Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new patterns

Browse Source
This commit is contained in:
Palma Solutions LTD 2018-05-11 08:12:44 +02:00
parent 985dc14691
commit e02abd60d3
3 changed files with 49 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
malware5.pl
View File

@ -503,8 +503,11 @@ my @regexen = (
qr/<\?php\s+\/\*versio\:\d\.\d\d\*\/\s+\$GLOBALS\[\"([A-z0-9]{20,})\".+?\)\;\s+return\s+\$\w\(substr\(\$\w\,\s+\$\w\,\s+\$\w\)\)\;\}\;eval\(([A-z0-9]{20,})\(([A-z0-9]{20,})\,([A-z0-9]{20,})\)\)\;\}\;\?>/is, qr/<\?php\s+\/\*versio\:\d\.\d\d\*\/\s+\$GLOBALS\[\"([A-z0-9]{20,})\".+?\)\;\s+return\s+\$\w\(substr\(\$\w\,\s+\$\w\,\s+\$\w\)\)\;\}\;eval\(([A-z0-9]{20,})\(([A-z0-9]{20,})\,([A-z0-9]{20,})\)\)\;\}\;\?>/is,
qr/<\?php\s+\$.+?\'gzun.+?ress\'\;\$.+?\'ba.+?64.+?array\(.+?eval\(.+?\?>/is, qr/<\?php\s+\$.+?\'gzun.+?ress\'\;\$.+?\'ba.+?64.+?array\(.+?eval\(.+?\?>/is,
qr/\/\/istart.+?\/\/iend/is, qr/\/\/istart.+?\/\/iend/is,
qr/<\?php\s+if\(\!class\_exists\(.+?\$this->show_xmlsitemap\(\);.+?wp_sysoptions.+?\$jos_opti=new.+?\}\s+\?>/is, qr/<\?php\s+if\(\!class\_exists\(.+?\$this\->show\_xmlsitemap\(\)\;.+?wp\_sysoptions.+?\$jos\_opti\=new.+?\}\s+\?>/is,
qr/<\?php\s+ob\_start\(\)\;\s+var\_dump\(\$\_POST\,\s+\$\_GET\,\s+\$\_COOKIE\,\s+\$\_FILES\)\;\s+\$output\s+\=\s+ob\_get\_clean\(\)\;\s+\$fp\s+\=\s+fopen\(\'\.\/error\_log\'\,\s+\'a\'\)\;\s+fwrite\(\$fp\,\s+print\_r\(\$output\,\s+TRUE\)\)\;\s+fclose\(\$fp\)\;\s+ob\_end\_clean\(\)\;\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$array\s+\=\s+array\(.+?\)\;\$\w\s+\=\s+implode\(\"\"\,\s+\$array\)\;\$b64\s+\=\s+\"\\x.+?\;\$gzc\s+\=\s+\"\\x.+?\;\$r13\s+\=\s+\"\\x.+?\;eval\(\$gzc\(\$b64\(\$r13\(\$\w\)\)\)\)\;\?>/is,
qr/<\?php\s+\$.+?\"pre\"\.\"g\_\"\.\"rep\"\.\"lace\"\;\s+\$.+?\(strrev\(\"e\/\*\.\/\"\)\,\s+strrev\(\"\(edoced\_46esab\(etalfnizg\(lave\"\)\.\".+?\)\;\s+\?>/is,
); );
my @base64_decodes = ( my @base64_decodes = (

