
I am trying to figure out a grep for malware that is hard to match with a single pattern. One line from the malicious file looks like this:

$bhbwjhu[11].$bhbwjhu[15].$bhbwjhu[34].$bhbwjhu[23].$bhbwjhu[30].$bhbwjhu[6].$bhbwjhu[3].$bhbwjhu[34].$bhbwjhu[31]

Tried with something like this, but obviously my grep skills are quite poor (this gives an "invalid range end" error):

find . -type f | xargs grep -s -l "\$[A-z]*\[[0-9]*\]\.\$[A-z]*\[[0-9]*\]\.\$[A-z]*\[[0-9]*\]"

Any way to search for that bunch of array elements in files?

Grep version is

grep (GNU grep) 2.20

Linux version 2.6.32-896.16.1.lve1.4.54.el6.x86_64

  • Tried this and it worked without issue; maybe add your version of grep/platform. – l'L'l Sep 14 '18 at 01:51
  • @l'L'l yes, thank you, I have added that info – DzoniT Sep 14 '18 at 06:19
  • 1
    I guess grep is complaining about your usage of `[A-z]`, which indeed - depending on the locale - might raise an incorrect range. It doesn't make much sense anyway. Replace it either by `[A-Za-z]`, or follow the suggestion posted by JGK. – user1934428 Sep 14 '18 at 06:50

1 Answer


I recommend using the following:

find . -type f -print0 | xargs -0 grep -s -l '\$[[:alpha:]]*\[[[:digit:]]*\]\.\$[[:alpha:]]*\[[[:digit:]]*\]\.\$[[:alpha:]]*\[[[:digit:]]*\]'

Using character classes is much safer than using ranges. I also recommend using -print0 and xargs -0 so that filenames with whitespace don't mess up your command. See also this explanation.

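The answer's character-class approach as a runnable check, added here and not part of the original answer: a small POSIX shell script that builds a constructed sample tree (file names and contents are made up) and then lists the files containing a run of three or more `$name[N]` pieces joined by `.`, the shape of the obfuscated line in the question. It switches to `grep -E` so the repeated piece is written once with `{2}`, and keeps `-print0`/`xargs -0` so the file in a directory with a space is still found.

```shell
#!/bin/sh
# Added example, not from the original answer.
# Scan a directory tree for lines that concatenate several indexed elements
# of one PHP array variable: $name[N].$name[N].$name[N] ...
# POSIX classes are used instead of [A-z], which is locale-dependent and
# is what produced the "invalid range end" error in the question.

# ERE: two "$name[N]." pieces followed by a third "$name[N]".
# A PHP variable name starts with a letter or underscore.
PATTERN='(\$[[:alpha:]_][[:alnum:]_]*\[[[:digit:]]+\]\.){2}\$[[:alpha:]_][[:alnum:]_]*\[[[:digit:]]+\]'

# Print the files under "$1" containing a match, one per line, sorted.
# -print0 / -0 keep filenames with spaces or newlines intact;
# -s hides unreadable-file errors; -l prints names only.
find_array_concat() {
    find "$1" -type f -print0 | xargs -0 grep -s -l -E -e "$PATTERN" | sort
}

# Build a constructed sample tree in a temp dir and print its path.
make_samples() {
    dir=$(mktemp -d)
    mkdir -p "$dir/sub dir"
    # Suspicious: obfuscated concatenation of array elements (constructed).
    printf '<?php $f = $bhbwjhu[11].$bhbwjhu[15].$bhbwjhu[34].$bhbwjhu[23];\n' \
        > "$dir/sub dir/bad.php"
    # Benign: a single array index and ordinary string concatenation.
    printf '<?php echo $cfg[0] . "x";\n' > "$dir/clean.php"
    printf 'nothing here\n' > "$dir/README"
    echo "$dir"
}

# Stand-alone usage: create the samples, scan them, clean up.
if [ "${RUN_DEMO:-0}" = 1 ]; then
    d=$(make_samples)
    find_array_concat "$d"
    rm -rf "$d"
fi
```

Run with `RUN_DEMO=1 sh scan.sh`; only `sub dir/bad.php` is listed, because a lone `$cfg[0]` does not form the repeated pattern.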