From 4f41362a461b7e754f5cc171d6f31523d4bbc7e1 Mon Sep 17 00:00:00 2001
From: Gabor Gyorvari
Date: Mon, 15 Aug 2016 15:07:23 +0200
Subject: [PATCH] extending patterns and whitelists
---
 scan.php | 3 +++
 whitelist.txt | 2 ++
 2 files changed, 5 insertions(+)
diff --git a/scan.php b/scan.php
index 74f7528..ffe3476 100644
--- a/scan.php
+++ b/scan.php
@@ -149,6 +149,7 @@ class MalwareScanner '=\'base\'.(32*2).\'_de\'.\'code\'', '"base64_decode"', 'YmFzZTY0X2RlY29kZ', // base64_decode + '"p"."r"."e"."g"."_"', // preg_ /* 'eval', 'eval(', */ 'eval("?>',
@@ -191,6 +192,8 @@ class MalwareScanner
 // eval(v5JONDD($v5EKGVD, $vX3Z3DE));
 '(chr\(\d+\)\.){4,}',
 // chr(22).chr(33).chr(22).chr(22)
+ '(chr\(\d+\^\d+\)\.){4,}',
+ // chr(95^57).chr(95^54).chr(95^51).chr(95^58)
 '(\$[a-z0-9]{3,}\[\d+\]\.){4,}',
 // $saz98[5].$saz98[2].$saz98[1].$saz98[3].$saz98[5]
 'chr\(\d+\)\.""\.""\.""\.""\.""',
diff --git a/whitelist.txt b/whitelist.txt
index bde8014..e06029d 100644
--- a/whitelist.txt
+++ b/whitelist.txt
@@ -45,3 +45,5 @@ a74724b2a02b50afb0e71f78b7661a4c owncloud/3rdparty/OS/Guess.php -> uname -a
 a74724b2a02b50afb0e71f78b7661a4c owncloud/3rdparty/OS/Guess.php -> uname -a
 b3c71065cb5420e15a8bd1aeac63b00d owncloud/3rdparty/smb4php/smb.php -> /etc/passwd
 f063d5b84d03538b85f05cde9aae8037 civicrm/packages/os/guess.php -> uname -a
+f10b143d678bff74c4f3b69543472d6d wp-includes/formatting.php -> (chr\(\d+\)\.){4,}
+db08c00ae52f4408393789ee7f927939 wp-includes/formatting.php -> (chr\(\d+\)\.){4,}
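Review bot: The signature added in the `@@ -149,6 +149,7 @@` hunk of scan.php, `'"p"."r"."e"."g"."_"'`, covers only the double-quoted spelling with no whitespace, so the same concatenation written with single quotes or with spaces around the dots would not be reported. The neighbouring entries read like literal substrings rather than regexes, but how this list is matched is decided outside the hunk, so that is an assumption to confirm. If it holds, the check would be sturdier as an entry in the regex list that the second hunk extends, for example `'["\']p["\']\s*\.\s*["\']r["\']\s*\.\s*["\']e["\']\s*\.\s*["\']g["\']\s*\.\s*["\']_'`. The trailing comment `// preg_` could also say why a split `preg_` prefix is suspicious, since the reason is not obvious from the string itself.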
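Review bot: The example in the comment added by the `@@ -191,6 +192,8 @@` hunk of scan.php, `chr(95^57).chr(95^54).chr(95^51).chr(95^58)`, is not matched by the regex it documents, `(chr\(\d+\^\d+\)\.){4,}`. Every repetition consumes a trailing `.`, so four repetitions need a dot after the fourth `chr()` call, which in practice means a chain of five terms. Either the comment should show a chain that does match, or the last term should be allowed to end without a dot, as in `'(chr\(\d+\^\d+\)\.){3,}chr\(\d+\^\d+\)'`. That second option lowers the threshold to four terms and may need whitelist entries like the ones this commit adds for the sibling pattern. The pattern also accepts only decimal operands with no whitespace inside the parentheses, and whether it is applied case-insensitively is set outside this hunk.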
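Review bot: The two `wp-includes/formatting.php` entries added to whitelist.txt do not say which WordPress release each MD5 was taken from, so a later reader cannot compare them with an upstream copy before trusting the exemption. Naming the releases in the commit message would make the entries auditable. They could instead go in the file itself if the whitelist parser tolerates comment lines, which is not visible here. Both entries exempt only `(chr\(\d+\)\.){4,}`, so if the same files also trip the XOR variant added in scan.php they will need their own lines.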