From dbeec3d29ebd0617010224ad4d1e18ce322eb658 Mon Sep 17 00:00:00 2001
From: Gabor Gyorvari
Date: Fri, 12 Aug 2016 21:39:10 +0200
Subject: [PATCH] extending patterns and whitelists
---
 scan.php      | 3 +++
 whitelist.txt | 21 +++++++++++++++++++--
 2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/scan.php b/scan.php
index 3afa250..74f7528 100644
--- a/scan.php
+++ b/scan.php
@@ -156,6 +156,7 @@ class MalwareScanner
             '\x65\166\x61\154\x28' /* dec/hex issue? */,
             '\x65\x76\x61\x6C' /* case, dec/hex issue? */,
             'ZXZhbCg', // eval
+            "'ev'.'al'.'",
             'eval(base64_decode(',
             '\x47\x4c\x4f\x42\x41LS', // GLOBALS
@@ -170,6 +171,8 @@ class MalwareScanner
             /* too open? */
             // 'gzinflate(base64_decode(',
             'md5($_GET[', // md5($_GET["ms-load"])
+
+            '="create_";global'
         );
         foreach ($patterns as $toSearch) {
             $substrCount = substr_count($fileContent, $toSearch);
diff --git a/whitelist.txt b/whitelist.txt
index 5717bda..bde8014 100644
--- a/whitelist.txt
+++ b/whitelist.txt
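Review bot: The new entry `"'ev'.'al'.'",` in the first scan.php hunk is the only double-quoted string in the `$patterns` array and carries no comment, while its neighbours (`'ZXZhbCg', // eval`) say what they match; a reader has to decode the embedded single quotes to see that it targets `eval` split by string concatenation. Suggest `"'ev'.'al'.'", // 'ev'.'al' concatenation form of eval; double-quoted only because of the embedded single quotes`. Since `substr_count` in the loop below the second hunk does a byte-exact match, the comment should also note that the entry pins the exact quoting of the sample it was taken from. The enclosing method starts and ends outside the hunk.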
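Review bot: The second scan.php hunk inserts an empty `+` line inside the array literal and makes `'="create_";global'` the last element without a trailing comma, so the next pattern added will touch two lines instead of one; the previous last element `'md5($_GET[', // md5($_GET["ms-load"])` kept both the trailing comma and a sample comment. Suggest dropping the blank line and writing `'="create_";global', // presumably a split "create_" + function assignment followed by global — confirm against the sample`, keeping the list's one-entry-per-line-with-comment convention. The enclosing method starts outside the hunk.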
@@ -26,5 +26,22 @@ a6cce6be28fd8c451e54280aaa88bfcc wp-content/plugins/nextgen-gallery/products/pho
 73e90cd5d7580cba2f599d39f9351865 wp-includes/functions.php
 e9cf6421fe6afc7b724bf0372697e1c4 wp-includes/formatting.php -> (chr\(\d+\)\.){4,}
 eb034c991aee49aa232f6d50372f8b4a wp-content/themes/enfold/framework/php/function-set-avia-frontend.php -> (\$[a-z0-9]{3,}\[\d+\]\.){4,}
-5311094f43c7252b22c71fd4dee43f03 wp-includes/formatting.php -> (chr\(\d+\)\.){4,}
-d2865536f339150ee54a81811ca80128 wp-includes/rss.php -> (\$[a-z0-9]{3,}\[\d+\]\.){4,}
+5311094f43c7252b22c71fd4dee43f03 wp-includes/formatting.php -> (chr\(\d+\)\.){4,}
+d2865536f339150ee54a81811ca80128 wp-includes/rss.php -> (\$[a-z0-9]{3,}\[\d+\]\.){4,}
+279d3f9add6b50ccdb7e07803e713618 wp-content/plugins/wp-simple-firewall/src/common/googleauthenticator/googleauthenticator.php -> (chr\(\d+\)\.){4,}
+1d1490c6c99b8ea03688428d8a22bb4a wp-content/plugins/wp-simple-firewall/src/features/firewall.php -> /etc/passwd
+7b41326263c3868548a54d34eb595750 wp-content/plugins/google-calendar-events/vendor/mexitek/phpcolors/src/Mexitek/PHPColors/Color.php -> (\$[a-z0-9]{3,}\[\d+\]\.){4,}
+f4e049f25bf7affcbf8d2cd99166d867 wp-includes/formatting.php -> (chr\(\d+\)\.){4,}
+68cbd184451abe2a8427421125fd2d10 wp-includes/formatting.php -> (chr\(\d+\)\.){4,}
+8268eaaad7d3dfa81480276500ffbf27 owncloud/apps/files_external/3rdparty/smb4php/smb.php -> /etc/passwd
+fa38cd66e5affb09324ece9fdafde98b smarty/SmartyBC.class.php -> {\s*eval\s*\(\s*\$
+0f48a8c36e1b295545c9d4232c398ea4 smarty/sysplugins/smarty_cacheresource_keyvaluestore.php -> eval("?>
+ae98a8bb6651b95c5bcb1c9c2139610e smarty/sysplugins/smarty_internal_template.php -> eval("?>
+dde809382f87ac708cbda79254a05cc1 smarty/sysplugins/smarty_cacheresource_custom.php -> eval("?>
+2781a19943e9ba76d30143708d3dc04c smarty/sysplugins/smarty_internal_templatebase.php -> eval("?>
+26f93373fd5f05bb3432e153e294c844 x5engine.php -> "base64_decode"
+a74724b2a02b50afb0e71f78b7661a4c owncloud/3rdparty/OS/Guess.php -> uname -a
+633af7bb3b31b39324bac96eca848668 owncloud/apps/files_external/3rdparty/smb4php/smb.php -> /etc/passwd
+a74724b2a02b50afb0e71f78b7661a4c owncloud/3rdparty/OS/Guess.php -> uname -a
+b3c71065cb5420e15a8bd1aeac63b00d owncloud/3rdparty/smb4php/smb.php -> /etc/passwd
+f063d5b84d03538b85f05cde9aae8037 civicrm/packages/os/guess.php -> uname -a
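Review bot: The added line `a74724b2a02b50afb0e71f78b7661a4c owncloud/3rdparty/OS/Guess.php -> uname -a` appears twice in this hunk, once directly after the `x5engine.php` entry and again after the `633af7bb…` smb.php entry; one copy should be dropped so the whitelist stays one entry per hash and path. The two removed lines (`5311094f…` and `d2865536…`) are re-added with identical visible content, which looks like a whitespace or line-ending-only change; if so, normalising the file's line endings once would keep future diffs to real additions. The entries appear to pair a file hash with a path and the pattern to ignore for that file, so each entry presumably covers only that exact revision of the file and will need refreshing when the upstream file changes — hedged, since the whitelist parser is not in this patch.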