mirror of
https://github.com/scr34m/php-malware-scanner.git
synced 2026-06-16 12:30:35 +00:00
Compare commits
7 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
c6a52dc67e | ||
|
|
3b76a7270e | ||
|
|
f0bdb1f1e1 | ||
|
|
43876b337b | ||
|
|
1fad164790 | ||
|
|
f4d53e89d8 | ||
|
|
34ea02323b |
@@ -36,6 +36,7 @@ Usage: php scan.php -d <directory>
|
||||
-o --output-format Custom defined output format
|
||||
-j --wordpress-version Version of wordpress to get md5 signatures
|
||||
--combined-whitelist Combined whitelist
|
||||
--custom-whitelist Loads whitelist from specified file and merge with existing
|
||||
--disable-stats Disable statistics output
|
||||
```
|
||||
|
||||
|
||||
@@ -180,6 +180,7 @@ kZWZpbm
|
||||
|
||||
# Obfuscation related code
|
||||
eval("?>
|
||||
eval('?>
|
||||
"base64_decode"
|
||||
='base'.(32*2).'_de'.'code'
|
||||
"p"."r"."e"."g"."_"
|
||||
@@ -202,6 +203,8 @@ gz'.'inf'.'late
|
||||
# fopo.com.ar - free online php obfuscator. It conveniently leaves comments in the code.
|
||||
http://www.fopo.com.ar/
|
||||
@eval("\
|
||||
";eval(
|
||||
eval(eval(
|
||||
|
||||
#Malware/Attack specific strings/fingerprints/signatures
|
||||
MagelangCyber
|
||||
@@ -374,3 +377,13 @@ ZeroByte
|
||||
# SEO poisoning control site call
|
||||
"http://$xxx
|
||||
?useragent=$botbotbot
|
||||
|
||||
# php://input encoded in base64
|
||||
cGhwOi8vaW5wdXQ=
|
||||
|
||||
# backdoor script
|
||||
<font color="red">Upload Gagal..</font><br />
|
||||
explode('?>',$shell
|
||||
|
||||
# common mobile agent check in SEO poison scripts
|
||||
Array("1207", "3gso", "4thp", "501i", "502i", "503i", "504i", "505i", "506i",
|
||||
@@ -116,4 +116,23 @@ function\s+_[0-9]{8,}\(
|
||||
create_function\s*\(\s*['"]{2}
|
||||
|
||||
# control concated from cookie at the call
|
||||
(\$[a-z]{2,}=urldecode\(\$_COOKIE\['[a-z]{2,}'\]\);){3,}
|
||||
(\$[a-z]{2,}=urldecode\(\$_COOKIE\['[a-z]{2,}'\]\);){3,}
|
||||
|
||||
# ${$O{18}.$O{7}.$O{24}.$O{2}.$O{50}.$O{8}
|
||||
(\$[A-Z]+\{\d+\}\.){3,}
|
||||
|
||||
# comment in variable name $_REQUEST /*YUsrqpbzvXTSa...QpDNTPYQvLSFPCqsSnWNVqPdSIAYaQj*/[
|
||||
\$_REQUEST\s*\/\*[A-Za-z]+\*\/\[
|
||||
|
||||
# cookie payload if(isset($_COOKIE)){$p=$_COOKIE;(count($p)==55&&in_array(gettype($p).count($p),$p))?(($p[68]=$p[68].$p[22])&&($p[35]=$p[68]($p[35]))&&($p=$p[35]($p[13],$p[68]($p[45])))&&$p()):$p;}
|
||||
\(count\(\$p\)==\d+&&in_array\(gettype\(\$p\)\.count\(\$p\),\$p\)\)
|
||||
|
||||
# gzipped payload post process
|
||||
explode\('\|\x01\|\x03\|\x03', gzinflate\(
|
||||
|
||||
# backdoor reported #71
|
||||
@header\(\w{3,5}::\w{1,2}\('_\w{1,3}' \. '\w{1,3}', '_\w{1,3}'\)\);
|
||||
@header\(\w{3,5}::\w{1,2}\('_\w{1,3}', '_' \. '\w{1,3}' . '\w{1,3}'\)\);
|
||||
|
||||
# backdoor reported #72
|
||||
@\$[a-z]{1}\[\d+\]\(\$[a-z]{1}\[\d+\]\);
|
||||
39
scan.php
39
scan.php
@@ -42,6 +42,7 @@ class MalwareScanner
|
||||
private $flagScanEverything = false;
|
||||
private $flagCombinedWhitelist = false;
|
||||
private $flagDisableStats = false;
|
||||
private $customWhitelist = array();
|
||||
private $outputFormat = '';
|
||||
private $whitelist = array();
|
||||
private $ignore = array();
|
||||
@@ -191,16 +192,21 @@ class MalwareScanner
|
||||
return $list;
|
||||
}
|
||||
|
||||
//Loads the whitelist file
|
||||
public function loadWhitelist()
|
||||
/**
|
||||
* Loads the whitelist files
|
||||
*/
|
||||
public function loadWhitelists()
|
||||
{
|
||||
