1.0.0 ... 1.0.4

Győrvári Gábor
46faa31c74 Merge pull request #52 from cbotsikas/fix-php-support
Use array() instead of the short array syntax []
2019-07-24 16:32:18 +02:00
Christos Botsikas
d67a865bf0 Use array() instead of the short array syntax []
Short array syntax [] was added in PHP 5.4 but the scanner should be able to work with [PHP >=5.2.0](https://github.com/scr34m/php-malware-scanner/blob/master/composer.json#L9).
2019-07-24 12:32:59 +02:00
Gabor Gyorvari
b290826f82 New option to disable statistics 2019-05-28 09:17:11 +02:00
Gabor Gyorvari
8030cec89f PR-47 comment and duplicate fix 2019-05-17 13:21:04 +02:00
Győrvári Gábor
9ec295f80d Merge pull request #47 from cconversion/master
Update patterns_raw.txt
2019-05-17 13:16:55 +02:00
cconversion
c1c71bd9ef Update patterns_raw.txt
Added WP-VCD Malware strings
2019-02-11 05:53:33 +11:00
4 changed files with 32 additions and 9 deletions


@@ -35,6 +35,7 @@ Usage: php scan.php -d <directory>
-o --output-format Custom defined output format
-j --wordpress-version Version of wordpress to get md5 signatures
--combined-whitelist Combined whitelist
--disable-stats Disable statistics output
```
Ignore argument could be used multiple times and accept glob style matching ex.: "`cache*`", "`??-cache.php`" or "`/cache`" etc.


@@ -261,6 +261,14 @@ tmhapbzcerff
IndoXploit
FaisaL Ahmed aka rEd X
# WP-VCD Malware https://www.getastra.com/blog/911/how-to-fix-wp-vcd-backdoor-hack-in-wordpress-functions-php/
wp-vcd
class.theme-modules.php
wp-tmp.php
tmpcontentx
function wp_temp_setupx
derna.top/code.php
stripos($tmpcontent, $wp_auth_key)
#Miscellaneous
uname -a
@@ -362,4 +370,4 @@ ZeroByte
100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59
# JS escaped: String.fromCharCode(
83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40
83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40
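Review bot: The bare `wp-vcd` token is a short literal that also appears in clean-up tooling, security plugins and write-ups that mention this malware by name, so if the entries in patterns_raw.txt are applied as plain substring matches (the neighbouring `uname -a` entry suggests they are) it will flag benign files that merely talk about the infection. The longer entries `function wp_temp_setupx`, `tmpcontentx` and `stripos($tmpcontent, $wp_auth_key)` are specific to the dropped loader and carry the detection on their own, so the bare name could be kept only in the `# WP-VCD Malware` comment. I cannot tell from this page whether `class.theme-modules.php` and `wp-tmp.php` are also matched against file names rather than only file contents; if not, a note in the comment saying they are expected inside `include`/`require` lines of the loader would make the intent clear. The change in the second hunk at `83, 116, 114, …` appears to be whitespace-only.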


@@ -40,6 +40,7 @@ class MalwareScanner
private $flagLineNumber = false;
private $flagScanEverything = false;
private $flagCombinedWhitelist = false;
private $flagDisableStats = false;
private $outputFormat = '';
private $whitelist = array();
private $ignore = array();
@@ -230,7 +231,8 @@ class MalwareScanner
'output-format:',
'wordpress-version:',
'scan-everything',
'combined-whitelist'
'combined-whitelist',
'disable-stats'
)
);
@@ -313,6 +315,9 @@ class MalwareScanner
if (isset($options['combined-whitelist'])) {
$this->setFlagCombinedWhitelist(true);
}
if (isset($options['disable-stats'])) {
$this->setFlagDisableStats(true);
}
}
public function setExtensions(array $a)
@@ -401,6 +406,11 @@ class MalwareScanner
$this->flagCombinedWhitelist = $b;
}
public function setFlagDisableStats($b)
{
$this->flagDisableStats = $b;
}
// @see http://stackoverflow.com/a/13914119
private function pathMatches($path, $pattern, $ignoreCase = false)
{
@@ -501,7 +511,7 @@ class MalwareScanner
}
if ($this->outputFormat) {
$map = [
$map = array(
'%S' => $state,
'%T' => $ctime,
'%M' => $hash,
@@ -509,9 +519,9 @@ class MalwareScanner
'%P' => $pattern,
'%C' => $comment,
'%L' => $lineNumber,
];
);
} else {
$map = [
$map = array(
'%S' => $state_color . '# ' . $state . $this->ANSI_OFF,
'%T' => $this->ANSI_BLUE . $ctime . $this->ANSI_OFF,
'%M' => $this->ANSI_BLUE . $hash . $this->ANSI_OFF,
@@ -519,7 +529,7 @@ class MalwareScanner
'%P' => $state_color . '#' . $pattern . $this->ANSI_OFF,
'%C' => $this->ANSI_BLUE . $comment . $this->ANSI_OFF,
'%L' => $lineNumber,
];
);
}
if ($this->outputFormat) {
@@ -604,7 +614,9 @@ class MalwareScanner
$start = time();
$this->process($dir . '/');
$this->report($start, $dir . '/');
if (!$this->flagDisableStats) {
$this->report($start, $dir . '/');
}
return true;
}
@@ -757,7 +769,7 @@ class MalwareScanner
}
$content = gzdecode(file_get_contents($file));
$this->combined_whitelist = [];
$this->combined_whitelist = array();
$this->combined_whitelist_count = 0;
foreach (explode("\n", $content) as $line) { // faster than strtok, but needs more memory
if ($line) {
@@ -795,6 +807,7 @@ class MalwareScanner
echo ' -o --output-format Custom defined output format' . PHP_EOL;
echo ' -j --wordpress-version Version of wordpress to get md5 signatures' . PHP_EOL;
echo ' --combined-whitelist Combined whitelist' . PHP_EOL;
echo ' --disable-stats Disable statistics output' . PHP_EOL;
}
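Review bot: Guarding `$this->report($start, $dir . '/')` behind `!$this->flagDisableStats` suppresses what is presumably the end-of-run summary, but the enclosing method still ends in an unconditional `return true;` whatever the scan found, so a caller that disables the statistics precisely to script the scanner is left with no machine-readable signal about detections; the hunk does not show enough of that method to propose the exact change, but returning or exposing whether any file was flagged would close that gap. The new setter follows its siblings in storing the argument unchecked; `$this->flagDisableStats = (bool) $b;` with a one-line docblock such as `/** Suppress the end-of-run statistics printed by report(). */` keeps the flag strictly boolean and documents what it controls. The method containing the guarded `report()` call starts before the hunk.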


@@ -15,6 +15,7 @@ function fetch($url, $file = false)
$headers = array(
// drupal suxx
'Cookie: pxvid=44e1b040-4dde-11e8-b1dc-f15e898556c7; _ga=GA1.2.2042202377.1525247839; _gat=1; _gid=GA1.2.1601332121.1550831838; _px2=eyJ1IjoiZDM3OTk1MDAtMzY4ZC0xMWU5LWI3MDItYTdlMDI1ZWZhZmI2IiwidiI6IjQ0ZTFiMDQwLTRkZGUtMTFlOC1iMWRjLWYxNWU4OTg1NTZjNyIsInQiOjE1NTA4MzIxMzc5MjcsImgiOiJjMjBhNTQzNGIxYWQwNWFiOWUzNTI2OWRjNTM1MjgzNjkxNzg5OTIxNGM4YmIzZDBkZTg5ZTIxMzY0NTc5Zjk3In0=; has_js=1; _pxvid=44e1b040-4dde-11e8-b1dc-f15e898556c7',
'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15',
);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
@@ -89,7 +90,7 @@ function fetch_jquery($fp)
foreach ($m[1] as $k => $file) {
if (!is_cached($file)) {
echo 'Downloading: ' . 'https://code.jquery.com/' . $file . PHP_EOL;
$data = fetch('https://code.jquery.com/' . $file);
$data = fetch('https://code.jquery.com/' . $file) . PHP_EOL;
if (base64_encode(hash('sha256', $data, true)) != $m[2][$k]) {
die('Hash mismatch' . PHP_EOL);
}
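Review bot: Appending `PHP_EOL` to the downloaded body before hashing makes the integrity check platform-dependent: `PHP_EOL` is `"\r\n"` on Windows, so the SHA-256 can never equal the published digest there and the script dies with `Hash mismatch`; if the intent is to restore a trailing newline the fetched body lacks, append the literal byte instead, `$data = fetch('https://code.jquery.com/' . $file) . "\n";`. If `fetch()` can return `false` on a failed download, the concatenation turns that into the one-byte string `"\n"` and the failure surfaces only as a hash mismatch rather than an explicit download error, so a `=== false` check before the hash would make the cause visible. The comparison on the line below uses loose `!=`; `!==` is the convention and avoids PHP's numeric-string coercion rules even though base64 digests are unlikely to trigger them. fetch_jquery continues outside the hunk.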