Sample update

Make it compatible with php 8.1

README.md

@@ -34,7 +34,7 @@ Usage: php scan.php -d <directory>
     -t                   --time               Show time of last file change
     -L                   --line-number        Display matching pattern line number in file
     -o                   --output-format      Custom defined output format
-    -j                   --wordpress-version  Version of wordpress to get md5 signatures
+    -j <version>         --wordpress-version  Version of wordpress to get md5 signatures
                          --combined-whitelist Combined whitelist
                          --custom-whitelist   Loads whitelist from specified file and merge with existing
                          --disable-stats      Disable statistics output

definitions/patterns_iraw.txt

@@ -16,7 +16,48 @@ opendns
 phishtank
 sophos
 surfright
-symantec
+# symantec - removed because already a TLD too so generate many false positives
 
 # SEO poison, pharmacy redirect
-dealonline.su
+dealonline.su
+
+# functions escaped as hexadecimal string
+7068705f756e616d65
+70687076657273696f6e
+6368646972
+676574637764
+707265675f73706c6974
+636f7079
+66696c655f6765745f636f6e74656e7473
+6261736536345f6465636f6465
+69735f646972
+6f625f656e645f636c65616e28293b
+756e6c696e6b
+6d6b646972
+63686d6f64
+7363616e646972
+7374725f7265706c616365
+68746d6c7370656369616c6368617273
+7661725f64756d70
+666f70656e
+667772697465
+66636c6f7365
+64617465
+66696c656d74696d65
+737562737472
+737072696e7466
+66696c657065726d73
+746f756368
+66696c655f657869737473
+72656e616d65
+69735f6172726179
+69735f6f626a656374
+737472706f73
+69735f7772697461626c65
+69735f7265616461626c65
+737472746f74696d65
+66696c6573697a65
+726d646972
+6f625f6765745f636c65616e
+7265616466696c65
+617373657274

definitions/patterns_raw.txt

@@ -205,6 +205,7 @@ http://www.fopo.com.ar/
 @eval("\
 ";eval(
 eval(eval(
+@eval(`
 
 #Malware/Attack specific strings/fingerprints/signatures
 MagelangCyber
@@ -262,6 +263,7 @@ FaisaL Ahmed aka rEd X
 smisbot
 smotherbot
 Indonesian Hacker Rulez
+pwetan.com
 
 # WP-VCD Malware https://www.getastra.com/blog/911/how-to-fix-wp-vcd-backdoor-hack-in-wordpress-functions-php/
 wp-vcd
@@ -384,6 +386,43 @@ cGhwOi8vaW5wdXQ=
 # backdoor script
 <font color="red">Upload Gagal..</font><br />
 explode('?>',$shell
+0.33333333333333+0.33333333333333+0.33333333333333
+0.66666666666667+0.66666666666667+0.66666666666667
+1.3333333333333+1.3333333333333+1.3333333333333
+class _t{private static$_
+'LQ'.'=='
 
 # common mobile agent check in SEO poison scripts
-Array("1207", "3gso", "4thp", "501i", "502i", "503i", "504i", "505i", "506i",
+Array("1207", "3gso", "4thp", "501i", "502i", "503i", "504i", "505i", "506i",
+
+# eval url decoded string
+eval(rawurldecode('
+
+# simple obfuscated function
+'gz'.'unc'.'ompress'
+'create'.'_'.'function'
+'gzinf', 'la', 'te'
+'e_f', 'cti', 'un', 'on', 'cr', 'eat'
+'base', '64_dec', 'ode'
+'cook', 'set', 'ie'
+'repl', 'str_', 'ace'
+"base"."64_"
+'base'.'64_'
+"t"."m"."p"."_"."n"."a"."m"."e"
+"f"."i"."l"."e"."_"."p"."u"."t"
+"f"."i"."l"."e"."_"."g"."e"."t"
+'ode', 'e64_', 'bas', 'dec'
+'unct', 'ion', 'te_f', 'crea'
+'te', 'g', 'nf', 'l', 'a', 'zi'
+'tion', 'e_func', 'creat'
+'64_d', 'se', 'eco', 'de', 'ba'
+'co', 'ki', 'e', 'o', 'set'
+'str', '_rep', 'lace'
+
+# process data from request object directly
+extract($_REQUEST) && @$
+extract($_REQUEST)&&@$
+xtract($_REQUEST)&&@$
+
+# uncompress cafted content
+gzuncompress(strrev(substr(

definitions/patterns_re.txt

@@ -60,7 +60,7 @@ chr\s*\(\s*101\s*\)\s*\.\s*chr\s*\(\s*118\s*\)\s*\.\s*chr\s*\(\s*97\s*\)\s*\.\s*
 
 #Detects the '_' character encoded in a string like "\x5F".  '_' is present in many functions that malware would want to hide.
 # '_' as "\x5f"
-\\[Xx](5[Ff])
+# \\[Xx](5[Ff]) - removed because generate many false positives
 
