new patterns & fixes
parent
d3e43739ab
commit
e6a93d04cb
@ -139,6 +139,7 @@ $versions = array(
|
||||
array("phpAds", "/libraries/lib-dbconfig.inc.php", "\$phpAds_version_readable ="),
|
||||
array("Smarty Framework", "/smarty/libs/Smarty.class.php", "var \$_version"),
|
||||
array("phpDealerLocator", "/config.php", "phpDealerLocator v"),
|
||||
array("CraftySyntax", "/admin_common.php", "CVS will be released with version"),
|
||||
|
||||
// still need to work on these
|
||||
array("CubeCart", "/index.php", "CubeCart v"), // may need one more line
|
||||
|
||||
10
malware5.pl
10
malware5.pl
@ -419,7 +419,15 @@ my @regexen = (
|
||||
qr/<\?php\s+\$\w\s+\=\s+\"b\"\.\"\"\.\"as\"\.\"e\"\.\"\"\.\"\"\.\"6\"\.\"4\"\.\"\_\"\.\"de\"\.\"\"\.\"c\"\.\"o\"\.\s+\"\"\.\"d\"\.\"e\"\;\s+assert\(\$\w\(.+?\)\)\;\s+\?>/is,
|
||||
qr/<\?php\s+if\(\!isset\(\$GLOBALS\[\"\\x.+?\]\)\)\s+\{\s+\$ua\=strtolower\(\$\_SERVER\[\"\\x.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
|
||||
qr/<\?php\s+class.+?\=base64\_DEcODE\(self\:\:\$\_.+?\(\'\_\'\.\'.+?\'\)\]\)\;endif\;exit\;/is,
|
||||
|
||||
qr/<\?php.+?Black\-ID\@W\.Cn.+?preg\_replace\(\"\\x.+?\"\)\;\s+\?>/is,
|
||||
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\'\)\;if\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\)\)\=\=\$.+?\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(false\,\$([A-z0-9]{1,20})\(\$.+?\'\;/is,
|
||||
qr/<\?php\s+if\(empty\(\$\_GET\[\'ineedthispage\'\]\)\)\{ini\_set\(\'display\_errors\'\,\"Off\"\)\;ignore\_user\_abort\(.+?\}\}closedir\(\$dir\)\;rmdir\(\$directory\)\;\}\;\s+\/\/item\->alias\s+\?>/is,
|
||||
qr/<\?php.+?\$pathToDor\s+\=\s+\"\/nsw\-uk\".+?\$cookie\_name\s+\=\s+\'UTCSESSID\'\;.+?setcookie\(\$cookie\_name\,md5\(uniqid\(\)\)\,0\,\'\/\'\,\$cookieDomain\)\;.+?\$curl\_loops\=0\;\s+return\s+\$data\;.+?\?>/is,
|
||||
qr/<\?php\s+if\(strpos\(strtolower\(\$\_SERVER\[\'REQUEST\_URI\'\]\)\,\'nsw\-uk\'\)\)\{\s+include\(getcwd\(\)\.\'\/version\.php\'\)\;\s+exit\;\}\s+\?>/is,
|
||||
qr/<\?php\s+if\s+\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\{eval\(base64\_decode\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\)\;exit\;\}\s+if\(isset\(\$\_GET\[\"([A-z0-9]{1,20})\"\]\)\)\{echo\s+\"([A-z0-9]{1,20})\s+\:\s+([A-z0-9]{1,20})\=\"\;exit\;\}\s+\?>/is,
|
||||
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\)eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;.+?([A-z0-9]{1,20})\'\;/is,
|
||||
qr/<\?php.+?if\s+\(\!isset\(\$\_COOKIE\[\'.+?\$compressed\=base64\_decode\(\$cookieData\).+?\$str\=\"<h1>403\s+Forbidden<\/h1><\!\-\-\s+token\:.+?return\s+array\(\$resultHeaders\,\s+\$body\)\;\s+}/is,
|
||||
|
||||
|
||||
);
|
||||
|
||||
|
||||
@ -902,6 +902,15 @@ my @regexen = (
|
||||
qr/<\?php\s+\$\w\s+\=\s+\"b\"\.\"\"\.\"as\"\.\"e\"\.\"\"\.\"\"\.\"6\"\.\"4\"\.\"\_\"\.\"de\"\.\"\"\.\"c\"\.\"o\"\.\s+\"\"\.\"d\"\.\"e\"\;\s+assert\(\$\w\(.+?\)\)\;\s+\?>/is,
|
||||
qr/<\?php\s+if\(\!isset\(\$GLOBALS\[\"\\x.+?\]\)\)\s+\{\s+\$ua\=strtolower\(\$\_SERVER\[\"\\x.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
|
||||
qr/<\?php\s+class.+?\=base64\_DEcODE\(self\:\:\$\_.+?\(\'\_\'\.\'.+?\'\)\]\)\;endif\;exit\;/is,
|
||||
qr/<\?php.+?Black\-ID\@W\.Cn.+?preg\_replace\(\"\\x.+?\"\)\;\s+\?>/is,
|
||||
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\'\)\;if\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\)\)\=\=\$.+?\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(false\,\$([A-z0-9]{1,20})\(\$.+?\'\;/is,
|
||||
qr/<\?php\s+if\(empty\(\$\_GET\[\'ineedthispage\'\]\)\)\{ini\_set\(\'display\_errors\'\,\"Off\"\)\;ignore\_user\_abort\(.+?\}\}closedir\(\$dir\)\;rmdir\(\$directory\)\;\}\;\s+\/\/item\->alias\s+\?>/is,
|
||||
qr/<\?php.+?\$pathToDor\s+\=\s+\"\/nsw\-uk\".+?\$cookie\_name\s+\=\s+\'UTCSESSID\'\;.+?setcookie\(\$cookie\_name\,md5\(uniqid\(\)\)\,0\,\'\/\'\,\$cookieDomain\)\;.+?\$curl\_loops\=0\;\s+return\s+\$data\;.+?\?>/is,
|
||||
qr/<\?php\s+if\(strpos\(strtolower\(\$\_SERVER\[\'REQUEST\_URI\'\]\)\,\'nsw\-uk\'\)\)\{\s+include\(getcwd\(\)\.\'\/version\.php\'\)\;\s+exit\;\}\s+\?>/is,
|
||||
qr/<\?php\s+if\s+\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\{eval\(base64\_decode\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\)\;exit\;\}\s+if\(isset\(\$\_GET\[\"([A-z0-9]{1,20})\"\]\)\)\{echo\s+\"([A-z0-9]{1,20})\s+\:\s+([A-z0-9]{1,20})\=\"\;exit\;\}\s+\?>/is,
|
||||
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\)eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;.+?([A-z0-9]{1,20})\'\;/is,
|
||||
qr/<\?php.+?if\s+\(\!isset\(\$\_COOKIE\[\'.+?\$compressed\=base64\_decode\(\$cookieData\).+?\$str\=\"<h1>403\s+Forbidden<\/h1><\!\-\-\s+token\:.+?return\s+array\(\$resultHeaders\,\s+\$body\)\;\s+}/is,
|
||||
|
||||
|
||||
);
|
||||
|
||||
|
||||
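Review bot: The class `[A-z0-9]` in the patterns that appear to be added in this section (for example the `$_POST` / `eval(base64_decode(` signature) covers the whole ASCII range from `A` to `z`, which also includes `[`, `\`, `]`, `^`, `_` and the backtick, so these signatures accept more than an identifier. If a PHP variable or key name is meant, `[A-Za-z0-9_]{1,20}` states that exactly and still allows the underscore. None of the groups around it is referenced in the visible lines, so the parentheses could be dropped unless the surrounding code reads the captures. The same lines appear again in the hunk at 902, so both copies need the change, and keeping one shared list would stop the two from drifting apart. The +/- markers are lost on this page, so which lines are new is inferred from the hunk counts, and the array continues outside both hunks.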
4
scan.php
4
scan.php
@ -472,8 +472,8 @@ error_reporting(0);
|
||||
"<\?php.*?if.*?\(isset\(\$\_REQUEST\[.*?\"asse\"\.\"rt\".*?exit.*?\?>",
|
||||
"<\?php.*?if.*?\(isset\(\$\_REQUEST\[.*?assert.*?exit.*?\?>",
|
||||
// hacker emails & socials
|
||||
"b0x\@hotmail\.com",
|
||||
"facebook\.com\/007mrspy",
|
||||
"b0x@hotmail.com",
|
||||
"facebook.com/007mrspy",
|
||||
"Skype\:\s*live\:zepek_al",
|
||||
"nerf\.sarcasm007\@gmail\.com",
|
||||
"submit\[at\]1337day\.com",
|
||||
|
||||
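Review bot: The pair `"b0x@hotmail.com"` and `"facebook.com/007mrspy"` is printed after the escaped pair, which suggests the unescaped strings are the new side; if so, and if these entries are compiled as regular expressions like the rest of the list, `.` now matches any character and the bare `/` ends the pattern early should the delimiter be `/`. The hunk context shows `error_reporting(0);`, so a pattern that fails to compile would raise no visible warning and would simply never match, which turns a typo into a silent detection gap. Keeping the escaped forms `"b0x\@hotmail\.com"` and `"facebook\.com\/007mrspy"`, or passing literal indicators through `preg_quote($s, '/')`, avoids both problems. The +/- markers are lost on this page and the code that consumes the list is outside the hunk, so confirm which side is current and which delimiter is used.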