Sample update

Make it compatible with php 8.1

README.md

@@ -34,8 +34,9 @@ Usage: php scan.php -d <directory>
     -t                   --time               Show time of last file change
     -L                   --line-number        Display matching pattern line number in file
     -o                   --output-format      Custom defined output format
-    -j                   --wordpress-version  Version of wordpress to get md5 signatures
+    -j <version>         --wordpress-version  Version of wordpress to get md5 signatures
                          --combined-whitelist Combined whitelist
+                         --custom-whitelist   Loads whitelist from specified file and merge with existing
                          --disable-stats      Disable statistics output
 ```
 

definitions/patterns_iraw.txt

@@ -16,7 +16,48 @@ opendns
 phishtank
 sophos
 surfright
-symantec
+# symantec - removed because already a TLD too so generate many false positives
 
 # SEO poison, pharmacy redirect
-dealonline.su
+dealonline.su
+
+# functions escaped as hexadecimal string
+7068705f756e616d65
+70687076657273696f6e
+6368646972
+676574637764
+707265675f73706c6974
+636f7079
+66696c655f6765745f636f6e74656e7473
+6261736536345f6465636f6465
+69735f646972
+6f625f656e645f636c65616e28293b
+756e6c696e6b
+6d6b646972
+63686d6f64
+7363616e646972
+7374725f7265706c616365
+68746d6c7370656369616c6368617273
+7661725f64756d70
+666f70656e
+667772697465
+66636c6f7365
+64617465
+66696c656d74696d65
+737562737472
+737072696e7466
+66696c657065726d73
+746f756368
+66696c655f657869737473
+72656e616d65
+69735f6172726179
+69735f6f626a656374
+737472706f73
+69735f7772697461626c65
+69735f7265616461626c65
+737472746f74696d65
+66696c6573697a65
+726d646972
+6f625f6765745f636c65616e
+7265616466696c65
+617373657274

definitions/patterns_raw.txt

@@ -27,6 +27,8 @@ ShellBOT
 curl_get_from_webpage
 file_get_contents('http://codepad.org
 
+#mailers
+leafmailer.pw
 
 #Base64 String Samples.  Each plain text string should have 3 base64 equivalents
 
@@ -180,6 +182,7 @@ kZWZpbm
 
 # Obfuscation related code
 eval("?>
+eval('?>
 "base64_decode"
 ='base'.(32*2).'_de'.'code'
 "p"."r"."e"."g"."_"
@@ -202,6 +205,9 @@ gz'.'inf'.'late
 # fopo.com.ar - free online php obfuscator. It conveniently leaves comments in the code.
 http://www.fopo.com.ar/
 @eval("\
+";eval(
+eval(eval(
+@eval(`
 
 #Malware/Attack specific strings/fingerprints/signatures
 MagelangCyber
@@ -259,6 +265,7 @@ FaisaL Ahmed aka rEd X
 smisbot
 smotherbot
 Indonesian Hacker Rulez
+pwetan.com
 
 # WP-VCD Malware https://www.getastra.com/blog/911/how-to-fix-wp-vcd-backdoor-hack-in-wordpress-functions-php/
 wp-vcd
@@ -374,3 +381,58 @@ ZeroByte
 # SEO poisoning control site call
 "http://$xxx
 ?useragent=$botbotbot
+
+# php://input encoded in base64
+cGhwOi8vaW5wdXQ=
+
+# backdoor script
+<font color="red">Upload Gagal..</font><br />
+explode('?>',$shell
+0.33333333333333+0.33333333333333+0.33333333333333
+0.66666666666667+0.66666666666667+0.66666666666667
+1.3333333333333+1.3333333333333+1.3333333333333
+class _t{private static$_
+'LQ'.'=='
+
+# common mobile agent check in SEO poison scripts
+Array("1207", "3gso", "4thp", "501i", "502i", "503i", "504i", "505i", "506i",
+
+# eval url decoded string
+eval(rawurldecode('
+eval(htmlspecialchars_decode(
+
+# simple obfuscated function
+'gz'.'unc'.'ompress'
+'create'.'_'.'function'
+'gzinf', 'la', 'te'
+'e_f', 'cti', 'un', 'on', 'cr', 'eat'
+'base', '64_dec', 'ode'
+'cook', 'set', 'ie'
+'repl', 'str_', 'ace'
+"base"."64_"
+'base'.'64_'
+"t"."m"."p"."_"."n"."a"."m"."e"
+"f"."i"."l"."e"."_"."p"."u"."t"
+"f"."i"."l"."e"."_"."g"."e"."t"
