diff --git a/malware4.pl b/malware4.pl index 393e2b5..f9ad21a 100644 --- a/malware4.pl +++ b/malware4.pl @@ -30,10 +30,10 @@ my @regexen = ( qr/<\?php\s+eval\(gzuncompress\(.+?\"\)\)\;/is, qr/<\?php.+?class\s+JApplication.+?new\s+JApplication\(array\s+\(\'UID\'\s+\=>\s+\'([A-z0-9]{1,20})\'\)\)\;/is, qr/<\?php\s+\/\*\s+\@package\s+WordPress\s+\*\/\s+eval\(base64\_decode\(\@\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\)\;\?>/is, - qr/<\?php\s+\if\s+\(\!defined\(\'ALREADY\_RUN\_.+?\)\)\;\s+\}/is, +# qr/<\?php\s+\if\s+\(\!defined\(\'ALREADY\_RUN\_.+?\)\)\;\s+\}/is, qr/<\?php\s+\$dom\s+\=\s+array\(.+?\$url\s+\=\s+\'http\:\/\/\'\.\$dom\[mt\_rand\(0\,sizeof\(\$dom\)\-1\)\]\.\'\/file\.php\'\;.+?header\(\'Location\:\s+\'\.\$url\)\;\s+\}\s+exit\;\s+\?>/is, qr/<\?php\s+if\s+\(isset\(\$\_GET\[\"id\"\]\)\)\s+header\(.+?\.\$\_GET\[\"id\"\]\)\;\s+\?>/is, - qr/<\?php\s+eval\(base64\_decode\(.+?\)\)\;/is, +# qr/<\?php\s+eval\(base64\_decode\(.+?\)\)\;/is, qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\).+?functions+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\{return\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\}\;.+?\}\(\$url\,\s+FALSE\,\s+\$\{([A-z0-9]{1,20})\(.+?return\s+\$\{.+?\)\}\;\s+\}/is, qr/<\?php\s+eval\(base64\_decode\(.+?include.+?x70hp\"\;.+?include.+?x70hp\"\;/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=chr\(([0-9]{1,4})\).+?chr\(([0-9]{1,4})\).+?chr\(([0-9]{1,4})\).+?chr\(([0-9]{1,4})\).+?chr\(([0-9]{1,4})\).+?\)\;\s+\?>/is, @@ -51,11 +51,11 @@ my @regexen = ( qr/<\?php\s+if\(isset\(\$\_POST\[chr\(100\).+?

Object\s+not\s+found\!<\/h1>.+?

Error\s+404<\/h2>\s+<\/body>\s+<\/html>/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=chr\(97\)\.chr\(117\)\.\"t\"\.chr\(104\)\.\"\_\"\.\"p\"\.\".+?\"\.\"s\"\.chr\(115\)\;.+?\)\)\;\s+\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#/is, qr/<\?\s+\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\=Array\(base64\_decode\(.+?return.+?round\(.+?\)\;\}/is, - qr/\s+\RewriteEngine\s+On\s+RewriteCond\s+\%\{HTTP\_REFERER\}\s+\^\.\*\(google\|ask\|yahoo.+?\/index\_backup\.php\?query\=\$1\s+\[QSA\,L\]\s+<\/IfModule>/is, - qr/<\?php\s+if\s+\(isset\(\$\_GET\[\'jpg\'\]\)\)\s+\{\s+\header\(\s+\'Content\-Type\:\s+image\/jpeg\'\s+\)\;\s+readfile\(\'http\:\/\/.+?\.jpg\'\)\;\s+\exit\(\)\;\s+\}\s+header\(\'Location\:\s+http\:\/\/.+?\'\)\;\s+exit\(\)\;/is, +# qr/\s+\RewriteEngine\s+On\s+RewriteCond\s+\%\{HTTP\_REFERER\}\s+\^\.\*\(google\|ask\|yahoo.+?\/index\_backup\.php\?query\=\$1\s+\[QSA\,L\]\s+<\/IfModule>/is, +# qr/<\?php\s+if\s+\(isset\(\$\_GET\[\'jpg\'\]\)\)\s+\{\s+\header\(\s+\'Content\-Type\:\s+image\/jpeg\'\s+\)\;\s+readfile\(\'http\:\/\/.+?\.jpg\'\)\;\s+\exit\(\)\;\s+\}\s+header\(\'Location\:\s+http\:\/\/.+?\'\)\;\s+exit\(\)\;/is, qr/function\s+l\_\_1\(\$.+?function\s+l\_\_3\(\$\_2\)\{if\(\$GLOBALS\[\Z/is, - qr/<\?php\s+if\s+\(isset\(\$\_GET\[\'jpg\'\]\)\).+?\)\;\s+exit\(\)\;/is, - qr/<\?php\s+define\(\'URL\_HEADER\_NAME\'\,\s+\"X\-Upstream\-Url\"\)\;\s+define\(\'DEBUG\_HEADER\_NAME\'\,\s+\"X\-Debug\-Oleg\"\)\;.+?else\s+if\(strcasecmp\(\$h\,\s+\$key\)\s+\=\=\s+0\)\s+unset\(\$headers\[\$h\]\)\;\s+\}\s+\}/is, +# qr/<\?php\s+if\s+\(isset\(\$\_GET\[\'jpg\'\]\)\).+?\)\;\s+exit\(\)\;/is, +# qr/<\?php\s+define\(\'URL\_HEADER\_NAME\'\,\s+\"X\-Upstream\-Url\"\)\;\s+define\(\'DEBUG\_HEADER\_NAME\'\,\s+\"X\-Debug\-Oleg\"\)\;.+?else\s+if\(strcasecmp\(\$h\,\s+\$key\)\s+\=\=\s+0\)\s+unset\(\$headers\[\$h\]\)\;\s+\}\s+\}/is, qr/<\?php\s+\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\=Array\(base64\_decode\(.+?return\s+base64\_decode\(\$a\[\$i\]\)\;\}.+?\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\[.+?\s+exit\(\)\;\Z/is, qr/<\?php\s+\$ua\s+\=\s+\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\;\s+if\s+\(preg\_match\(\'\/facebook\/si\'\,\$ua\)\)\s+\{.+?<\/noframes>\s+<\/html>\'\;\s+\}\s+\?>/is, qr/<\?php\s+session\_start\(\)\;.+?\.php\_uname\(\)\..+?<\/form>/is,