extending patterns and whitelists

2026-06-16 12:30:35 +00:00 · 2016-08-12 21:39:10 +02:00
parent 5783ead57a
commit dbeec3d29e
2 changed files with 22 additions and 2 deletions
--- a/scan.php
+++ b/scan.php
@@ -156,6 +156,7 @@ class MalwareScanner
            '\x65\166\x61\154\x28' /* dec/hex issue? */,
            '\x65\x76\x61\x6C' /* case, dec/hex issue? */,
            'ZXZhbCg', // eval
+            "'ev'.'al'.'",

            'eval(base64_decode(',
            '\x47\x4c\x4f\x42\x41LS', // GLOBALS
@@ -170,6 +171,8 @@ class MalwareScanner
            /* too open? */
            // 'gzinflate(base64_decode(',
            'md5($_GET[', // md5($_GET["ms-load"])
+
+            '="create_";global'
        );
        foreach ($patterns as $toSearch) {
            $substrCount = substr_count($fileContent, $toSearch);
--- a/whitelist.txt
+++ b/whitelist.txt
@@ -26,5 +26,22 @@ a6cce6be28fd8c451e54280aaa88bfcc wp-content/plugins/nextgen-gallery/products/pho
 73e90cd5d7580cba2f599d39f9351865 wp-includes/functions.php
 e9cf6421fe6afc7b724bf0372697e1c4 wp-includes/formatting.php -> (chr\(\d+\)\.){4,}
 eb034c991aee49aa232f6d50372f8b4a wp-content/themes/enfold/framework/php/function-set-avia-frontend.php -> (\$[a-z0-9]{3,}\[\d+\]\.){4,}
-5311094f43c7252b22c71fd4dee43f03 wp-includes/formatting.php -> (chr\(\d+\)\.){4,} 
-d2865536f339150ee54a81811ca80128 wp-includes/rss.php -> (\$[a-z0-9]{3,}\[\d+\]\.){4,} 
+5311094f43c7252b22c71fd4dee43f03 wp-includes/formatting.php -> (chr\(\d+\)\.){4,}
+d2865536f339150ee54a81811ca80128 wp-includes/rss.php -> (\$[a-z0-9]{3,}\[\d+\]\.){4,}
+279d3f9add6b50ccdb7e07803e713618 wp-content/plugins/wp-simple-firewall/src/common/googleauthenticator/googleauthenticator.php -> (chr\(\d+\)\.){4,}
+1d1490c6c99b8ea03688428d8a22bb4a wp-content/plugins/wp-simple-firewall/src/features/firewall.php -> /etc/passwd
+7b41326263c3868548a54d34eb595750 wp-content/plugins/google-calendar-events/vendor/mexitek/phpcolors/src/Mexitek/PHPColors/Color.php -> (\$[a-z0-9]{3,}\[\d+\]\.){4,}
+f4e049f25bf7affcbf8d2cd99166d867 wp-includes/formatting.php -> (chr\(\d+\)\.){4,}
+68cbd184451abe2a8427421125fd2d10 wp-includes/formatting.php -> (chr\(\d+\)\.){4,}
+8268eaaad7d3dfa81480276500ffbf27 owncloud/apps/files_external/3rdparty/smb4php/smb.php -> /etc/passwd
+fa38cd66e5affb09324ece9fdafde98b smarty/SmartyBC.class.php -> {\s*eval\s*\(\s*\$
+0f48a8c36e1b295545c9d4232c398ea4 smarty/sysplugins/smarty_cacheresource_keyvaluestore.php -> eval("?>
+ae98a8bb6651b95c5bcb1c9c2139610e smarty/sysplugins/smarty_internal_template.php -> eval("?>
+dde809382f87ac708cbda79254a05cc1 smarty/sysplugins/smarty_cacheresource_custom.php -> eval("?>
+2781a19943e9ba76d30143708d3dc04c smarty/sysplugins/smarty_internal_templatebase.php -> eval("?>
+26f93373fd5f05bb3432e153e294c844 x5engine.php -> "base64_decode" 
+a74724b2a02b50afb0e71f78b7661a4c owncloud/3rdparty/OS/Guess.php -> uname -a
+633af7bb3b31b39324bac96eca848668 owncloud/apps/files_external/3rdparty/smb4php/smb.php -> /etc/passwd
+a74724b2a02b50afb0e71f78b7661a4c owncloud/3rdparty/OS/Guess.php -> uname -a
+b3c71065cb5420e15a8bd1aeac63b00d owncloud/3rdparty/smb4php/smb.php -> /etc/passwd
+f063d5b84d03538b85f05cde9aae8037 civicrm/packages/os/guess.php -> uname -a