Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new patterns

Browse Source
This commit is contained in:
Palma Solutions LTD 2018-05-04 18:58:41 +02:00
parent 0389274073
commit f96cd93d08
2 changed files with 10 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
malware5.pl
View File

@ -384,7 +384,6 @@ my @regexen = (
qr/\*\/if\(\@isset\(\$\_SERVER\[HTTP\_25F0C\]\)\)\{\@eval\(base64\_decode\(\$\_SERVER\[HTTP\_25F0C\]\)\)\;\}\/\*/is,
qr/<\?php\s+\$.+?\'str\'\.\'rev\'\;\$.+?array\(.+?eval\(.+?\?>/is,
qr/<\?php\s+\$.+?\'gzun\'\.\s+\'comp\'\.\s+\'ress\'\;\$.+?\'ba\'\s+\.\'se\'\s+\.\'64\'\s+\.\'\_d\'\s+\.\'ec\'\s+\.\'od\'\s+\.\'e\'\;\$.+?\'im\'\s+\.\'pl\'\s+\.\'od\'\s+\.\'e\'\;\$.+?array\(.+?eval\(.+?\?>/is,
qr/<\?php.+?if\(\!function\_exists\(.+?\)\)\;\?>\'\)\)\;\s+\?><br>\s+<br>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\\x66lat\\x65\(b\"\.chr\(97\)\.\"se64\"\.chr\(95\)\.\"\"\.chr\(100\)\..+?\"([0-9]{1,20})\"\);/is,
qr/<\?php.+?Leaf\s+PHP\s+Mailer.+?leafmailer\.pw.+?print\s+\'<\/body>\'\;\s+\?>/is,
qr/<u\s+style\=\"position\:\s+absolute\;\s+width\:\s+1px\;\s+height\:\s+1px\;\s+margin\:\s+0\;\s+top\:\s+\-1000px\;\s+left\:\s+\-5000px\;\s+overflow\:\s+hidden\;\">.+?pornstar.+?gay.+?www\..+?<\/h1><\/a>.+?<\/u>/is,
@ -406,7 +405,11 @@ my @regexen = (
qr/<\?php\s+function\s+http\_get\(\$url\)\{.+?\/wp\-includes\/wp\-footer\.php.+?\/wp\-admin\/shapes\.php.+?https\:\/\/pastebin\.com\/raw\/.+?\?>/is,
qr/<\?php\s+if\(\$\_POST\[\'Copy\'\]\)\{\s+\$\_\=\"b\"\/\*\*\/\.\"ase64\_decode\"\;\s+preg\_replace\(\"\/\^\/e\"\,\$\_\(\".+?\"\)\,0\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$this\->zipname\s+\=\s+\$p\_zipname\;.+?\$archive\s+\=\s+new\s+PclZip\(\"orppxie\.zip\"\)\;.+?else\s+\{\s+die\(\"1425756856\"\)\;\s+\}/is,
qr/<\?php.+?\/\/PASSWORD\s+CONFIGURATION.+?if\(\!function\_exists\(.+?\)\)\;\?>\'\)\)\;\s+\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;ob\_clean\(\)\;if\(\!function\_exists\(\'str\_ireplace\'\)\)\{function\s+str\_ireplace\(\$a\,\$b\,\$c\)\{return\s+trim\(preg\_replace\(\"\/\"\.addcslashes\(.+?str\_replace\(\'\{.+?\;\}\}\?>/is,
qr/RewriteEngine\s+On\s+RewriteRule\s+\^\(topic\|hot\|updated\|free\|review\|rewrite\)\-\(\.\*\)\s+index\.php\?\$1\=\$2\s+\[L\]/is,
qr/<\?php\s+function\s+DirFilesR\(\$dir\).+?<title><\?php\s+echo\s+\$\_SERVER\[\'SCRIPT\_FILENAME\'\]\;\?><\/title>.+?\$k\+\+\;\s+\}\s+\?>\s+<\/table>/is,
qr/<HTML>.+?<title>Hacked\s+by\s+Mister\s+Spy<\/title>.+?dQ\_\-z9pTRL6tA2kqbnXH6A\.jpg\'>/is,

