Little return value fix

Fix multiple bugs and improve robustness

.gitignore

@@ -0,0 +1,3 @@
+.idea/
+whitelist.dat
+vendor/

Dockerfile

@@ -0,0 +1,15 @@
+FROM php:8.2-cli
+
+# Install dependencies
+RUN apt-get update && apt-get install -y \
+    git \
+    unzip \
+    libzip-dev \
+    && docker-php-ext-install zip
+
+WORKDIR /scanner
+COPY . .
+RUN chmod +x scan
+
+ENTRYPOINT ["./scan"]
+CMD ["/code"] 

README.md

@@ -34,7 +34,7 @@ Usage: php scan.php -d <directory>
     -t                   --time               Show time of last file change
     -L                   --line-number        Display matching pattern line number in file
     -o                   --output-format      Custom defined output format
-    -j                   --wordpress-version  Version of wordpress to get md5 signatures
+    -j <version>         --wordpress-version  Version of wordpress to get md5 signatures
                          --combined-whitelist Combined whitelist
                          --custom-whitelist   Loads whitelist from specified file and merge with existing
                          --disable-stats      Disable statistics output
@@ -146,3 +146,37 @@ Licensing
 ---------
 
 PHP malware scanner is [licensed](https://github.com/scr34m/php-malware-scanner/blob/master/LICENSE.txt) under the GNU General Public License v3.
+
+Docker Usage
+-----------
+
+You can also run the scanner using Docker:
+
+1. Build the image:
+```bash
+docker build -t php-malware-scanner .
+```
+
+2. Scan a directory:
+```bash
+docker run -v /path/to/scan:/code php-malware-scanner -d /code
+```
+
+For example, to scan a WordPress installation:
+```bash
+docker run -v /var/www/html:/code php-malware-scanner -d /code -j 6.4.1
+```
+
+Common usage with flags:
+```bash
+# Show only infected files (hide OK status)
+docker run -v /path/to/scan:/code php-malware-scanner -d /code -k
+
+# Show comments for matched patterns
+docker run -v /path/to/scan:/code php-malware-scanner -d /code -c
+
+# Show MD5 hashes and continue after first match
+docker run -v /path/to/scan:/code php-malware-scanner -d /code -m -s
+```
+
+The `/code` directory inside the container is where your files will be mounted for scanning.

composer.json

@@ -6,7 +6,7 @@
   "license": "GPL-3.0",
   "homepage": "https://github.com/scr34m/php-malware-scanner",
   "require": {
-    "php": ">=5.2.0"
+    "php": ">=5.3.0"
   },
   "autoload": {
   },

definitions/patterns_iraw.txt

@@ -16,7 +16,48 @@ opendns
 phishtank
 sophos
 surfright
-symantec
+# symantec - removed because already a TLD too so generate many false positives
 
 # SEO poison, pharmacy redirect
-dealonline.su
+dealonline.su
+
+# functions escaped as hexadecimal string
+7068705f756e616d65
+70687076657273696f6e
+6368646972
+676574637764
+707265675f73706c6974
+636f7079
+66696c655f6765745f636f6e74656e7473
+6261736536345f6465636f6465
+69735f646972
+6f625f656e645f636c65616e28293b
+756e6c696e6b
+6d6b646972
+63686d6f64
+7363616e646972
+7374725f7265706c616365
+68746d6c7370656369616c6368617273
+7661725f64756d70
+666f70656e
+667772697465
+66636c6f7365
+64617465
+66696c656d74696d65
+737562737472
+737072696e7466
+66696c657065726d73
+746f756368
+66696c655f657869737473
+72656e616d65
+69735f6172726179
+69735f6f626a656374
+737472706f73
+69735f7772697461626c65
+69735f7265616461626c65
+737472746f74696d65
+66696c6573697a65
+726d646972
+6f625f6765745f636c65616e
+7265616466696c65
+617373657274

definitions/patterns_raw.txt

@@ -22,14 +22,23 @@ SHELL_PASSWORD
 ConnectBackShell
 ShellBOT
 == "bindshell"
+".\x00..\x20"
+FM_SESSION_ID
+HACKED BY
+_Mybb
 