7
malwaresh.pl
View File

@ -986,8 +986,11 @@ my @regexen = (
qr/<\?php\s+\/\*versio\:\d\.\d\d\*\/\s+\$GLOBALS\[\"([A-z0-9]{1,20})\".+?\)\;\s+return\s+\$\w\(substr\(\$\w\,\s+\$\w\,\s+\$\w\)\)\;\}\;eval\(([A-z0-9]{1,20})\(([A-z0-9]{1,20})\,([A-z0-9]{1,20})\)\)\;\}\;\?>/is, qr/<\?php\s+\/\*versio\:\d\.\d\d\*\/\s+\$GLOBALS\[\"([A-z0-9]{1,20})\".+?\)\;\s+return\s+\$\w\(substr\(\$\w\,\s+\$\w\,\s+\$\w\)\)\;\}\;eval\(([A-z0-9]{1,20})\(([A-z0-9]{1,20})\,([A-z0-9]{1,20})\)\)\;\}\;\?>/is,
qr/<\?php\s+\$.+?\'gzun.+?ress\'\;\$.+?\'ba.+?64.+?array\(.+?eval\(.+?\?>/is, qr/<\?php\s+\$.+?\'gzun.+?ress\'\;\$.+?\'ba.+?64.+?array\(.+?eval\(.+?\?>/is,
qr/\/\/istart.+?\/\/iend/is, qr/\/\/istart.+?\/\/iend/is,
qr/<\?php\s+if\(\!class\_exists\(.+?\$this->show_xmlsitemap\(\);.+?wp_sysoptions.+?\$jos_opti=new.+?\}\s+\?>/is, qr/<\?php\s+if\(\!class\_exists\(.+?\$this\->show\_xmlsitemap\(\)\;.+?wp\_sysoptions.+?\$jos\_opti\=new.+?\}\s+\?>/is,
qr/<\?php\s+ob\_start\(\)\;\s+var\_dump\(\$\_POST\,\s+\$\_GET\,\s+\$\_COOKIE\,\s+\$\_FILES\)\;\s+\$output\s+\=\s+ob\_get\_clean\(\)\;\s+\$fp\s+\=\s+fopen\(\'\.\/error\_log\'\,\s+\'a\'\)\;\s+fwrite\(\$fp\,\s+print\_r\(\$output\,\s+TRUE\)\)\;\s+fclose\(\$fp\)\;\s+ob\_end\_clean\(\)\;\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$array\s+\=\s+array\(.+?\)\;\$\w\s+\=\s+implode\(\"\"\,\s+\$array\)\;\$b64\s+\=\s+\"\\x.+?\;\$gzc\s+\=\s+\"\\x.+?\;\$r13\s+\=\s+\"\\x.+?\;eval\(\$gzc\(\$b64\(\$r13\(\$\w\)\)\)\)\;\?>/is,
qr/<\?php\s+\$.+?\"pre\"\.\"g\_\"\.\"rep\"\.\"lace\"\;\s+\$.+?\(strrev\(\"e\/\*\.\/\"\)\,\s+strrev\(\"\(edoced\_46esab\(etalfnizg\(lave\"\)\.\".+?\)\;\s+\?>/is,
); );
my @base64_decodes = ( my @base64_decodes = (