7
malwaresh.pl
View File

@ -867,7 +867,6 @@ my @regexen = (
qr/\*\/if\(\@isset\(\$\_SERVER\[HTTP\_25F0C\]\)\)\{\@eval\(base64\_decode\(\$\_SERVER\[HTTP\_25F0C\]\)\)\;\}\/\*/is,
qr/<\?php\s+\$.+?\'str\'\.\'rev\'\;\$.+?array\(.+?eval\(.+?\?>/is,
qr/<\?php\s+\$.+?\'gzun\'\.\s+\'comp\'\.\s+\'ress\'\;\$.+?\'ba\'\s+\.\'se\'\s+\.\'64\'\s+\.\'\_d\'\s+\.\'ec\'\s+\.\'od\'\s+\.\'e\'\;\$.+?\'im\'\s+\.\'pl\'\s+\.\'od\'\s+\.\'e\'\;\$.+?array\(.+?eval\(.+?\?>/is,
qr/<\?php.+?if\(\!function\_exists\(.+?\)\)\;\?>\'\)\)\;\s+\?><br>\s+<br>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\\x66lat\\x65\(b\"\.chr\(97\)\.\"se64\"\.chr\(95\)\.\"\"\.chr\(100\)\..+?\"([0-9]{1,20})\"\);/is,
qr/<\?php.+?Leaf\s+PHP\s+Mailer.+?leafmailer\.pw.+?print\s+\'<\/body>\'\;\s+\?>/is,
qr/<u\s+style\=\"position\:\s+absolute\;\s+width\:\s+1px\;\s+height\:\s+1px\;\s+margin\:\s+0\;\s+top\:\s+\-1000px\;\s+left\:\s+\-5000px\;\s+overflow\:\s+hidden\;\">.+?pornstar.+?gay.+?www\..+?<\/h1><\/a>.+?<\/u>/is,
@ -889,7 +888,11 @@ my @regexen = (
qr/<\?php\s+function\s+http\_get\(\$url\)\{.+?\/wp\-includes\/wp\-footer\.php.+?\/wp\-admin\/shapes\.php.+?https\:\/\/pastebin\.com\/raw\/.+?\?>/is,
qr/<\?php\s+if\(\$\_POST\[\'Copy\'\]\)\{\s+\$\_\=\"b\"\/\*\*\/\.\"ase64\_decode\"\;\s+preg\_replace\(\"\/\^\/e\"\,\$\_\(\".+?\"\)\,0\)\;\s+\}\s+\?>/is,
qr/<\?php\s+\$this\->zipname\s+\=\s+\$p\_zipname\;.+?\$archive\s+\=\s+new\s+PclZip\(\"orppxie\.zip\"\)\;.+?else\s+\{\s+die\(\"1425756856\"\)\;\s+\}/is,
qr/<\?php.+?\/\/PASSWORD\s+CONFIGURATION.+?if\(\!function\_exists\(.+?\)\)\;\?>\'\)\)\;\s+\?>/is,
qr/<\?php\s+error\_reporting\(0\)\;ob\_clean\(\)\;if\(\!function\_exists\(\'str\_ireplace\'\)\)\{function\s+str\_ireplace\(\$a\,\$b\,\$c\)\{return\s+trim\(preg\_replace\(\"\/\"\.addcslashes\(.+?str\_replace\(\'\{.+?\;\}\}\?>/is,
qr/RewriteEngine\s+On\s+RewriteRule\s+\^\(topic\|hot\|updated\|free\|review\|rewrite\)\-\(\.\*\)\s+index\.php\?\$1\=\$2\s+\[L\]/is,
qr/<\?php\s+function\s+DirFilesR\(\$dir\).+?<title><\?php\s+echo\s+\$\_SERVER\[\'SCRIPT\_FILENAME\'\]\;\?><\/title>.+?\$k\+\+\;\s+\}\s+\?>\s+<\/table>/is,
qr/<HTML>.+?<title>Hacked\s+by\s+Mister\s+Spy<\/title>.+?dQ\_\-z9pTRL6tA2kqbnXH6A\.jpg\'>/is,
);
my @base64_decodes = (