 #Detects the '_' character placed inside a call to the 'chr()' function
 # '_' as 'chr(95)' or 'chr(0x5f)'
@@ -95,7 +95,7 @@ eval\(\$[a-z0-9_]+\(\$_POST
 ("[a-z0-9]+"\.chr\(\d+\)\.){3,}
 
 # nested function call used variables
-\$[a-z]+\(\$[a-z0-9]+\(
+\$[a-z0-9_]+\(\$[a-z0-9_]+\(
 
 # GLOBALS inject with escaped content
 \$GLOBALS;\$\{"\\x
@@ -135,4 +135,22 @@ explode\('\|\x01\|\x03\|\x03', gzinflate\(
 @header\(\w{3,5}::\w{1,2}\('_\w{1,3}', '_' \. '\w{1,3}' . '\w{1,3}'\)\);
 
 # backdoor reported #72
-@\$[a-z]{1}\[\d+\]\(\$[a-z]{1}\[\d+\]\);
+@\$[a-z]{1}\[\d+\]\(\$[a-z]{1}\[\d+\]\);
+
+# reported #77
+\$[a-z]11 \^ [a-z]8\(\$[a-z]6, \$[a-z]14, \$[a-z]6\[13\]\(\$[a-z]11\)\)\)\);
+
+# eval function return and concat
+eval\([A-Za-z0-9]{5,}\(\) \. '
+
+# eval function return, parameter is a hex string
+eval\([A-Za-z0-9]{5,}\(\"[A-Z0-9]{16,}
+
+# gzip payload called by variable named function
+\$[a-zA-Z0-9]{6,}\('\x78\x9C\xAD\x90\x41\x0E
+
+# obfuscated code return with error suppression
+return @\$[a-z]{2}\d+\[\d+\]\(\$[a-z]{2}\d+\[\d+\],
+
+# htaccess alternating
+[a-z]{1}\([a-z]{1}\(\$[a-z]{2}\.'\/\.htaccess'\)

scan.php

@@ -622,8 +622,8 @@ class MalwareScanner
     private function report($start, $dir)
     {
         $end = time();
-        echo 'Start time: ' . strftime('%Y-%m-%d %H:%M:%S', $start) . PHP_EOL;
-        echo 'End time: ' . strftime('%Y-%m-%d %H:%M:%S', $end) . PHP_EOL;
+        echo 'Start time: ' . date('Y-m-d H:m:s', $start) . PHP_EOL;
+        echo 'End time: ' . date('Y-m-d H:m:s', $end) . PHP_EOL;
         echo 'Total execution time: ' . ($end - $start) . PHP_EOL;
         echo 'Base directory: ' . $dir . PHP_EOL;
         echo 'Total directories scanned: ' . $this->stat['directories'] . PHP_EOL;
@@ -709,14 +709,14 @@ class MalwareScanner
     //Returns true if the raw string exists in the file contents.
     private function scanFunc_STR(&$pattern, &$content)
     {
-        return strpos($content, $pattern);
+        return strpos($content, (string)$pattern);
     }
 
     //Performs raw string, case insensitive matching.
     //Returns true if the raw string exists in the file contents, ignoring case.
     private function scanFunc_STRI(&$pattern, &$content)
     {
-        return stripos($content, $pattern);
+        return stripos($content, (string)$pattern);
     }
 
     //Performs regular expression matching.
@@ -859,7 +859,7 @@ class MalwareScanner
         echo '    -t                   --time               Show time of last file change' . PHP_EOL;
         echo '    -L                   --line-number        Display matching pattern line number in file' . PHP_EOL;
         echo '    -o                   --output-format      Custom defined output format' . PHP_EOL;
-        echo '    -j                   --wordpress-version  Version of wordpress to get md5 signatures' . PHP_EOL;
+        echo '    -j <version>         --wordpress-version  Version of wordpress to get md5 signatures' . PHP_EOL;
         echo '                         --combined-whitelist Combined whitelist' . PHP_EOL;
         echo '                         --disable-stats      Disable statistics output' . PHP_EOL;
 

whitelist.txt

@@ -284,3 +284,5 @@ a54895edc1402cf1b7b5ecd3f5d85e6b wp-includes/formatting.php -> Wordpress Core 6.
 1e2d246c57d2123aa8938c8263cb1d3d wp-content/plugins/wordpress-seo/admin/tracking/class-tracking-server-data.php -> Yoast SEO plugin 19.2
 cacb5670ebb2de31976a4b2eb06cac86 wp-content/plugins/worker/src/MWP/ServiceContainer/Abstract.php -> managewp plugin 4.9.14 from managewp.com
 ffa76b9ff298702a733747521cfdee69 wp-content/plugins/worker/src/MWP/Action/GetState.php -> managewp plugin 4.9.14 from managewp.com
+ccce5f45d1ac66bd2bebe75d666b5720 wp-content/plugins/redirection/models/regex.php
+ae810d74d638c611d8bd958777c9ac6a wp-content/plugins/ssl-insecure-content-fixer/includes/nonces.php