Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new patterns

Browse Source
This commit is contained in:
Palma Solutions LTD 2018-05-09 10:16:45 +02:00
parent 09af660610
commit e9bd670d51
2 changed files with 13 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
malware5.pl
View File

@ -469,7 +469,13 @@ my @regexen = (
qr/GIF89a.+?<\?php\s+if\s+\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\s+eval\(stripslashes\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+\?>/is,
qr/<\?php\s+print\s+\'\!hacked\!\'\;\s+\?>/is,
qr/<\?php\s+system\(\'wget\s+http\:\/\/.+?\)\;\?>/is,
qr/<\?php\s+error\_reporting.+?upload\s+shell.+?move\_uploaded\_file\(\$saw1\,\$saw2\)\;\s+\}\s+\?>/is,
qr/GIF89a.+?<\?\s+eval\(stripslashes\(\$\_POST\[\w\]\)\)\;exit\;\?>\;/is,
qr/<\?php\s+error\_reporting\(.+?\$cookiename\=.+?\'\.getenv\(\"HTTP\_HOST\"\)\.\'\s+\~\s+Shell\s+I.+?exit\(\)\;\s+\?>/is,
qr/<\?\s+\$buffer\s+\=.+?\$buffer\.\=.+?\$newphrase\=str\_replace\(.+?eval\(\$\_\w\(\$newphrase\)\)\;\s+\?>/is,
qr/<\?pHp\s+\$([A-z0-9]{1,20})\s+\=\s+urldecode\(\$\_GET\[\'\w\'\]\)\;\s+\@ini\_set\(\'output\_buffering\'\,0\)\;\s+\@ini\_set\(\'display\_errors\'\,\s+0\)\;\s+\$auth\_pass\s+\=\s+\"([A-z0-9]{32})\"\;\s+\$([A-z0-9]{1,20})\s+\=\s+file\_get\_contents\(\$([A-z0-9]{1,20})\)\;\s+eval\(\$([A-z0-9]{1,20})\)\;\s+\?>/is,
qr/<\?php.+?function\s+ASGLogin\(\)\s+\{.+?if\s+\(empty\(\$tmpdir\)\).+?<\/html><\?php\s+chdir\(\$lastdir\)\;\s+\?>/is,
);
my @base64_decodes = (

7
malwaresh.pl
View File

@ -952,7 +952,12 @@ my @regexen = (
qr/GIF89a.+?<\?php\s+if\s+\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\s+eval\(stripslashes\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\;\s+\?>/is,
qr/<\?php\s+print\s+\'\!hacked\!\'\;\s+\?>/is,
qr/<\?php\s+system\(\'wget\s+http\:\/\/.+?\)\;\?>/is,
qr/<\?php\s+error\_reporting.+?upload\s+shell.+?move\_uploaded\_file\(\$saw1\,\$saw2\)\;\s+\}\s+\?>/is,
qr/GIF89a.+?<\?\s+eval\(stripslashes\(\$\_POST\[\w\]\)\)\;exit\;\?>\;/is,
qr/<\?php\s+error\_reporting\(.+?\$cookiename\=.+?\'\.getenv\(\"HTTP\_HOST\"\)\.\'\s+\~\s+Shell\s+I.+?exit\(\)\;\s+\?>/is,
qr/<\?\s+\$buffer\s+\=.+?\$buffer\.\=.+?\$newphrase\=str\_replace\(.+?eval\(\$\_\w\(\$newphrase\)\)\;\s+\?>/is,
qr/<\?pHp\s+\$([A-z0-9]{1,20})\s+\=\s+urldecode\(\$\_GET\[\'\w\'\]\)\;\s+\@ini\_set\(\'output\_buffering\'\,0\)\;\s+\@ini\_set\(\'display\_errors\'\,\s+0\)\;\s+\$auth\_pass\s+\=\s+\"([A-z0-9]{32})\"\;\s+\$([A-z0-9]{1,20})\s+\=\s+file\_get\_contents\(\$([A-z0-9]{1,20})\)\;\s+eval\(\$([A-z0-9]{1,20})\)\;\s+\?>/is,
qr/<\?php.+?function\s+ASGLogin\(\)\s+\{.+?if\s+\(empty\(\$tmpdir\)\).+?<\/html><\?php\s+chdir\(\$lastdir\)\;\s+\?>/is,
);