diff --git a/malware5.pl b/malware5.pl
index f031c7b..f1820e1 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -209,9 +209,28 @@ my @regexen = (
 qr/<\?php\s+if\s+\(isset\(\$\_POST\[.+?\$email\s+\=\s+\@base64\_decode\(.+?return\s+jk\_\_\_\(\$url\)\;\s+\}\s+\}\s+\}/is,
 qr/<\?php\s+\/\*Details.+?\$auth\_pass\s+\=.+?\$\_\_\=s\(base64\_decode\(.+?\$\_\=create\_function\(\"\"\,\@gzuncompress\(\$\_\_\)\)\;\$\_\(\)\;\?>/is,
 qr/eval\(str\_rot13\(\'([A-z0-9]{1,20})\s+([A-z0-9]{1,20})\_([A-z0-9]{1,20})\(\)\{\$\w\=.+?\$\w\=([A-z0-9]{1,20})\(\_\_([A-z0-9]{1,20})\_\_\)\..+?\}\}([A-z0-9]{1,20})\_([A-z0-9]{1,20})\(\)\;\'\)\)\;/is,
-
-
-
+ qr/\s+\s+Local\s+DOMAIN\:USER\s+Show\s+\|\s+by\s+\[\s+Lagripe\-Dz\s+\]<\/title>.+?\@implode\(\@file\(\"\/etc\/named\.conf\"\)\)\;.+?<\/body>\s+\<\/html>/is,
+ qr/<\?php.+?\'gz\'\.\s+\'un\'\.\s+\'co\'\.\s+\'mp\'\.\s+\'re\'\.\s+\'ss\'.+?\'base\'\s+\.\'64\_d\'\s+\.\'ecod\'\s+\.\'e\'.+?\'i\'\s+\.\'m\'\s+\.\'p\'\s+\.\'l\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'.+?array\(.+?eval.+?\?>/is,
+ qr/<\?php\s+\$auth\_pass.+?Shell.+?\?>\s+<\/body>\s+<\/html>/is,
+ qr/<\?php\s+\$pass\s+\=.+?Blackwave\s+Mass\s+Defacer.+?Contact\s+Me<\/font>/is,
+ qr/<\?php.+?PHP\s+Encoder\s+priv8.+?set\_time\_limit\(0\)\;error\_reporting\(0\)\;preg\_replace\(\"\\x.+?\)\;\s+\?>/is,
+ qr/<\?php\s+\$color\s+\=\s+\"\#df5\"\;.+?FilesMan.+?Found\'\)\;\s+exit\;/is,
+ qr/<\?php.+?\$wp\_object\_cache\s+\=.+?strrev\(\'edo\'\.\'c\'\.\'ed\_4\'\.\'6e\'\.\'sab\'\)\;.+?strrev\(\'ecalp\'\.\'er\'\.\'\_ge\'\.\'rp\'\)\;.+?\\x3B\"\,\"\.\"\)\;\s+\?>/is,
+ qr/\#\!\/usr\/bin\/perl.+?use\s+MIME\:\:Base64.+?\}\)\{print\s+decode\_base64\(\$.+?system\(decode\_base64\(\$.+?<\/pre>\"\}\}/is,
+ qr/\#Coded\s+By.+?AddHandler\s+cgi\-script\s+\.alfa/is,
+ qr/\#\!\/usr\/bin\/perl\s+\-I\/usr\/local\/bandmin\s+use\s+MIME\:\:Base64\;use\s+Compress\:\:Zlib\;eval\(Compress\:\:Zlib\:\:memGunzip\(decode\_base64\(.+?\)\)\)\;/is,
+ qr/\#\!\/usr\/bin\/python\s+import\s+zlib\,\s+base64\s+eval\(compile\(zlib\.decompress\(base64\.b64decode\(.+?\)\)\,\'<string>\'\,\'exec\'\)\)/is,
+ qr/<center><H2>\s+<SCRIPT>.+?function\s+string2array\(text\).+?while\(farben\.length<text\.length\).+?\/\/document\.write\(text\)\;\s+<\/SCRIPT><\/H2><\/center>/is,
+ qr/<\!DOCTYPE.+?Stupidc0de\s+Shell.+?\+\s+copyright\s+\+.+?<\/div>\s+<\/BODY><\/html>/is,
+ qr/<\?php.+?\$me\s+\=\s+basename\(\_\_FILE\_\_\)\;\s+\$cookiename\s+\=.+?ours\s+\:\-\)\s+exit\(\)\;\s+\?>/is,
+ qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\)\s+or\s+die\;\/\*\'\..+?\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(false\,\$([A-z0-9]{1,20})\(\$.+?\'\;/is,
+ qr/<\?php\s+\$sh\_name\s+\=\s+\"x0rg\-Bypass\s+w0rms\.com\"\;.+?Restricted\s+Area.+?capriv8exit\(\)\;\s+\?>/is,
+ qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\)die\;eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20}).+?\$\'\;/is,
+ qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\&\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\=\(\/\*.+?\)\)eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\).+?\'\;/is,
+ qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\=\(([A-z0-9]{1,20})\.\'@\'\..+?\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\/\*.+?\)\;eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;.+?\'\;/is,
+ qr/<\?php\s+\$OO00O0\=\d\;eval\(gzinflate\(base64\_decode\(str\_rot13\(.+?\)\)\)\)\;\?>/is,
+ qr/<\?php\s+\$OO00O0\=\d\;eval\s+\(gzinflate\s+\(base64\_decode\s+\(str\_rot13\s+\(.+?\)\)\)\)\;\?>/is,
+
 );
 my @base64_decodes = (
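Review bot: The `[A-z0-9]{1,20}` class in the four new `\$([A-z0-9]{1,20})\=` signatures (the `or die`, `)die;eval`, `&` and `'@'` variants) also admits `[`, `\`, `]`, `^` and a backtick, because `A-z` spans the ASCII punctuation between the two letter cases; `\w{1,20}` states the evident intent (PHP identifier characters, `_` included) without the stray punctuation, and the pre-existing `str_rot13` context line has the same class. The two `\$OO00O0\=\d\;eval` entries at the end of the list differ only by `\s+` before each `(`, so a single `\s*` form covers both: `qr/<\?php\s+\$OO00O0\=\d\;eval\s*\(gzinflate\s*\(base64\_decode\s*\(str\_rot13\s*\(.+?\)\)\)\)\;\?>/is,`. Most new entries chain several unanchored `.+?` under `/s`, which presumably lets a large benign file with many `<?php` tags backtrack heavily during a scan; timing the scanner on such a file, or bounding the widest gap with `.{0,N}`, would settle whether that matters. The leading `\s+\s+` in the `Lagripe-Dz` entry is just `\s{2,}` and, unanchored, adds only matching cost. The `@regexen` list being extended opens above the hunk.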