nexylan / PHPAV

PHP CLI Virus/Malware Scanner
MIT License

Infected file regex propositions #3

Closed sigmounte closed 7 years ago

sigmounte commented 8 years ago

Regexes that work well and that would be worth integrating into PHPav, because PHPav is good, it's good stuff, eat up:

# each command reads the files to scan from stdin or a file argument and appends matching lines to result.txt
# a double quote right before 64_decode, i.e. the split-string trick "base"."64_decode"
grep '"64_decode' >> result.txt

# seven consecutive \xHH escapes; single quotes and a doubled backslash so grep matches a literal backslash-x
grep -E '(\\x[0-9a-f]{2}){7}' >> result.txt

# 'global' glued to the previous statement with no whitespace
grep ';global' >> result.txt

# unquoted array key, ']', any single character, then $GLOBALS
grep '[0-9a-zA-Z]\].\$GLOBALS' >> result.txt

gallart commented 8 years ago

Hello,

Thanks for the suggestion, but can you tell us more?

soullivaneuh commented 8 years ago

Can you elaborate a bit about how each regex work?

soullivaneuh commented 8 years ago

Please use English sentences to make it understandable by everyone.

sigmounte commented 8 years ago

If any of the four regexes match, this is an infected file.

soullivaneuh commented 8 years ago

Yes. But why is this considered infected?

gallart commented 8 years ago

How did you make sure they don't match legit files?

sigmounte commented 8 years ago

This is fingerprinting-based, not code-analysis-based.
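The rule stated in this thread (any one of the four fingerprints matching means the file is infected) and the question about legitimate files, worked through in code. This is an added example, not part of the issue and not PHPAV's own code: the patterns are my Python transliterations of the four grep arguments, the fingerprint names are my own labels (not identifiers from webshells.txt), and the PHP samples are constructed for this example.

```python
import re
from typing import Dict, List, Pattern

# Python transliterations of the four grep fingerprints proposed in this
# issue. The names are mine; the patterns follow the grep arguments, with
# the hex-escape one written so it matches a literal backslash-x sequence.
FINGERPRINTS: Dict[str, Pattern[str]] = {
    # grep "\"64_decode": a double quote right before 64_decode, i.e. the
    # split-string trick "base"."64_decode" rather than a plain base64_decode()
    "split_base64_decode": re.compile(r'"64_decode'),
    # seven consecutive \xHH escapes: a string built from hex escapes only
    "hex_escape_run": re.compile(r'(?:\\x[0-9a-f]{2}){7}'),
    # grep ";global": 'global' glued to the previous statement, no whitespace
    "semicolon_global": re.compile(r';global'),
    # grep "[0-9a-zA-Z]\].\$GLOBALS": an unquoted array key, ']', one
    # character (any character, as in the grep), then $GLOBALS
    "globals_chain": re.compile(r'[0-9a-zA-Z]\].\$GLOBALS'),
}


def scan_source(source: str) -> List[str]:
    """Return the names of the fingerprints that match.

    A non-empty list means "infected" under the rule proposed in the issue:
    any one of the four matching is enough.
    """
    return [name for name, rx in FINGERPRINTS.items() if rx.search(source)]


def is_infected(source: str) -> bool:
    return bool(scan_source(source))


# Constructed samples (written for this example; not real malware and not
# taken from the project's webshells.txt). Each "shell_*" entry trips exactly
# one fingerprint; the "legit_*" entries are ordinary PHP.
SAMPLES: Dict[str, str] = {
    "shell_split_base64": '<?php $f="base"."64_decode"; eval($f($_POST["c"]));',
    "shell_hex_string": r'<?php $s="\x65\x76\x61\x6c\x28\x24\x5f\x50\x4f\x53\x54\x5b\x78\x5d\x29\x3b"; eval($s);',
    "shell_minified_global": '<?php $a=1;global $auth_pass;if(md5($_POST["p"])==$auth_pass)eval($_POST["c"]);',
    "shell_globals_chain": '<?php $GLOBALS[s]=$_POST[s]; $GLOBALS[k]=$_GET[k].$GLOBALS[s]; eval($GLOBALS[k]);',
    "legit_base64": '<?php echo base64_decode($row["payload"]);',
    "legit_globals": '<?php\nglobal $db;\n$name = $row["name"] . $GLOBALS["title"];\n',
    # Legitimate but minified: the ';global' fingerprint fires on it, which is
    # exactly the false-positive risk raised in the thread.
    "legit_minified": '<?php function cfg(){static $c;global $root;return $root."/config.php";}',
}


def scan_all(samples: Dict[str, str] = SAMPLES) -> Dict[str, List[str]]:
    """Scan every sample and return {sample name: matched fingerprint names}."""
    return {name: scan_source(src) for name, src in samples.items()}


if __name__ == "__main__":
    for name, hits in scan_all().items():
        verdict = "INFECTED" if hits else "clean"
        print(f"{name:24} {verdict:9} {', '.join(hits)}")
```

Running it prints one verdict per sample. The four shell samples each hit one fingerprint and the two clean files hit none, but `legit_minified` is flagged by `;global` alone, which is why a whitespace-sensitive fingerprint like that one needs a second signal or an allow-list before a match is treated as a detection by itself.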

gallart commented 7 years ago

Fingerprints have been updated in webshells.txt. Let us know.

soullivaneuh commented 7 years ago

I'm closing this issue because there have been no answers for a while.

Feel free to re-open it if needed.