Add fingerprints for #147

build/all-confirmed.txt

@@ -94,8 +94,12 @@
 111\,\ 112\,\ 116\,\ 105\,\ 109\,\ 105\,\ 122\,\ 108\,\ 121\,\ 46\,\ 105\,\ 110\,\ 102\,\ 111
 111\,\ 114\,\ 100\,\ 101\,\ 114\,\ 45\,\ 115\,\ 101\,\ 99\,\ 117\,\ 114\,\ 105\,\ 116\,\ 121\,\ 46\,\ 99\,\ 111\,\ 109
 112\,97\,115\,115\,45\,106\,115\,46\,99\,108\,105\,99\,107
+112\,97\,121\,109\,101\,110\,116\,110\,111\,119\,46\,116\,107
+112\,97\,121\,109\,101\,110\,116\,112\,97\,108\,46\,99\,102
 112\,97\,121\,109\,101\,110\,116\,115\,121\,115\,116\,101\,109\,46\,105\,110\,102\,111
 112\,\ 97\,\ 115\,\ 115\,\ 45\,\ 106\,\ 115\,\ 46\,\ 99\,\ 108\,\ 105\,\ 99\,\ 107
+112\,\ 97\,\ 121\,\ 109\,\ 101\,\ 110\,\ 116\,\ 110\,\ 111\,\ 119\,\ 46\,\ 116\,\ 107
+112\,\ 97\,\ 121\,\ 109\,\ 101\,\ 110\,\ 116\,\ 112\,\ 97\,\ 108\,\ 46\,\ 99\,\ 102
 112\,\ 97\,\ 121\,\ 109\,\ 101\,\ 110\,\ 116\,\ 115\,\ 121\,\ 115\,\ 116\,\ 101\,\ 109\,\ 46\,\ 105\,\ 110\,\ 102\,\ 111
 114\,101\,113\,117\,101\,115\,116\,110\,101\,116\,46\,116\,107
 114\,\ 101\,\ 113\,\ 117\,\ 101\,\ 115\,\ 116\,\ 110\,\ 101\,\ 116\,\ 46\,\ 116\,\ 107
@@ -157,6 +161,7 @@
 119\,\ 101\,\ 98\,\ 45\,\ 115\,\ 116\,\ 97\,\ 116\,\ 46\,\ 109\,\ 101
 121\,111\,117\,112\,97\,121\,109\,101\,46\,105\,110\,102\,111
 121\,\ 111\,\ 117\,\ 112\,\ 97\,\ 121\,\ 109\,\ 101\,\ 46\,\ 105\,\ 110\,\ 102\,\ 111
+3duc4t10n4l
 3g2t3c0w362k251r1610372j1m3i1f1x192f2b1a3027
 4aa336a2b0df4c437cc1fbf5dfca17b5
 5e908r948q9e605j8t9b915n5o9f8r5e5d969g9d795b4s6p8t9h9f978o8p8s9590936l6k8j9670524p7490915l5f8r90878t917f7g8p8o8p8k9c605i8d937t7m8i8q8o8q959h7p828e7r8e7q7e8m8o5g5e9199918o9g7q7c8c8t99905a5i8l94989h7r7g8i8t8m5f5o92917q7k9i9e948c919h925a5d8j915h608t8p8t9f937b7k9i9e948c919h92
@@ -305,6 +310,8 @@ ZXZhbChiYXNlNjRfZGVjb2RlK
 \&\#111\;\&\#112\;\&\#116\;\&\#105\;\&\#109\;\&\#105\;\&\#122\;\&\#108\;\&\#121\;\&\#46\;\&\#105\;\&\#110\;\&\#102\;\&\#111\;
 \&\#111\;\&\#114\;\&\#100\;\&\#101\;\&\#114\;\&\#45\;\&\#115\;\&\#101\;\&\#99\;\&\#117\;\&\#114\;\&\#105\;\&\#116\;\&\#121\;\&\#46\;\&\#99\;\&\#111\;\&\#109\;
 \&\#112\;\&\#97\;\&\#115\;\&\#115\;\&\#45\;\&\#106\;\&\#115\;\&\#46\;\&\#99\;\&\#108\;\&\#105\;\&\#99\;\&\#107\;
+\&\#112\;\&\#97\;\&\#121\;\&\#109\;\&\#101\;\&\#110\;\&\#116\;\&\#110\;\&\#111\;\&\#119\;\&\#46\;\&\#116\;\&\#107\;
+\&\#112\;\&\#97\;\&\#121\;\&\#109\;\&\#101\;\&\#110\;\&\#116\;\&\#112\;\&\#97\;\&\#108\;\&\#46\;\&\#99\;\&\#102\;
 \&\#112\;\&\#97\;\&\#121\;\&\#109\;\&\#101\;\&\#110\;\&\#116\;\&\#115\;\&\#121\;\&\#115\;\&\#116\;\&\#101\;\&\#109\;\&\#46\;\&\#105\;\&\#110\;\&\#102\;\&\#111\;
