new patterns

2019-02-02 07:25:40 +01:00 · 2019-02-02 07:25:40 +01:00 · f58c34063e
commit f58c34063e
parent 25fd577c47
2 changed files with 989 additions and 2 deletions
--- a/malware6.pl
+++ b/malware6.pl
--- a/malwaresh.pl
+++ b/malwaresh.pl
@ -1376,8 +1376,11 @@ my @regexen = (
    qr/<\?php echo \'2018\'\.\'2019\'; if \(isset\(\$_REQUEST\[\'e\'\]\)\) \{ \$e = \$_REQUEST\[\'e\'\]; \$arr = array\(\$_POST\[\'w0w\'\],\); array_filter\(\$arr, \$e\); \}\?>/is,
    qr/<\?php\s+error_reporting\(0\);\s+set_time_limit\(0\);\s+if \(\$_GET\[\'q\'\]==\'1\'\)\{echo \'200\'; exit;\}\s+if\(\$_GET\[\'key\'\]==\'.+?\'\)eval\(base64_decode\(\$_POST\[\'fack\'\]\)\);\s+if\(md5\(\$_GET\[\'key\'\]\)==\'.+?\'\)eval\(base64_decode\(\$_POST\[\'fack\'\]\)\);\s+\?> /is,
    qr/<\?php \$GLOBALS\[\'([A-z0-9_]{1,20})\'\]=Array\(\'str_\' \.\'rot13\',\'pack\',\'st\' \.\'rrev\'\); \?><\?php function.+?\(\$_1\)\)\);if\(isset\(\$_1\)\)\{\@eval\(\$_1\);exit\(\);\}\}/is,
-    
-
+    qr/<\?php\s+error_reporting\(E_ERROR\).+?\}else\{.+?\@eval\(base64_decode\(strtr\(\$_POST\[.+?\@unlink\(\$tofile\);\s+exit;\s+\}\s+\?>/is,
+    qr/<\?php\s+function get_contents\(\$url\)\{.+?\$a = get_contents\(\'http:\/\/.+?eval\(\'\?>\'\.\$a\);/is,
+    qr/<\?php \$([A-z0-9_]{1,20})=.+?\/index\.help\';\$([A-z0-9_]{1,20})=.+?\$([A-z0-9_]{1,20})=\'\';\@eval\(base64_decode\(.+?\)\);\/\*,\*\/\?>/is,
+    qr/<\?php\s+error_reporting\(E_ERROR\).+?\$a =base64_decode\(strtr\(\$_POST\[.+?\@eval\(base64_decode\(strtr\(\$_POST\[.+?\@unlink\(\$tofile\);\s+exit;\s+\}\s+\?>/is,
+    qr/<\?php\s+if\(isset\(\$_POST\[.+?\$index=\$_SERVER\[\'DOCUMENT_ROOT\'\]\.base64_decode\(strtr\(\$_POST\[\'filename\'\].+?\@touch\(\$index,strtotime\(\"-400 days\"\)\);echo \'ok\';\s+\}\s+\?>/is,

 );