extending patterns and whitelists

2026-06-16 12:30:35 +00:00 · 2016-08-15 15:07:23 +02:00
parent dbeec3d29e
commit 4f41362a46
2 changed files with 5 additions and 0 deletions
--- a/scan.php
+++ b/scan.php
@@ -149,6 +149,7 @@ class MalwareScanner
            '=\'base\'.(32*2).\'_de\'.\'code\'',
            '"base64_decode"',
            'YmFzZTY0X2RlY29kZ', // base64_decode
+            '"p"."r"."e"."g"."_"', // preg_
            
            /* 'eval', 'eval(', */
            'eval("?>',
@@ -191,6 +192,8 @@ class MalwareScanner
                // eval(v5JONDD($v5EKGVD, $vX3Z3DE));
                '(chr\(\d+\)\.){4,}',
                // chr(22).chr(33).chr(22).chr(22)
+                '(chr\(\d+\^\d+\)\.){4,}',
+                // chr(95^57).chr(95^54).chr(95^51).chr(95^58)
                '(\$[a-z0-9]{3,}\[\d+\]\.){4,}',
                // $saz98[5].$saz98[2].$saz98[1].$saz98[3].$saz98[5]
                'chr\(\d+\)\.""\.""\.""\.""\.""',
--- a/whitelist.txt
+++ b/whitelist.txt
@@ -45,3 +45,5 @@ a74724b2a02b50afb0e71f78b7661a4c owncloud/3rdparty/OS/Guess.php -> uname -a
 a74724b2a02b50afb0e71f78b7661a4c owncloud/3rdparty/OS/Guess.php -> uname -a
 b3c71065cb5420e15a8bd1aeac63b00d owncloud/3rdparty/smb4php/smb.php -> /etc/passwd
 f063d5b84d03538b85f05cde9aae8037 civicrm/packages/os/guess.php -> uname -a
+f10b143d678bff74c4f3b69543472d6d wp-includes/formatting.php -> (chr\(\d+\)\.){4,}
+db08c00ae52f4408393789ee7f927939 wp-includes/formatting.php -> (chr\(\d+\)\.){4,}