 #Remote Code
 curl_get_from_webpage
 file_get_contents('http://codepad.org
 
+#mailers
+leafmailer.pw
 
 #Base64 String Samples.  Each plain text string should have 3 base64 equivalents
 
+# https://
+aHR0cHM6Ly
+
 # "shell" in base64
 c2hlbG
 NoZWxs
@@ -179,15 +188,23 @@ RlZmluZ
 kZWZpbm
 
 # Obfuscation related code
+'.'6'.'4'.'_'.'
+bas'.'e64_dec
+file'.'_put_co
+fil'.'e_ex
+Pz4=
+L3gvaQ==
 eval("?>
 eval('?>
+@eval(
 "base64_decode"
 ='base'.(32*2).'_de'.'code'
 "p"."r"."e"."g"."_"
 WSOstripslashes
-\x73\x79\x73\x74\x65\x6d' /* case, dec/hex issue? */, // system
-\x70\x72\x65\x67\x5f\x72\x65\x70\x6c\x61\x63\x65' /* case, dec/hex issue? */, // preg_replace
-\x65\x78\x65\x63' /* dec/hex issue? */, // exec
+\x5f\x43\x4f\x4f\x4b\x49\x45
+\x73\x79\x73\x74\x65\x6d
+\x70\x72\x65\x67\x5f\x72\x65\x70\x6c\x61\x63\x65
+\x65\x78\x65\x63
 ev\x61l
 \x65\166\x61\154\x28' /* dec/hex issue? */,
 \x65\x76\x61\x6C' /* case, dec/hex issue? */,
@@ -200,11 +217,21 @@ base=base64_encode
 'b'.'ase6'.'4_e'.'ncode'
 cr"."eat"."e_fun"."cti"."on
 gz'.'inf'.'late
-# fopo.com.ar - free online php obfuscator. It conveniently leaves comments in the code.
-http://www.fopo.com.ar/
 @eval("\
 ";eval(
 eval(eval(
+@eval(`
+eVaL('?>
+eval($_REQUEST
+convert_uudecode(convert_uuencode
+"64_decode"
+'f' . 'il' . 'e' . '_'
+'co' . 'nt' . 'e' . 'nt'
+'h' . 'tm' . 'l' . 'sp'
+'ha' . 'r' . 's'
+
+# fopo.com.ar - free online php obfuscator. It conveniently leaves comments in the code.
+http://www.fopo.com.ar/
 
 #Malware/Attack specific strings/fingerprints/signatures
 MagelangCyber
@@ -262,6 +289,13 @@ FaisaL Ahmed aka rEd X
 smisbot
 smotherbot
 Indonesian Hacker Rulez
+pwetan.com
+iNHUMaN
+Heartzz
+Bye Bye Litespeed
+BunnyInvisible
+SEMOGABERKAH
+BUTERFLYCOUNTRY
 
 # WP-VCD Malware https://www.getastra.com/blog/911/how-to-fix-wp-vcd-backdoor-hack-in-wordpress-functions-php/
 wp-vcd
@@ -359,6 +393,7 @@ php_uname()
 str_split(rawurldecode(str_rot13(
 # generating PHP file name to put content
 substr(md5(time()), 0, 8) . ".php"
+'a:1:{s:13:\"administrator\";b:1;}'
 
 # webshell
 0byt3m1n1
@@ -377,6 +412,7 @@ ZeroByte
 # SEO poisoning control site call
 "http://$xxx
 ?useragent=$botbotbot
+[#*#*#]
 
 # php://input encoded in base64
 cGhwOi8vaW5wdXQ=
@@ -384,6 +420,51 @@ cGhwOi8vaW5wdXQ=
 # backdoor script
 <font color="red">Upload Gagal..</font><br />
 explode('?>',$shell
+0.33333333333333+0.33333333333333+0.33333333333333
+0.66666666666667+0.66666666666667+0.66666666666667
+1.3333333333333+1.3333333333333+1.3333333333333
+class _t{private static$_
+'LQ'.'=='
 