if (!is_file(__DIR__ . '/whitelist.txt')) {
|
||||
return;
|
||||
}
|
||||
$fp = fopen(__DIR__ . '/whitelist.txt', 'r');
|
||||
while (!feof($fp)) {
|
||||
$line = fgets($fp);
|
||||
$this->whitelist[] = substr($line, 0, 32);
|
||||
$a = array_merge([__DIR__ . '/whitelist.txt'], $this->customWhitelist);
|
||||
foreach ($a as $file) {
|
||||
if (is_file($file)) {
|
||||
$fp = fopen($file, 'r');
|
||||
while (!feof($fp)) {
|
||||
$line = fgets($fp);
|
||||
$this->whitelist[] = substr($line, 0, 32);
|
||||
}
|
||||
fclose($fp);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -248,6 +254,7 @@ class MalwareScanner
|
||||
'wordpress-version:',
|
||||
'scan-everything',
|
||||
'combined-whitelist',
|
||||
'custom-whitelist:',
|
||||
'disable-stats'
|
||||
)
|
||||
);
|
||||
@@ -334,6 +341,13 @@ class MalwareScanner
|
||||
if (isset($options['combined-whitelist'])) {
|
||||
$this->setFlagCombinedWhitelist(true);
|
||||
}
|
||||
if (isset($options['custom-whitelist'])) {
|
||||
$a = $options['custom-whitelist'];
|
||||
if (!is_array($a)) {
|
||||
$a = array($a);
|
||||
}
|
||||
$this->setCustomWhitelist(array_unique($a));
|
||||
}
|
||||
if (isset($options['disable-stats'])) {
|
||||
$this->setFlagDisableStats(true);
|
||||
}
|
||||
@@ -435,6 +449,11 @@ class MalwareScanner
|
||||
$this->flagDisableStats = $b;
|
||||
}
|
||||
|
||||
public function setCustomWhitelist($a)
|
||||
{
|
||||
$this->customWhitelist = $a;
|
||||
}
|
||||
|
||||
// @see http://stackoverflow.com/a/13914119
|
||||
private function pathMatches($path, $pattern, $ignoreCase = false)
|
||||
{
|
||||
@@ -626,7 +645,7 @@ class MalwareScanner
|
||||
{
|
||||
$this->initializePatterns();
|
||||
|
||||
$this->loadWhitelist();
|
||||
$this->loadWhitelists();
|
||||
|
||||
if ($this->flagCombinedWhitelist && !$this->updateCombinedWhitelist()) {
|
||||
return false;
|
||||
|
||||
@@ -256,25 +256,31 @@ e45b8afd0b65516c175ed23f7183bab1 /jquery-migrate-1.1.1.min.js
|
||||
dc0102c151c491b8a0f65a520e26e083 /jquery-migrate-1.1.0.min.js
|
||||
1f5980833a26b490296db71951e1024f /jquery-migrate-1.0.0.js
|
||||
dd6f8586a1afae562493e9c7cd1ffeea /jquery-migrate-1.0.0.min.js
|
||||
f2fc939d607b2e861af2701a15d14430 /ace/ace.min.js
|
||||
2954b8d06fd846e81c12b0fd0b3d2d35 /ace/ace/ace.js
|
||||
c333e22e892cd099e776e9384bbbaa63 /ace/ace/ext-beautify.js
|
||||
b391899e17b7aea2cf2998656c40f2c6 /core/components/phpthumbof/model/aws/_compatibility_test/sdk_compatibility_test.php
|
||||
6cfb5a3b2820fe378b73c901ee6fc031 /core/components/phpthumbof/model/aws/sdk.class.php
|
||||
dd894a093463d38f9c9fdbcb7c88cc23 /core/model/aws/sdk.class.php
|
||||
1ed9b9eea82c9f1ead337b67c188206b /core/model/phpthumb/phpthumb.class.php
|
||||
ef55bdc338994e87b650e2cf0f87df45 /core/model/smarty/sysplugins/smarty_internal_template.php
|
||||
f8f2e883e5323ed5935f42b17ceda6ba /core/model/smarty/sysplugins/smarty_template_compiled.php
|
||||
3d84a338c9daaacc711834cb7797ac98 /core/model/smarty/sysplugins/smarty_cacheresource_custom.php
|
||||
d6be1074d266aecb739352150798d97d /core/model/smarty/sysplugins/smarty_cacheresource_keyvaluestore.php
|
||||
c363512229135b182006a97ba43d31e7 /core/model/smarty/sysplugins/smarty_resource_recompiled.php
|
||||
fc8f1e9f0ff666af7beb3f61b055c0e8 /core/model/smarty/sysplugins/smarty_internal_cacheresource_file.php
|
||||
092a5a658bf49a3c1549f9bd809218ea /core/xpdo/compression/pclzip.lib.php
|
||||
761f1578928050a03f4aa4c789f1d136 /manager/assets/fileapi/FileAPI.js
