From de928ac01637a37f2575ca17f81d70a6ff9a710d Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Sat, 28 Apr 2018 09:36:22 +0200
Subject: [PATCH] new patterns
---
 malware5.pl | 3 +++
 malwaresh.pl | 4 +++-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/malware5.pl b/malware5.pl
index 0595ba9..b4feb7f 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -319,6 +319,9 @@ my @regexen = (
 qr/<\?php.+?Parabola.+?eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
 qr/<\?php\s+function\s+html\(\$data\).+?array\_unshift\(\$data\,.+?array\_push\(\$parag\,\$word\)\;.+?echo\(html\(array\(.+?\?>/is,
 qr/<\?php\s+\$([A-z0-9]{1,20})\_([A-z0-9]{1,20})\s+\=\s+array\(.+?array\(\'bas.+?array\(\'gzu.+?eval.+?\?>/is,
+ qr/<\?php\s+error\_reporting\(0\)\;\$.+?WP\_Error\_Page\_Not\_Found.+?\(\$\_SERVER\[\'DOCUMENT\_ROOT\'\]\)\;\}\}\}\}\}\}\}\}\;/is,
+ qr/<\?php\s+error\_reporting\(0\)\;echo\(\"Form.+?\{if\(\@copy\(\$\_FILES\[\'file\'\]\[\'tmp\_name\'\].+?
\'\;\}\}\;\}\;/is,
+ qr/<\?php\s+\$([A-z0-9]{1,20})\_([A-z0-9]{1,20})\s+\=\s+\'s\'\.\'t\'\.\'r\'\.\'r\'\.\'e\'\.\'v\'\;\$.+?array\(.+?eval\?>/is,
 );
diff --git a/malwaresh.pl b/malwaresh.pl
index 8418376..af30bd2 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -800,7 +800,9 @@ my @regexen = (
 qr/<\?php.+?Parabola.+?eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
 qr/<\?php\s+function\s+html\(\$data\).+?array\_unshift\(\$data\,.+?array\_push\(\$parag\,\$word\)\;.+?echo\(html\(array\(.+?\?>/is,
 qr/<\?php\s+\$([A-z0-9]{1,20})\_([A-z0-9]{1,20})\s+\=\s+array\(.+?array\(\'bas.+?array\(\'gzu.+?eval.+?\?>/is,
-
+ qr/<\?php\s+error\_reporting\(0\)\;\$.+?WP\_Error\_Page\_Not\_Found.+?\(\$\_SERVER\[\'DOCUMENT\_ROOT\'\]\)\;\}\}\}\}\}\}\}\}\;/is,
+ qr/<\?php\s+error\_reporting\(0\)\;echo\(\"Form.+?\{if\(\@copy\(\$\_FILES\[\'file\'\]\[\'tmp\_name\'\].+?
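Review bot: The last entry added to `@regexen` in the malware5.pl hunk ends in `eval\?>`, which requires the literal text `eval?>` with nothing between the two, so as shown it will probably never fire on a real file. The array-based entry in the context lines above it ends in `eval.+?\?>`; if the new entry was meant to follow the same shape, its tail should read `array\(.+?eval.+?\?>/is`. The same entry uses `[A-z0-9]`, a range that also takes in `[`, `\`, `]`, `^`, `_` and the backtick; `[A-Za-z0-9]` states what is meant. Both remarks apply unchanged to the identical lines added in the malwaresh.pl hunk. The `@regexen` list opens outside the hunk.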
\'\;\}\}\;\}\;/is,
+ qr/<\?php\s+\$([A-z0-9]{1,20})\_([A-z0-9]{1,20})\s+\=\s+\'s\'\.\'t\'\.\'r\'\.\'r\'\.\'e\'\.\'v\'\;\$.+?array\(.+?eval\?>/is,
 );
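Review bot: The three entries added in this hunk are character-for-character the ones added to malware5.pl in the same commit, and the context entries above them match as well, so the signature list appears to be maintained by hand in two scripts. Keeping the shared entries in one file that both scripts load would stop the lists drifting apart, which for a scanner means a sample caught by one script and missed by the other. None of the new entries says what it was derived from; a short comment above each, for example `# upload form: error_reporting(0) then @copy($_FILES['file']['tmp_name'], ...)`, would help when a match has to be triaged as a false positive. The list opens outside the hunk, so whether a shared loader already exists cannot be seen from here.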