Whitelist update, reported in #76

Backdoor reported in #72
Backdoor reported in #71
2026-06-16 12:30:35 +00:00 · 2022-06-30 20:55:37 +02:00 · 2022-03-24 18:46:58 +01:00 · 2021-12-13 18:09:02 +01:00 · 2021-05-27 06:57:08 +02:00 · 2021-05-27 06:57:08 +02:00
3 changed files with 61 additions and 23 deletions
--- a/definitions/patterns_raw.txt
+++ b/definitions/patterns_raw.txt
@@ -180,6 +180,7 @@ kZWZpbm

 # Obfuscation related code
 eval("?>
+eval('?>
 "base64_decode"
 ='base'.(32*2).'_de'.'code'
 "p"."r"."e"."g"."_"
@@ -202,6 +203,8 @@ gz'.'inf'.'late
 # fopo.com.ar - free online php obfuscator. It conveniently leaves comments in the code.
 http://www.fopo.com.ar/
@eval("\
+";eval(
+eval(eval(

 #Malware/Attack specific strings/fingerprints/signatures
 MagelangCyber
@@ -374,3 +377,13 @@ ZeroByte
 # SEO poisoning control site call
 "http://$xxx
 ?useragent=$botbotbot
+
+# php://input encoded in base64
+cGhwOi8vaW5wdXQ=
+
+# backdoor script
+<font color="red">Upload Gagal..</font><br />
+explode('?>',$shell
+
+# common mobile agent check in SEO poison scripts
+Array("1207", "3gso", "4thp", "501i", "502i", "503i", "504i", "505i", "506i",
--- a/definitions/patterns_re.txt
+++ b/definitions/patterns_re.txt
@@ -116,4 +116,23 @@ function\s+_[0-9]{8,}\(
 create_function\s*\(\s*['"]{2}

