extending patterns and whitelists

This commit is contained in:
Gabor Gyorvari
2016-08-12 21:39:10 +02:00
parent 5783ead57a
commit dbeec3d29e
2 changed files with 22 additions and 2 deletions


@@ -156,6 +156,7 @@ class MalwareScanner
'\x65\166\x61\154\x28' /* dec/hex issue? */, '\x65\166\x61\154\x28' /* dec/hex issue? */,
'\x65\x76\x61\x6C' /* case, dec/hex issue? */, '\x65\x76\x61\x6C' /* case, dec/hex issue? */,
'ZXZhbCg', // eval 'ZXZhbCg', // eval
"'ev'.'al'.'",
'eval(base64_decode(', 'eval(base64_decode(',
'\x47\x4c\x4f\x42\x41LS', // GLOBALS '\x47\x4c\x4f\x42\x41LS', // GLOBALS
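Review bot: The new signature `"'ev'.'al'.'",` on this hunk, and `'="create_";global'` in the second hunk, are the only entries in this part of the list without a trailing comment saying what they flag, while their neighbours carry `// eval` and `// GLOBALS`. Because substr_count (just after the second hunk) does an exact, case-sensitive byte match, a short note per entry helps the next maintainer judge the false-positive risk and understand why the quoting is byte-exact; e.g. `"'ev'.'al'.'", // split-string eval` and `'="create_";global', // <describe the sample this was taken from>`. The `$patterns` array and the enclosing method start outside the hunk, and the visible lines do not fully account for the hunk headers' line counts, so some of the commit's other additions may be outside this view.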
@@ -170,6 +171,8 @@ class MalwareScanner
/* too open? */ /* too open? */
// 'gzinflate(base64_decode(', // 'gzinflate(base64_decode(',
'md5($_GET[', // md5($_GET["ms-load"]) 'md5($_GET[', // md5($_GET["ms-load"])
'="create_";global'
); );
foreach ($patterns as $toSearch) { foreach ($patterns as $toSearch) {
$substrCount = substr_count($fileContent, $toSearch); $substrCount = substr_count($fileContent, $toSearch);


@@ -26,5 +26,22 @@ a6cce6be28fd8c451e54280aaa88bfcc wp-content/plugins/nextgen-gallery/products/pho
73e90cd5d7580cba2f599d39f9351865 wp-includes/functions.php 73e90cd5d7580cba2f599d39f9351865 wp-includes/functions.php
e9cf6421fe6afc7b724bf0372697e1c4 wp-includes/formatting.php -> (chr\(\d+\)\.){4,} e9cf6421fe6afc7b724bf0372697e1c4 wp-includes/formatting.php -> (chr\(\d+\)\.){4,}
eb034c991aee49aa232f6d50372f8b4a wp-content/themes/enfold/framework/php/function-set-avia-frontend.php -> (\$[a-z0-9]{3,}\[\d+\]\.){4,} eb034c991aee49aa232f6d50372f8b4a wp-content/themes/enfold/framework/php/function-set-avia-frontend.php -> (\$[a-z0-9]{3,}\[\d+\]\.){4,}
5311094f43c7252b22c71fd4dee43f03 wp-includes/formatting.php -> (chr\(\d+\)\.){4,} 5311094f43c7252b22c71fd4dee43f03 wp-includes/formatting.php -> (chr\(\d+\)\.){4,}
d2865536f339150ee54a81811ca80128 wp-includes/rss.php -> (\$[a-z0-9]{3,}\[\d+\]\.){4,} d2865536f339150ee54a81811ca80128 wp-includes/rss.php -> (\$[a-z0-9]{3,}\[\d+\]\.){4,}
279d3f9add6b50ccdb7e07803e713618 wp-content/plugins/wp-simple-firewall/src/common/googleauthenticator/googleauthenticator.php -> (chr\(\d+\)\.){4,}
1d1490c6c99b8ea03688428d8a22bb4a wp-content/plugins/wp-simple-firewall/src/features/firewall.php -> /etc/passwd
7b41326263c3868548a54d34eb595750 wp-content/plugins/google-calendar-events/vendor/mexitek/phpcolors/src/Mexitek/PHPColors/Color.php -> (\$[a-z0-9]{3,}\[\d+\]\.){4,}
f4e049f25bf7affcbf8d2cd99166d867 wp-includes/formatting.php -> (chr\(\d+\)\.){4,}
68cbd184451abe2a8427421125fd2d10 wp-includes/formatting.php -> (chr\(\d+\)\.){4,}
8268eaaad7d3dfa81480276500ffbf27 owncloud/apps/files_external/3rdparty/smb4php/smb.php -> /etc/passwd
fa38cd66e5affb09324ece9fdafde98b smarty/SmartyBC.class.php -> {\s*eval\s*\(\s*\$
0f48a8c36e1b295545c9d4232c398ea4 smarty/sysplugins/smarty_cacheresource_keyvaluestore.php -> eval("?>
ae98a8bb6651b95c5bcb1c9c2139610e smarty/sysplugins/smarty_internal_template.php -> eval("?>
dde809382f87ac708cbda79254a05cc1 smarty/sysplugins/smarty_cacheresource_custom.php -> eval("?>
2781a19943e9ba76d30143708d3dc04c smarty/sysplugins/smarty_internal_templatebase.php -> eval("?>
26f93373fd5f05bb3432e153e294c844 x5engine.php -> "base64_decode"
a74724b2a02b50afb0e71f78b7661a4c owncloud/3rdparty/OS/Guess.php -> uname -a
633af7bb3b31b39324bac96eca848668 owncloud/apps/files_external/3rdparty/smb4php/smb.php -> /etc/passwd
a74724b2a02b50afb0e71f78b7661a4c owncloud/3rdparty/OS/Guess.php -> uname -a
b3c71065cb5420e15a8bd1aeac63b00d owncloud/3rdparty/smb4php/smb.php -> /etc/passwd
f063d5b84d03538b85f05cde9aae8037 civicrm/packages/os/guess.php -> uname -a
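Review bot: The added entry `a74724b2a02b50afb0e71f78b7661a4c owncloud/3rdparty/OS/Guess.php -> uname -a` appears twice in this hunk (once near the middle of the new block and again two lines later); one of the two should be dropped so the whitelist stays a clean lookup set without silent duplicates. Keying each exception on the file hash as well as the path is the right shape here, since it ties the suppression to one exact file version rather than to any file at that path. A one-line header comment describing the `hash path -> pattern` format would also help, if the file format allows comments, since nothing in the visible lines documents it.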