+'ode', 'e64_', 'bas', 'dec'
+'unct', 'ion', 'te_f', 'crea'
+'te', 'g', 'nf', 'l', 'a', 'zi'
+'tion', 'e_func', 'creat'
+'64_d', 'se', 'eco', 'de', 'ba'
+'co', 'ki', 'e', 'o', 'set'
+'str', '_rep', 'lace'
+
+# process data from request object directly
+extract($_REQUEST) && @$
+extract($_REQUEST)&&@$
+xtract($_REQUEST)&&@$
+
+# uncompress cafted content
+gzuncompress(strrev(substr(
+
+# disable error reporting
+<?php error_reporting(0);?>
+
+# infected file include attached on the top of a legit file
+<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>
+<?php if (file_exists(dirname(__FILE__) . '/class.plugin-modules.php')) include_once(dirname(__FILE__) . '/class.plugin-modules.php'); ?>

definitions/patterns_re.txt

@@ -60,7 +60,7 @@ chr\s*\(\s*101\s*\)\s*\.\s*chr\s*\(\s*118\s*\)\s*\.\s*chr\s*\(\s*97\s*\)\s*\.\s*
 
 #Detects the '_' character encoded in a string like "\x5F".  '_' is present in many functions that malware would want to hide.
 # '_' as "\x5f"
-\\[Xx](5[Ff])
+# \\[Xx](5[Ff]) - removed because generate many false positives
 
 #Detects the '_' character placed inside a call to the 'chr()' function
 # '_' as 'chr(95)' or 'chr(0x5f)'
@@ -79,7 +79,7 @@ chr\s*\(\s*['"]?\s*((95)|(0[Xx]5[Ff]))\s*['"]?\s*\)
 #Escaped path characters: \x2fho\x6de/\x69mp\x75ls\x69oq\x65/w\x77w. or \x2fhome\x2fimpu\x6csioq\x65/www\x2emusc
 (\\x[0-9abcdef]{2}[a-z0-9.-\/]{1,4}){4,}
 
-#Malware inffected files sometimes marked with comments like /*87cda*/ to avoid infect again
+#Malware infected files sometimes marked with comments like /*87cda*/ to avoid infect again
 \/\*[a-z0-9]{5}\*\/
 
 # XOR-ed strings with custom math
@@ -95,7 +95,7 @@ eval\(\$[a-z0-9_]+\(\$_POST
 ("[a-z0-9]+"\.chr\(\d+\)\.){3,}
 
 # nested function call used variables
-\$[a-z]+\(\$[a-z0-9]+\(
+\$[a-z0-9_]+\(\$[a-z0-9_]+\(
 
 # GLOBALS inject with escaped content
 \$GLOBALS;\$\{"\\x
@@ -116,4 +116,41 @@ function\s+_[0-9]{8,}\(
 create_function\s*\(\s*['"]{2}
 
 # control concated from cookie at the call
-(\$[a-z]{2,}=urldecode\(\$_COOKIE\['[a-z]{2,}'\]\);){3,}
+(\$[a-z]{2,}=urldecode\(\$_COOKIE\['[a-z]{2,}'\]\);){3,}
+
+# ${$O{18}.$O{7}.$O{24}.$O{2}.$O{50}.$O{8}
+(\$[A-Z]+\{\d+\}\.){3,}
+
+# comment in variable name $_REQUEST /*YUsrqpbzvXTSa...QpDNTPYQvLSFPCqsSnWNVqPdSIAYaQj*/[
+\$_REQUEST\s*\/\*[A-Za-z]+\*\/\[
+
+# cookie payload if(isset($_COOKIE)){$p=$_COOKIE;(count($p)==55&&in_array(gettype($p).count($p),$p))?(($p[68]=$p[68].$p[22])&&($p[35]=$p[68]($p[35]))&&($p=$p[35]($p[13],$p[68]($p[45])))&&$p()):$p;}
+\(count\(\$p\)==\d+&&in_array\(gettype\(\$p\)\.count\(\$p\),\$p\)\)
+
+# gzipped payload post process
+explode\('\|\x01\|\x03\|\x03', gzinflate\(
+
+# backdoor reported #71
+@header\(\w{3,5}::\w{1,2}\('_\w{1,3}' \. '\w{1,3}', '_\w{1,3}'\)\);
+@header\(\w{3,5}::\w{1,2}\('_\w{1,3}', '_' \. '\w{1,3}' . '\w{1,3}'\)\);
+
+# backdoor reported #72
+@\$[a-z]{1}\[\d+\]\(\$[a-z]{1}\[\d+\]\);
+
+# reported #77
+\$[a-z]11 \^ [a-z]8\(\$[a-z]6, \$[a-z]14, \$[a-z]6\[13\]\(\$[a-z]11\)\)\)\);
+
+# eval function return and concat
+eval\([A-Za-z0-9]{5,}\(\) \. '
+
+# eval function return, parameter is a hex string
+eval\([A-Za-z0-9]{5,}\(\"[A-Z0-9]{16,}
+
+# gzip payload called by variable named function
+\$[a-zA-Z0-9]{6,}\('\x78\x9C\xAD\x90\x41\x0E
+
+# obfuscated code return with error suppression
+return @\$[a-z]{2}\d+\[\d+\]\(\$[a-z]{2}\d+\[\d+\],
+
+# htaccess alternating
+[a-z]{1}\([a-z]{1}\(\$[a-z]{2}\.'\/\.htaccess'\)

scan.php

@@ -42,6 +42,7 @@ class MalwareScanner
     private $flagScanEverything = false;
     private $flagCombinedWhitelist = false;
     private $flagDisableStats = false;
