One more malicious pattern found

scr34m / php-malware-scanner

Scans PHP files for malwares and known threats

GNU General Public License v3.0

556 stars 96 forks source link

One more malicious pattern found #16

Closed vmirkovicmodx closed 6 years ago

vmirkovicmodx commented 6 years ago

Hey @scr34m,

Found another pattern that the scanner didn't pick up.

https://gist.github.com/vmirkovicmodx/24de92c053c187f6dba90e0df8816b3a

It was in a .json file.

scr34m commented 6 years ago

This file is truncated, I'm missing the closing quote aren't there any? The escape sequence is common that's why not in regexp definitions. Possible solution is to match as array with 2-more hex escape sequense.

scr34m commented 6 years ago

Well why would anyone escape these strings, so the raw patterns updated with this fragments:

join escaped \x6A\x6F\x69\x6E
reverse escaped \x72\x65\x76\x65\x72\x73\x65
split escaped \x73\x70\x6C\x69\x74
reversed \x3E\x74\x70\x69\x72\x63\x73\x2F\x3C