From f2a7b1f6e5f59d3dbeda369518ad821aed5c8b01 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Sat, 5 May 2018 08:06:56 +0200
Subject: [PATCH] new patterns
---
 malware5.pl | 4 +++-
 malwaresh.pl | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/malware5.pl b/malware5.pl
index c037d6c..bb41efb 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -427,7 +427,9 @@ my @regexen = (
 qr/<\?php\s+if\s+\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\{eval\(base64\_decode\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\)\;exit\;\}\s+if\(isset\(\$\_GET\[\"([A-z0-9]{1,20})\"\]\)\)\{echo\s+\"([A-z0-9]{1,20})\s+\:\s+([A-z0-9]{1,20})\=\"\;exit\;\}\s+\?>/is,
 qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\)eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;.+?([A-z0-9]{1,20})\'\;/is,
 qr/<\?php.+?if\s+\(\!isset\(\$\_COOKIE\[\'.+?\$compressed\=base64\_decode\(\$cookieData\).+?\$str\=\"

403\s+Forbidden<\/h1><\!\-\-\s+token\:.+?return\s+array\(\$resultHeaders\,\s+\$body\)\;\s+}/is,
-
+ qr/<\?PHP\s+\$login.+?\$md5\_pass\s+\=.+?eval\(gzinflate\(base64\_decode\(.+?\?>/is,
+ qr/<\?\$sInjectPHP\s+\=\s+\"/is,
+ qr/<\/iframe>/is,
 );
diff --git a/malwaresh.pl b/malwaresh.pl
index 56d3e05..93e027f 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -910,7 +910,9 @@ my @regexen = (
 qr/<\?php\s+if\s+\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\{eval\(base64\_decode\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\)\;exit\;\}\s+if\(isset\(\$\_GET\[\"([A-z0-9]{1,20})\"\]\)\)\{echo\s+\"([A-z0-9]{1,20})\s+\:\s+([A-z0-9]{1,20})\=\"\;exit\;\}\s+\?>/is,
 qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\)eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;.+?([A-z0-9]{1,20})\'\;/is,
 qr/<\?php.+?if\s+\(\!isset\(\$\_COOKIE\[\'.+?\$compressed\=base64\_decode\(\$cookieData\).+?\$str\=\"

403\s+Forbidden<\/h1><\!\-\-\s+token\:.+?return\s+array\(\$resultHeaders\,\s+\$body\)\;\s+}/is,
-
+ qr/<\?PHP\s+\$login.+?\$md5\_pass\s+\=.+?eval\(gzinflate\(base64\_decode\(.+?\?>/is,
+ qr/<\?\$sInjectPHP\s+\=\s+\"/is,
+ qr/<\/iframe>/is,
 );
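Review bot: As shown here, the last added signature `qr/<\/iframe>/is` matches any closing iframe tag, so every legitimate page or template that embeds an iframe would be reported; the identical line is added in the malware5.pl hunk as well. Markup inside the regex literals seems to have been lost on this page (the context line above stops at `\$str\=\"` and resumes with an orphan `<\/h1>`), so the committed pattern may be longer than what is visible and should be checked against the repository; if it really is this short, it should be tied to the distinctive part of the injected markup rather than the closing tag alone. Separately, the first added signature (`<\?PHP\s+\$login` through `base64\_decode\(`) chains unbounded `.+?` under `/s`, so its fragments can match anywhere in one file; a bounded gap such as `.{1,2000}?` (value chosen for illustration) would keep it to a single code fragment. Both scripts receive the same three lines with no comment naming what each signature targets, so a shared pattern list with a one-line `# sample: <family or ticket>` comment per entry would stop the copies drifting and make later pruning possible.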