Merge pull request #4 from nichogenius/master

Lots of Tweaks and Functionality Added
This commit is contained in:
Győrvári Gábor
2017-08-21 06:40:13 +02:00
committed by GitHub
10 changed files with 8287 additions and 331 deletions

View File

@@ -8,29 +8,73 @@ How to use?
-----------
```
$ php ./scan.php -h
Usage scan.php -d <directory> [-i=<directory|file>] [-e=.php] [--hide-ok] [--hide-whitelist]
-d Directory for searching
-e=.php Extension
-i=<directory|file> Directory of file to igonre
--hide-ok Hide OK aka not infected messages
--hide-whitelist Hide whitelisted messages
--extra-check Adds GoogleBot and htaccess to Scan List
--follow-symlink Follow symlinked directories
Usage: php scan.php -d <directory>
-h --help Show this help message
-d <directory> --directory Directory for searching
-e <file extension> --extension File Extension to Scan
-i <directory|file> --ignore Directory of file to ignore
-a --all-output Enables --checksum,--comment,--pattern,--time
-b --base64 Scan for base64 encoded PHP keywords
-m --checksum Display MD5 Hash/Checksum of file
-c --comment Display comments for matched patterns
-x --extra-check Adds GoogleBot and htaccess to Scan List
-l --follow-symlink Follow symlinked directories
-k --hide-ok Hide results with 'OK' status
-w --hide-whitelist Hide results with 'WL' status
-n --no-color Disable color mode
-s --no-stop Continue scanning file after first hit
-p --pattern Show Patterns next to the file name
-t --time Show time of last file change
```
Ignore argument could be used multiple times and accept glob style matching ex.: "cache*", "??-cache.php" or "/cache" etc.
Extension argument defaults to .php .
--base64 is an alternative scan mode which ignores the main pattern files and uses a large list of php keywords and functions that have been converted to base64. Slower and prone to false positives, but gives additional base64 scanning coverage. These pattern files are located in base64_patterns and were derived from php 7 keywords and functions. Not many PHP extensions are included.
--comment flag will display the last comment to appear in the pattern file before the matched pattern, so documenting the pattern files is important.
--pattern flag will display the pattern string that was matched.
Patterns
--------
There are two different pattern source, each line in these files is a patter so patterns_raw.txt lines searched as-is, patterns_re.txt used with preg_match function.
There are three main pattern files the cover different typtes of pattern matching. There is one pattern per line. All lines where the very first character is a '#' is considered a comment and not used as a pattern. Whitespace in the pattern files is not used.
-patterns_raw.txt -- Raw string matching
-patterns-iraw.txt -- Case insensitive raw string matching
-patterns-re.txt -- Regular expression matching.
Whitelisting
------------
See [whitelist.txt](https://github.com/scr34m/php-malware-scanner/blob/master/whitelist.txt) file for a predefined MD5 hash list. Only the first 32 characters are used, rest of the line ignored so feel free to leave a comment.
Tools
---------
-text2base64.py
Takes a plaintext string as input and returns 3 base64 string equivalents.
Python script that needs to be executed from the terminal to be used.
Marking as executable is required.
~$ chmod +x text2base64.py
It is worth noting that the presence of one of the three output strings in a block of text does not 100% guarantee that the string was
present in the original code. It is guaranteed that IF the subject string was present in the original code, then one of the three
output strings will be present in the base64 version.
usage:
./text2base64.py 'base64_decode'
YmFzZTY0X2RlY29kZ
Jhc2U2NF9kZWNvZG
iYXNlNjRfZGVjb2Rl
An example: The presence of 'YmFzZTY0X2RlY29kZ' does not guarantee that 'base64_decode' is in the plain text code.
It is guaranteed that IF 'base64_decode' was present in the plain text code, then one of these three base64 strings WILL be present.
The presence of 'YmFzZTY0X2RlY29kZ' in a block of code may be because 'ase64_decod' was in the original code.
Note the missing edge characters which is due to bit misalignments and character bleed.
Resources
---------
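Review bot: the pattern-file names in the new Patterns section do not agree with each other or with the code: the list reads `patterns_raw.txt`, `patterns-iraw.txt`, `patterns-re.txt` (underscore, then hyphens), while initializePatterns in scan.php loads `definitions/patterns_raw.txt`, `definitions/patterns_iraw.txt` and `definitions/patterns_re.txt`. Use the underscore names and mention the `definitions/` directory, otherwise someone adding a signature edits a file the scanner never reads. Same section: "three main pattern files the cover different typtes" should be "that cover different types", and the older sentence above it ("each line in these files is a patter so patterns_raw.txt lines searched as-is, patterns_re.txt used with preg_match") now duplicates the three-file list and should be folded into it. In the help text `-i` reads "Directory of file to ignore"; "Directory or file to ignore" is meant. The --base64 paragraph warns about false positives but should also say that only the first fingerprint hit per file is reported unless -s/--no-stop is given, since that is the flag a user tuning the base64 lists needs.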

File diff suppressed because it is too large


View File

@@ -0,0 +1,332 @@
# This is a list of php7 internal keywords and their 3 base64 fingerprints.
# Some patterns are too short to be useful with scan.php.
# All base64 patterns 3 characters or less have been commented out.
# This file should be ready to use in place of patterns_raw.txt
# Expect false positives and slow scan speeds.
# Use this pattern file on known malware to find new patterns.
# "__halt_compiler" in base64
X19oYWx0X2NvbXBpbGVy
9faGFsdF9jb21waWxlc
fX2hhbHRfY29tcGlsZX
# "abstract" in base64
YWJzdHJhY3
Fic3RyYWN0
hYnN0cmFjd
# "and" in base64
YW5k
#FuZ
#hbm
# "array" in base64
YXJyYX
FycmF5
hcnJhe
# "as" in base64
#YX
#Fz
#hc
# "break" in base64
YnJlYW
JyZWFr
icmVha
# "callable" in base64
Y2FsbGFibG
NhbGxhYmxl
jYWxsYWJsZ
# "case" in base64
Y2FzZ
Nhc2
jYXNl
# "catch" in base64
Y2F0Y2
NhdGNo
jYXRja
# "class" in base64
Y2xhc3
NsYXNz
jbGFzc
# "clone" in base64
Y2xvbm
Nsb25l
jbG9uZ
# "const" in base64
Y29uc3
NvbnN0
jb25zd
# "continue" in base64
Y29udGludW
NvbnRpbnVl
jb250aW51Z
# "declare" in base64
ZGVjbGFyZ
RlY2xhcm
kZWNsYXJl
# "default" in base64
ZGVmYXVsd
RlZmF1bH
kZWZhdWx0
# "die" in base64
ZGll
#RpZ
#kaW
# "do" in base64
#ZG
#Rv
#kb
# "echo" in base64
ZWNob
VjaG
lY2hv
# "else" in base64
ZWxzZ
Vsc2
lbHNl
# "elseif" in base64
ZWxzZWlm
Vsc2VpZ
lbHNlaW
# "empty" in base64
ZW1wdH
VtcHR5
lbXB0e
# "enddeclare" in base64
ZW5kZGVjbGFyZ
VuZGRlY2xhcm
lbmRkZWNsYXJl
# "endfor" in base64
ZW5kZm9y
VuZGZvc
lbmRmb3
# "endforeach" in base64
ZW5kZm9yZWFja
VuZGZvcmVhY2
lbmRmb3JlYWNo
# "endif" in base64
ZW5kaW
VuZGlm
lbmRpZ
# "endswitch" in base64
ZW5kc3dpdGNo
VuZHN3aXRja
lbmRzd2l0Y2
# "endwhile" in base64
ZW5kd2hpbG
VuZHdoaWxl
lbmR3aGlsZ
# "eval" in base64
ZXZhb
V2YW
ldmFs
# "exit" in base64
ZXhpd
V4aX
leGl0
# "extends" in base64
ZXh0ZW5kc
V4dGVuZH
leHRlbmRz
# "final" in base64
ZmluYW
ZpbmFs
maW5hb
# "for" in base64
Zm9y
#Zvc
#mb3
# "foreach" in base64
Zm9yZWFja
ZvcmVhY2
mb3JlYWNo
# "function" in base64
ZnVuY3Rpb2
Z1bmN0aW9u
mdW5jdGlvb
# "global" in base64
Z2xvYmFs
dsb2Jhb
nbG9iYW
# "goto" in base64
Z290b
dvdG
nb3Rv
# "if" in base64
#aW
#lm
#pZ
# "implements" in base64
aW1wbGVtZW50c
ltcGxlbWVudH
pbXBsZW1lbnRz
# "include" in base64
aW5jbHVkZ
luY2x1ZG
pbmNsdWRl
# "include_once" in base64
aW5jbHVkZV9vbmNl
luY2x1ZGVfb25jZ
pbmNsdWRlX29uY2
# "instanceof" in base64
aW5zdGFuY2VvZ
luc3RhbmNlb2
pbnN0YW5jZW9m
# "insteadof" in base64
aW5zdGVhZG9m
luc3RlYWRvZ
pbnN0ZWFkb2
# "interface" in base64
aW50ZXJmYWNl
ludGVyZmFjZ
pbnRlcmZhY2
# "isset" in base64
aXNzZX
lzc2V0
pc3Nld
# "list" in base64
bGlzd
xpc3
saXN0
# "namespace" in base64
bmFtZXNwYWNl
5hbWVzcGFjZ
uYW1lc3BhY2
# "new" in base64
bmV3
#5ld
#uZX
# "or" in base64
#b3
#9y
#vc
# "print" in base64
cHJpbn
ByaW50
wcmlud
# "private" in base64
cHJpdmF0Z
ByaXZhdG
wcml2YXRl
# "protected" in base64
cHJvdGVjdGVk
Byb3RlY3RlZ
wcm90ZWN0ZW
# "public" in base64
cHVibGlj
B1YmxpY
wdWJsaW
# "require" in base64
cmVxdWlyZ
JlcXVpcm
yZXF1aXJl
# "require_once" in base64
cmVxdWlyZV9vbmNl
JlcXVpcmVfb25jZ
yZXF1aXJlX29uY2
# "return" in base64
cmV0dXJu
JldHVyb
yZXR1cm
# "static" in base64
c3RhdGlj
N0YXRpY
zdGF0aW
# "switch" in base64
c3dpdGNo
N3aXRja
zd2l0Y2
# "throw" in base64
dGhyb3
Rocm93
0aHJvd
# "trait" in base64
dHJhaX
RyYWl0
0cmFpd
# "try" in base64
dHJ5
#Rye
#0cn
# "unset" in base64
dW5zZX
Vuc2V0
1bnNld
# "use" in base64
dXNl
#VzZ
#1c2
# "var" in base64
dmFy
#Zhc
#2YX
# "while" in base64
d2hpbG
doaWxl
3aGlsZ
# "xor" in base64
eG9y
#hvc
#4b3
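Review bot: the header says everything of 3 characters or less is commented out, but the file keeps a set of 4-character fingerprints (`YW5k` for "and", `Zm9y` for "for", `bmV3` for "new", `dXNl` for "use", `dmFy` for "var", `eG9y` for "xor", `ZGll` for "die", `dHJ5` for "try"). Four base64 characters encode exactly three bytes, so each of these is just the aligned encoding of a common English trigram and will fire on any base64 blob (an inline image, a font, a serialized object) that contains that trigram at that alignment; with first-match-wins in scan() such a hit also hides a more meaningful fingerprint further down the list. Raise the cut-off to 5 characters or comment out the 3-letter keywords entirely, and state the threshold actually used in the header. Minor: the header says the file is "ready to use in place of patterns_raw.txt", but it is selected by -b/--base64, not by swapping files.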

View File

@@ -0,0 +1,19 @@
#This file contains raw strings that will be matched case-insensitive.
#Comments and whitespace are possible, but comments must have '#' at the first character of the line.
#List of security service providers that phishers often block.
abovenet
avira
bitdefender
comodo
cyveillance
kaspersky
internap
mcafee
netcraft
oneandone
opendns
phishtank
sophos
surfright
symantec
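Review bot: a case-insensitive raw match on a bare vendor name fires on any legitimate file that merely mentions the vendor (a security plugin's README naming Kaspersky or Sophos, a hosting or CDN config referencing internap or abovenet), and for a file with no other indicator that is a false ER result with nothing in the output explaining it. The header comment should say what these strings are meant to catch (the vendor/scanner blocklists that phishing kits ship) and acknowledge the false-positive rate, so that --comment surfaces that context next to the hit; it also calls the list "security service providers" while abovenet, internap and oneandone are hosting providers. Consider gating this file behind -x/--extra-check, which already exists for the googleBot/htaccess heuristics of the same strength.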

View File

@@ -1,74 +1,215 @@
uname -a
/etc/shadow
/etc/passwd
WSOstripslashes
PD9waH
w/cGhw
8P3Boc
c3lzdGVt
N5c3Rlb
zeXN0ZW
\x73\x79\x73\x74\x65\x6d' /* case, dec/hex issue? */, // system
cmVwbGFjZ
JlcGxhY2
yZXBsYWNl
\x70\x72\x65\x67\x5f\x72\x65\x70\x6c\x61\x63\x65' /* case, dec/hex issue? */, // preg_replace
ZXhlYy
V4ZWMo
leGVjK
\x65\x78\x65\x63' /* dec/hex issue? */, // exec
='base'.(32*2).'_de'.'code'
"base64_decode"
YmFzZTY0X2RlY29kZ
Jhc2U2NF9kZWNvZG
iYXNlNjRfZGVjb2Rl
"p"."r"."e"."g"."_"
eval("?>
ev\x61l
\x65\166\x61\154\x28' /* dec/hex issue? */,
\x65\x76\x61\x6C' /* case, dec/hex issue? */,
ZXZhbC
V2YWwo
ldmFsK
'ev'.'al'.'
eval(base64_decode(
\x47\x4c\x4f\x42\x41LS
SFRUUF9VU0VSX0FHRU5U
hUVFBfVVNFUl9BR0VOV
IVFRQX1VTRVJfQUdFTl
YWxsb3dfdXJsX2ZvcGVu
FsbG93X3VybF9mb3Blb
hbGxvd191cmxfZm9wZW
${${
file_get_contents('http://codepad.org
PHPJiaMi
#Raw string patterns
#All strings in this file are case sensitive
#Comments are supported, but '#' must be the first character (index[0]) on the line.
#More critical patterns should be higher in the file as only the first pattern match is reported.
#Backdoor patterns
@eval($_POST['
Backdoor
@include($_GET[
system($_GET[
md5($_GET[
fwrite($fpsetv, getenv("HTTP_COOKIE")
system\"$cmd 1> /tmp/
#Web-Shell patterns
$sh3llColor
w4ck1ng shell
private Shell by m4rco
Shell by Mawar_Hitam
SHELL_PASSWORD
ConnectBackShell
ShellBOT
bgeteam
DisablePHP=
moban.html
== "bindshell"
#Remote Code
curl_get_from_webpage
file_get_contents('http://codepad.org
#Base64 String Samples. Each plain text string should have 3 base64 equivalents
# "shell" in base64
c2hlbG
NoZWxs
zaGVsb
# "<?php" in base64
PD9waH
w/cGhw
8P3Boc
# "stat" in base64
c3Rhd
N0YX
zdGF0
# "copy" in base64
Y29we
NvcH
jb3B5
# "chr" in base64
Y2hy
# "system" in base64
c3lzdGVt
N5c3Rlb
zeXN0ZW
# "replace" in base64
cmVwbGFjZ
JlcGxhY2
yZXBsYWNl
# "str_" in base64
c3RyX
N0cl
zdHJf
# "exec" in base64
ZXhlYy
V4ZWMo
leGVjK
# "echo" in base64
ZWNob
VjaG
lY2hv
# "function" in base64
ZnVuY3Rpb2
Z1bmN0aW9u
mdW5jdGlvb
# "include" in base64
aW5jbHVkZ
luY2x1ZG
pbmNsdWRl
# "require" in base64
cmVxdWlyZ
JlcXVpcm
yZXF1aXJl
# "base64" in base64
YmFzZTY0
Jhc2U2N
iYXNlNj
# "eval" in base64
ZXZhb
V2YW
ldmFs
# "HTTP_USER_AGENT" in base64
SFRUUF9VU0VSX0FHRU5U
hUVFBfVVNFUl9BR0VOV
IVFRQX1VTRVJfQUdFTl
# "file" in base64
ZmlsZ
ZpbG
maWxl
# "gzinflate" in base64
Z3ppbmZsYXRl
d6aW5mbGF0Z
nemluZmxhdG
# "open" in base64
b3Blb
9wZW
vcGVu
# "close" in base64
Y2xvc2
Nsb3Nl
jbG9zZ
# "array_" in base64
YXJyYXlf
FycmF5X
hcnJheV
# "cslashes" in base64
Y3NsYXNoZX
NzbGFzaGVz
jc2xhc2hlc
# "extract" in base64
ZXh0cmFjd
V4dHJhY3
leHRyYWN0
# "$_GET" in base64
JF9HRV
RfR0VU
kX0dFV
# "$_POST" in base64
JF9QT1NU
RfUE9TV
kX1BPU1
# "$_COOKIE" in base64
JF9DT09LSU
RfQ09PS0lF
kX0NPT0tJR
# "$_REQUEST" in base64
JF9SRVFVRVNU
RfUkVRVUVTV
kX1JFUVVFU1
# "GLOBALS" in base64
R0xPQkFMU
dMT0JBTF
HTE9CQUxT
# "sizeof" in base64
c2l6ZW9m
NpemVvZ
zaXplb2
# "printf" in base64
cHJpbnRm
ByaW50Z
wcmludG
# "define" in base64
ZGVmaW5l
RlZmluZ
kZWZpbm
# Obfuscation related code
eval("?>
"base64_decode"
='base'.(32*2).'_de'.'code'
"p"."r"."e"."g"."_"
WSOstripslashes
\x73\x79\x73\x74\x65\x6d' /* case, dec/hex issue? */, // system
\x70\x72\x65\x67\x5f\x72\x65\x70\x6c\x61\x63\x65' /* case, dec/hex issue? */, // preg_replace
\x65\x78\x65\x63' /* dec/hex issue? */, // exec
ev\x61l
\x65\166\x61\154\x28' /* dec/hex issue? */,
\x65\x76\x61\x6C' /* case, dec/hex issue? */,
'ev'.'al'.'
eval(base64_decode(
<?php eval
$data = base64_decode("
a,b,c,d,e,f,g
freetellafriend.com
SHELL_PASSWORD
curl_get_from_webpage
edoced_46esab
base=base64_encode
@x0powo
@preg_replace
1@1.com
META http-equiv="refresh" content="0;
="create_";global
YW55cmVzdWx0cy5uZX
FueXJlc3VsdHMubmV0
hbnlyZXN1bHRzLm5ld
ZOBUGTEL
cr"."eat"."e_fun"."cti"."on
gz'.'inf'.'late
# fopo.com.ar - free online php obfuscator. It conveniently leaves comments in the code.
http://www.fopo.com.ar/
#Malware/Attack specific strings/fingerprints/signatures
MagelangCyber
//rasta//
Baby_Drakon
Net@ddress Mail
Created By EMMA
3xp1r3
NinjaVirus Here
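Review bot: the lines in the "# Obfuscation related code" block that end in `' /* case, dec/hex issue? */, // system` (and the `// preg_replace`, `// exec` and two `/* dec/hex issue? */,` siblings) are PHP array-literal fragments, not patterns: loadPatterns treats only a leading `#` as a comment and trims the rest, so the stored needle is the entire line including `' /* case, dec/hex issue? */, // system`, which no file will ever contain. Keep only the escape sequence on the line (`\x73\x79\x73\x74\x65\x6d`) and move the remark to a `#` line above it. Related: loadPatterns keys the array by pattern, so a string listed twice (`SHELL_PASSWORD` under "#Web-Shell patterns" and again after "# Obfuscation related code", likewise `curl_get_from_webpage` under "#Remote Code" and again later) is stored once with whichever comment came last, so --comment mislabels it; dedupe the file. Also `Backdoor`, `a,b,c,d,e,f,g`, `@preg_replace` and `1@1.com` are generic enough to hit ordinary plugins, and under first-match-wins they outrank the more specific signatures placed after them.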
@@ -79,17 +220,66 @@ Zed0x
darkminz
ReaL_PuNiShEr
OoN_Boy
__VIEWSTATEENCRYPTED
M4ll3r
createFilesForInputOutput
Pashkela
== "bindshell"
Webcommander at
YENI3ERI
d3lete
Made by Delorean
R0lGODlhEwAQALMAAAAAAP///5ycAM7OY///nP//zv/OnPf39////wAAAAAA
Cybester90
K!LL3r
MrHazem
BY MMNBOBZ
Hackeado
bgeteam
VOBRA GANGO
Asmodeus
Cautam fisierele de configurare
BRUTEFORCING
FaTaLisTiCz_Fx Fx29Sh
DX_Header_drawn
Dr.abolalh
C0derz.com
Mr.HiTman
IrSecTeam
FLoodeR
eriuqer
zehirhacker
freetellafriend.com
casus15
temp_r57_table
By Psych0
c99ftpbrutecheck
d3b~X
profexor.hell
ZOBUGTEL
The Dark Raver
<kuku>
M4ll3r
itsoknoproblembro
tmhapbzcerff
IndoXploit
FaisaL Ahmed aka rEd X
#Miscellaneous
uname -a
/etc/shadow
/etc/passwd
\x47\x4c\x4f\x42\x41LS
${${
PHPJiaMi
DisablePHP=
moban.html
a,b,c,d,e,f,g
@x0powo
@preg_replace
1@1.com
META http-equiv="refresh" content="0;
="create_";global
Net@ddress Mail
__VIEWSTATEENCRYPTED
createFilesForInputOutput
R0lGODlhEwAQALMAAAAAAP///5ycAM7OY///nP//zv/OnPf39////wAAAAAA
ayu pr1 pr2 pr3 pr4 pr5 pr6
f0VMRgEBAQA
0d0a0d0a676c6f62616c20246d795f736d7
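Review bot: moving `uname -a`, `/etc/shadow`, `/etc/passwd`, `@preg_replace` and `1@1.com` into a trailing "#Miscellaneous" block is the right call under first-match-wins, but nothing in the file or README marks them as low-confidence: any deployment script, system-info plugin or user-lookup helper contains `/etc/passwd`, and `@preg_replace` is just a suppressed call. Put a `#` comment above the block saying so (the --comment flag then shows it beside the hit) and consider gating the three system strings behind -x/--extra-check next to googleBot and htaccess. `f0VMRgEBAQA` (the base64 form of an ELF header) and the hex string `0d0a0d0a676c6f62616c20246d795f736d7` deserve the same "# ... in base64" style comment the section above uses, since neither is recognisable on sight and an analyst reading the output has no way to know what they decode to.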
@@ -97,78 +287,39 @@ etalfnizg
JHZpc2l0Y291bnQgPSAkSFRUUF9DT09LSUVf
R2aXNpdGNvdW50ID0gJEhUVFBfQ09PS0lFX
kdmlzaXRjb3VudCA9ICRIVFRQX0NPT0tJRV
edoced_46esab
VOBRA GANGO
itsoknoproblembro
HTTP flood complete after
exploitcookie
az88pix00q98
The Dark Raver
Q3JlZGl0IDogVW5kZXJncm91bmQgRGV2aWwgJm5ic3A7ICB8DQo8YSBocmVmP
463839610c000b00800100ffffffffffff21f90401000001002c000
AAAAAAAAMAAwABAAAAeAUAADQAAADsCQAAAAAAADQAIAADACgAFwAUAAEA
HJ3HjutckoRfpXf9A1zQO2AwDRrRey9uGvTeez79qAao1a0rgudkZkR8Ra
Ly83MTg3OWQyMTJkYzhjYmY0ZDRmZDA0NGEzZDE3Zjk3ZmI2N
DJ7VIU7RICXr6sEEV2cBtHDSOe9nVdpEGhEmvRVRNURfw1wQ
Asmodeus
Cautam fisierele de configurare
BRUTEFORCING
FaTaLisTiCz_Fx Fx29Sh
w4ck1ng shell
private Shell by m4rco
Shell by Mawar_Hitam
LS0gRHVtcDNkIGJ5IFBpcnVsaW4uUEhQIFdlYnNoM2xsIHYxLjAgYzBkZWQgYnkgcjBkcjEgOkw\=
5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigk
X1NFU1NJT05bJ3R4dGF1dGhpbiddID0gdHJ1ZTsNCiAgICBpZiAoJF9QT1NUWydybSddKSB7DQogICAgICBzZXRjb29raWUoJ3R4dGF1dGhfJy4kcm1ncm91cCwgbW
zehirhacker
R0lGODlhFAAUAKIAAAAAAP///93d3cDAwIaGhgQEBP///wAAACH5BAEAAAYALAAAAAAUABQAA
m91dCwgJGVvdXQpOw0Kc2VsZWN0KCRyb3V0ID0gJHJpbiwgdW5kZWYsICRlb3V0ID0gJHJpbiwgMTIwKTsNCmlmICghJHJvdXQgICYmICAhJGVvdX
CB2aTZpIDEwMjQtDQojLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ0KI3JlcXVp
DX_Header_drawn
BDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAAQABADASIAAhEBA
casus15
temp_r57_table
By Psych0
c99ftpbrutecheck
K!LL3r
MrHazem
BY MMNBOBZ
ConnectBackShell
Hackeado
d3b~X
REREFER_PTTH
Joomla_brute_Force
/usr/sbin/httpd
tmhapbzcerff
IrSecTeam
Spammer
FLoodeR
eriuqer
sshkeys
<kuku>
Backdoor
eggdrop
rwxrwxrwx
profexor.hell
GIF89A;<?php
$sh3llColor
fwrite($fpsetv, getenv("HTTP_COOKIE")
putbot $bot
bind join - *
privmsg $chan
fopen('/etc/passwd
\u003c\u0069\u006d\u0067\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f
\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd
find / \-type f \-name \.htpasswd
find / \-type f \-perm \-02000 \-ls
find / \-type f \-perm \-04000 \-ls
if(''==($df=@ini_get('disable_functions
system\"$cmd 1> /tmp/
ncftpput -u
wsoEx(
WSOsetcookie(
Dr.abolalh
C0derz.com
Mr.HiTman
\x47\x4c\x4f\x42\x41\x4c\x53
@eval($_POST['
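Review bot: this hunk shrinks the tail of the file from 78 lines to 39, and the commit message ("Lots of Tweaks and Functionality Added") does not say which fingerprints were dropped or why; a signature file losing entries is a detection regression that never shows up in scan output, so list the removals in the commit message or a changelog. Several of the lines shown here could never have matched as raw strings in the first place because they carry regex-style escapes (`find / \-type f \-perm \-04000 \-ls`, `find / \-type f \-name \.htpasswd`, the trailing `\=` on the `LS0gRHVtcDNk...` line): strpos searches for the literal backslashes. If that is why they went, re-adding them unescaped to patterns_raw.txt, or as-is to patterns_re.txt, keeps the coverage.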

View File

@@ -0,0 +1,68 @@
#eval /* */
eval\/\*[a-z0-9]+\*\/
#
eval\([a-z0-9]{4,}\(\$[a-z0-9]{4,}, \$[0-9a-z]{4,}\)\);
#
(chr\(\d+\^\d+\)\.){4,}
#
(\$[a-z0-9]{3,}\[\d+\]\.){4,}
#
chr\(\d+\)\.""\.""\.""\.""\.""
#
\$GLOBALS\[\$GLOBALS['[a-z0-9]{4,}'\]\[\d+\]\.\$GLOBALS\['[a-z-0-9]{4,}'\]\[\d+\].
#
\$GLOBALS\['[a-z0-9]{5,}'\] = \$[a-z]+\d+\[\d+\]\.\$[a-z]+\d+\[\d+\]\.\$[a-z]+\d+\[\d+\]\.\$[a-z]+\d+\[\d+\]\.
#
eval\([a-z0-9_]+\(base64_decode\(
#
\$[a-z]{3,}=\$[a-z]{3,}\("",\$[a-z]{3,}\);\$[a-z]{3,}\(\);
#
{\s*eval\s*\(\s*\$
#
Googlebot['"]{0,1}\s*\)\){echo\s+file_get_contents
#execute base64 code
eVaL\(\s*trim\(\s*baSe64_deCoDe\(
#
if\s*\(\s*mail\s*\(\s*\$mails\[\$i\]\s*,\s*\$tema\s*,\s*base64_encode\s*\(\s*\$text
# Write HTTP Request to File
fwrite\s*\(\s*\$fh\s*,\s*stripslashes\s*\(\s*@*\$_(GET|POST|SERVER|COOKIE|REQUEST)\[
# Download Remote Code
echo\s+file_get_contents\s*\(\s*base64_url_decode\s*\(\s*@*\$_(GET|POST|SERVER|COOKIE|REQUEST)
# 'eval' in ascii chr() chars
chr\s*\(\s*101\s*\)\s*\.\s*chr\s*\(\s*118\s*\)\s*\.\s*chr\s*\(\s*97\s*\)\s*\.\s*chr\s*\(\s*108\s*\)
#
(\$OOO_O_000_\{\d+\}.){3,}
#Detects the '_' character encoded in a string like "\x5F". '_' is present in many functions that malware would want to hide.
# '_' as "\x5f"
\\[Xx](5[Ff])
#Detects the '_' character placed inside a call to the 'chr()' function
# '_' as 'chr(95)' or 'chr(0x5f)'
chr\s*\(\s*['"]?\s*((95)|(0[Xx]5[Ff]))\s*['"]?\s*\)
#Detects generic base64 strings longer than 260 characters enclosed in quotes ending with 0-3 '=' chars.
#260 was a threshold chosen because strings of 256 characters are common enough. Might increase later to reduce false positives.
#Long base64 quoted string.
['"][A-Za-z0-9+\/]{260,}={0,3}['"]
#Detects long single lines contained within PHP tags.
#We can increase from 1100 later if we need to.
#Long single line of PHP.
^.*<\?php.{1100,}\?>.*$
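Review bot: `\\[Xx](5[Ff])` matches the escape `\x5f` wherever it occurs, and legitimate code emits it routinely (hex-escaping serializers, minified bundles, test fixtures), so as written it outranks every more specific pattern below it under first-match-wins; either tie it to the function-name context the comment describes or move it to the end of the file. The "Long base64 quoted string" pattern `['"][A-Za-z0-9+\/]{260,}={0,3}['"]` fires on inline images, fonts and PEM bodies, which the comment should admit. The `^.*<\?php.{1100,}\?>.*$` rule works only because scanFunc_RE wraps patterns as `/.../im` without `s`, so `.` stops at a newline; say so in the header, because the "Patterns will match multiple lines" comment on scanFunc_RE invites an author to assume the opposite. Also worth a header line: an unescaped `/` in a pattern breaks the generated regex (this file relies on authors remembering `\/`).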

View File

@@ -1,18 +0,0 @@
eval\/\*[a-z0-9]+\*\/
eval\([a-z0-9]{4,}\(\$[a-z0-9]{4,}, \$[0-9a-z]{4,}\)\);
(chr\(\d+\)\.){4,}
(chr\(\d+\^\d+\)\.){4,}
(\$[a-z0-9]{3,}\[\d+\]\.){4,}
chr\(\d+\)\.""\.""\.""\.""\.""
\$GLOBALS\[\$GLOBALS['[a-z0-9]{4,}'\]\[\d+\]\.\$GLOBALS\['[a-z-0-9]{4,}'\]\[\d+\].
\$GLOBALS\['[a-z0-9]{5,}'\] = \$[a-z]+\d+\[\d+\]\.\$[a-z]+\d+\[\d+\]\.\$[a-z]+\d+\[\d+\]\.\$[a-z]+\d+\[\d+\]\.
eval\([a-z0-9_]+\(base64_decode\(
\$[a-z]{3,}=\$[a-z]{3,}\("",\$[a-z]{3,}\);\$[a-z]{3,}\(\);
{\s*eval\s*\(\s*\$
Googlebot['"]{0,1}\s*\)\){echo\s+file_get_contents
eVaL\(\s*trim\(\s*baSe64_deCoDe\(
if\s*\(\s*mail\s*\(\s*\$mails\[\$i\]\s*,\s*\$tema\s*,\s*base64_encode\s*\(\s*\$text
fwrite\s*\(\s*\$fh\s*,\s*stripslashes\s*\(\s*@*\$_(GET|POST|SERVER|COOKIE|REQUEST)\[
echo\s+file_get_contents\s*\(\s*base64_url_decode\s*\(\s*@*\$_(GET|POST|SERVER|COOKIE|REQUEST)
chr\s*\(\s*101\s*\)\s*\.\s*chr\s*\(\s*118\s*\)\s*\.\s*chr\s*\(\s*97\s*\)\s*\.\s*chr\s*\(\s*108\s*\)
(\$OOO_O_000_\{\d+\}.){3,}
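Review bot: `(chr\(\d+\)\.){4,}` (third line of the deleted file) has no counterpart in the new definitions/patterns_re.txt, which keeps only the `\^` variant `(chr\(\d+\^\d+\)\.){4,}`; chains of plain `chr(N).chr(N).` are at least as common an obfuscation as the XOR form, so this looks like an accidental loss during the move. If it was dropped on purpose for false positives, say so in the commit message; otherwise restore it with a `#` comment like its neighbours.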

scan.php
View File

@@ -18,74 +18,138 @@
class MalwareScanner
{
const ANSI_GREEN = "\033[32m";
const ANSI_RED = "\033[31m";
const ANSI_YELLOW = "\033[33m";
const ANSI_OFF = "\033[0m";
//Pretty Colors
private $ANSI_GREEN = "\033[32m";
private $ANSI_RED = "\033[31m";
private $ANSI_YELLOW = "\033[33m";
private $ANSI_BLUE = "\033[36m";
private $ANSI_OFF = "\033[0m";
private $extension = '.php';
private $flagHideOk = false;
private $dir = '';
private $extension = '.php';
private $flagBase64 = false;
private $flagChecksum = false;
private $flagComments = false;
private $flagHideOk = false;
private $flagHideWhitelist = false;
private $extraCheck = false;
private $whitelist = array();
private $ignore = array();
private $stat = array(
'directories' => 0,
'files_scanned' => 0,
'files_infected' => 0,
);
private $flagNoStop = false;
private $flagPattern = false;
private $flagTime = false;
private $extraCheck = false;
private $whitelist = array();
private $ignore = array();
private $stat = array(
'directories' => 0,
'files_scanned' => 0,
'files_infected' => 0,
);
private $followSymlink = false;
//Pattern File Attributes
private $patterns_raw = array();
private $patterns_iraw = array();
private $patterns_re = array();
private $patterns_b64functions = array();
private $patterns_b64keywords = array();
//Constructor - Likes to do as little as possible.
public function __construct()
{
$options = getopt('hd:e::i::', array('hide-ok', 'hide-whitelist', 'extra-check', 'follow-symlink'));
if (isset($options['h'])) {
$this->showHelp();
} else {
if (isset($options['e'])) {
$ext = $options['e'];
if ($ext[0] != '.') {
$ext = '.' . $ext;
}
$this->extension = strtolower($ext);
}
if (isset($options['i'])) {
$this->ignore = is_array($options['i']) ? $options['i'] : array($options['i']);
}
if (isset($options['hide-ok'])) {
$this->flagHideOk = true;
}
if (isset($options['hide-whitelist'])) {
$this->flagHideWhitelist = true;
}
if (isset($options['extra-check'])) {
$this->extraCheck = true;
}
if (isset($options['follow-symlink'])) {
$this->followSymlink = true;
}
if (isset($options['d'])) {
$this->run($options['d']);
} else {
$this->out(MalwareScanner::ANSI_RED, 'ER', 'No directory specified');
$this->showHelp();
}
}
//Read Run Options
$this->parseArgs();
//Initiate Scan
$this->run($this->dir);
}
public function run($dir)
//Allows the -n/--no-color flag to easily remove color characters.
private function disableColor()
{
$dir = rtrim($dir, '/');
if (!is_dir($dir)) {
$this->out(self::ANSI_RED, 'ER', 'Specified path is not a directory: ' . $dir);
exit(-1);
}
$start = time();
$this->loadWhitelist();
$this->process($dir . '/');
$this->report($start, $dir . '/');
$this->ANSI_GREEN = '';
$this->ANSI_RED = '';
$this->ANSI_YELLOW = '';
$this->ANSI_BLUE = '';
$this->ANSI_OFF = '';
}
//Prints the passed 'string' in red text, calls showHelp().
//Exits
private function error($msg)
{
echo $this->ANSI_RED . 'Error: ' . $msg . $this->ANSI_OFF . PHP_EOL;
$this->showHelp();
echo PHP_EOL . $this->ANSI_RED . 'Quiting' . PHP_EOL;
exit(-1);
}
//Handles pattern loading and saving to the class object
private function initializePatterns()
{
//Loads either the primary scanning patterns or the base64 patterns depending on -b/--base64 flag
if (!$this->flagBase64) {
$this->patterns_raw = $this->loadPatterns(dirname(__FILE__) . '/definitions/patterns_raw.txt');
$this->patterns_iraw = $this->loadPatterns(dirname(__FILE__) . '/definitions/patterns_iraw.txt');
$this->patterns_re = $this->loadPatterns(dirname(__FILE__) . '/definitions/patterns_re.txt');
}
else {
$this->patterns_b64functions = $this->loadPatterns(dirname(__FILE__). '/base64_patterns/php_functions.txt');
$this->patterns_b64keywords = $this->loadPatterns(dirname(__FILE__). '/base64_patterns/php_keywords.txt');
}
//Adds additional checks to patterns_raw
//This may be something to move into a pattern file rather than leave hardcoded.
if ($this->extraCheck) {
$this->patterns_raw['googleBot'] = '# ';
$this->patterns_raw['htaccess'] = '# ';
}
}
//Check if the md5 checksum exists in the whitelist and returns true if it does.
private function inWhitelist($hash)
{
return in_array($hash, $this->whitelist);
}
//Check if -i/--ignore flag listed this path to be omitted.
private function isIgnored($pathname)
{
foreach ($this->ignore as $pattern) {
$match = $this->pathMatches($pathname, $pattern);
if ($match) {
return true;
}
}
return false;
}
//Loads individual pattern files
//Skips blank linese
//Stores most recent comment with the pattern in the list[] array
//Returns an array of patterns:comments in key:value pairs
private function loadPatterns($file)
{
$last_comment = '';
$list = array();
if (is_readable($file)) {
foreach (file($file) as $pattern) {
//Check if the line is only whitespace and skips.
if (strlen(trim($pattern)) == 0) {
continue;
}
//Check if first char in pattern is a '#' which indicates a comment and skips.
//Stores the comment to be stored with the pattern in the list as key:value pairs.
//The pattern is the key and the comment is the value.
if ($pattern[0] === '#') {
$last_comment = $pattern;
continue;
}
$list[trim($pattern)] = trim($last_comment);
}
}
return $list;
}
//Loads the whitelist file
private function loadWhitelist()
{
if (!is_file(__DIR__ . '/whitelist.txt')) {
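Review bot: loadPatterns returns an empty array when the file is missing or unreadable and initializePatterns never checks for that, so a run from a checkout without the `definitions/` directory, or with a typo in one of the three paths, reports every file as OK with no warning. Call error() when a pattern file cannot be read or yields zero patterns, and print the loaded pattern counts in report() so the operator can see what was actually applied. Smaller point in loadPatterns: storing the pattern as the array key (`$list[trim($pattern)] = trim($last_comment);`) turns a digit-only line into an integer key, and strpos/stripos with an int needle is interpreted as a character code on PHP 7 (removed in PHP 8); store `array($pattern, $comment)` as the value instead, or cast the key back to string in scanLoop. Typos: "Quiting" in error(), "linese" in the loadPatterns comment.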
@@ -98,11 +162,187 @@ class MalwareScanner
}
}
private function inWhitelist($hash)
//Handles the getopt() function call, sets attributes according to flags.
//All flag handling stuff should be setup here.
private function parseArgs()
{
return in_array($hash, $this->whitelist);
$options = getopt( 'd:e:i:abmcxlhkwnspt',
array(
'directory:',
'extension:',
'ignore:',
'all-output',
'base',
'checksum',
'comment',
'extra-check',
'follow-link',
'help',
'hide-ok',
'hide-whitelist',
'no-color',
'no-stop',
'pattern',
'time'
));
//Help Option should be first
if (isset($options['help']) || isset($options['h'])) {
$this->showHelp();
exit;
}
//Options that Require Additional Parameters
if (isset($options['directory']) || isset($options['d'])) {
$this->dir = isset($options['directory']) ? $options['directory'] : $options['d'];
}
if (isset($options['extension']) || isset($options['e'])) {
$ext = isset($options['extension']) ? $options['extension'] : $options['e'];
if ($ext[0] != '.') {
$ext = '.' . $ext;
}
$this->extension = strtolower($ext);
}
if (isset($options['ignore']) || isset($options['i'])) {
$tmp = isset($options['ignore']) ? $options['ignore'] : $options['i'];
$this->ignore = is_array($tmp) ? $tmp : array($tmp);
}
//Simple Flag Options
if (isset($options['all-output']) || isset($options['a'])) {
$this->flagChecksum = true; $this->flagComments = true; $this->flagPattern = true; $this->flagTime = true;
}
if (isset($options['base64']) || isset($options['b'])) {
$this->flagBase64 = true;
}
if (isset($options['checksum']) || isset($options['m'])) {
$this->flagChecksum = true;
}
if (isset($options['comment']) || isset($options['c'])) {
$this->flagComments = true;
}
if (isset($options['extra-check']) || isset($options['x'])) {
$this->extraCheck = true;
}
if (isset($options['follow-symlink']) || isset($options['l'])) {
$this->followSymlink = true;
}
if (isset($options['hide-ok']) || isset($options['k'])) {
$this->flagHideOk = true;
}
if (isset($options['hide-whitelist']) || isset($options['w'])) {
$this->flagHideWhitelist = true;
}
if (isset($options['no-color']) || isset($options['n'])) {
$this->disableColor();
}
if (isset($options['no-stop']) || isset($options['s'])) {
$this->flagNoStop = true;
}
if (isset($options['pattern']) || isset($options['p'])) {
$this->flagPattern = true;
}
if (isset($options['time']) || isset($options['t'])) {
$this->flagTime = true;
}
}
// @see http://stackoverflow.com/a/13914119
private function pathMatches($path, $pattern, $ignoreCase = false)
{
$expr = preg_replace_callback(
'/[\\\\^$.[\\]|()?*+{}\\-\\/]/',
function ($matches) {
switch ($matches[0]) {
case '*':
return '.*';
case '?':
return '.';
default:
return '\\' . $matches[0];
}
},
$pattern
);
$expr = '/' . $expr . '/';
if ($ignoreCase) {
$expr .= 'i';
}
return (bool)preg_match($expr, $path);
}
/*
Formats and prints the scan result output line by line.
Depending on specified options, it will print:
-Status code
-Last Modified Time
-MD5 Hash
-File Path
-Pattern Matched
-The last comment to appear in the pattern file before this pattern
*/
private function printPath(&$found, &$path, &$pattern, &$comment, &$hash)
{
$output_string = '# ';
//OK
if (!$found) {
if ($this->flagHideOk){return;}
$state = 'OK';
$hash = ' ';
$state_color = $this->ANSI_GREEN;
}
//WL
elseif ($this->inWhitelist($hash)) {
if ($this->flagHideWhitelist) {return;}
$state = 'WL';
$state_color = $this->ANSI_YELLOW;
}
//ER
else {
$state = 'ER';
$state_color = $this->ANSI_RED;
}
$output_string = $state_color . $output_string . $state . $this->ANSI_OFF . ' ';
//Include cTime
if ($this->flagTime) {
$changed_time = filectime($path);
$htime = date('H:i d-m-Y', $changed_time);
$output_string = $output_string . $this->ANSI_BLUE . $htime . $this->ANSI_OFF . ' ';
}
//Include Checksum/Hash
if ($this->flagChecksum) {
$output_string = $output_string . $this->ANSI_BLUE . $hash . $this->ANSI_OFF . ' ';
}
//Append Path
//'#' and {} included to prevent accidental script execution attempts
// in the event that script output is pasted into a root terminal
$opath = '# ' . '{' . $path . '}';
$output_string = $output_string . $opath . ' ';
//'#' added again as code snippets have the potential to be valid shell commands
if ($found) {
if ($this->flagPattern) {
$opatt = "# $pattern ";
$output_string = $output_string . $state_color . $opatt . $this->ANSI_OFF;
}
if ($this->flagComments) {
$output_string = $output_string . $this->ANSI_BLUE . $comment . $this->ANSI_OFF;
}
}
$output_string = $output_string . PHP_EOL;
echo $output_string;
}
//Recursively scales the file system.
//Calls the scan() function for each file found.
private function process($dir)
{
$dh = opendir($dir);
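Review bot: the long-option names registered with getopt do not match what parseArgs checks or what the help text documents: the array passes `'base'` and `'follow-link'`, while the code tests `isset($options['base64'])` and `isset($options['follow-symlink'])` and the README lists `--base64` and `--follow-symlink`. getopt drops unregistered long options silently, so `--base64` and `--follow-symlink` are no-ops and only `-b` and `-l` work; fix the two strings in the array. In printPath the timestamp comes from filectime(), which on Linux is the inode change time (it also moves on chmod/chown and is not reset by `touch -t`, which is useful for triage) rather than the content modification time the help text calls "time of last file change"; either switch to filemtime() or label the column ctime so an analyst comparing against file listings is not misled.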
@@ -132,6 +372,7 @@ class MalwareScanner
closedir($dh);
}
//Prints stats on the run.
private function report($start, $dir)
{
$end = time();
@@ -144,124 +385,136 @@ class MalwareScanner
echo 'Total malware identified: ' . $this->stat['files_infected'] . PHP_EOL;
}
private function loadPatterns($file)
{
$list = array();
if (is_readable($file)) {
foreach (file($file) as $pattern) {
$list[] = trim($pattern);
}
//Validates the input directory
//Calls the load pattern and load whitelist functions
//Calls the process and report functions.
private function run($dir)
{
//Make sure a directory was specified.
if ($this->dir === '') {
$this->error('No directory specified');
}
return $list;
//Make sure the input is a valid directory path.
$dir = rtrim($dir, '/');
if (!is_dir($dir)) {
$this->error('Specified path is not a directory: ' . $dir);
}
//Load Patterns
$this->initializePatterns();
//Load Whitelist
$this->loadWhitelist();
$start = time();
$this->process($dir . '/');
$this->report($start, $dir . '/');
}
//Loads target file contents for scanning
//Initiates the multiple scan types by calling the scanLoop function
private function scan($path)
{
$this->stat['files_scanned']++;
$fileContent = file_get_contents($path);
$found = false;
$hash = '';
$toSearch = '';
$patterns = $this->loadPatterns(dirname(__FILE__) . '/patterns_raw.txt');
if ($this->extraCheck) {
array_push($patterns, "googleBot", "htaccess");
$comment = '';
if (!$this->flagBase64) {
$this->scanLoop('scanFunc_STR', $fileContent, $this->patterns_raw, $path, $found, $hash);
$this->scanLoop('scanFunc_STRI', $fileContent, $this->patterns_iraw, $path, $found, $hash);
$this->scanLoop('scanFunc_RE', $fileContent, $this->patterns_re, $path, $found, $hash);
}
foreach ($patterns as $toSearch) {
$substrCount = substr_count($fileContent, $toSearch);
if ($substrCount > 0) {
$found = true;
break;
}
else {
$this->scanLoop('scanFunc_STR', $fileContent, $this->patterns_b64functions, $path, $found, $hash);
$this->scanLoop('scanFunc_STR', $fileContent, $this->patterns_b64keywords, $path, $found, $hash);
}
if (!$found) {
$patterns = $this->loadPatterns(dirname(__FILE__) . '/patterns_re.txt');
foreach ($patterns as $toSearch) {
if (preg_match('/' . $toSearch . '/is', $fileContent)) {
$found = true;
break;
}
}
}
if (!$found) {
if (!$this->flagHideOk) {
$this->out(self::ANSI_GREEN, 'OK', $path);
}
$this->printPath($found, $path, $toSearch, $comment, $hash);
return false;
}
// file hash is on whithelist hash then skip
$hash = md5($fileContent);
if ($found && $this->inWhitelist($hash)) {
if (!$this->flagHideWhitelist) {
$this->out(self::ANSI_YELLOW, 'WL', $path);
}
return false;
}
if ($found) {
$this->stat['files_infected']++;
$this->out(self::ANSI_RED, 'ER', $path . ' -> ' . $toSearch . ' ' . $hash);
}
$this->stat['files_infected']++;
return true;
}
private function isIgnored($pathname)
//Performs raw string, case sensitive matching.
//Returns true if the raw string exists in the file contents.
private function scanFunc_STR(&$pattern, &$content)
{
foreach ($this->ignore as $pattern) {
$match = $this->pathMatches($pathname, $pattern);
if ($match) {
return true;
return (strpos($content, $pattern) !== false);
}
//Performs raw string, case insensitive matching.
//Returns true if the raw string exists in the file contents, ignoring case.
private function scanFunc_STRI(&$pattern, &$content)
{
return (stripos($content, $pattern) !== false);
}
//Performs regular expression matching.
//Returns true if the Regular Expression matches something in the file.
//Patterns will match multiple lines, though you can use ^$ to match the beginning and end of a line.
private function scanFunc_RE(&$pattern, &$content)
{
return preg_match('/' . $pattern . '/im', $content);
}
//First parameter '$scanFunction' is a defined function name passed as a string.
//This function should accept a pattern string and a content string.
//This function will return true if the pattern exists in the content.
//See 'scanFunc_STR', 'scanFunc_STRI', 'scanFUNC_RE' above as examples.
//Loops through all patterns in a file using the passed function name to determine a match.
//Variables passed by reference for performance and modification access.
private function scanLoop($scanFunction, &$fileContent, &$patterns, &$path, &$found, &$hash)
{
if (!$found || $this->flagNoStop) {
foreach ($patterns as $pattern => $comment) {
//Call the function that is named in $scanFunction
//This allows multiple search/match functions to be used without duplicating the loop code.
if ($this->$scanFunction($pattern, $fileContent)) {
$found = true;
if ($hash === ''){$hash = md5($fileContent);}
$this->printPath($found, $path, $pattern, $comment, $hash);
if (!$this->flagNoStop){return;}
}
}
}
return false;
}
// @see http://stackoverflow.com/a/13914119
private function pathMatches($path, $pattern, $ignoreCase = false)
{
$expr = preg_replace_callback(
'/[\\\\^$.[\\]|()?*+{}\\-\\/]/',
function ($matches) {
switch ($matches[0]) {
case '*':
return '.*';
case '?':
return '.';
default:
return '\\' . $matches[0];
}
},
$pattern
);
$expr = '/' . $expr . '/';
if ($ignoreCase) {
$expr .= 'i';
}
return (bool)preg_match($expr, $path);
}
private function out($color, $serv, $text)
{
echo $color . ' ' . $serv . ' ' . self::ANSI_OFF . $text . PHP_EOL;
}
//Prints out the usage menu options.
private function showHelp()
{
echo 'Usage scan.php -d <directory> [-i=<directory|file>] [-e=.php] [--hide-ok] [--hide-whitelist]' . PHP_EOL;
echo ' -d Directory for searching' . PHP_EOL;
echo ' -e=.php Extension' . PHP_EOL;
echo ' -i=<directory|file> Directory of file to igonre' . PHP_EOL;
echo ' --hide-ok Hide OK aka not infected messages' . PHP_EOL;
echo ' --hide-whitelist Hide whitelisted messages' . PHP_EOL;
echo ' --extra-check Adds GoogleBot and htaccess to Scan List' . PHP_EOL;
echo ' --follow-symlink Follow symlinked directories' . PHP_EOL;
echo 'Usage: php scan.php -d <directory>' . PHP_EOL;
echo ' -h --help Show this help message' . PHP_EOL;
echo ' -d <directory> --directory Directory for searching' . PHP_EOL;
echo ' -e <file extension> --extension File Extension to Scan' . PHP_EOL;
echo ' -i <directory|file> --ignore Directory of file to ignore' . PHP_EOL;
echo ' -a --all-output Enables --checksum,--comment,--pattern,--time' . PHP_EOL;
echo ' -b --base64 Scan for base64 encoded PHP keywords' . PHP_EOL;
echo ' -m --checksum Display MD5 Hash/Checksum of file' . PHP_EOL;
echo ' -c --comment Display comments for matched patterns' . PHP_EOL;
echo ' -x --extra-check Adds GoogleBot and htaccess to Scan List' . PHP_EOL;
echo ' -l --follow-symlink Follow symlinked directories' . PHP_EOL;
echo ' -k --hide-ok Hide results with \'OK\' status' . PHP_EOL;
echo ' -w --hide-whitelist Hide results with \'WL\' status' . PHP_EOL;
echo ' -n --no-color Disable color mode' . PHP_EOL;
echo ' -s --no-stop Continue scanning file after first hit' . PHP_EOL;
echo ' -p --pattern Show Patterns next to the file name' . PHP_EOL;
echo ' -t --time Show time of last file change' . PHP_EOL;
}
}
//Creates a new MalwareScanner object which does all the work.
new MalwareScanner();
?>
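Review bot: scanFunc_RE compiles each entry as '/' . $pattern . '/im', while the per-pattern loop it replaces used '/' . $toSearch . '/is', so '.' no longer spans line breaks; the comment just above it ("Patterns will match multiple lines, though you can use ^$ ...") describes the old behaviour, so either keep the 's' flag (e.g. '/ims') or reword the comment. In the same region: a pattern containing an unescaped '/' (or any other compile error) makes preg_match() return false with a PHP warning, which scanLoop() silently treats as "no match", so it would be safer to validate patterns once when they are loaded rather than on every file; in the "if (!$found)" branch the call `$this->printPath($found, $path, $toSearch, $comment, $hash);` uses $toSearch and $comment, which the removed foreach loops defined but the new scanLoop() calls do not, so they are undefined here unless initialised earlier in scanFile(); the early `return;` in scanLoop() after a hit returns null where the function otherwise returns false, so either drop the trailing `return false;` or return a consistent value; and the comment "See 'scanFunc_STR', 'scanFunc_STRI', 'scanFUNC_RE' above" should read 'scanFunc_RE'. The old comment "file hash is on whithelist hash" also has a typo ("whitelist") if that line survives the merge.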

tools/text2base64.py Normal file

@@ -0,0 +1,71 @@
#!/usr/bin/env python
#Takes a string as an argument and returns 3 base64 encoded string partials.
#One of these strings is guaranteed to be present in the base64 content if
#the original plain-text code contained the (case-sensitive) input string.
#Due to the 8 bit to 6 bit encoding conversion involved in base64 encoding,
#the edges don't always align nicely, so trimming is required as the first
#and last characters may be different depending on the immediate context.
from base64 import b64encode
import sys
def main(input):
L_offset = 0
R_offset = 3 - ((len(input) + L_offset) % 3)
if (R_offset == 3):
R_offset = 0
e1, e2, e3 = encode(input)
e1 = trim(e1, L_offset, R_offset)
L_offset += 1
R_offset = 3 - ((len(input) + L_offset) % 3)
if (R_offset == 3):
R_offset = 0
e2 = trim(e2, L_offset, R_offset)
L_offset += 1
R_offset = 3 - ((len(input) + L_offset) % 3)
if (R_offset == 3):
R_offset = 0
e3 = trim(e3, L_offset, R_offset)
print(e1)
print(e2)
print(e3)
def offset_2_chars(offset):
if (offset == 0):
return 0
elif (offset == 1):
return 2
else:
return 3
def trim(input, L_offset, R_offset):
input = trimL(input, L_offset)
input = trimR(input, R_offset)
return input
def trimL(input, offset):
left_cut = offset_2_chars(offset)
return input[left_cut:]
def trimR(input, offset):
if (offset == 0):
return input
right_cut = offset_2_chars(offset)
return input[:-right_cut]
def encode(input):
e1 = b64encode(input)
e2 = b64encode('0' + input)
e3 = b64encode('00' + input)
return e1, e2, e3
if __name__ == '__main__':
main(sys.argv[1])
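Review bot: encode() only works under Python 2: on Python 3, sys.argv[1] is a str and b64encode() requires bytes, so `b64encode(input)` and `b64encode('0' + input)` raise TypeError, and the shebang `#!/usr/bin/env python` resolves to Python 3 on most current systems. Suggest encoding the argument once (`data = input.encode()`), prefixing with `b'0'` / `b'00'`, and decoding the results before trimming, which keeps the script working on both versions. Two smaller points: main() and the helpers shadow the built-in `input`, which is worth renaming, and the three identical "R_offset = 3 - ((len(input) + L_offset) % 3); if R_offset == 3: R_offset = 0" blocks in main() can be a single loop over L_offset in range(3) (or `(-(len(input) + L_offset)) % 3`, which already yields 0 instead of 3), which would also make the trimming rule easier to verify against the comment at the top.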


@@ -1,62 +1,62 @@