+    private $customWhitelist = array();
     private $outputFormat = '';
     private $whitelist = array();
     private $ignore = array();
@@ -191,16 +192,21 @@ class MalwareScanner
         return $list;
     }
 
-    //Loads the whitelist file
-    public function loadWhitelist()
+    /**
+     * Loads the whitelist files
+     */
+    public function loadWhitelists()
     {
-        if (!is_file(__DIR__ . '/whitelist.txt')) {
-            return;
-        }
-        $fp = fopen(__DIR__ . '/whitelist.txt', 'r');
-        while (!feof($fp)) {
-            $line = fgets($fp);
-            $this->whitelist[] = substr($line, 0, 32);
+        $a = array_merge([__DIR__ . '/whitelist.txt'], $this->customWhitelist);
+        foreach ($a as $file) {
+            if (is_file($file)) {
+                $fp = fopen($file, 'r');
+                while (!feof($fp)) {
+                    $line = fgets($fp);
+                    $this->whitelist[] = substr($line, 0, 32);
+                }
+                fclose($fp);
+            }
         }
     }
 
@@ -225,7 +231,7 @@ class MalwareScanner
     private function parseArgs()
     {
         $options = getopt(
-            'd:e:i:o:abmcxlhkwnsptLj:E',
+            'd:e:i:o:abmcxlhkrwnsptLj:E',
             array(
                 'directory:',
                 'extension:',
@@ -238,6 +244,7 @@ class MalwareScanner
                 'follow-link',
                 'help',
                 'hide-ok',
+                'hide-err',
                 'hide-whitelist',
                 'no-color',
                 'no-stop',
@@ -248,6 +255,7 @@ class MalwareScanner
                 'wordpress-version:',
                 'scan-everything',
                 'combined-whitelist',
+                'custom-whitelist:',
                 'disable-stats'
             )
         );
@@ -334,6 +342,13 @@ class MalwareScanner
         if (isset($options['combined-whitelist'])) {
             $this->setFlagCombinedWhitelist(true);
         }
+        if (isset($options['custom-whitelist'])) {
+            $a = $options['custom-whitelist'];
+            if (!is_array($a)) {
+                $a = array($a);
+            }
+            $this->setCustomWhitelist(array_unique($a));
+        }
         if (isset($options['disable-stats'])) {
             $this->setFlagDisableStats(true);
         }
@@ -435,6 +450,11 @@ class MalwareScanner
         $this->flagDisableStats = $b;
     }
 
+    public function setCustomWhitelist($a)
+    {
+        $this->customWhitelist = $a;
+    }
+
     // @see http://stackoverflow.com/a/13914119
     private function pathMatches($path, $pattern, $ignoreCase = false)
     {
@@ -603,8 +623,8 @@ class MalwareScanner
     private function report($start, $dir)
     {
         $end = time();
-        echo 'Start time: ' . strftime('%Y-%m-%d %H:%M:%S', $start) . PHP_EOL;
-        echo 'End time: ' . strftime('%Y-%m-%d %H:%M:%S', $end) . PHP_EOL;
+        echo 'Start time: ' . date('Y-m-d H:m:s', $start) . PHP_EOL;
+        echo 'End time: ' . date('Y-m-d H:m:s', $end) . PHP_EOL;
         echo 'Total execution time: ' . ($end - $start) . PHP_EOL;
         echo 'Base directory: ' . $dir . PHP_EOL;
         echo 'Total directories scanned: ' . $this->stat['directories'] . PHP_EOL;
@@ -626,7 +646,7 @@ class MalwareScanner
     {
         $this->initializePatterns();
 
-        $this->loadWhitelist();
+        $this->loadWhitelists();
 
         if ($this->flagCombinedWhitelist && !$this->updateCombinedWhitelist()) {
             return false;
@@ -690,14 +710,14 @@ class MalwareScanner
     //Returns true if the raw string exists in the file contents.
