Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ne patterns

Browse Source
This commit is contained in:
root
2019-07-27 12:13:48 +02:00
parent de9c8f0581
commit dea9e10ca0
2 changed files with 29 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
malware.pl
View File

@@ -1439,7 +1439,21 @@ my @regexen = (
qr/<\?php \/\*([A-z0-9_]{1,20})\*\/if\/\*([A-z0-9_]{1,20})\*\/\(isset\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\)\)\{\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\);exit;\}/is,
qr/<\?php \/\*([A-z0-9_]{1,20})\*\/if\/\*([A-z0-9_]{1,20})\*\/\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{eval\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\/\*([A-z0-9_]{1,20})\*\/;\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is,
qr/<\?php if \(isset\(\$\{\"_REQUE\"\.\"ST\"\}\[\'([A-z0-9_]{1,20})\'\]\)\)\{\$([A-z0-9_]{1,20})=\"assert\";\$([A-z0-9_]{1,20})\(\$\{\"_REQUEST\"\}\[\'([A-z0-9_]{1,20})\'\]\);exit;\}/is,
qr/<\?php.+?function decrypt\(\$str\,\$pwd\)\{\$pwd=base64_encode\(\$pwd\);\$str=base64_decode\(.+?call_user_func\(\'action\' \. \$_POST\[\'a\'\]\);\s+\?>/is,
qr/<\!\-\- HTML And JavaScript \-\->.+?Rebels Mailer.+?<\/span>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+if\(isset\(\$_GET\[\"up\"\]\)\)\{echo\"<font color=\#FFFFFF>\[uname\]\"\.php_uname\(\)\.\"\[\/uname\]\";echo\"<br><font color=\#FFFFFF>\[dir\]\"\.getcwd\(\)\.\"\[\/dir\]\";echo\"<form method=post enctype=multipart\/form-data>\";echo\"<input type=file name=f><input name=v type=submit id=v value=up><br>\";if\(\$_POST\[\"v\"\]==up\)\{if\(\@copy\(\$_FILES\[\"f\"\]\[\"tmp_name\"\]\,\$_FILES\[\"f\"\]\[\"name\"\]\)\)\{echo\"<b>Success<\/b>\-\->\"\.\$_FILES\[\"f\"\]\[\"name\"\];\}else\{echo\"<b>Failed\";\}\}\}\s+\?>/is,
qr/<\?php\s+\@ini_set\(\'display_errors\', \'0\'\);.+?\$bad_agents = \'\~google.+?\@include\(\"\{\$eb\}\.\$algo\"\);\s+\}\s+\}\s+\?>/is,
qr/<\?php if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)die\(pi\(\)\*6\);\$GLOBALS\[\'.+?\)\)\);if\(isset\(\$_1\)\)\{\@eval\(\$_1\);exit\(\);\}\}/is,
qr/<\?php\s+extract\(\$_REQUEST\) \&\& \@\$except\(stripslashes\(\$internal\)\) \&\& exit; if\(\!class_exists\(\'Ratel\'\)\).+?\$ratel->init\(\$ruri,\$host,\$is_bot\);\}/is,
qr/<\?php\s+extract\(\$_REQUEST\) \&\& \@\$system\(stripslashes\(\$catch\)\) \&\& exit;/is,
qr/<\?php\s+extract\(\$_REQUEST\) \&\& \@\$pass\(stripslashes\(\$not\)\) \&\& exit; if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\$([A-z0-9_]{1,20})=\/\*([A-z0-9_]{1,20})\*\/\"assert\";\$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20})\/\*([A-z0-9_]{1,20})\*\/\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\/\*([A-z0-9_]{1,20})\*\/;exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is,
qr/<\?php if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\$([A-z0-9_]{1,20})=\"assert\";\/\*([A-z0-9_]{1,20})\*\/\$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20})\/\*([A-z0-9_]{1,20})\*\/\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\);\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is,
qr/<\?php\s+extract\(\$_REQUEST\) \&\& \@\$lock\(stripslashes\(\$request\)\) \&\& exit; if\(isset\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\)\)\{\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\);exit;\}/is,
qr/<\?php\s+extract\(\$_REQUEST\) \&\& \@\$request\(stripslashes\(\$catch\)\) \&\& exit; if\(\!class_exists\(\'Ratel\'\)\)\{.+?\$ratel->init\(\$ruri,\$host,\$is_bot\);\}/is,
qr/<\?php\s+extract\(\$_REQUEST\) \&\& \@\$internal\(stripslashes\(\$user\)\) \&\& exit;\s+if \(\!class_exists\(\'Ratel\'\)\) \{.+?\$ratel->init\(\$ruri, \$host, \$is_bot\);\s+\}\s+\?>/is,
qr/\@ini_set\(\'display_errors\', \'0\'\);\s+error_reporting\(0\);\s+\$skipme = false;\s+\$bad_agents = \'\~google.+?register_shutdown_function\(\'ob_end_flush\'\);\s+\}\s+\}\s+\?>/is,
qr/if\(isset\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\)\)\{\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\);exit;\}/is,
);
my @base64_decodes = (

