Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update 'malware3.pl'

Browse Source
This commit is contained in:
Malin 2016-12-18 11:46:09 +01:00
parent 976a0c45ba
commit e60fa55f1f
1 changed files with 2 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
malware3.pl
View File

@ -23,7 +23,7 @@ my @regexen = (
qr/<\?php\s+function\s+([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\{\$([A-z0-9]{1,10})\s+\=\s+\'\'\;\s+for\(\$([A-z]{1,2})\=0\;\s+\$([A-z]{1,2})\s+\<\s+strlen\(\$([A-z0-9]{1,10})\)\;\s+\$([A-z]{1,2})\+\+\)\{\$([A-z0-9]{1,10})\s+\.\=\s+isset\(\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\]\)\s+\?\s+\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\]\s+\:\s+\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\;\}\s+\$([A-z0-9]{1,10})\=\"base64\_decode\"\;return\s+\$([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\)\;\}.+?\$([A-z]{1,2})\s+\=\s+\Array\(.+?eval\(([A-z0-9]{1,10})\(\$([A-z]{1,2})\,\s+\$([A-z]{1,2})\)\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\=\'aWYoaXNzZXQoJF9SRVFVRVNUWydjb2NvJ10pICYmICRfUkVRVUVTVFsnY29jbyddIT0nJyl7ZXZhbCgkX1JFUVVFU1RbJ2NvY28nXSk7ZXhpdCgpO30\=\'\;eval\(base64\_decode\(\$([A-z0-9]{1,10})\)\)\;exit\(\)\;\s+\?>/is,
qr/<script.+?G91825.+?<\/script>/is,
qr/<\?php\s+if\s+\(\!defined\(\'ALREADY\_RUN.+?\)\)\;\s+\}/is,
qr/<\?php.+?defined.+?ALREADY\_RUN.+?ALREADY\_RUN.+?\)\)\;\s+\}/is,
qr/<\?php\s+echo\"trest\"\;error\_reporting\(0\)\;.+?val\(base64\_decode\(\$kk\)\)\;\s+echo\"abrval\"\;\s+\?>/is,
qr/<\?php\s+\@preg\_replace\(\$\_SERVER\[\'HTTP\_X\_([A-z0-9]{1,10})\'\]\,\s+\$\_SERVER\[\'HTTP\_X\_CURRENT\'\]\,\s+\'\'\)\;\s+\?>/is,
qr/<\?php\s+\/\*\*\s+\*\s+\@version.+?\$b64\s+\=\s+\"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\+\/\=\"\;.+?\$o3\s+\=\s+\$bits\s+\&\s+0xff\;.+?new\s+JApplication\(arrays+\(\'UID\'\s+\=>\s+\'.+?\'\)\)\;/is,
@ -33,14 +33,8 @@ my @regexen = (
qr/<\!DOCTYPE\s+html>\s+<html\s+lang\=\"en\-US\">\s+<head>.+?<link\s+rel\=\'dns\-prefetch\'\s+href\=\'\/\/blogg\.profsoffice\.se\'>.+?<div\s+id\=\"fb\-root\"><\/div>\s+<\/body>\s+<\/html><\/div>/is,
qr/<\?php\s+\$arrId\s+\=\s+array\(.+?\)\;\s+\/\/file\s+end/is,
qr/<html>\s+<head>\s+<title>\s+Dark\s+Shell.+?Rename\s+directory<\/a><\/td><\/tr>.+?\"\;\s+\}\s+\}\s+echo\s+\"<\/table>.+?\"\;\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\s+([A-z0-9]{1,10})\;\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\=Array\(\)\;global\$([A-z0-9]{1,10})\;\$([A-z0-9]{1,10})\=\$GLOBALS\;\$\{.+?\]\]\)\;\}exit\(\)\;\}\s+\?>/is,
