4 Commits
1.0.1 ... 1.0.3

Gabor Gyorvari
b290826f82 New option to disable statistics 2019-05-28 09:17:11 +02:00
Gabor Gyorvari
8030cec89f PR-47 comment and duplicate fix 2019-05-17 13:21:04 +02:00
Győrvári Gábor
9ec295f80d Merge pull request #47 from cconversion/master
Update patterns_raw.txt
2019-05-17 13:16:55 +02:00
cconversion
c1c71bd9ef Update patterns_raw.txt
Added WP-VCD Malware strings
2019-02-11 05:53:33 +11:00
4 changed files with 27 additions and 4 deletions


@@ -35,6 +35,7 @@ Usage: php scan.php -d <directory>
-o --output-format Custom defined output format -o --output-format Custom defined output format
-j --wordpress-version Version of wordpress to get md5 signatures -j --wordpress-version Version of wordpress to get md5 signatures
--combined-whitelist Combined whitelist --combined-whitelist Combined whitelist
--disable-stats Disable statistics output
``` ```
Ignore argument could be used multiple times and accept glob style matching ex.: "`cache*`", "`??-cache.php`" or "`/cache`" etc. Ignore argument could be used multiple times and accept glob style matching ex.: "`cache*`", "`??-cache.php`" or "`/cache`" etc.


@@ -261,6 +261,14 @@ tmhapbzcerff
IndoXploit IndoXploit
FaisaL Ahmed aka rEd X FaisaL Ahmed aka rEd X
# WP-VCD Malware https://www.getastra.com/blog/911/how-to-fix-wp-vcd-backdoor-hack-in-wordpress-functions-php/
wp-vcd
class.theme-modules.php
wp-tmp.php
tmpcontentx
function wp_temp_setupx
derna.top/code.php
stripos($tmpcontent, $wp_auth_key)
#Miscellaneous #Miscellaneous
uname -a uname -a
@@ -362,4 +370,4 @@ ZeroByte
100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59
# JS escaped: String.fromCharCode( # JS escaped: String.fromCharCode(
83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40
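Review bot: The bare token `wp-vcd` added on the second line of the first hunk is the least specific of the new signatures: it is a substring of the comment line directly above it and of any security plugin, log line or documentation that names this malware family, so it may match content that the more specific entries (`class.theme-modules.php`, `wp-tmp.php`, `function wp_temp_setupx`) would not. If the loader treats a leading `#` as a comment, as the existing `#Miscellaneous` and `# JS escaped:` lines suggest, the header line is not itself a pattern; otherwise the URL in it becomes a signature too. Consider dropping or qualifying `wp-vcd`, and noting in the header which entries are file names and which are code fragments so the expected match context is clear.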


@@ -40,6 +40,7 @@ class MalwareScanner
private $flagLineNumber = false; private $flagLineNumber = false;
private $flagScanEverything = false; private $flagScanEverything = false;
private $flagCombinedWhitelist = false; private $flagCombinedWhitelist = false;
private $flagDisableStats = false;
private $outputFormat = ''; private $outputFormat = '';
private $whitelist = array(); private $whitelist = array();
private $ignore = array(); private $ignore = array();
@@ -230,7 +231,8 @@ class MalwareScanner
'output-format:', 'output-format:',
'wordpress-version:', 'wordpress-version:',
'scan-everything', 'scan-everything',
'combined-whitelist' 'combined-whitelist',
'disable-stats'
) )
); );
@@ -313,6 +315,9 @@ class MalwareScanner
if (isset($options['combined-whitelist'])) { if (isset($options['combined-whitelist'])) {
$this->setFlagCombinedWhitelist(true); $this->setFlagCombinedWhitelist(true);
} }
if (isset($options['disable-stats'])) {
$this->setFlagDisableStats(true);
}
} }
public function setExtensions(array $a) public function setExtensions(array $a)
@@ -401,6 +406,11 @@ class MalwareScanner
$this->flagCombinedWhitelist = $b; $this->flagCombinedWhitelist = $b;
} }
public function setFlagDisableStats($b)
{
$this->flagDisableStats = $b;
}
// @see http://stackoverflow.com/a/13914119 // @see http://stackoverflow.com/a/13914119
private function pathMatches($path, $pattern, $ignoreCase = false) private function pathMatches($path, $pattern, $ignoreCase = false)
{ {
@@ -604,7 +614,9 @@ class MalwareScanner
$start = time(); $start = time();
$this->process($dir . '/'); $this->process($dir . '/');
$this->report($start, $dir . '/'); if (!$this->flagDisableStats) {
$this->report($start, $dir . '/');
}
return true; return true;
} }
@@ -795,6 +807,7 @@ class MalwareScanner
echo ' -o --output-format Custom defined output format' . PHP_EOL; echo ' -o --output-format Custom defined output format' . PHP_EOL;
echo ' -j --wordpress-version Version of wordpress to get md5 signatures' . PHP_EOL; echo ' -j --wordpress-version Version of wordpress to get md5 signatures' . PHP_EOL;
echo ' --combined-whitelist Combined whitelist' . PHP_EOL; echo ' --combined-whitelist Combined whitelist' . PHP_EOL;
echo ' --disable-stats Disable statistics output' . PHP_EOL;
} }
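Review bot: `setFlagDisableStats($b)` stores its argument unchanged, so a non-boolean value from any caller other than the getopt path ends up in a property declared with a `false` default and is later tested only by truthiness in `!$this->flagDisableStats`; `$this->flagDisableStats = (bool) $b;` keeps the property boolean. This mirrors the existing setters such as `setFlagCombinedWhitelist`, so the same cast could be applied to them in one pass. The new property also carries no comment; a one-liner such as `// When true, the report() call after processing is skipped` above `private $flagDisableStats = false;` makes its effect clear without reading the run method, whose body starts outside the hunk.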


@@ -15,6 +15,7 @@ function fetch($url, $file = false)
$headers = array( $headers = array(
// drupal suxx // drupal suxx
'Cookie: pxvid=44e1b040-4dde-11e8-b1dc-f15e898556c7; _ga=GA1.2.2042202377.1525247839; _gat=1; _gid=GA1.2.1601332121.1550831838; _px2=eyJ1IjoiZDM3OTk1MDAtMzY4ZC0xMWU5LWI3MDItYTdlMDI1ZWZhZmI2IiwidiI6IjQ0ZTFiMDQwLTRkZGUtMTFlOC1iMWRjLWYxNWU4OTg1NTZjNyIsInQiOjE1NTA4MzIxMzc5MjcsImgiOiJjMjBhNTQzNGIxYWQwNWFiOWUzNTI2OWRjNTM1MjgzNjkxNzg5OTIxNGM4YmIzZDBkZTg5ZTIxMzY0NTc5Zjk3In0=; has_js=1; _pxvid=44e1b040-4dde-11e8-b1dc-f15e898556c7',
'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15', 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15',
); );
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers); curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
@@ -89,7 +90,7 @@ function fetch_jquery($fp)
foreach ($m[1] as $k => $file) { foreach ($m[1] as $k => $file) {
if (!is_cached($file)) { if (!is_cached($file)) {
echo 'Downloading: ' . 'https://code.jquery.com/' . $file . PHP_EOL; echo 'Downloading: ' . 'https://code.jquery.com/' . $file . PHP_EOL;
$data = fetch('https://code.jquery.com/' . $file); $data = fetch('https://code.jquery.com/' . $file) . PHP_EOL;
if (base64_encode(hash('sha256', $data, true)) != $m[2][$k]) { if (base64_encode(hash('sha256', $data, true)) != $m[2][$k]) {
die('Hash mismatch' . PHP_EOL); die('Hash mismatch' . PHP_EOL);
} }
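Review bot: The new `Cookie:` header embeds a captured browser session as a string literal — what looks like a PerimeterX bot-protection token (`_px2`, `_pxvid`) plus Google Analytics identifiers — so a personal, expiring browser token is now committed to the repository and every fetch depends on it silently until the remote site stops accepting it. Read it from the environment or an untracked local config instead, e.g. `'Cookie: ' . getenv('FETCH_COOKIE')` (variable name is a placeholder), and omit the header entirely when the value is empty so the failure is visible rather than masked. The `// drupal suxx` comment should name which host needs the header and why, so the next maintainer knows when it is safe to drop. `fetch()` begins outside the hunk.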