From e3d436746abf9d8cb51c50535b224d0810900438 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Thu, 25 May 2017 10:57:35 +0200
Subject: [PATCH] new pattern

---
 malware3.pl | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/malware3.pl b/malware3.pl
index 9d471d1..a55ef1a 100644
--- a/malware3.pl
+++ b/malware3.pl
@@ -528,7 +528,8 @@ my @regexen = (
 qr/<\?php\s+\$([A-z0-9]{1,10})\=\".+?eg\_.+?\.chr\(101\)\.\"plac.+?\"\;\?>/is,
 qr/<\?php\s+if\(isset\(\$\_GET\[php\]\)\)\{\echo\s+\'\';echo\s+\'<\/form>\';if\(\$\_POST\[\'golden\'\]\=\=\"Done\"\)\{if\(\@copy\(\$\_FILES\[\'file\'\]\[\'tmp\_name\'\]\,\$\_FILES\[\'file\'\]\[\'name\'\]\)\)\{echo\'\+\';\}else\{echo\'\-\';\}\}\}/is,
 qr/<\?php\s+\$root\_path\s+\=\s+get\_root\(\);\s+\$cms\s+\=\s+get\_cms\(\$root\_path\);\s+\$func\s+\=\s+\'do\_backdoor\_\'\.\$cms;\s+\$func\(\$root\_path\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\);\s+echo\s+\$\_SERVER\[\'HTTP\_HOST\'\]\.\';;;\';\s+\$domains\s+\=\s+get_domains\(\$root\_path\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\);\s+foreach\s+\(\$domains\s+as\s+\$domain\_path\)\s+\{\s+\$tmp\s+\=\s+explode\(\'\/\'\,\s+\$domain\_path\);\s+\$domain\_name\s+\=\s+\(count\(\$tmp\)\s+\>\s+0\)\?\s+\$tmp\[count\(\$tmp\)\s+\-\s+1\]\:\s+\'\';\s+\$cms\s+=\s+get\_cms\(\$domain\_path\);\s+\$func\s+\=\s+\'do\_backdoor\_\'\.\$cms;\s+\$func\(\$domain\_path\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\);\s+echo\s+\$domain\_name\.\';;;\';\s+\}\s+function\s+do\_backdoor\_jml1\(\$domain\_path\,\s+\$domain\)\s+{\s+change\_content\_of\_file\(\$domain\_path\.\'\/\.htaccess\'\,.+?function\s+get\_cron\(\)\s+\{\s+return.+?\';\s+\}/is,
-
+ qr/<\?php\s+error\_reporting\(0\)\;\s+\$\_([A-z0-9]{1,20}).+?strlen\(\$\_([A-z0-9]{1,20})\)\;\s+\$i\+\+\)\s+\$\_([A-z0-9]{1,20})\s+\.\=\s+sprintf\(\"\%c\"\,\s+$\_([A-z0-9]{1,20})\s+\^\s+ord\(\$\_([A-z0-9]{1,20})\[\$i\]\)\)\;\$\_([A-z0-9]{1,20})\s+\=\s+\"\"\;s+for.+?\*\//is,
+
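Review bot: The added `qr//` line has two escaping slips that will likely keep the signature from ever matching its sample, which means a silent false negative in the scanner. Near the end, `\"\"\;s+for` is missing the backslash on `s+`, so it demands one or more literal `s` characters instead of whitespace; it should read `\"\"\;\s+for`. After `sprintf\(\"\%c\"\,\s+` the pattern has `$\_(` with a bare `$`, while every other variable reference on the line is written `\$\_`; unescaped it is not a literal dollar sign (Perl may treat it as an anchor or interpolate `$\`), so it should be `\$\_(`. A short comment above the pattern naming the sample it targets, plus a known-positive test file run against the list, would catch this kind of mistake; the `@regexen` list opens and closes outside the hunk.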