|
||||
3c9137d88a00b1ae0b41ff6a70571615 /assets/components/tinymcewrapper/frontend/imogen_theme/js/jquery.js
|
||||
bb127b5ce56b45e8b4b91de2e60dd9eb /assets/components/googleanalytics/js/mgr/libs/highcharts.js
|
||||
7d7958bb0a9438a8966807f9202d0bce /assets/components/tinymce/jscripts/tiny_mce/plugins/spellchecker/classes/PSpellShell.php
|
||||
3ee0a4d8a06cedc0a56f29e8f351ef72 /pclzip-2-8-2/pclzip.lib.php
|
||||
abfd2987afd1f66e3eed50bebbeb6750 /sucuri-scanner-1.8.24/src/base.lib.php
|
||||
78477b67cb223e4504689fef33119884 /sucuri-scanner-1.8.24/src/sitecheck.lib.php
|
||||
e48460f6ef0c911dc5ad558c57bfd52f /sucuri-scanner-1.8.24/src/integrity.lib.php
|
||||
f2fc939d607b2e861af2701a15d14430 /ace/ace.min.js
|
||||
2954b8d06fd846e81c12b0fd0b3d2d35 /ace/ace/ace.js
|
||||
c333e22e892cd099e776e9384bbbaa63 /ace/ace/ext-beautify.js
|
||||
b391899e17b7aea2cf2998656c40f2c6 /core/components/phpthumbof/model/aws/_compatibility_test/sdk_compatibility_test.php
|
||||
6cfb5a3b2820fe378b73c901ee6fc031 /core/components/phpthumbof/model/aws/sdk.class.php
|
||||
dd894a093463d38f9c9fdbcb7c88cc23 /core/model/aws/sdk.class.php
|
||||
1ed9b9eea82c9f1ead337b67c188206b /core/model/phpthumb/phpthumb.class.php
|
||||
ef55bdc338994e87b650e2cf0f87df45 /core/model/smarty/sysplugins/smarty_internal_template.php
|
||||
f8f2e883e5323ed5935f42b17ceda6ba /core/model/smarty/sysplugins/smarty_template_compiled.php
|
||||
3d84a338c9daaacc711834cb7797ac98 /core/model/smarty/sysplugins/smarty_cacheresource_custom.php
|
||||
d6be1074d266aecb739352150798d97d /core/model/smarty/sysplugins/smarty_cacheresource_keyvaluestore.php
|
||||
c363512229135b182006a97ba43d31e7 /core/model/smarty/sysplugins/smarty_resource_recompiled.php
|
||||
fc8f1e9f0ff666af7beb3f61b055c0e8 /core/model/smarty/sysplugins/smarty_internal_cacheresource_file.php
|
||||
092a5a658bf49a3c1549f9bd809218ea /core/xpdo/compression/pclzip.lib.php
|
||||
761f1578928050a03f4aa4c789f1d136 /manager/assets/fileapi/FileAPI.js
|
||||
3c9137d88a00b1ae0b41ff6a70571615 /assets/components/tinymcewrapper/frontend/imogen_theme/js/jquery.js
|
||||
bb127b5ce56b45e8b4b91de2e60dd9eb /assets/components/googleanalytics/js/mgr/libs/highcharts.js
|
||||
7d7958bb0a9438a8966807f9202d0bce /assets/components/tinymce/jscripts/tiny_mce/plugins/spellchecker/classes/PSpellShell.php
|
||||
3ee0a4d8a06cedc0a56f29e8f351ef72 /pclzip-2-8-2/pclzip.lib.php
|
||||
abfd2987afd1f66e3eed50bebbeb6750 /sucuri-scanner-1.8.24/src/base.lib.php
|
||||
78477b67cb223e4504689fef33119884 /sucuri-scanner-1.8.24/src/sitecheck.lib.php
|
||||
e48460f6ef0c911dc5ad558c57bfd52f /sucuri-scanner-1.8.24/src/integrity.lib.php
|
||||
29f34168b7384cca58ba64885461e115 wp-admin/includes/class-pclzip.php -> Wordpress Core 6.0
|
||||
a54895edc1402cf1b7b5ecd3f5d85e6b wp-includes/formatting.php -> Wordpress Core 6.0
|
||||
178f2fbc6a48f605ed84b156103d5366 wp-content/plugins/wordpress-seo/vendor_prefixed/guzzlehttp/guzzle/src/Middleware.php -> Yoast SEO plugin 19.2
|
||||
1e2d246c57d2123aa8938c8263cb1d3d wp-content/plugins/wordpress-seo/admin/tracking/class-tracking-server-data.php -> Yoast SEO plugin 19.2
|
||||
cacb5670ebb2de31976a4b2eb06cac86 wp-content/plugins/worker/src/MWP/ServiceContainer/Abstract.php -> managewp plugin 4.9.14 from managewp.com
|
||||
ffa76b9ff298702a733747521cfdee69 wp-content/plugins/worker/src/MWP/Action/GetState.php -> managewp plugin 4.9.14 from managewp.com
|
||||
|
||||
Reference in New Issue
Block a user