# qr/<\?\s+\$ua\=\@\$\_SERVER\[\"HTTP\_USER\_AGENT\"\]\;\$row\=split\(\"\=\=\=\"\,\$ua\)\;echo\s+\"\->\|\"\;if\(\$row\[0\]\=\=\"k8\"\)\@eval\(\$row\[1\]\)\;echo\s+\"\|<\-\"\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\s+([A-z0-9]{1,10})\;\$GLOBALS\[\'([A-z0-9]{1,10})\'\]\=Array\(\)\;global\$([A-z0-9]{1,10})\;\$([A-z0-9]{1,10})\=\$GLOBALS\;\$\{.+?\]\]\)\;\}exit\(\)\;\}\s+\?>/is,
qr/<\?php\s+if\(\@md5\(\$\_SERVER\[\'HTTP\_PATH\'\]\)\=\=\=\'([A-z0-9]{1,32})\'\)\{\s+\@extract\(\$\_REQUEST\)\;\s+\@die\(\$stime\(\$mtime\)\)\;\s+\}\s+\?>/is,
# needs review qr/<\?php\s+if\(\!empty\(\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s+\{\s+\$userAgents\s+\=\s+array\(\"Google\"\,\s+\"Slurp\"\,\s+\"MSNBot\"\,\s+\"ia\_archiver\"\,\s+\"Yandex\"\,\s+\"Rambler\"\)\;\s+if\(preg\_match\(\'\/\'\s+\.\s+implode\(\'\|\'\,\s+\$userAgents\)\s+\.\s+\'\/i\'\,\s+\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\)\)\s+\{\s+header\(\'HTTP\/1\.0\s+404\s+Not\s+Found\'\)\;\s+exit\;\s+\}\s+\}.+?<input\s+type\=\"submit\"\s+value\=\"Sent\"\s+\/>\s+<\/form>\s+<\/body>\s+<\/html>\'\;/is,
# qr/<\?php\s+\/\/header\(\"Content\-Type\:\s+text\/html\;\s+charset\=utf\-8\"\)\;\s+\$config\_password\=\"yt\"\;\s+\$action\=\$\_REQUEST\[\'action\'\]\;\s+\$password\=\$\_REQUEST\[\'password\'\]\;\s+if\(\$password\!\=\$config\_password\).+?function\s+createFolder\(\$path\)\s+\{\s+if\s+\(\!file\_exists\(\$path\)\)\s+\{\s+createFolder\(dirname\(\$path\)\)\;\s+mkdir\(\$path\,\s+0777\)\;\}\s+\}\s+\?>/is,
# qr/<\?php\s+error\_reporting\(E\_ERROR\)\;\s+\$password\=\$\_REQUEST\[\'password\'\]\;\s+\$action\=\$\_REQUEST\[\'action\'\]\;\s+\$filename\=\$\_REQUEST\[\'filename\'\]\;\s+\$filepath\=\"\"\;\s+\$body\=stripslashes\(\$\_REQUEST\[\'body\'\]\)\;\s+if\(\$password\!\=\"abcdefgh\"\).+?echo\s+\"uploaded\"\;\s+\}\s+\?>/is,
qr/<div\s+style\=\"position\:\s+absolute\;\s+left\:\s+\-5000px\;\s+font\-size\:\s+0\.0\;\s+width\:\s+0\.0\;\s+height\:\s+1\.0\;\s+overflow\:\s+hidden\;\">.+?<\/a>.+?<\/div>/is,
qr/<div\s+style\=\"position\:\s+absolute\;\s+left\:\s+\-5000px\;\s+font\-size\:\s+0\.0\;\s+width\:\s+0\.0\;\s+height\:\s+1\.0\;\s+overflow\:\s+hidden\;\">.+?rel\=dofollow>.+?<\/a><\/h2>.+?<\/div>/is,
qr/<IfModule\s+mod\_rewrite\.c>\s+RewriteEngine\s+On\s+RewriteCond\s+\%\{HTTP\_USER\_AGENT\}\s+\(google\|yahoo\|msn\|aol\|bing\)\s+\[OR\]\s+RewriteCond\s+\%\{HTTP\_REFERER\}\s+\(google\|yahoo\|msn\|aol\|bing\)\s+RewriteRule\s+\^\.\*\$\s+index\.php\s+\[L\]\s+<\/IfModule>/is,