     private function scanFunc_STR(&$pattern, &$content)
     {
-        return strpos($content, $pattern);
+        return strpos($content, (string)$pattern);
     }
 
     //Performs raw string, case insensitive matching.
     //Returns true if the raw string exists in the file contents, ignoring case.
     private function scanFunc_STRI(&$pattern, &$content)
     {
-        return stripos($content, $pattern);
+        return stripos($content, (string)$pattern);
     }
 
     //Performs regular expression matching.
@@ -840,7 +860,7 @@ class MalwareScanner
         echo '    -t                   --time               Show time of last file change' . PHP_EOL;
         echo '    -L                   --line-number        Display matching pattern line number in file' . PHP_EOL;
         echo '    -o                   --output-format      Custom defined output format' . PHP_EOL;
-        echo '    -j                   --wordpress-version  Version of wordpress to get md5 signatures' . PHP_EOL;
+        echo '    -j <version>         --wordpress-version  Version of wordpress to get md5 signatures' . PHP_EOL;
         echo '                         --combined-whitelist Combined whitelist' . PHP_EOL;
         echo '                         --disable-stats      Disable statistics output' . PHP_EOL;
 

whitelist.txt

@@ -256,25 +256,33 @@ e45b8afd0b65516c175ed23f7183bab1 /jquery-migrate-1.1.1.min.js
 dc0102c151c491b8a0f65a520e26e083 /jquery-migrate-1.1.0.min.js
 1f5980833a26b490296db71951e1024f /jquery-migrate-1.0.0.js
 dd6f8586a1afae562493e9c7cd1ffeea /jquery-migrate-1.0.0.min.js
-f2fc939d607b2e861af2701a15d14430  /ace/ace.min.js
-2954b8d06fd846e81c12b0fd0b3d2d35  /ace/ace/ace.js
-c333e22e892cd099e776e9384bbbaa63  /ace/ace/ext-beautify.js
-b391899e17b7aea2cf2998656c40f2c6  /core/components/phpthumbof/model/aws/_compatibility_test/sdk_compatibility_test.php
-6cfb5a3b2820fe378b73c901ee6fc031  /core/components/phpthumbof/model/aws/sdk.class.php
-dd894a093463d38f9c9fdbcb7c88cc23  /core/model/aws/sdk.class.php
-1ed9b9eea82c9f1ead337b67c188206b  /core/model/phpthumb/phpthumb.class.php
-ef55bdc338994e87b650e2cf0f87df45  /core/model/smarty/sysplugins/smarty_internal_template.php
-f8f2e883e5323ed5935f42b17ceda6ba  /core/model/smarty/sysplugins/smarty_template_compiled.php
-3d84a338c9daaacc711834cb7797ac98  /core/model/smarty/sysplugins/smarty_cacheresource_custom.php
-d6be1074d266aecb739352150798d97d  /core/model/smarty/sysplugins/smarty_cacheresource_keyvaluestore.php
-c363512229135b182006a97ba43d31e7  /core/model/smarty/sysplugins/smarty_resource_recompiled.php
-fc8f1e9f0ff666af7beb3f61b055c0e8  /core/model/smarty/sysplugins/smarty_internal_cacheresource_file.php
-092a5a658bf49a3c1549f9bd809218ea  /core/xpdo/compression/pclzip.lib.php
-761f1578928050a03f4aa4c789f1d136  /manager/assets/fileapi/FileAPI.js
-3c9137d88a00b1ae0b41ff6a70571615  /assets/components/tinymcewrapper/frontend/imogen_theme/js/jquery.js
-bb127b5ce56b45e8b4b91de2e60dd9eb  /assets/components/googleanalytics/js/mgr/libs/highcharts.js
-7d7958bb0a9438a8966807f9202d0bce  /assets/components/tinymce/jscripts/tiny_mce/plugins/spellchecker/classes/PSpellShell.php
