new patterns - mailers
parent
91c2824983
commit
f97e577010
@ -445,6 +445,12 @@ my @regexen = (
|
||||
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{32})\"\;\$([A-z0-9]{1,20})\=\".+?\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\)\;\?>/is,
|
||||
qr/<\?php\s+\$command\s+\=\s+\"wget\s+http\:\/\/.+?cryptonight.+?\{\s+echo\s+execCommand\(\$command\)\;\s+\}\s+\?>/is,
|
||||
qr/<\?php\s+\$tag\s+\=\s+\'\s+\*\s+\@package\s+general\'\;\s+\$code\s+\=\s+<<<\'CODE\'\s+\*\/.+?CODE\;\s+\$injectType\s+\=\s+1\;.+?unlink\(\_\_FILE\_\_\)\;\s+\?>/is,
|
||||
qr/<\!doctype\s+html>.+?<title>MAILER<\/title>.+?function\s+doset\(\)\s+\{.+?print\s+\"\s+SEND<br>\"\;\s+flush\(\)\;.+?\?>\s+<\/body>\s+<\/html>/is,
|
||||
qr/<html>\s+<head>\s+<title>Mail<\/title>.+?\$attach\[\$h\]\=\s+base64\_encode\(fread\(\$f\,filesize\(\$HTTP\_POST\_FILES\[\'filename\'\]\[\'tmp\_name\'\]\[\$h\]\)\)\)\;.+?\?>\s+<\/body>\s+<\/html>/is,
|
||||
qr/<html>\s+<head>\s+<title><\?php\s+tr\(\'name\'\,false\)\;\s+\?>\s+<\?php\s+echo\s+VERSION\;\?><\/title>.+?function\s+pingoutservers\(\)\s+\{.+?function\s+StopSendMail\(\)\s+\{.+?<\/body>\s+<\/html>/is,
|
||||
qr/<\!DOCTYPE.+?<title>\(c\)\s+private\s+mail\-worker\s+\(c\)<\/title>.+?function\s+randmail\(\).+?\$numemails\s+\=\s+count\(\$allemails\)\;.+?<\/style>\s+<\/body>\s+<\/html>/is,
|
||||
qr/<\?php\s+Error\_Reporting\(E\_ALL.+?<title>FakeSender\s+by\s+POCT\s+\[FuckAV\.ru\]<\/title>.+?if\(mail\(\$to\,\s+\$subject\,\s+\$message\,\s+\$header\)\).+?\?>\s+<\/body>\s+<\/html>/is,
|
||||
|
||||
|
||||
);
|
||||
|
||||
|
||||
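Review bot: The mailer signatures at the end of this list (the `<title>MAILER</title>`, `<title>Mail</title>`, `pingoutservers`, `mail-worker` and `FakeSender` patterns, which look like the additions although the page has lost its `+` markers) each chain three or four unbounded `.+?` gaps under `/s`. If they are applied to whole file contents, a file that repeats the leading markers but never reaches the closing `</body>\s+</html>` makes every gap rescan the remainder, so scan time grows polynomially with file size on input the scanner does not control. I would bound each gap to a size derived from the known samples, for example `.{1,4096}?` in place of `.+?`, or run the regex only after `index()` has found the literal title. The same lines appear in the second `@regexen` hunk and need the same change; the list itself opens before the hunk.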
@ -928,6 +928,12 @@ my @regexen = (
|
||||
qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{32})\"\;\$([A-z0-9]{1,20})\=\".+?\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\)\;\?>/is,
|
||||
qr/<\?php\s+\$command\s+\=\s+\"wget\s+http\:\/\/.+?cryptonight.+?\{\s+echo\s+execCommand\(\$command\)\;\s+\}\s+\?>/is,
|
||||
qr/<\?php\s+\$tag\s+\=\s+\'\s+\*\s+\@package\s+general\'\;\s+\$code\s+\=\s+<<<\'CODE\'\s+\*\/.+?CODE\;\s+\$injectType\s+\=\s+1\;.+?unlink\(\_\_FILE\_\_\)\;\s+\?>/is,
|
||||
qr/<\!doctype\s+html>.+?<title>MAILER<\/title>.+?function\s+doset\(\)\s+\{.+?print\s+\"\s+SEND<br>\"\;\s+flush\(\)\;.+?\?>\s+<\/body>\s+<\/html>/is,
|
||||
qr/<html>\s+<head>\s+<title>Mail<\/title>.+?\$attach\[\$h\]\=\s+base64\_encode\(fread\(\$f\,filesize\(\$HTTP\_POST\_FILES\[\'filename\'\]\[\'tmp\_name\'\]\[\$h\]\)\)\)\;.+?\?>\s+<\/body>\s+<\/html>/is,
|
||||
qr/<html>\s+<head>\s+<title><\?php\s+tr\(\'name\'\,false\)\;\s+\?>\s+<\?php\s+echo\s+VERSION\;\?><\/title>.+?function\s+pingoutservers\(\)\s+\{.+?function\s+StopSendMail\(\)\s+\{.+?<\/body>\s+<\/html>/is,
|
||||
qr/<\!DOCTYPE.+?<title>\(c\)\s+private\s+mail\-worker\s+\(c\)<\/title>.+?function\s+randmail\(\).+?\$numemails\s+\=\s+count\(\$allemails\)\;.+?<\/style>\s+<\/body>\s+<\/html>/is,
|
||||
qr/<\?php\s+Error\_Reporting\(E\_ALL.+?<title>FakeSender\s+by\s+POCT\s+\[FuckAV\.ru\]<\/title>.+?if\(mail\(\$to\,\s+\$subject\,\s+\$message\,\s+\$header\)\).+?\?>\s+<\/body>\s+<\/html>/is,
|
||||
|
||||
|
||||
);
|
||||
|
||||
|
||||
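Review bot: This `@regexen` list repeats the first hunk's signatures line for line, and both hunks keep the same old and new start line (445 and 928), so they appear to sit in two separate scripts that each carry a hand-edited copy. Copies of a detection list drift, and a signature added to only one of them leaves the other script without coverage for that family. Until the list lives in one shared module, a comment above it such as `# Signature list is duplicated in a second script; add or change patterns in both copies.` would make the coupling visible. The list opens before the hunk, so the exact place for the comment is not visible here.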