Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new patterns

Browse Source
This commit is contained in:
Palma Solutions LTD
2018-04-21 09:52:00 +02:00
parent 4e70a9d8fa
commit e9be0b3026
2 changed files with 9 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
malware5.pl
View File

@@ -234,7 +234,11 @@ my @regexen = (
qr/<\?php.+?\@system\(\"killall\s+\-9\s+\"\.basename\(\"\/usr\/bin\/host\"\)\)\;.+?\@unlink\(\"1\.sh\"\)\;\s+\?>/is,
qr/<\?php.+?function\s+getDirContents\(\$dir\)\s+\{.+?if\(unlink\(\$path\.\'\/wp\-admin\/update\-core\.php\'\)\)\s+\{.+?\}\s+\}\s+\?>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'.+?\'\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\'\'\,\'.+?\;\$([A-z0-9]{1,20})\.\=\"\\x\d\w\\x\d\d\"\;\s+\$([A-z0-9]{1,20})\.\=\".+?\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\)\;\?>/is,
qr/<\?php\s+if\(isset\(\$\_SERVER\[\"HTTP\_USER_AGENT\"\]\)\s+\&\&\s+\!empty\(\$\_SERVER\[\"HTTP\_USER\_AGENT\"\]\)\s+\&\&\s+\!preg\_match\(\"\/google\|bot\|msn\|spider\|crawl\|spam\/i\"\,\$\_SERVER\[\"HTTP\_USER\_AGENT\"\]\)\)\s+\{\s+header\(\"Location\:\s+http\:\/\/.+?\"\)\;\}\?>/is,
qr/<\?php\s+\$.+?\=\s+\'gzun\'\.\s+\'comp\'\.\s+\'ress\'\;\$.+?\=\s+\'b\'\s+\.\'a\'\s+\.\'s\'\s+\.\'e\'\s+\.\'6\'\s+\.\'4\'\s+\.\'\_\'\s+\.\'d\'\s+\.\'e\'\s+\.\'c\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'\;\$.+?\=\s+\'i\'\s+\.\'m\'\s+\.\'p\'\s+\.\'l\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'\;\$.+?array\(.+?eval.+?\?>/is,
qr/<\?php\s+\$.+?\=\s+\'s\'\.\'t\'\.\'r\'\.\'r\'\.\'e\'\.\'v\'\;\$.+?\(\'e\'\.\'d\'\.\'o\'\.\'c\'\.\'e\'\.\'d\'\.\'\_\'\.\'4\'\.\'6\'\.\'e\'\.\'s\'\.\'a\'\.\'b\'\)\;\$.+?eval.+?\?>/is,
qr/<\?php\s+\$.+?\=\s+\'str\'\.\'rev\'\;\$.+?array.+?\(\'edolpmi\'\)\;\$.+?eval.+?\?>/is,
);

5
malwaresh.pl
View File

@@ -714,7 +714,10 @@ my @regexen = (
qr/<title>Hacked\s+By\s+Dr34mCyb3r.+?<\/style>\s+<div\s+class\=\"video\-background.+?allowfullscreen><\/iframe>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'ba\'\.\'se64\_dec\'\.\'o\'\.\'d\'\.\'e\'\.\'\'\;\s+\@eval\(\$([A-z0-9]{1,20})\(.+?\)\)\;/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\=\'.+?\'\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\'\'\,\'.+?\;\$([A-z0-9]{1,20})\.\=\"\\x\d\w\\x\d\d\"\;\s+\$([A-z0-9]{1,20})\.\=\".+?\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\)\;\?>/is,
qr/<\?php\s+if\(isset\(\$\_SERVER\[\"HTTP\_USER_AGENT\"\]\)\s+\&\&\s+\!empty\(\$\_SERVER\[\"HTTP\_USER\_AGENT\"\]\)\s+\&\&\s+\!preg\_match\(\"\/google\|bot\|msn\|spider\|crawl\|spam\/i\"\,\$\_SERVER\[\"HTTP\_USER\_AGENT\"\]\)\)\s+\{\s+header\(\"Location\:\s+http\:\/\/.+?\"\)\;\}\?>/is,
qr/<\?php\s+\$.+?\=\s+\'gzun\'\.\s+\'comp\'\.\s+\'ress\'\;\$.+?\=\s+\'b\'\s+\.\'a\'\s+\.\'s\'\s+\.\'e\'\s+\.\'6\'\s+\.\'4\'\s+\.\'\_\'\s+\.\'d\'\s+\.\'e\'\s+\.\'c\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'\;\$.+?\=\s+\'i\'\s+\.\'m\'\s+\.\'p\'\s+\.\'l\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'\;\$.+?array\(.+?eval.+?\?>/is,
qr/<\?php\s+\$.+?\=\s+\'s\'\.\'t\'\.\'r\'\.\'r\'\.\'e\'\.\'v\'\;\$.+?\(\'e\'\.\'d\'\.\'o\'\.\'c\'\.\'e\'\.\'d\'\.\'\_\'\.\'4\'\.\'6\'\.\'e\'\.\'s\'\.\'a\'\.\'b\'\)\;\$.+?eval.+?\?>/is,
qr/<\?php\s+\$.+?\=\s+\'str\'\.\'rev\'\;\$.+?array.+?\(\'edolpmi\'\)\;\$.+?eval.+?\?>/is,
);