 # common mobile agent check in SEO poison scripts
-Array("1207", "3gso", "4thp", "501i", "502i", "503i", "504i", "505i", "506i",
+Array("1207", "3gso", "4thp", "501i", "502i", "503i", "504i", "505i", "506i",
+
+# eval url decoded string
+eval(rawurldecode('
+eval(htmlspecialchars_decode(
+
+# simple obfuscated function
+'gz'.'unc'.'ompress'
+'create'.'_'.'function'
+'gzinf', 'la', 'te'
+'e_f', 'cti', 'un', 'on', 'cr', 'eat'
+'base', '64_dec', 'ode'
+'cook', 'set', 'ie'
+'repl', 'str_', 'ace'
+"base"."64_"
+'base'.'64_'
+"t"."m"."p"."_"."n"."a"."m"."e"
+"f"."i"."l"."e"."_"."p"."u"."t"
+"f"."i"."l"."e"."_"."g"."e"."t"
+'ode', 'e64_', 'bas', 'dec'
+'unct', 'ion', 'te_f', 'crea'
+'te', 'g', 'nf', 'l', 'a', 'zi'
+'tion', 'e_func', 'creat'
+'64_d', 'se', 'eco', 'de', 'ba'
+'co', 'ki', 'e', 'o', 'set'
+'str', '_rep', 'lace'
+
+# process data from request object directly
+extract($_REQUEST) && @$
+extract($_REQUEST)&&@$
+xtract($_REQUEST)&&@$
+
+# uncompress cafted content
+gzuncompress(strrev(substr(
+
+# disable error reporting
+<?php error_reporting(0);?>
+
+# infected file include attached on the top of a legit file
+<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>
+<?php if (file_exists(dirname(__FILE__) . '/class.plugin-modules.php')) include_once(dirname(__FILE__) . '/class.plugin-modules.php'); ?>

definitions/patterns_re.txt

@@ -60,7 +60,7 @@ chr\s*\(\s*101\s*\)\s*\.\s*chr\s*\(\s*118\s*\)\s*\.\s*chr\s*\(\s*97\s*\)\s*\.\s*
 
 #Detects the '_' character encoded in a string like "\x5F".  '_' is present in many functions that malware would want to hide.
 # '_' as "\x5f"
-\\[Xx](5[Ff])
+# \\[Xx](5[Ff]) - removed because generate many false positives
 
 #Detects the '_' character placed inside a call to the 'chr()' function
 # '_' as 'chr(95)' or 'chr(0x5f)'
@@ -79,7 +79,7 @@ chr\s*\(\s*['"]?\s*((95)|(0[Xx]5[Ff]))\s*['"]?\s*\)
 #Escaped path characters: \x2fho\x6de/\x69mp\x75ls\x69oq\x65/w\x77w. or \x2fhome\x2fimpu\x6csioq\x65/www\x2emusc
 (\\x[0-9abcdef]{2}[a-z0-9.-\/]{1,4}){4,}
 
-#Malware inffected files sometimes marked with comments like /*87cda*/ to avoid infect again
+#Malware infected files sometimes marked with comments like /*87cda*/ to avoid infect again
 \/\*[a-z0-9]{5}\*\/
 
 # XOR-ed strings with custom math
@@ -95,7 +95,7 @@ eval\(\$[a-z0-9_]+\(\$_POST
 ("[a-z0-9]+"\.chr\(\d+\)\.){3,}
 
 # nested function call used variables
-\$[a-z]+\(\$[a-z0-9]+\(
+\$[a-z0-9_]+\(\$[a-z0-9_]+\(
 
 # GLOBALS inject with escaped content
 \$GLOBALS;\$\{"\\x
@@ -135,4 +135,33 @@ explode\('\|\x01\|\x03\|\x03', gzinflate\(
 @header\(\w{3,5}::\w{1,2}\('_\w{1,3}', '_' \. '\w{1,3}' . '\w{1,3}'\)\);
 
 # backdoor reported #72
-@\$[a-z]{1}\[\d+\]\(\$[a-z]{1}\[\d+\]\);
+@\$[a-z]{1}\[\d+\]\(\$[a-z]{1}\[\d+\]\);
+
+# reported #77
+\$[a-z]11 \^ [a-z]8\(\$[a-z]6, \$[a-z]14, \$[a-z]6\[13\]\(\$[a-z]11\)\)\)\);
+
+# eval function return and concat
+eval\([A-Za-z0-9]{5,}\(\) \. '
+
+# eval function return, parameter is a hex string
+eval\([A-Za-z0-9]{5,}\(\"[A-Z0-9]{16,}
+
+eval\(\s+'\?>'
+
+# gzip payload called by variable named function
+\$[a-zA-Z0-9]{6,}\('\x78\x9C\xAD\x90\x41\x0E
+
+# obfuscated code return with error suppression
+return @\$[a-z]{2}\d+\[\d+\]\(\$[a-z]{2}\d+\[\d+\],
+
+# htaccess alternating
+[a-z]{1}\([a-z]{1}\(\$[a-z]{2}\.'\/\.htaccess'\)
+
+# Javascript specific rules
+
+# JS - escaped command
+\.fromCharCode\([0-9,]{4,}\)
+\+-parseInt\(\w\('0x[0-9a-z]+'\)\)\/
+
+# concated hash value
+('[a-z0-9]{2,}'\.){4,}