-3ee0a4d8a06cedc0a56f29e8f351ef72  /pclzip-2-8-2/pclzip.lib.php
-abfd2987afd1f66e3eed50bebbeb6750  /sucuri-scanner-1.8.24/src/base.lib.php
-78477b67cb223e4504689fef33119884  /sucuri-scanner-1.8.24/src/sitecheck.lib.php
-e48460f6ef0c911dc5ad558c57bfd52f  /sucuri-scanner-1.8.24/src/integrity.lib.php
+f2fc939d607b2e861af2701a15d14430 /ace/ace.min.js
+2954b8d06fd846e81c12b0fd0b3d2d35 /ace/ace/ace.js
+c333e22e892cd099e776e9384bbbaa63 /ace/ace/ext-beautify.js
+b391899e17b7aea2cf2998656c40f2c6 /core/components/phpthumbof/model/aws/_compatibility_test/sdk_compatibility_test.php
+6cfb5a3b2820fe378b73c901ee6fc031 /core/components/phpthumbof/model/aws/sdk.class.php
+dd894a093463d38f9c9fdbcb7c88cc23 /core/model/aws/sdk.class.php
+1ed9b9eea82c9f1ead337b67c188206b /core/model/phpthumb/phpthumb.class.php
+ef55bdc338994e87b650e2cf0f87df45 /core/model/smarty/sysplugins/smarty_internal_template.php
+f8f2e883e5323ed5935f42b17ceda6ba /core/model/smarty/sysplugins/smarty_template_compiled.php
+3d84a338c9daaacc711834cb7797ac98 /core/model/smarty/sysplugins/smarty_cacheresource_custom.php
+d6be1074d266aecb739352150798d97d /core/model/smarty/sysplugins/smarty_cacheresource_keyvaluestore.php
+c363512229135b182006a97ba43d31e7 /core/model/smarty/sysplugins/smarty_resource_recompiled.php
+fc8f1e9f0ff666af7beb3f61b055c0e8 /core/model/smarty/sysplugins/smarty_internal_cacheresource_file.php
+092a5a658bf49a3c1549f9bd809218ea /core/xpdo/compression/pclzip.lib.php
+761f1578928050a03f4aa4c789f1d136 /manager/assets/fileapi/FileAPI.js
+3c9137d88a00b1ae0b41ff6a70571615 /assets/components/tinymcewrapper/frontend/imogen_theme/js/jquery.js
+bb127b5ce56b45e8b4b91de2e60dd9eb /assets/components/googleanalytics/js/mgr/libs/highcharts.js
+7d7958bb0a9438a8966807f9202d0bce /assets/components/tinymce/jscripts/tiny_mce/plugins/spellchecker/classes/PSpellShell.php
+3ee0a4d8a06cedc0a56f29e8f351ef72 /pclzip-2-8-2/pclzip.lib.php
+abfd2987afd1f66e3eed50bebbeb6750 /sucuri-scanner-1.8.24/src/base.lib.php
+78477b67cb223e4504689fef33119884 /sucuri-scanner-1.8.24/src/sitecheck.lib.php
+e48460f6ef0c911dc5ad558c57bfd52f /sucuri-scanner-1.8.24/src/integrity.lib.php
+29f34168b7384cca58ba64885461e115 wp-admin/includes/class-pclzip.php -> Wordpress Core 6.0
+a54895edc1402cf1b7b5ecd3f5d85e6b wp-includes/formatting.php -> Wordpress Core 6.0
+178f2fbc6a48f605ed84b156103d5366 wp-content/plugins/wordpress-seo/vendor_prefixed/guzzlehttp/guzzle/src/Middleware.php -> Yoast SEO plugin 19.2
+1e2d246c57d2123aa8938c8263cb1d3d wp-content/plugins/wordpress-seo/admin/tracking/class-tracking-server-data.php -> Yoast SEO plugin 19.2
+cacb5670ebb2de31976a4b2eb06cac86 wp-content/plugins/worker/src/MWP/ServiceContainer/Abstract.php -> managewp plugin 4.9.14 from managewp.com
+ffa76b9ff298702a733747521cfdee69 wp-content/plugins/worker/src/MWP/Action/GetState.php -> managewp plugin 4.9.14 from managewp.com
+ccce5f45d1ac66bd2bebe75d666b5720 wp-content/plugins/redirection/models/regex.php
+ae810d74d638c611d8bd958777c9ac6a wp-content/plugins/ssl-insecure-content-fixer/includes/nonces.php