Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new patterns

Browse Source
This commit is contained in:
Palma Solutions LTD
2018-03-15 19:39:23 +01:00
parent 68375c0420
commit fae4f83343
1 changed files with 8 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
malware4.pl
View File

@@ -359,6 +359,14 @@ my @regexen = (
qr/include\s+\"\\x.+?eval\(base64\_decode\(.+?file\_get\_contents\(\"index\.htm\"\)\;exit\;\}/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'.+?\;\$([A-z0-9]{1,20})\s+\=\s+Array\(\)\;\$([A-z0-9]{1,20})\[\]\s+\=.+?\]\;foreach\s+\(\$([A-z0-9]{1,20})\[\d\]\(\$\_COOKIE\,\s+\$\_POST\).+?\)\{function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\{return\s+\$([A-z0-9]{1,20}).+?\{eval\(\$([A-z0-9]{1,20})\[.+?\]\(\$([A-z0-9]{1,20})\)\)\)\)\;\}/is,
qr/<\?php\s+session\_start\(\)\;.+?\#\s+md5\:\s+IndoXploit.+facebookexternalhit.+?\Z/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+([A-z0-9]{1,20})\;\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+Array\(\)\;global\s+\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\s+\=\s+\$GLOBALS\;\$\{.+?\]\)\{eval\/\*([A-z0-9]{1,20})\*\/\(\$([A-z0-9]{1,20})\[\$([A-z0-9]{1,20})\[\'([A-z0-9]{1,20})\'\]\[([A-z0-9]{1,20})\]\]\)\;\}exit\(\)\;\}\s+\?>/is,
qr/<\!DOCTYPE\s+html>.+?<title>PHP\s+sCAn<\/title>.+?\?>\s+<\/html>/is,
qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\$\_([A-z0-9]{1,20})\s+\=\s+create\_function\s+\(\'\$([A-z0-9]{1,20})\'\,\s+([A-z0-9]{1,20})\s+\(base64\_decode\s+\(.+?\)\,\s+\$\_COOKIE\s+\[str\_replace\(\'\.\'\,\s+\'\_\'\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\)\]\)\s+\.\s+\'\;\'\)\;\s+\$\_([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\s+function\s+([A-z0-9]{1,20})\s+\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\s+\{\s+return\s+\$([A-z0-9]{1,20})\s+\^\s+str\_repeat\s+\(\$([A-z0-9]{1,20})\,\s+ceil\s+\(strlen\s+\(\$([A-z0-9]{1,20})\)\s+\/\s+strlen\s+\(\$([A-z0-9]{1,20})\)\)\)\;\s+\}\s+\?>/is,
qr/<\?php\s+if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{die\(pi\(\)\*\d\)\;\}\s+error\_reporting\(0\)\;\s+if\s+\(isset\(\$\_GET\[\"ping\"\]\)\s+and\s+\$\_GET\[\"ping\"\]\s+\=\=\s+\(\"ping\_host\"\)\)\s+\{.+?if\s+\(\$return\s+\=\=\s+true\)\s+\{\s+echo\s+\"true\"\;\s+\}\s+else\s+\{\s+echo\s+\"false\"\;\s+\}\s+\}\s+\?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[.+?\(\'\/\/e\'\,\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[.+?\]\,\'\'\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\{\/\*([A-z0-9]{1,20})\*\/eval\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\?>/is,
qr/error\s+page\s+news\s+version\s+\d\.\d\.\d\s+<\?php.+?\$([A-z0-9]{1,20})\s+=\s+str\_replace\(.+?\/\/\$([A-z0-9]{1,20})\(\)\;\s+\?>/is,
qr/<\?php\s+\$\w\_\_\_\w\_\=\'base\'\.\(32\*2\)\.\'\_de\'\.\'code\'\;\$\w\_\_\_\w\_\=\$\w\_\_\_\w\_\(str\_replace\(\"\\n\"\,\s+\'\'.+?value\=\"\&gt\;\"\/><\/form>/is,
);