 \&\#114\;\&\#101\;\&\#113\;\&\#117\;\&\#101\;\&\#115\;\&\#116\;\&\#110\;\&\#101\;\&\#116\;\&\#46\;\&\#116\;\&\#107\;
 \&\#115\;\&\#104\;\&\#111\;\&\#112\;\&\#45\;\&\#97\;\&\#110\;\&\#97\;\&\#108\;\&\#121\;\&\#116\;\&\#105\;\&\#99\;\&\#115\;\&\#46\;\&\#110\;\&\#101\;\&\#116\;
@@ -537,7 +544,11 @@ ZXZhbChiYXNlNjRfZGVjb2RlK
 \\x70\\x61\\x73\\x73\\x2D\\x6A\\x73\\x2E\\x63\\x6C\\x69\\x63\\x6B
 \\x70\\x61\\x73\\x73\\x2d\\x6a\\x73\\x2e\\x63\\x6c\\x69\\x63\\x6b
 \\x70\\x61\\x79\\x6D\\x65\\x6E\\x74\\x2D\\x62\\x75\\x74\\x74\\x6F\\x6E\\x73\\x2D\\x63\\x6F\\x6E\\x74\\x61\\x69\\x6E\\x65\\x72
+\\x70\\x61\\x79\\x6D\\x65\\x6E\\x74\\x6E\\x6F\\x77\\x2E\\x74\\x6B
+\\x70\\x61\\x79\\x6D\\x65\\x6E\\x74\\x70\\x61\\x6C\\x2E\\x63\\x66
 \\x70\\x61\\x79\\x6D\\x65\\x6E\\x74\\x73\\x79\\x73\\x74\\x65\\x6D\\x2E\\x69\\x6E\\x66\\x6F
+\\x70\\x61\\x79\\x6d\\x65\\x6e\\x74\\x6e\\x6f\\x77\\x2e\\x74\\x6b
+\\x70\\x61\\x79\\x6d\\x65\\x6e\\x74\\x70\\x61\\x6c\\x2e\\x63\\x66
 \\x70\\x61\\x79\\x6d\\x65\\x6e\\x74\\x73\\x79\\x73\\x74\\x65\\x6d\\x2e\\x69\\x6e\\x66\\x6f
 \\x71\\x75\\x65\\x72\\x79\\x53\\x65\\x6C\\x65\\x63\\x74\\x6F\\x72\\x41\\x6C\\x6C
 \\x72\\x65\\x71\\x75\\x65\\x73\\x74\\x6E\\x65\\x74\\x2E\\x74\\x6B
@@ -711,6 +722,7 @@ ipays\@craxs\.co\.cc
 isset\(\$GLOBALS\[\"\\x
 isset\(\$_POST\['___'\]
 jQuery\('\[id\*\=\"cc_ss_issue\"\]'\)\.val\(\)
+jQuery\(\"\#checkout\-onepage\-buttom\"\)\.attr\(\"onclick\"\,\ \"paynow_right\(\)\;\"\)\;
 janeseste\.87\@gmail\.com
 javacc\@ymail\.com
 jcloudcdn\.com\/
@@ -756,12 +768,15 @@ optimizly\.info\/
 order\-security\.com\/
 paranoidal\ admin\[s\]\ has\ been\ disabled\ many\ functions
 pass\-js\.click\/
+paymentnow\.tk\/
+paymentpal\.cf\/
 paymentsystem\.info\/
 pepekgorengcok\@gmail\.com
 phpFileManager
 preg_match\(\"\/\"\.base64_decode\('YmlsbGluZ3xmaXJzdG5hbWV8Y2NfbnVtYmVyfGxvZ2lufHVzZXJuYW1lfHBheW1lbnR8Y2Nf'\)\.\"\/i\"
 preg_match\(\"\/billing\|firstname\|cc_number\|login\|username\|payment\|cc_root\/i\"
 preg_replace\(\"\/\.\/\\x65\"\,\@\$_
+purp0zes
 querySelectorAll\(\"input\,\ select\,\ textarea\,\ checkbox\"
 rUl6QttVEP5eqf9usxfJjgoOvdNWFSGoHDgluk\+4ONwXQNbGniQLttfyrgkB8d9
 rb2JHaTJVdURMNlhQZ1ZlTGVjVnFobVdnMk5nbDlvbEdBQVZKRzJ1WmZUSjdVOWNwWURZYlZ0L1BtNCt
@@ -795,6 +810,7 @@ trustd\.biz\/
 type:[a-z]\("[SPOT]{4}",[0-9]{1,3},[0-9]{1,3}\),url
 type:[a-z]\("[SPOT]{4}",[0-9]{1,3},[0-9]{1,3}\),url
 typekit\.website\/
+ultr4l33t
 ups\-broker\.org\/
 url:\s?'https?:\/\/[^\/]{5,30}\/gate\.php\?token=\w{4,20}',
 userinfos\.com\/

