Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update 'malware3.pl'

Browse Source
This commit is contained in:
Malin 2016-12-09 12:00:24 +01:00
parent cbb874ed48
commit e7f2af87e6
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
malware3.pl
View File

@ -23,6 +23,7 @@ my @regexen = (
qr/<\?php\s+function\s+([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\{\$([A-z0-9]{1,10})\s+\=\s+\'\'\;\s+for\(\$([A-z]{1,2})\=0\;\s+\$([A-z]{1,2})\s+\<\s+strlen\(\$([A-z0-9]{1,10})\)\;\s+\$([A-z]{1,2})\+\+\)\{\$([A-z0-9]{1,10})\s+\.\=\s+isset\(\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\]\)\s+\?\s+\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\]\s+\:\s+\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\;\}\s+\$([A-z0-9]{1,10})\=\"base64\_decode\"\;return\s+\$([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\)\;\}.+?\$([A-z]{1,2})\s+\=\s+\Array\(.+?eval\(([A-z0-9]{1,10})\(\$([A-z]{1,2})\,\s+\$([A-z]{1,2})\)\)\;\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\=\'aWYoaXNzZXQoJF9SRVFVRVNUWydjb2NvJ10pICYmICRfUkVRVUVTVFsnY29jbyddIT0nJyl7ZXZhbCgkX1JFUVVFU1RbJ2NvY28nXSk7ZXhpdCgpO30\=\'\;eval\(base64\_decode\(\$([A-z0-9]{1,10})\)\)\;exit\(\)\;\s+\?>/is,
qr/<script.+?G91825.+?<\/script>/is,
qr/<\?php\s+\/\*\*\s+\*\s+\@version.+?\$b64\s+\=\s+\"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\+\/\=\"\;.+?\$o3\s+\=\s+\$bits\s+\&\s+0xff\;.+?new\s+JApplication\(arrays+\(\'UID\'\s+\=>\s+\'.+?\'\)\)\;/is,
qr/<\?php\s+\/\/\#\#\#\=CACHE\s+START\=\#\#\#.+?\/\/\#\#\#\=CACHE\s+END\=\#\#\#\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=\"([A-z0-9]{1,10})\_\"\s+\;\$([A-z0-9]{1,10})\=\$([A-z0-9]{1,10})\[([0-9]{1,10})\]\.\$([A-z0-9]{1,10})\[([0-9]{1,10})\]\.\$([A-z0-9]{1,10})\[([0-9]{1,10})\]\.\$([A-z0-9]{1,10})\[([0-9]{1,10})\]\.\s+\$([A-z0-9]{1,10})\[([0-9]{1,10})\]\.\$([A-z0-9]{1,10})\[([0-9]{1,10})\]\.\s+\$([A-z0-9]{1,10})\[([0-9]{1,10})\]\.\$([A-z0-9]{1,10})\[([0-9]{1,10})\]\.\s+\$([A-z0-9]{1,10})\[([0-9]{1,10})\]\.\s+\$([A-z0-9]{1,10})\[([0-9]{1,10})\]\;\s+\$([A-z0-9]{1,10})\s+\=\$([A-z0-9]{1,10})\s+\(\$([A-z0-9]{1,10})\[([0-9]{1,10})\]\.\$([A-z0-9]{1,10})\[([0-9]{1,10})\]\s+\.\$([A-z0-9]{1,10})\[([0-9]{1,10})\]\.\s+\$([A-z0-9]{1,10})\[([0-9]{1,10})\]\.\s+\$([A-z0-9]{1,10})\[([0-9]{1,10})\]\s+\)\s+\;\s+if\s+\(isset\s+\(\$\{\$([A-z0-9]{1,10})\s+\}\[\s+\'([A-z0-9]{1,10})\'\]\)\)\s+\{eval\(\${\s+\$([A-z0-9]{1,10})\}\[\s+\'([A-z0-9]{1,10})\'\]\s+\)\;\s+\}\s+\?> /is,
qr/<\?php\s+\@ini\_set\(\'display\_errors\'\,\s+0\)\;\s+\@set\_time\_limit\(3600\)\;\s+define\(\"DOMTXT\"\,\"http\:\/\/.+?return\s+\(\$ip\s+\?\s+\$ip\s+\:\s+\$\_SERVER\[\'REMOTE\_ADDR\'\]\)\;\s+\}\s+\/\/file\s+end/is,