From dd426d89eb2eda8c25834b2bf160568649c0843d Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Thu, 17 Jan 2019 06:37:41 +0100
Subject: [PATCH] added 4 new patterns

---
 malware6.pl | 6 +++++-
 malwaresh.pl | 5 +++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/malware6.pl b/malware6.pl
index ebf3991..a478524 100644
--- a/malware6.pl
+++ b/malware6.pl
@@ -380,7 +380,11 @@ my @regexen = (
 qr/<\?php\s+error_reporting\(E_ERROR\);set_time_limit\(0\);\s+if\(isset\(\$_POST\[\'.+?\'\]\)\)\{\s+\$tofile=\'40\d\.php\';\s+\$a =base64_decode\(strtr\(\$_POST\[\'.+?\'\], \'-_,\', \'+\/=\'\)\);\s+\$a=\'<\?php \'\.\$a\.\'\?>\';\s+\@file_put_contents\(\$tofile,\$a\);\s+require_once\(\'40\d\.php\'\);\s+\@unlink\(\$tofile\);\s+exit;\s+\}\s+\?>/is,
 qr/<\?php\s+if \(isset \(\$_GET\[\'check\'\]\)\) \{\s+echo \"checked\";.+?

File<\/h1>.+?echo\(\"FILE\"\);\s+\}\s+\?>\s+<\/body>\s+<\/html>/is,
 qr/<\?php function ([A-z0-9_]{1,20})\(\$i\)\{\$a=Array\(\"([A-z0-9_]{1,20})\",\"([A-z0-9_]{1,20})\",\"([A-z0-9_]{1,20})\",\"([A-z0-9_]{1,20})\",\"\w\*\"\);return \$a\[\$i\];\} \?>/is,
-
+ qr/<\?php eval\(str_rot13\(gzinflate\(str_rot13\(base64_decode\(\".+?\"\)\)\)\)\);/is,
+ qr/<\?php \$([A-z0-9_]{1,20}) = \'gz\'\. \'un\'\. \'co\'\. \'mp\'\. \'re\'\. \'ss\';\$([A-z0-9_]{1,20}) = \'base\' \.\'64_d\' \.\'ecod\' \.\'e\';\$([A-z0-9_]{1,20}) = \'im\' \.\'pl\' \.\'od\' \.\'e\';\$([A-z0-9_]{1,20}) = array\(.+?\)\)\)\); \?>/is,
+ qr/
<\? echo \'Mailer<\/b>
.+?.+?\$data=curl_exec\(\$ch\);if\(\!\$data\)\{return false;\}return \$data;\}exit;/is,
+ qr/<\?php header\(\"Cont\\145nt-Type: te\\x78t\/html; charset=utf-8\"\);error_reporting\(.+?\@preg_split\(\"\/\\x5cR\\134R\/\",\$([A-z0-9_]{1,20}),-0173- -0124-0213- -0264\);\$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20});endif;endif;return\$([A-z0-9_]{1,20});\};/is,
+ );
diff --git a/malwaresh.pl b/malwaresh.pl
index 5d501fb..66ad7c4 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -1369,8 +1369,13 @@ my @regexen = (
 qr/<\?php\s+error_reporting\(E_ERROR\);set_time_limit\(0\);\s+if\(isset\(\$_POST\[\'.+?\'\]\)\)\{\s+\$tofile=\'40\d\.php\';\s+\$a =base64_decode\(strtr\(\$_POST\[\'.+?\'\], \'-_,\', \'+\/=\'\)\);\s+\$a=\'<\?php \'\.\$a\.\'\?>\';\s+\@file_put_contents\(\$tofile,\$a\);\s+require_once\(\'40\d\.php\'\);\s+\@unlink\(\$tofile\);\s+exit;\s+\}\s+\?>/is,
 qr/<\?php\s+if\(isset\(\$_POST\[.+?\$index=\$_SERVER\[\'DOCUMENT_ROOT\'\]\.base64_decode\(strtr\(\$_POST\[\'filename\'\].+?\$b =base64_decode\(file_get_contents\(\$_POST\[\'b\'\]\)\);\s+\@file_put_contents\(\$index,\$b\);\s+echo \'ok\';\s+\}\s+\?>/is,
 qr/<\?php\s+error_reporting\(0\);\s+ini_set\(\'display_errors\', 0\);\s+\$install_code =.+?\$install_hash = md5\(\$_SERVER\[\'HTTP_HOST\'\] \. AUTH_SALT\);.+?wp-includes\/class\.wp\.php\';\s+\}\s+\}\s+\?><\?php error_reporting\(0\);\?>/is,
+ qr/<\?php eval\(str_rot13\(gzinflate\(str_rot13\(base64_decode\(\".+?\"\)\)\)\)\);/is,
+ qr/<\?php \$([A-z0-9_]{1,20}) = \'gz\'\. \'un\'\. \'co\'\. \'mp\'\. \'re\'\. \'ss\';\$([A-z0-9_]{1,20}) = \'base\' \.\'64_d\' \.\'ecod\' \.\'e\';\$([A-z0-9_]{1,20}) = \'im\' \.\'pl\' \.\'od\' \.\'e\';\$([A-z0-9_]{1,20}) = array\(.+?\)\)\)\); \?>/is,
+ qr/
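Review bot: The `[A-z0-9_]` classes in the second and fourth added patterns are wider than a PHP identifier, because the range `A-z` also spans `[`, `\`, `]`, `^` and the backtick; `[A-Za-z0-9_]{1,20}` is what the existing entries appear to intend, and the capturing groups can become `(?:...)` unless the loop that applies `@regexen` reads `$1`..`$4`. The third added pattern contains the adjacent pair `.+?.+?`, which is just `.{2,}?` but can backtrack quadratically on files that do not match, a real cost for a scanner that tries every entry against every file; that entry also looks mangled in this view (it opens with a bare `qr/` and continues on the next two lines), so the intended text should be checked before merging. The same four entries are pasted verbatim into `malwaresh.pl` in the second hunk, and the context lines show the two `@regexen` lists already differ, so a shared module holding the signature list would keep them in sync. None of the new entries says what it detects; a comment such as `# rot13/gzinflate eval chain; sample: <SHA256 placeholder>` above each would help when triaging a hit. The `@regexen` declaration itself starts before the hunk.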
<\? echo \'Mailer<\/b>
.+?.+?\$data=curl_exec\(\$ch\);if\(\!\$data\)\{return false;\}return \$data;\}exit;/is,
+ qr/<\?php header\(\"Cont\\145nt-Type: te\\x78t\/html; charset=utf-8\"\);error_reporting\(.+?\@preg_split\(\"\/\\x5cR\\134R\/\",\$([A-z0-9_]{1,20}),-0173- -0124-0213- -0264\);\$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20});endif;endif;return\$([A-z0-9_]{1,20});\};/is,
+ );
 my @base64_decodes = (