scan.php

@@ -203,7 +203,10 @@ class MalwareScanner
                 $fp = fopen($file, 'r');
                 while (!feof($fp)) {
                     $line = fgets($fp);
-                    $this->whitelist[] = substr($line, 0, 32);
+                    $hash = substr($line, 0, 32);
+                    if (strlen($hash) === 32) {
+                        $this->whitelist[] = $hash;
+                    }
                 }
                 fclose($fp);
             }
@@ -212,16 +215,32 @@ class MalwareScanner
 
     public function addWordpressChecksums($wp_version)
     {
-        $apiurl = 'https://api.wordpress.org/core/checksums/1.0/?version=' . $wp_version;
-        $json = json_decode(file_get_contents($apiurl));
-        $checksums = $json->checksums;
+        if (!preg_match('/^\d+\.\d+(\.\d+)?$/', $wp_version)) {
+            $this->error('Invalid WordPress version format: ' . $wp_version);
+            exit(-1);
+        }
 
-        if ($checksums->$wp_version == false) { #no checksum returned
+        $apiurl = 'https://api.wordpress.org/core/checksums/1.0/?version=' . $wp_version;
+        $raw = file_get_contents($apiurl);
+        if ($raw === false) {
             $this->error('Cannot load wordpress checksums from: ' . $apiurl);
             exit(-1);
         }
 
-        foreach ($checksums->$wp_version as $file => $checksum) {
+        $json = json_decode($raw);
+        if ($json === null || !isset($json->checksums)) {
+            $this->error('Invalid response from WordPress checksums API');
+            exit(-1);
+        }
+
+        $checksums = $json->checksums;
+        if ($checksums === false || empty((array)$checksums)) {
+            $this->error('No checksums returned for WordPress version: ' . $wp_version);
+            exit(-1);
+        }
+
+        $entries = isset($checksums->$wp_version) ? $checksums->$wp_version : $checksums;
+        foreach ($entries as $file => $checksum) {
             $this->whitelist[] = $checksum;
         }
     }
@@ -231,7 +250,7 @@ class MalwareScanner
     private function parseArgs()
     {
         $options = getopt(
-            'd:e:i:o:abmcxlhkwnsptLj:E',
+            'd:e:i:o:abmcxlhkrwnsptLj:E',
             array(
                 'directory:',
                 'extension:',
@@ -244,6 +263,7 @@ class MalwareScanner
                 'follow-link',
                 'help',
                 'hide-ok',
+                'hide-err',
                 'hide-whitelist',
                 'no-color',
                 'no-stop',
@@ -622,8 +642,8 @@ class MalwareScanner
     private function report($start, $dir)
     {
         $end = time();
-        echo 'Start time: ' . strftime('%Y-%m-%d %H:%M:%S', $start) . PHP_EOL;
-        echo 'End time: ' . strftime('%Y-%m-%d %H:%M:%S', $end) . PHP_EOL;
+        echo 'Start time: ' . date('Y-m-d H:i:s', $start) . PHP_EOL;
+        echo 'End time: ' . date('Y-m-d H:i:s', $end) . PHP_EOL;
         echo 'Total execution time: ' . ($end - $start) . PHP_EOL;
         echo 'Base directory: ' . $dir . PHP_EOL;
         echo 'Total directories scanned: ' . $this->stat['directories'] . PHP_EOL;
@@ -679,6 +699,12 @@ class MalwareScanner
     {
         $this->stat['files_scanned']++;
         $fileContent = file_get_contents($path);
+        if ($fileContent === false) {
+            if (!$this->flagHideErr) {
+                echo $this->ANSI_RED . '# ER' . $this->ANSI_OFF . ' # {' . $path . '} (unreadable)' . PHP_EOL;
+            }
+            return false;
+        }
         $found = false;
         $inWhitelist = false;
         $hash = md5($fileContent);
@@ -709,14 +735,14 @@ class MalwareScanner
     //Returns true if the raw string exists in the file contents.
     private function scanFunc_STR(&$pattern, &$content)
     {
-        return strpos($content, $pattern);
+        return strpos($content, (string)$pattern);
     }
 