16
malwaresh.pl
View File

@@ -1449,8 +1449,20 @@ my @regexen = (
qr/<\?php \/\*([A-z0-9_]{1,20})\*\/if\/\*([A-z0-9_]{1,20})\*\/\(isset\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\)\)\{\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\);exit;\}/is,
qr/<\?php \/\*([A-z0-9_]{1,20})\*\/if\/\*([A-z0-9_]{1,20})\*\/\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{eval\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\/\*([A-z0-9_]{1,20})\*\/;\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is,
qr/<\?php if \(isset\(\$\{\"_REQUE\"\.\"ST\"\}\[\'([A-z0-9_]{1,20})\'\]\)\)\{\$([A-z0-9_]{1,20})=\"assert\";\$([A-z0-9_]{1,20})\(\$\{\"_REQUEST\"\}\[\'([A-z0-9_]{1,20})\'\]\);exit;\}/is,
qr/<\?php.+?function decrypt\(\$str\,\$pwd\)\{\$pwd=base64_encode\(\$pwd\);\$str=base64_decode\(.+?call_user_func\(\'action\' \. \$_POST\[\'a\'\]\);\s+\?>/is,
qr/<\!\-\- HTML And JavaScript \-\->.+?Rebels Mailer.+?<\/span>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+if\(isset\(\$_GET\[\"up\"\]\)\)\{echo\"<font color=\#FFFFFF>\[uname\]\"\.php_uname\(\)\.\"\[\/uname\]\";echo\"<br><font color=\#FFFFFF>\[dir\]\"\.getcwd\(\)\.\"\[\/dir\]\";echo\"<form method=post enctype=multipart\/form-data>\";echo\"<input type=file name=f><input name=v type=submit id=v value=up><br>\";if\(\$_POST\[\"v\"\]==up\)\{if\(\@copy\(\$_FILES\[\"f\"\]\[\"tmp_name\"\]\,\$_FILES\[\"f\"\]\[\"name\"\]\)\)\{echo\"<b>Success<\/b>\-\->\"\.\$_FILES\[\"f\"\]\[\"name\"\];\}else\{echo\"<b>Failed\";\}\}\}\s+\?>/is,
qr/<\?php\s+\@ini_set\(\'display_errors\', \'0\'\);.+?\$bad_agents = \'\~google.+?\@include\(\"\{\$eb\}\.\$algo\"\);\s+\}\s+\}\s+\?>/is,
qr/<\?php if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)die\(pi\(\)\*6\);\$GLOBALS\[\'.+?\)\)\);if\(isset\(\$_1\)\)\{\@eval\(\$_1\);exit\(\);\}\}/is,
qr/<\?php\s+extract\(\$_REQUEST\) \&\& \@\$except\(stripslashes\(\$internal\)\) \&\& exit; if\(\!class_exists\(\'Ratel\'\)\).+?\$ratel->init\(\$ruri,\$host,\$is_bot\);\}/is,
qr/<\?php\s+extract\(\$_REQUEST\) \&\& \@\$system\(stripslashes\(\$catch\)\) \&\& exit;/is,
qr/<\?php\s+extract\(\$_REQUEST\) \&\& \@\$pass\(stripslashes\(\$not\)\) \&\& exit; if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\$([A-z0-9_]{1,20})=\/\*([A-z0-9_]{1,20})\*\/\"assert\";\$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20})\/\*([A-z0-9_]{1,20})\*\/\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\/\*([A-z0-9_]{1,20})\*\/;exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is,
qr/<\?php if\(isset\(\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\$([A-z0-9_]{1,20})=\"assert\";\/\*([A-z0-9_]{1,20})\*\/\$([A-z0-9_]{1,20})=\$([A-z0-9_]{1,20})\/\*([A-z0-9_]{1,20})\*\/\(\/\*([A-z0-9_]{1,20})\*\/\$_REQUEST\[\'([A-z0-9_]{1,20})\'\]\);\/\*([A-z0-9_]{1,20})\*\/exit;\/\*([A-z0-9_]{1,20})\*\/\}\?>/is,
qr/<\?php\s+extract\(\$_REQUEST\) \&\& \@\$lock\(stripslashes\(\$request\)\) \&\& exit; if\(isset\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\)\)\{\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\);exit;\}/is,
qr/<\?php\s+extract\(\$_REQUEST\) \&\& \@\$request\(stripslashes\(\$catch\)\) \&\& exit; if\(\!class_exists\(\'Ratel\'\)\)\{.+?\$ratel->init\(\$ruri,\$host,\$is_bot\);\}/is,
qr/<\?php\s+extract\(\$_REQUEST\) \&\& \@\$internal\(stripslashes\(\$user\)\) \&\& exit;\s+if \(\!class_exists\(\'Ratel\'\)\) \{.+?\$ratel->init\(\$ruri, \$host, \$is_bot\);\s+\}\s+\?>/is,
qr/\@ini_set\(\'display_errors\', \'0\'\);\s+error_reporting\(0\);\s+\$skipme = false;\s+\$bad_agents = \'\~google.+?register_shutdown_function\(\'ob_end_flush\'\);\s+\}\s+\}\s+\?>/is,
qr/if\(isset\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\)\)\{\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\(\$_COOKIE\[\"([A-z0-9_]{1,20})\"\]\);exit;\}/is,
);