =base64_decode\(file_get_contents\(\$_POST\[\'b\'\]\)\);\s+\@file_put_contents\(\$index,\$b\);\s+echo \'ok\';\s+\}\s+\?>/is,
qr/<\?php\s+error_reporting\(0\);\s+ini_set\(\'display_errors\', 0\);\s+\$install_code =.+?\$install_hash = md5\(\$_SERVER\[\'HTTP_HOST\'\] \. AUTH_SALT\);.+?wp-includes\/class\.wp\.php\';\s+\}\s+\}\s+\?><\?php error_reporting\(0\);\?>/is,
qr/<\?php eval\(str_rot13\(gzinflate\(str_rot13\(base64_decode\(\".+?\"\)\)\)\)\);/is,
qr/<\?php \$([A-z0-9_]{1,20}) = \'gz\'\. \'un\'\. \'co\'\. \'mp\'\. \'re\'\. \'ss\';\$([A-z0-9_]{1,20}) = \'base\' \.\'64_d\' \.\'ecod\' \.\'e\';\$([A-z0-9_]{1,20}) = \'im\' \.\'pl\' \.\'od\' \.\'e\';\$([A-z0-9_]{1,20}) = array\(.+?\)\)\)\); \?>/is,
qr/<center><\? echo \'<b>Mailer<\/b><br>.+?<input type=hidden name=a value=\'FilesMan\'>.+?\$data=curl_exec\(\$ch\);if\(\!\$data\)\{return false;\}return \$data;\}exit;/is,
qr/<\?php header\(\"Cont\\145nt-Type: te\\x78t\/html; charset=utf-8\"\);error_reporting\(.+?\@preg_split\(\"\/\\x5cR\\134R\/\",\$([A-z0-9_]{1,20}),-0173- -0124-0213- -0264\);\$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20});endif;endif;return\$([A-z0-9_]{1,20});\};/is,
);
my @base64_decodes = (