     //Performs raw string, case insensitive matching.
     //Returns true if the raw string exists in the file contents, ignoring case.
     private function scanFunc_STRI(&$pattern, &$content)
     {
-        return stripos($content, $pattern);
+        return stripos($content, (string)$pattern);
     }
 
     //Performs regular expression matching.
@@ -724,7 +750,10 @@ class MalwareScanner
     //Patterns will match multiple lines, though you can use ^$ to match the beginning and end of a line.
     private function scanFunc_RE(&$pattern, &$content)
     {
-        $ret = preg_match('/' . $pattern . '/im', $content, $match, PREG_OFFSET_CAPTURE);
+        $ret = @preg_match('/' . $pattern . '/im', $content, $match, PREG_OFFSET_CAPTURE);
+        if ($ret === false) {
+            return false;
+        }
         if ($ret) {
             return $match[0][1];
         }
@@ -789,11 +818,14 @@ class MalwareScanner
 
     private function updateCombinedWhitelist($url = 'https://scr34m.github.io/php-malware-scanner')
     {
-        $latest_hash = trim(file_get_contents($url . '/database/compressed.sha256'));
+        $ctx = stream_context_create(array('http' => array('timeout' => 30)));
+
+        $latest_hash = file_get_contents($url . '/database/compressed.sha256', false, $ctx);
         if ($latest_hash === false) {
             $this->error('Unable to download database checksum');
             return false;
         }
+        $latest_hash = trim($latest_hash);
 
         $file = __DIR__ . '/whitelist.dat';
         if (is_readable($file)) {
@@ -808,7 +840,7 @@ class MalwareScanner
         }
 
         if ($download) {
-            $data = file_get_contents($url . '/database/compressed.dat');
+            $data = file_get_contents($url . '/database/compressed.dat', false, $ctx);
             if ($data === false) {
                 $this->error('Unable to download database');
                 return false;
@@ -818,6 +850,7 @@ class MalwareScanner
             $hash = hash_file('sha256', $file);
             if ($hash != $latest_hash) {
                 $this->error('Downloaded database hash mismatch');
+                return false;
             }
         }
 
@@ -859,7 +892,7 @@ class MalwareScanner
         echo '    -t                   --time               Show time of last file change' . PHP_EOL;
         echo '    -L                   --line-number        Display matching pattern line number in file' . PHP_EOL;
         echo '    -o                   --output-format      Custom defined output format' . PHP_EOL;
-        echo '    -j                   --wordpress-version  Version of wordpress to get md5 signatures' . PHP_EOL;
+        echo '    -j <version>         --wordpress-version  Version of wordpress to get md5 signatures' . PHP_EOL;
         echo '                         --combined-whitelist Combined whitelist' . PHP_EOL;
         echo '                         --disable-stats      Disable statistics output' . PHP_EOL;
 

whitelist.txt

@@ -284,3 +284,5 @@ a54895edc1402cf1b7b5ecd3f5d85e6b wp-includes/formatting.php -> Wordpress Core 6.
 1e2d246c57d2123aa8938c8263cb1d3d wp-content/plugins/wordpress-seo/admin/tracking/class-tracking-server-data.php -> Yoast SEO plugin 19.2
 cacb5670ebb2de31976a4b2eb06cac86 wp-content/plugins/worker/src/MWP/ServiceContainer/Abstract.php -> managewp plugin 4.9.14 from managewp.com
 ffa76b9ff298702a733747521cfdee69 wp-content/plugins/worker/src/MWP/Action/GetState.php -> managewp plugin 4.9.14 from managewp.com
+ccce5f45d1ac66bd2bebe75d666b5720 wp-content/plugins/redirection/models/regex.php
+ae810d74d638c611d8bd958777c9ac6a wp-content/plugins/ssl-insecure-content-fixer/includes/nonces.php