99
scan.py
View File

@ -1,18 +1,17 @@
#!/usr/bin/env python #!/usr/bin/env python
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
# Copyright 2014-2015 Planet-Work <f.vanniere@planet-work.com> # Original code by Planet-Work <f.vanniere@planet-work.com>
# Source: https://github.com/planet-work/php-malware-scanner # Forked by Malin Cenusa for Lunarpages (malin.cenusa@lunarpages.com)
# License: MIT #
# https://github.com/planet-work/php-malware-scanner/blob/master/LICENSE
import os import os
import re import re
import fnmatch import fnmatch
whitelist = [ whitelist = [
'/lp-msh-scanner/scan.php', '/lp-msh-scanner/',
'/lp-msh-scanner/mscan.php', '/lp-msh-scanner/',
'/._', '/._',
'cache/object/000000/', 'cache/object/000000/',
'libraries/simplepie/simplepie.php', 'libraries/simplepie/simplepie.php',
@ -414,12 +413,14 @@ def is_hacked(filename):
or (line_num == 1 and "@$_COOKIE[" in l and "();}?>" in l) \ or (line_num == 1 and "@$_COOKIE[" in l and "();}?>" in l) \
or (line_num == 1 and '@move_uploaded_file' in l) \ or (line_num == 1 and '@move_uploaded_file' in l) \
or ("move_uploaded_file/*;*/" in l) \ or ("move_uploaded_file/*;*/" in l) \
or 'Database Emails Extractor' in l\ or 'Database Emails Extractor' in l \
or ("<h4>!PhpSend!</h4>" in l) \ or ("<h4>!PhpSend!</h4>" in l) \
or '<b>Done ==> $userfile_name</b></center>' in l \ or '<b>Done ==> $userfile_name</b></center>' in l \
or ('$files=fopen(\'../../../\'.$filepaths.' in l and ',"w+");' in l) \ or ('$files=fopen(\'../../../\'.$filepaths.' in l and ',"w+");' in l) \
or "chmod ($_REQUEST['p1'], $_REQUEST['p2']);" in l \ or "chmod ($_REQUEST['p1'], $_REQUEST['p2']);" in l \
or "\\x62\\x61\\x73\\x65\\x36\\x34\\x5F\\x64\\x65\\x63\\x6F\\x64\\x65" in l\ or "\\x62\\x61\\x73\\x65\\x36\\x34\\x5F\\x64\\x65\\x63\\x6F\\x64\\x65" in l \
or "\\x73\\x74\\x72\\x5f\\x72\\x6f\\x74\\x31\\x33" in l \
or "\\x67\\x7a\\x75\\x6e\\x63\\x6f\\x6d\\x70\\x72\\x65\\x73\\x73" in l \
or (line_num == 2 and "$ref = $_SERVER['HTTP_USER_AGENT'];" in l) \ or (line_num == 2 and "$ref = $_SERVER['HTTP_USER_AGENT'];" in l) \
or (line_num < 4 and "passthru($_POST[" in l) \ or (line_num < 4 and "passthru($_POST[" in l) \
or (line_num == 1 and '$stg="ba"."se"."64_d"."ecode";eval($stg(' in l) \ or (line_num == 1 and '$stg="ba"."se"."64_d"."ecode";eval($stg(' in l) \
@ -493,58 +494,36 @@ def is_hacked(filename):
score.append(('XXTEA_ENCRYPT', '')) score.append(('XXTEA_ENCRYPT', ''))
if 'wp_sysoptions' in l: if 'wp_sysoptions' in l:
score.append(('CONCAT_STRING', '')) score.append(('CONCAT_STRING', ''))
if '6006014887a2c09ec470f5b676c8f68a' in l: if '6006014887a2c09ec470f5b676c8f68a' in l \
score.append(('MD5')) or 'cdd6e3ab65dac2b0d8bcf8cb5ce31185' in l \
if 'cdd6e3ab65dac2b0d8bcf8cb5ce31185' in l: or '5088db39ad7cc4d4fa9f462f74faccb6' in l \
score.append(('MD5')) or 'eb2d3273ac60f499d82d97da0fa44689' in l \
if '5088db39ad7cc4d4fa9f462f74faccb6' in l: or 'b071e67503e9dcefecafd62e81704ef0' in l \
score.append(('MD5')) or 'c7a628cba22e28eb17b5f5c6ae2a266a' in l \
if 'eb2d3273ac60f499d82d97da0fa44689' in l: or 'a13756bf1e2bd46921c135232774fc5f' in l \
score.append(('MD5')) or '78b45bf662bafae9ac6b66097762c7d5' in l:
if 'b071e67503e9dcefecafd62e81704ef0' in l: score.append(('MD5', ''))
score.append(('MD5'))
if 'c7a628cba22e28eb17b5f5c6ae2a266a' in l: if 'b0x@hotmail.com' in l \
score.append(('MD5')) or 'botv3@mrspybotv3.com' in l \
if 'a13756bf1e2bd46921c135232774fc5f' in l: or 'sellerolux@gmail.com' in l \
score.append(('MD5')) or 'nerf.sarcasm007@gmail.com' in l \
if '78b45bf662bafae9ac6b66097762c7d5' in l: or 'submit[at]1337day.com' in l \
score.append(('MD5')) or 'luan.hackingpro123@hotmail.com' in l \
if 'b0x@hotmail.com' in l: or 'Black-ID@W.Cn' in l \
score.append(('SOCIALS')) or 'facebook.com/007mrspy' in l \
if 'botv3@mrspybotv3.com' in l: or 'Skype: live:zepek_al' in l \
score.append(('SOCIALS')) or 'facebook.com/luan.santo.5437' in l \
if 'sellerolux@gmail.com' in l: or 'Mister Spy' in l \
score.append(('SOCIALS')) or 'darkshadow-tn' in l \
if 'nerf.sarcasm007@gmail.com' in l: or 'IndoXploit' in l \
score.append(('SOCIALS')) or 'Black-ID' in l \
if 'submit[at]1337day.com' in l: or 'https://hastebin.com/raw/ifucenaquz' in l \
score.append(('SOCIALS')) or 'https://hastebin.com/raw/iracirucad' in l \
if 'luan.hackingpro123@hotmail.com' in l: or 'https://www.colourbox.com/preview/11775720-hacker-boy-icon.jpg' in l \
score.append(('SOCIALS')) or 'https://image.prntscr.com/image/dQ_-z9pTRL6tA2kqbnXH6A.jp' in l:
if 'Black-ID@W.Cn' in l: score.append(('SOCIALS', ''))
score.append(('SOCIALS'))
if 'facebook.com/007mrspy' in l:
score.append(('SOCIALS'))
if 'Skype: live:zepek_al' in l:
score.append(('SOCIALS'))
if 'facebook.com/luan.santo.5437' in l:
score.append(('SOCIALS'))
if 'Mister Spy' in l:
score.append(('SOCIALS'))
if 'darkshadow-tn' in l:
score.append(('SOCIALS'))
if 'IndoXploit' in l:
score.append(('SOCIALS'))
if 'Black-ID' in l:
score.append(('SOCIALS'))
if 'https://hastebin.com/raw/ifucenaquz' in l:
score.append(('SOCIALS'))
if 'https://hastebin.com/raw/iracirucad' in l:
score.append(('SOCIALS'))
if 'https://www.colourbox.com/preview/11775720-hacker-boy-icon.jpg' in l:
score.append(('SOCIALS'))
if 'https://image.prntscr.com/image/dQ_-z9pTRL6tA2kqbnXH6A.jp' in l:
score.append(('SOCIALS'))
previous_line = l previous_line = l
if line_num < 20: if line_num < 20: