From e6a93d04cb63c1e8587025b38a9a7f249c6fb544 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Sat, 5 May 2018 07:50:48 +0200
Subject: [PATCH] new patterns & fixes

---
 cms-ver.php | 1 +
 malware5.pl | 10 +++++++++-
 malwaresh.pl | 9 +++++++++
 scan.php | 4 ++--
 4 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/cms-ver.php b/cms-ver.php
index 02046f8..fdc7876 100644
--- a/cms-ver.php
+++ b/cms-ver.php
@@ -139,6 +139,7 @@ $versions = array(
 array("phpAds", "/libraries/lib-dbconfig.inc.php", "\$phpAds_version_readable ="),
 array("Smarty Framework", "/smarty/libs/Smarty.class.php", "var \$_version"),
 array("phpDealerLocator", "/config.php", "phpDealerLocator v"),
+ array("CraftySyntax", "/admin_common.php", "CVS will be released with version"),
 // still need to work on these
 array("CubeCart", "/index.php", "CubeCart v"),
 // may need one more line
diff --git a/malware5.pl b/malware5.pl
index e39ad7b..c037d6c 100644
--- a/malware5.pl
+++ b/malware5.pl
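Review bot: The probe string of the new CraftySyntax entry, `"CVS will be released with version"`, reads like a note about a future release rather than text that sits directly in front of the installed version number, which is what the neighbouring entries (`"CubeCart v"`, `"var \$_version"`) rely on; if reports for this CMS come back with a version ahead of what is deployed, this string is the likely cause. A comment on the line, `// matches a changelog-style sentence in admin_common.php; verify it tracks the installed version`, would record that caveat for the next maintainer. The entry is also placed directly above the existing `// still need to work on these` marker, so it is ambiguous whether CraftySyntax belongs to the finished group or the unfinished one; moving either the entry or the comment would settle it. The `$versions` array opens outside the hunk.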
@@ -419,7 +419,15 @@ my @regexen = (
 qr/<\?php\s+\$\w\s+\=\s+\"b\"\.\"\"\.\"as\"\.\"e\"\.\"\"\.\"\"\.\"6\"\.\"4\"\.\"\_\"\.\"de\"\.\"\"\.\"c\"\.\"o\"\.\s+\"\"\.\"d\"\.\"e\"\;\s+assert\(\$\w\(.+?\)\)\;\s+\?>/is,
 qr/<\?php\s+if\(\!isset\(\$GLOBALS\[\"\\x.+?\]\)\)\s+\{\s+\$ua\=strtolower\(\$\_SERVER\[\"\\x.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
 qr/<\?php\s+class.+?\=base64\_DEcODE\(self\:\:\$\_.+?\(\'\_\'\.\'.+?\'\)\]\)\;endif\;exit\;/is,
-
+ qr/<\?php.+?Black\-ID\@W\.Cn.+?preg\_replace\(\"\\x.+?\"\)\;\s+\?>/is,
+ qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\'\)\;if\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\)\)\=\=\$.+?\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(false\,\$([A-z0-9]{1,20})\(\$.+?\'\;/is,
+ qr/<\?php\s+if\(empty\(\$\_GET\[\'ineedthispage\'\]\)\)\{ini\_set\(\'display\_errors\'\,\"Off\"\)\;ignore\_user\_abort\(.+?\}\}closedir\(\$dir\)\;rmdir\(\$directory\)\;\}\;\s+\/\/item\->alias\s+\?>/is,
+ qr/<\?php.+?\$pathToDor\s+\=\s+\"\/nsw\-uk\".+?\$cookie\_name\s+\=\s+\'UTCSESSID\'\;.+?setcookie\(\$cookie\_name\,md5\(uniqid\(\)\)\,0\,\'\/\'\,\$cookieDomain\)\;.+?\$curl\_loops\=0\;\s+return\s+\$data\;.+?\?>/is,
+ qr/<\?php\s+if\(strpos\(strtolower\(\$\_SERVER\[\'REQUEST\_URI\'\]\)\,\'nsw\-uk\'\)\)\{\s+include\(getcwd\(\)\.\'\/version\.php\'\)\;\s+exit\;\}\s+\?>/is,
+ qr/<\?php\s+if\s+\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\{eval\(base64\_decode\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\)\;exit\;\}\s+if\(isset\(\$\_GET\[\"([A-z0-9]{1,20})\"\]\)\)\{echo\s+\"([A-z0-9]{1,20})\s+\:\s+([A-z0-9]{1,20})\=\"\;exit\;\}\s+\?>/is,
+ qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\)eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;.+?([A-z0-9]{1,20})\'\;/is,
+ qr/<\?php.+?if\s+\(\!isset\(\$\_COOKIE\[\'.+?\$compressed\=base64\_decode\(\$cookieData\).+?\$str\=\"

403\s+Forbidden<\/h1><\!\-\-\s+token\:.+?return\s+array\(\$resultHeaders\,\s+\$body\)\;\s+}/is,
+ );
diff --git a/malwaresh.pl b/malwaresh.pl
index 90e1290..56d3e05 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
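Review bot: Every `([A-z0-9]{1,20})` capture in the added patterns uses the range `A-z`, which in ASCII also covers `[`, `\`, `]`, `^`, `_` and the backtick; for a class meant to match an obfuscated identifier that is presumably unintended, and `[A-Za-z0-9]` (or `\w`) states the intent — the same class is already in the existing second context line, so the correction applies there too. Most of the new patterns also chain several unbounded `.+?` under `/s`, which on a large non-matching file backtracks heavily; bounding each gap (`.{1,N}?` with N chosen per signature) keeps scan time predictable. As rendered here the last added pattern is broken across a blank line between `\$str\=\"` and `403\s+Forbidden`; if that break is really inside the `qr//` the pattern matches only that exact newline sequence (CRLF samples would be missed) and `\s*` at that point would be more robust, but it may simply be an artefact of how the patch was captured. The same eight patterns are added verbatim to malwaresh.pl in the next hunk, so the two lists now have to be kept in sync by hand; a shared module both scripts `require` would avoid drift. The `@regexen` list opens before the hunk, and `);` appears here as an added line with no removed counterpart visible, so it is worth confirming the file still has exactly one list terminator.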
@@ -902,6 +902,15 @@ my @regexen = (
 qr/<\?php\s+\$\w\s+\=\s+\"b\"\.\"\"\.\"as\"\.\"e\"\.\"\"\.\"\"\.\"6\"\.\"4\"\.\"\_\"\.\"de\"\.\"\"\.\"c\"\.\"o\"\.\s+\"\"\.\"d\"\.\"e\"\;\s+assert\(\$\w\(.+?\)\)\;\s+\?>/is,
 qr/<\?php\s+if\(\!isset\(\$GLOBALS\[\"\\x.+?\]\)\)\s+\{\s+\$ua\=strtolower\(\$\_SERVER\[\"\\x.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
 qr/<\?php\s+class.+?\=base64\_DEcODE\(self\:\:\$\_.+?\(\'\_\'\.\'.+?\'\)\]\)\;endif\;exit\;/is,
+ qr/<\?php.+?Black\-ID\@W\.Cn.+?preg\_replace\(\"\\x.+?\"\)\;\s+\?>/is,
+ qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\'\)\;if\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\)\)\=\=\$.+?\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(false\,\$([A-z0-9]{1,20})\(\$.+?\'\;/is,
+ qr/<\?php\s+if\(empty\(\$\_GET\[\'ineedthispage\'\]\)\)\{ini\_set\(\'display\_errors\'\,\"Off\"\)\;ignore\_user\_abort\(.+?\}\}closedir\(\$dir\)\;rmdir\(\$directory\)\;\}\;\s+\/\/item\->alias\s+\?>/is,
+ qr/<\?php.+?\$pathToDor\s+\=\s+\"\/nsw\-uk\".+?\$cookie\_name\s+\=\s+\'UTCSESSID\'\;.+?setcookie\(\$cookie\_name\,md5\(uniqid\(\)\)\,0\,\'\/\'\,\$cookieDomain\)\;.+?\$curl\_loops\=0\;\s+return\s+\$data\;.+?\?>/is,
+ qr/<\?php\s+if\(strpos\(strtolower\(\$\_SERVER\[\'REQUEST\_URI\'\]\)\,\'nsw\-uk\'\)\)\{\s+include\(getcwd\(\)\.\'\/version\.php\'\)\;\s+exit\;\}\s+\?>/is,
+ qr/<\?php\s+if\s+\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\{eval\(base64\_decode\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\)\;exit\;\}\s+if\(isset\(\$\_GET\[\"([A-z0-9]{1,20})\"\]\)\)\{echo\s+\"([A-z0-9]{1,20})\s+\:\s+([A-z0-9]{1,20})\=\"\;exit\;\}\s+\?>/is,
+ qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\)eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;.+?([A-z0-9]{1,20})\'\;/is,
+ qr/<\?php.+?if\s+\(\!isset\(\$\_COOKIE\[\'.+?\$compressed\=base64\_decode\(\$cookieData\).+?\$str\=\"

403\s+Forbidden<\/h1><\!\-\-\s+token\:.+?return\s+array\(\$resultHeaders\,\s+\$body\)\;\s+}/is,
+ );
diff --git a/scan.php b/scan.php
index f483ebf..2077308 100644
--- a/scan.php
+++ b/scan.php
@@ -472,8 +472,8 @@ error_reporting(0);
 "<\?php.*?if.*?\(isset\(\$\_REQUEST\[.*?\"asse\"\.\"rt\".*?exit.*?\?>",
 "<\?php.*?if.*?\(isset\(\$\_REQUEST\[.*?assert.*?exit.*?\?>",
 // hacker emails & socials
- "b0x\@hotmail\.com",
- "facebook\.com\/007mrspy",
+ "b0x@hotmail.com",
+ "facebook.com/007mrspy",
 "Skype\:\s*live\:zepek_al",
 "nerf\.sarcasm007\@gmail\.com",
 "submit\[at\]1337day\.com",
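Review bot: The two rewritten entries drop their escaping (`"b0x@hotmail.com"`, `"facebook.com/007mrspy"`) while the entries around them in the same list keep it (`"nerf\.sarcasm007\@gmail\.com"`, `"Skype\:\s*live\:zepek_al"`), so the list now mixes two conventions. If these strings are compiled as PCRE patterns with `/` as the delimiter — the `\s*` in the neighbouring entry suggests regex use, though the consuming code lies outside the hunk — the bare `/` in `facebook.com/007mrspy` terminates the pattern early and each unescaped `.` becomes a wildcard; if they are plain substring matches instead, it is the still-escaped neighbours that can never match. One convention for the whole list, stated in a comment above it such as `// entries are PCRE fragments: escape . @ / literally`, would stop the next edit from having to guess.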