 # control concated from cookie at the call
-(\$[a-z]{2,}=urldecode\(\$_COOKIE\['[a-z]{2,}'\]\);){3,}
+(\$[a-z]{2,}=urldecode\(\$_COOKIE\['[a-z]{2,}'\]\);){3,}
+
+# ${$O{18}.$O{7}.$O{24}.$O{2}.$O{50}.$O{8}
+(\$[A-Z]+\{\d+\}\.){3,}
+
+# comment in variable name $_REQUEST /*YUsrqpbzvXTSa...QpDNTPYQvLSFPCqsSnWNVqPdSIAYaQj*/[
+\$_REQUEST\s*\/\*[A-Za-z]+\*\/\[
+
+# cookie payload if(isset($_COOKIE)){$p=$_COOKIE;(count($p)==55&&in_array(gettype($p).count($p),$p))?(($p[68]=$p[68].$p[22])&&($p[35]=$p[68]($p[35]))&&($p=$p[35]($p[13],$p[68]($p[45])))&&$p()):$p;}
+\(count\(\$p\)==\d+&&in_array\(gettype\(\$p\)\.count\(\$p\),\$p\)\)
+
+# gzipped payload post process
+explode\('\|\x01\|\x03\|\x03', gzinflate\(
+
+# backdoor reported #71
+@header\(\w{3,5}::\w{1,2}\('_\w{1,3}' \. '\w{1,3}', '_\w{1,3}'\)\);
+@header\(\w{3,5}::\w{1,2}\('_\w{1,3}', '_' \. '\w{1,3}' . '\w{1,3}'\)\);
+
+# backdoor reported #72
+@\$[a-z]{1}\[\d+\]\(\$[a-z]{1}\[\d+\]\);
--- a/whitelist.txt
+++ b/whitelist.txt
@@ -256,25 +256,31 @@ e45b8afd0b65516c175ed23f7183bab1 /jquery-migrate-1.1.1.min.js
 dc0102c151c491b8a0f65a520e26e083 /jquery-migrate-1.1.0.min.js
 1f5980833a26b490296db71951e1024f /jquery-migrate-1.0.0.js
 dd6f8586a1afae562493e9c7cd1ffeea /jquery-migrate-1.0.0.min.js
-f2fc939d607b2e861af2701a15d14430  /ace/ace.min.js
-2954b8d06fd846e81c12b0fd0b3d2d35  /ace/ace/ace.js
-c333e22e892cd099e776e9384bbbaa63  /ace/ace/ext-beautify.js
-b391899e17b7aea2cf2998656c40f2c6  /core/components/phpthumbof/model/aws/_compatibility_test/sdk_compatibility_test.php
-6cfb5a3b2820fe378b73c901ee6fc031  /core/components/phpthumbof/model/aws/sdk.class.php
-dd894a093463d38f9c9fdbcb7c88cc23  /core/model/aws/sdk.class.php
-1ed9b9eea82c9f1ead337b67c188206b  /core/model/phpthumb/phpthumb.class.php
-ef55bdc338994e87b650e2cf0f87df45  /core/model/smarty/sysplugins/smarty_internal_template.php
-f8f2e883e5323ed5935f42b17ceda6ba  /core/model/smarty/sysplugins/smarty_template_compiled.php
-3d84a338c9daaacc711834cb7797ac98  /core/model/smarty/sysplugins/smarty_cacheresource_custom.php
-d6be1074d266aecb739352150798d97d  /core/model/smarty/sysplugins/smarty_cacheresource_keyvaluestore.php
-c363512229135b182006a97ba43d31e7  /core/model/smarty/sysplugins/smarty_resource_recompiled.php
-fc8f1e9f0ff666af7beb3f61b055c0e8  /core/model/smarty/sysplugins/smarty_internal_cacheresource_file.php
-092a5a658bf49a3c1549f9bd809218ea  /core/xpdo/compression/pclzip.lib.php
-761f1578928050a03f4aa4c789f1d136  /manager/assets/fileapi/FileAPI.js
-3c9137d88a00b1ae0b41ff6a70571615  /assets/components/tinymcewrapper/frontend/imogen_theme/js/jquery.js
-bb127b5ce56b45e8b4b91de2e60dd9eb  /assets/components/googleanalytics/js/mgr/libs/highcharts.js
-7d7958bb0a9438a8966807f9202d0bce  /assets/components/tinymce/jscripts/tiny_mce/plugins/spellchecker/classes/PSpellShell.php
-3ee0a4d8a06cedc0a56f29e8f351ef72  /pclzip-2-8-2/pclzip.lib.php
-abfd2987afd1f66e3eed50bebbeb6750  /sucuri-scanner-1.8.24/src/base.lib.php
-78477b67cb223e4504689fef33119884  /sucuri-scanner-1.8.24/src/sitecheck.lib.php
-e48460f6ef0c911dc5ad558c57bfd52f  /sucuri-scanner-1.8.24/src/integrity.lib.php
+f2fc939d607b2e861af2701a15d14430 /ace/ace.min.js
+2954b8d06fd846e81c12b0fd0b3d2d35 /ace/ace/ace.js
+c333e22e892cd099e776e9384bbbaa63 /ace/ace/ext-beautify.js
+b391899e17b7aea2cf2998656c40f2c6 /core/components/phpthumbof/model/aws/_compatibility_test/sdk_compatibility_test.php
+6cfb5a3b2820fe378b73c901ee6fc031 /core/components/phpthumbof/model/aws/sdk.class.php
+dd894a093463d38f9c9fdbcb7c88cc23 /core/model/aws/sdk.class.php
+1ed9b9eea82c9f1ead337b67c188206b /core/model/phpthumb/phpthumb.class.php
+ef55bdc338994e87b650e2cf0f87df45 /core/model/smarty/sysplugins/smarty_internal_template.php
+f8f2e883e5323ed5935f42b17ceda6ba /core/model/smarty/sysplugins/smarty_template_compiled.php
+3d84a338c9daaacc711834cb7797ac98 /core/model/smarty/sysplugins/smarty_cacheresource_custom.php
+d6be1074d266aecb739352150798d97d /core/model/smarty/sysplugins/smarty_cacheresource_keyvaluestore.php
+c363512229135b182006a97ba43d31e7 /core/model/smarty/sysplugins/smarty_resource_recompiled.php
+fc8f1e9f0ff666af7beb3f61b055c0e8 /core/model/smarty/sysplugins/smarty_internal_cacheresource_file.php
+092a5a658bf49a3c1549f9bd809218ea /core/xpdo/compression/pclzip.lib.php
+761f1578928050a03f4aa4c789f1d136 /manager/assets/fileapi/FileAPI.js
+3c9137d88a00b1ae0b41ff6a70571615 /assets/components/tinymcewrapper/frontend/imogen_theme/js/jquery.js
+bb127b5ce56b45e8b4b91de2e60dd9eb /assets/components/googleanalytics/js/mgr/libs/highcharts.js
+7d7958bb0a9438a8966807f9202d0bce /assets/components/tinymce/jscripts/tiny_mce/plugins/spellchecker/classes/PSpellShell.php
+3ee0a4d8a06cedc0a56f29e8f351ef72 /pclzip-2-8-2/pclzip.lib.php
+abfd2987afd1f66e3eed50bebbeb6750 /sucuri-scanner-1.8.24/src/base.lib.php
+78477b67cb223e4504689fef33119884 /sucuri-scanner-1.8.24/src/sitecheck.lib.php
+e48460f6ef0c911dc5ad558c57bfd52f /sucuri-scanner-1.8.24/src/integrity.lib.php
+29f34168b7384cca58ba64885461e115 wp-admin/includes/class-pclzip.php -> Wordpress Core 6.0
+a54895edc1402cf1b7b5ecd3f5d85e6b wp-includes/formatting.php -> Wordpress Core 6.0
+178f2fbc6a48f605ed84b156103d5366 wp-content/plugins/wordpress-seo/vendor_prefixed/guzzlehttp/guzzle/src/Middleware.php -> Yoast SEO plugin 19.2
+1e2d246c57d2123aa8938c8263cb1d3d wp-content/plugins/wordpress-seo/admin/tracking/class-tracking-server-data.php -> Yoast SEO plugin 19.2
+cacb5670ebb2de31976a4b2eb06cac86 wp-content/plugins/worker/src/MWP/ServiceContainer/Abstract.php -> managewp plugin 4.9.14 from managewp.com
+ffa76b9ff298702a733747521cfdee69 wp-content/plugins/worker/src/MWP/Action/GetState.php -> managewp plugin 4.9.14 from managewp.com
Author	SHA1	Message	Date
Gabor Gyorvari	c6a52dc67e	Whitelist update, reported in #76	2022-06-30 20:55:37 +02:00
Gabor Gyorvari	3b76a7270e	Backdoor reported in #72	2022-03-24 18:46:58 +01:00
Gabor Gyorvari	f0bdb1f1e1	Backdoor reported in #71	2021-12-13 18:09:02 +01:00
Gabor Gyorvari	43876b337b	Pattern updates from new infections	2021-05-27 06:57:08 +02:00
Gabor Gyorvari	1fad164790	gzipped payload	2021-05-27 06:57:08 +02:00
Gabor Gyorvari	f4d53e89d8	Pattern updates from new infections	2021-05-27 06:57:08 +02:00