Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new patterns

Browse Source
This commit is contained in:
Palma Solutions LTD
2018-04-23 06:51:01 +02:00
parent a79f15a065
commit e6de003b6e
4 changed files with 22 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
cms-ver.php
View File

@@ -14,7 +14,7 @@ $versions = array(
array("PHPlist", "/admin/connect.php", "define(\"VERSION\","),
array("RoundCube", "/program/include/iniset.php", "define('RCMAIL_VERSION',"),
array("Squirrel Mail", "/functions/strings.php", "\$version ="),
array("Dede CMS<", "/config_base.php", "\$cfg_soft_enname\|\$cfg_version"),
array("Dede CMS", "/config_base.php", "\$cfg_soft_enname\|\$cfg_version"),
array("Sugar CRM", "/sugar_version.php", "\$sugar_version"),
array("XOOPS", "/version.php", "XOOPS_VERSION"),
array("Concrete5", "/config/concrete.php", "version_installed"),
@@ -132,6 +132,7 @@ $versions = array(
array("Dokeos", "main/inc/installedVersion.inc.php", "\$dokeos_version"),
array("CakePHP","cake/config/config.php","\$config['Cake.version'] ="),
array("phpFormGenerator", "/fields.php", "<title>phpFormGenerator v"), // does not escape correctly
array("ZenPhoto", "/zp-core/functions.php", "define('ZENPHOTO_VERSION',"),
// still need to work on these
array("CubeCart", "/index.php", "CubeCart v"), // may need one more line

10
malware5.pl
View File

@@ -272,7 +272,15 @@ my @regexen = (
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\,\$([A-z0-9]{1,20})\(null\,\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\).+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\;if\(\!\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\/\*\'\.\s+\'\)\*\/\$([A-z0-9]{1,20})\)\)\,\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\(.+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\..+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?die\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(false\,\/\*.+?\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\).+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\'\.\/\*([A-z0-9]{1,20})\'\.\s+\'\?\*\/([A-z0-9]{1,20})\.\'.+?\*\/\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\(\$.+?\(false\,\/\*([A-z0-9]{1,20})\'\.\s+\'([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\;.+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'.+?\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\)\)\=\=\$([A-z0-9]{1,20})\.\/\*([A-z0-9]{1,20})\'\..+?\$([A-z0-9]{1,20})\(false\,\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\;.+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'\([A-z0-9]{1,20})\'.+?\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,array\(\$([A-z0-9]{1,20})\,\/\*([A-z0-9]{1,20})\'\.\s+\'([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\,\$([A-z0-9]{1,20})\)\)\;.+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\_([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\*\/\$([A-z0-9]{1,20})\)\)\,\$([A-z0-9]{1,20})\)\)exit\;\$([A-z0-9]{1,20})\(\$.+?array\(\(\'.+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\W.+?\*\/\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20}).+?\'\@\@\@\@.+?\)\;if\(\!\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\,\/\*\'\..+?\'\;/is,
qr/<\?php\s+\$key\=\"([A-z0-9]{32})\"\;\s+if\(md5\(\$\_COOKIE\[\"key\"\]\)\s+\=\=\s+\$key\)\s+\{\s+eval\s+\(\s+base64\_decode\s+\(\$\_POST\[\"code\"\]\)\)\;\s+\}\s+\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\_POST\[.+?urldecode\(\$\_SERVER\[\'QUERY\_STRING\'\]\)\;.+?\$email\s+\=\s+\@base64\_decode\(\$.+?return\s+jk\_\_\_\(\$url\)\;\s+\}\s+\}\s+\}/is,
}/is,

9
malwaresh.pl
View File

@@ -752,7 +752,14 @@ my @regexen = (
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\,\$([A-z0-9]{1,20})\(null\,\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\).+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\;if\(\!\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\/\*\'\.\s+\'\)\*\/\$([A-z0-9]{1,20})\)\)\,\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\(.+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\..+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?die\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(false\,\/\*.+?\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\).+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\'\.\/\*([A-z0-9]{1,20})\'\.\s+\'\?\*\/([A-z0-9]{1,20})\.\'.+?\*\/\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\(\$.+?\(false\,\/\*([A-z0-9]{1,20})\'\.\s+\'([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\;.+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'.+?\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\)\)\=\=\$([A-z0-9]{1,20})\.\/\*([A-z0-9]{1,20})\'\..+?\$([A-z0-9]{1,20})\(false\,\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\;.+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,array\(\$([A-z0-9]{1,20})\,\/\*([A-z0-9]{1,20})\'\.\s+\'([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\,\$([A-z0-9]{1,20})\)\)\;.+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\_([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\*\/\$([A-z0-9]{1,20})\)\)\,\$([A-z0-9]{1,20})\)\)exit\;\$([A-z0-9]{1,20})\(\$.+?array\(\(\'.+?\'\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\W.+?\*\/\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20}).+?\'\@\@\@\@.+?\)\;if\(\!\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\,\/\*\'\..+?\'\;/is,
qr/<\?php\s+\$key\=\"([A-z0-9]{32})\"\;\s+if\(md5\(\$\_COOKIE\[\"key\"\]\)\s+\=\=\s+\$key\)\s+\{\s+eval\s+\(\s+base64\_decode\s+\(\$\_POST\[\"code\"\]\)\)\;\s+\}\s+\?>/is,
qr/<\?php\s+if\s+\(isset\(\$\_POST\[.+?urldecode\(\$\_SERVER\[\'QUERY\_STRING\'\]\)\;.+?\$email\s+\=\s+\@base64\_decode\(\$.+?return\s+jk\_\_\_\(\$url\)\;\s+\}\s+\}\s+\}/is,
);

3
patterns/swag.txt
View File

@@ -1 +1,4 @@
United Bangladeshi Hackers
ubhteam.org
Prappo Prince
prappo-prince.me