build/all-confirmed.yar

@@ -1,4 +1,4 @@
-/* AUTO GENERATED BY </home/demo/mwscan/magento-malware-scanner/tools/build_rules.py> DO NOT EDIT
+/* AUTO GENERATED BY </home/willem/git/magento-malware-collection/tools/build_rules.py> DO NOT EDIT
 
 WHITELIST = {
   "00324ef18dc5a2507e179dd8baec6aa91da69de4": "pma/libraries/sqlparser2.lib.php",
@@ -1770,6 +1770,54 @@ rule burner_domain_pass_js_click_cf292 {
 	strings: $ = "&#112;&#97;&#115;&#115;&#45;&#106;&#115;&#46;&#99;&#108;&#105;&#99;&#107;"
 	condition: any of them
 }
+rule burner_domain_paymentnow_tk_07a9a {
+	strings: $ = "112, 97, 121, 109, 101, 110, 116, 110, 111, 119, 46, 116, 107"
+	condition: any of them
+}
+rule burner_domain_paymentnow_tk_1d340 {
+	strings: $ = "112,97,121,109,101,110,116,110,111,119,46,116,107"
+	condition: any of them
+}
+rule burner_domain_paymentnow_tk_287f2 {
+	strings: $ = "&#112;&#97;&#121;&#109;&#101;&#110;&#116;&#110;&#111;&#119;&#46;&#116;&#107;"
+	condition: any of them
+}
+rule burner_domain_paymentnow_tk_5ce14 {
+	strings: $ = "\\x70\\x61\\x79\\x6D\\x65\\x6E\\x74\\x6E\\x6F\\x77\\x2E\\x74\\x6B"
+	condition: any of them
+}
+rule burner_domain_paymentnow_tk_6c4d7 {
+	strings: $ = "paymentnow.tk/"
+	condition: any of them
+}
+rule burner_domain_paymentnow_tk_6ea0a {
+	strings: $ = "\\x70\\x61\\x79\\x6d\\x65\\x6e\\x74\\x6e\\x6f\\x77\\x2e\\x74\\x6b"
+	condition: any of them
+}
+rule burner_domain_paymentpal_cf_02996 {
+	strings: $ = "\\x70\\x61\\x79\\x6D\\x65\\x6E\\x74\\x70\\x61\\x6C\\x2E\\x63\\x66"
+	condition: any of them
+}
+rule burner_domain_paymentpal_cf_14c47 {
+	strings: $ = "112,97,121,109,101,110,116,112,97,108,46,99,102"
+	condition: any of them
+}
+rule burner_domain_paymentpal_cf_1be02 {
+	strings: $ = "paymentpal.cf/"
+	condition: any of them
+}
+rule burner_domain_paymentpal_cf_25d01 {
+	strings: $ = "&#112;&#97;&#121;&#109;&#101;&#110;&#116;&#112;&#97;&#108;&#46;&#99;&#102;"
+	condition: any of them
+}
+rule burner_domain_paymentpal_cf_3cb37 {
+	strings: $ = "\\x70\\x61\\x79\\x6d\\x65\\x6e\\x74\\x70\\x61\\x6c\\x2e\\x63\\x66"
+	condition: any of them
+}
+rule burner_domain_paymentpal_cf_42830 {
+	strings: $ = "112, 97, 121, 109, 101, 110, 116, 112, 97, 108, 46, 99, 102"
+	condition: any of them
+}
 rule burner_domain_paymentsystem_info_01247 {
 	strings: $ = "112, 97, 121, 109, 101, 110, 116, 115, 121, 115, 116, 101, 109, 46, 105, 110, 102, 111"
 	condition: any of them
@@ -3174,6 +3222,10 @@ rule onepage_or_checkout_3e0b7 {
 	strings: $ = "\\x6F\\x6E\\x65\\x70\\x61\\x67\\x65\\x7C\\x63\\x68\\x65\\x63\\x6B\\x6F\\x75\\x74"
 	condition: any of them
 }
+rule onestepcheckout_paypal_hijack_45fd8 {
+	strings: $ = "jQuery(\"#checkout-onepage-buttom\").attr(\"onclick\", \"paynow_right();\");"
+	condition: any of them
+}
 rule overwrite_globals_hack_d949d {
 	strings: $ = /\$GLOBALS\['[^']{,20}'\]=Array\(/
 	condition: any of them
@@ -3378,6 +3430,18 @@ rule visbot_50cf9 {
 	strings: $ = "stripos($buf, 'Visbot')!==false && stripos($buf, 'Pong')!==false"
 	condition: any of them
 }
+rule webshell_leetspeak_362b5 {
+	strings: $ = "purp0zes"
+	condition: any of them
+}
+rule webshell_leetspeak_c8d75 {
+	strings: $ = "ultr4l33t"
+	condition: any of them
+}
+rule webshell_leetspeak_fe332 {
+	strings: $ = "3duc4t10n4l"
+	condition: any of them
+}
 rule wordpress_backdoor_374de {
 	strings: $ = "$db___WP=create_function"
 	condition: any of them