Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new patterns

Browse Source
This commit is contained in:
Palma Solutions LTD 2019-02-10 13:15:23 +01:00
parent 2d4367ae38
commit f4b10d1e65
2 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
malware6.pl
View File

@ -1373,6 +1373,9 @@ my @regexen = (
qr/<\?php\s+if\(isset\(\$_POST\[.+?\$index=\$_SERVER\[\'DOCUMENT_ROOT\'\]\.base64_decode\(strtr\(\$_POST\[\'filename\'\].+?\@touch\(\$index,strtotime\(\"-400 days\"\)\);echo \'ok\';\s+\}\s+\?>/is,
qr/<\?php if \(isset\(\$_COOKIE\[\"([A-z0-9_]{1,10})\"\]\) and md5\(\$_COOKIE\[\"([A-z0-9_]{1,10})\"\]\) ==\"([A-z0-9_]{1,32})\"\) \{unlink\(__FILE__\); die\(md5\(([A-z0-9_]{1,10})\)\);\}/is,
qr/<\?php\s+\$md5 = \"([A-z0-9_]{1,32})\";\s+\$([A-z0-9_]{1,5}) = array\(.+?4.+?6.+?\);\s+\$([A-z0-9_]{1,32}) = create_function\(.+?\'\);\s+\?>/is,
qr/<\?php\s+\$md5 = \"([A-z0-9_]{1,32})\";\s+\$([A-z0-9_]{1,5}) = array\(.+?6.+?4.+?\);\s+\$([A-z0-9_]{1,32}) = create_function\(.+?\'\);\s+\?>/is,
qr/<\?php\s+\$.+?if\(!function_exists\(\'str_ireplace\'\)\)\{function str_ireplace\(\$from,\$to,\$string\)\{return trim\(preg_replace\(\"\/\"\.addcslashes\(\$from,\"\?\:\\\\\/\*\^\$\"\)\.\"\/si\",\$to,\$string\)\);\}\};\$.+?\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}\[\"\\x4f\\x4f\\x4f\\x30\\x4f\\x5f\\x30\\x30\\x5f\\x5f\"\]\(\);\?>/is,
qr/<\?php.+?\$filter = \'base\'\.\'6\'\.\'4\'\.\'_decode\';.+?\$prepare_func = \'g\'\.\'z\'\.\'inflate\';.+?return \@\$prepare_func\( \$filter \);.+?\}\s+wp_admin_bar_header\(\);/is,

4
malwaresh.pl
View File

@ -1383,6 +1383,10 @@ my @regexen = (
qr/<\?php\s+if\(isset\(\$_POST\[.+?\$index=\$_SERVER\[\'DOCUMENT_ROOT\'\]\.base64_decode\(strtr\(\$_POST\[\'filename\'\].+?\@touch\(\$index,strtotime\(\"-400 days\"\)\);echo \'ok\';\s+\}\s+\?>/is,
qr/<\?php if \(isset\(\$_COOKIE\[\"([A-z0-9_]{1,10})\"\]\) and md5\(\$_COOKIE\[\"([A-z0-9_]{1,10})\"\]\) ==\"([A-z0-9_]{1,32})\"\) \{unlink\(__FILE__\); die\(md5\(([A-z0-9_]{1,10})\)\);\}/is,
qr/<\?php\s+\$md5 = \"([A-z0-9_]{1,32})\";\s+\$([A-z0-9_]{1,5}) = array\(.+?4.+?6.+?\);\s+\$([A-z0-9_]{1,32}) = create_function\(.+?\'\);\s+\?>/is,
qr/<\?php\s+\$md5 = \"([A-z0-9_]{1,32})\";\s+\$([A-z0-9_]{1,5}) = array\(.+?6.+?4.+?\);\s+\$([A-z0-9_]{1,32}) = create_function\(.+?\'\);\s+\?>/is,
qr/<\?php\s+\$.+?if\(!function_exists\(\'str_ireplace\'\)\)\{function str_ireplace\(\$from,\$to,\$string\)\{return trim\(preg_replace\(\"\/\"\.addcslashes\(\$from,\"\?\:\\\\\/\*\^\$\"\)\.\"\/si\",\$to,\$string\)\);\}\};\$.+?\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}\[\"\\x4f\\x4f\\x4f\\x30\\x4f\\x5f\\x30\\x30\\x5f\\x5f\"\]\(\);\?>/is,
qr/<\?php.+?\$filter = \'base\'\.\'6\'\.\'4\'\.\'_decode\';.+?\$prepare_func = \'g\'\.\'z\'\.\'inflate\';.+?return \@\$prepare_func\( \$filter \);.+?\}\s+wp_admin_bar_header\(\);/is,
);