From 6b55cfd8b38e8210168b297dfaebdddfb5102388 Mon Sep 17 00:00:00 2001
From: nichogenius
Date: Mon, 24 Jul 2017 12:23:39 -0600
Subject: [PATCH 1/5] Added Equivalent base64 pattern samples Because base64 converts from an 8 bit to a 6 bit character system, you can get 3 unique base64 strings from a single ascii string depending on the position of the first character. for example: base64_encode("system"); base64_encode(" system"); base64_encode("( system"); The above 3 input strings all produce very different base64 signatures even though they all contain the same keyword 'system'. This is because the first letter of system, 's' fall on indices 0,1,2 respectively. I updated several of the base64 samples to include their offset counterparts as the originals would only catch about 1 in 3 of the actual present matches.
---
 patterns_raw.txt | 32 ++++++++++++++++++++++++++------
 1 file changed, 26 insertions(+), 6 deletions(-)
diff --git a/patterns_raw.txt b/patterns_raw.txt
index f100684..e91ed6b 100644
--- a/patterns_raw.txt
+++ b/patterns_raw.txt
@@ -2,27 +2,43 @@ uname -a
 /etc/shadow
 /etc/passwd
 WSOstripslashes
-PD9waHA
+PD9waH
+w/cGhw
+8P3Boc
 c3lzdGVt
+N5c3Rlb
+zeXN0ZW
 \x73\x79\x73\x74\x65\x6d' /* case, dec/hex issue? */, // system
 cHJlZ19yZXBsYWNl
+ByZWdfcmVwbGFjZ
+wcmVnX3JlcGxhY2
 \x70\x72\x65\x67\x5f\x72\x65\x70\x6c\x61\x63\x65' /* case, dec/hex issue? */, // preg_replace
-ZXhlYyg
+ZXhlYy
+V4ZWMo
+leGVjK
 \x65\x78\x65\x63' /* dec/hex issue? */, // exec
 ='base'.(32*2).'_de'.'code'
 "base64_decode"
 YmFzZTY0X2RlY29kZ
+Jhc2U2NF9kZWNvZG
+iYXNlNjRfZGVjb2Rl
 "p"."r"."e"."g"."_"
 eval("?>
 ev\x61l
 \x65\166\x61\154\x28' /* dec/hex issue? */,
 \x65\x76\x61\x6C' /* case, dec/hex issue? */,
-ZXZhbCg
+ZXZhbC
+V2YWwo
+ldmFsK
 'ev'.'al'.'
 eval(base64_decode(
 \x47\x4c\x4f\x42\x41LS
 SFRUUF9VU0VSX0FHRU5U
+hUVFBfVVNFUl9BR0VOV
+IVFRQX1VTRVJfQUdFTl
 YWxsb3dfdXJsX2ZvcGVu
+FsbG93X3VybF9mb3Blb
+hbGxvd191cmxfZm9wZW
 ${${
 file_get_contents('http://codepad.org
 PHPJiaMi
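Review bot: The six-character stems added for `exec` and `eval` in the first hunk (`ZXhlYy`, `V4ZWMo`, `leGVjK`, `ZXZhbC`, `V2YWwo`, `ldmFsK`) pin down only four and a half bytes of plaintext, so they will also surface inside legitimate base64 payloads such as embedded images, fonts and data: URIs bundled with themes; the alignment reasoning in the commit message is sound, but the shorter stems trade precision for recall and the message does not say how much. Running the updated list over a corpus of known-clean base64-heavy files before merge and recording the observed false-positive rate would make that trade-off explicit. The longer stems (`c3lzdGVt`, `YmFzZTY0X2RlY29kZ`, the `SFRUUF9VU0VSX0FHRU5U` and `YWxsb3dfdXJsX2ZvcGVu` families) do not have this problem.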
@@ -45,7 +61,9 @@ base=base64_encode
 1@1.com
 META http-equiv="refresh" content="0;
 ="create_";global
-YW55cmVzdWx0cy5uZXQ=
+YW55cmVzdWx0cy5uZX
+FueXJlc3VsdHMubmV0
+hbnlyZXN1bHRzLm5ld
 ZOBUGTEL
 MagelangCyber
 //rasta//
@@ -76,7 +94,9 @@ ayu pr1 pr2 pr3 pr4 pr5 pr6
 f0VMRgEBAQA
 0d0a0d0a676c6f62616c20246d795f736d7
 etalfnizg
-JHZpc2l0Y291bnQgPSAkSFRUUF9DT09LSUVfV
+JHZpc2l0Y291bnQgPSAkSFRUUF9DT09LSUVfVf
+R2aXNpdGNvdW50ID0gJEhUVFBfQ09PS0lFX
+kdmlzaXRjb3VudCA9ICRIVFRQX0NPT0tJRV
 edoced_46esab
 VOBRA GANGO itsoknoproblembro
@@ -151,4 +171,4 @@ Dr.abolalh
 C0derz.com
 Mr.HiTman
 \x47\x4c\x4f\x42\x41\x4c\x53
-@eval($_POST['
\ No newline at end of file
+@eval($_POST['
From deb569cd119d3dce61da0be24c8826f2999651d0 Mon Sep 17 00:00:00 2001
From: nichogenius
Date: Mon, 24 Jul 2017 12:33:00 -0600
Subject: [PATCH 2/5] contact-form-7 welcome-panel.php whitelist contact-form-7 welcome-panel.php whitelist confirmed md5 checksum from wordpress.org download.
---
 whitelist.txt | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/whitelist.txt b/whitelist.txt
index f32f0e7..21f3158 100644
--- a/whitelist.txt
+++ b/whitelist.txt
@@ -57,4 +57,5 @@ edd1548e1908e445eeae6ca465d1c259 wp-includes/formatting.php -> (chr\(\d+\)\.){4,
 380ae5f3190f2b2e38477e2d52c09a3b wp-content/plugins/wordfence/lib/wordfenceURLHoover.php -> @preg_replace
 b2f59fc0fcc1e40561e3ca485d5569a2 wp-content/plugins/s2member/includes/classes/tracking-codes.inc.php -> eval("?>
 0af39249db48e6c5c274cb0a085b530d wp-content/plugins/buddypress/bp-forums/bbpress/bb-includes/backpress/functions.formatting.php -> (chr\(\d+\)\.){4,}
-db0f55370d091c3960929f653c0a986d wp-content/plugins/tracking-code-manager/includes/classes/utils/Utils.php -> =urldecode
+db0f55370d091c3960929f653c0a986d wp-content/plugins/tracking-code-manager/includes/classes/utils/Utils.php -> =urldecode
+62300c057b53b6fc5ff8cf7ebe210c44 wp-content/plugins/contact-form-7/admin/includes/welcome-panel.php -> Spammer
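Review bot: `JHZpc2l0Y291bnQgPSAkSFRUUF9DT09LSUVfVf` in the `@@ -76,7 +94,9 @@` hunk is not a valid continuation of `$visitcount = $HTTP_COOKIE_`: the trailing group `Vf` decodes to `U` followed by a byte beginning `1111`, so this stem can never match the `$HTTP_COOKIE_VARS` form, whereas the removed line ending in `V` covered `T`–`W` as the next character. PATCH 3/5 of this series already replaces it with `JHZpc2l0Y291bnQgPSAkSFRUUF9DT09LSUVf`, so nothing further is needed on that line, but the slip shows how easily hand-typed stems drift. Generating the three alignment variants from the plaintext with a short script and committing the script (or its output table) next to the pattern file would make every later addition checkable; the two offset variants `R2aXNpdGNvdW50ID0gJEhUVFBfQ09PS0lFX` and `kdmlzaXRjb3VudCA9ICRIVFRQX0NPT0tJRV` do decode correctly.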
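Review bot: The new whitelist entry `62300c057b53b6fc5ff8cf7ebe210c44 wp-content/plugins/contact-form-7/admin/includes/welcome-panel.php -> Spammer` records neither the plugin release the MD5 was taken from nor when it was verified; the commit message only says it was confirmed against a wordpress.org download. Because the hash changes with every release, an entry without a version silently stops applying and nobody can later tell which build it vouched for; PATCH 5/5 shows the effect already, adding a second hash for the same `wordfenceURLHoover.php` path. If the line format tolerates trailing text, appending the release the checksum was verified against (e.g. `# verified against contact-form-7 <VERSION>`, placeholder to be filled in) would make the whitelist auditable; otherwise keeping that mapping in the commit message is the minimum.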
From 34e6238a19e1eb3080b7451f2e50d7d32abb4b6e Mon Sep 17 00:00:00 2001
From: nichogenius
Date: Mon, 24 Jul 2017 21:51:43 -0600
Subject: [PATCH 3/5] Minor correction to base64 sample JHZpc2l0Y291bnQgPSAkSFRUUF9DT09LSUVf is correct. encoded version of "$visitcount = $HTTP_COOKIE_" I seem to have added a couple of extra characters than what I should have. Not sure where they came from.
---
 patterns_raw.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/patterns_raw.txt b/patterns_raw.txt
index e91ed6b..3682206 100644
--- a/patterns_raw.txt
+++ b/patterns_raw.txt
@@ -94,7 +94,7 @@ ayu pr1 pr2 pr3 pr4 pr5 pr6
 f0VMRgEBAQA
 0d0a0d0a676c6f62616c20246d795f736d7
 etalfnizg
-JHZpc2l0Y291bnQgPSAkSFRUUF9DT09LSUVfVf
+JHZpc2l0Y291bnQgPSAkSFRUUF9DT09LSUVf
 R2aXNpdGNvdW50ID0gJEhUVFBfQ09PS0lFX
 kdmlzaXRjb3VudCA9ICRIVFRQX0NPT0tJRV
 edoced_46esab
From 32e8992b506b6d1f389942dfd1520e81f3d63ed5 Mon Sep 17 00:00:00 2001
From: nichogenius
Date: Mon, 24 Jul 2017 22:32:57 -0600
Subject: [PATCH 4/5] preg_replace b64 sample shortened to 'replace' preg_replace should be shortened to just replace as it will also match str_replace, str_ireplace, ereg_replace, eregi_replace and many others I'm sure. Should increase number of hits. 'preg_replace' base64 strings: (removed) cHJlZ19yZXBsYWNl ByZWdfcmVwbGFjZ wcmVnX3JlcGxhY2 'replace' base64 strings: (added) cmVwbGFjZ JlcGxhY2 yZXBsYWNl
---
 patterns_raw.txt | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/patterns_raw.txt b/patterns_raw.txt
index 3682206..45e7e8b 100644
--- a/patterns_raw.txt
+++ b/patterns_raw.txt
@@ -9,9 +9,9 @@ c3lzdGVt
 N5c3Rlb
 zeXN0ZW
 \x73\x79\x73\x74\x65\x6d' /* case, dec/hex issue? */, // system
-cHJlZ19yZXBsYWNl
-ByZWdfcmVwbGFjZ
-wcmVnX3JlcGxhY2
+cmVwbGFjZ
+JlcGxhY2
+yZXBsYWNl
 \x70\x72\x65\x67\x5f\x72\x65\x70\x6c\x61\x63\x65' /* case, dec/hex issue? */, // preg_replace
 ZXhlYy
 V4ZWMo
From 9931821ec5f6e2cbd2ec19f049d108cfecb260b1 Mon Sep 17 00:00:00 2001
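Review bot: Swapping the `preg_replace` stems for `cmVwbGFjZ`, `JlcGxhY2` and `yZXBsYWNl` in the PATCH 4/5 hunk widens the indicator from a function that is only notable in its `/e`-modifier form to a substring that also occurs in `str_replace`, JavaScript `.replace(` and ordinary prose, so base64-encoded JS, CSS or HTML shipped with themes will now trip it far more often; the commit message counts the extra hits but not what they cost in precision. The hex-escaped line kept as context below still spells out the full `\x70\x72\x65\x67\x5f\x72\x65\x70\x6c\x61\x63\x65` for `preg_replace`, so the two encodings of the same indicator now disagree in breadth. Keeping the three removed `preg_replace` stems alongside the new ones, or marking the `replace` stems as low-confidence if the pattern format carries weights, would preserve the stronger signal while still catching the other `*_replace` variants; a run over a clean corpus would show whether the broader stems are tolerable on their own.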
From: nichogenius
Date: Tue, 25 Jul 2017 06:38:23 -0600
Subject: [PATCH 5/5] added wordfence whitelist wp-content/plugins/wordfence/lib/wordfenceURLHoover.php checksum verified with fresh download.
---
 whitelist.txt | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/whitelist.txt b/whitelist.txt
index 21f3158..04224c2 100644
--- a/whitelist.txt
+++ b/whitelist.txt
@@ -54,7 +54,8 @@ d77cecbe949c76a1d54a70cba5bf8df0 wp-includes/formatting.php -> (chr\(\d+\)\.){4,
 edd1548e1908e445eeae6ca465d1c259 wp-includes/formatting.php -> (chr\(\d+\)\.){4,}
 7f95646cc4c16b9b5e1c1d3f7e6bb1df wp-includes/formatting.php -> (chr\(\d+\)\.){4,}
 124ee8826072a166503ccca21b954e48 wp-content/plugins/ultimate-security-checker/securitycheck.class.php -> uname -a
-380ae5f3190f2b2e38477e2d52c09a3b wp-content/plugins/wordfence/lib/wordfenceURLHoover.php -> @preg_replace
+380ae5f3190f2b2e38477e2d52c09a3b wp-content/plugins/wordfence/lib/wordfenceURLHoover.php -> @preg_replace
+241ea527ed67992dd4a19d274a1403c3 wp-content/plugins/wordfence/lib/wordfenceURLHoover.php -> @preg_replace
 b2f59fc0fcc1e40561e3ca485d5569a2 wp-content/plugins/s2member/includes/classes/tracking-codes.inc.php -> eval("?>
 0af39249db48e6c5c274cb0a085b530d wp-content/plugins/buddypress/bp-forums/bbpress/bb-includes/backpress/functions.formatting.php -> (chr\(\d+\)\.){4,}
 db0f55370d091c3960929f653c0a986d wp-content/plugins/tracking-code-manager/includes/classes/utils/Utils.php -> =urldecode