Nested function call pattern update

Pattern update about new infections found
Whitelist update and two little pattern fix, reported in #78
2026-06-16 12:30:35 +00:00 · 2022-07-17 08:17:20 +02:00 · 2022-07-14 19:59:23 +02:00 · 2022-07-11 20:03:53 +02:00
4 changed files with 23 additions and 5 deletions
--- a/definitions/patterns_iraw.txt
+++ b/definitions/patterns_iraw.txt
@@ -16,7 +16,7 @@ opendns
 phishtank
 sophos
 surfright
-symantec
+# symantec - removed because already a TLD too so generate many false positives
 # SEO poison, pharmacy redirect
 dealonline.su
--- a/definitions/patterns_raw.txt
+++ b/definitions/patterns_raw.txt
@@ -386,4 +386,11 @@ cGhwOi8vaW5wdXQ=
 explode('?>',$shell
 # common mobile agent check in SEO poison scripts
-Array("1207", "3gso", "4thp", "501i", "502i", "503i", "504i", "505i", "506i",
+Array("1207", "3gso", "4thp", "501i", "502i", "503i", "504i", "505i", "506i",
 # eval url decoded string
 eval(rawurldecode('
 # simple obfuscated function
 'gz'.'unc'.'ompress'
 'create'.'_'.'function'
--- a/definitions/patterns_re.txt
+++ b/definitions/patterns_re.txt
@@ -60,7 +60,7 @@ chr\s*\(\s*101\s*\)\s*\.\s*chr\s*\(\s*118\s*\)\s*\.\s*chr\s*\(\s*97\s*\)\s*\.\s*
 #Detects the '_' character encoded in a string like "\x5F".  '_' is present in many functions that malware would want to hide.
 # '_' as "\x5f"
-\\[Xx](5[Ff])
+# \\[Xx](5[Ff]) - removed because generate many false positives
 #Detects the '_' character placed inside a call to the 'chr()' function
 # '_' as 'chr(95)' or 'chr(0x5f)'
@@ -95,7 +95,7 @@ eval\(\$[a-z0-9_]+\(\$_POST
 ("[a-z0-9]+"\.chr\(\d+\)\.){3,}
 # nested function call used variables
-\$[a-z]+\(\$[a-z0-9]+\(
+\$[a-z0-9_]+\(\$[a-z0-9_]+\(
 # GLOBALS inject with escaped content
 \$GLOBALS;\$\{"\\x
@@ -138,4 +138,13 @@ explode\('\|\x01\|\x03\|\x03', gzinflate\(
@\$[a-z]{1}\[\d+\]\(\$[a-z]{1}\[\d+\]\);
 # reported #77
-\$[a-z]11 \^ [a-z]8\(\$[a-z]6, \$[a-z]14, \$[a-z]6\[13\]\(\$[a-z]11\)\)\)\);
+\$[a-z]11 \^ [a-z]8\(\$[a-z]6, \$[a-z]14, \$[a-z]6\[13\]\(\$[a-z]11\)\)\)\);
 # eval function return and concat
 eval\([A-Za-z]{5,}\(\) \. '
 # eval function return, parameter is a hex string
 eval\([A-Za-z0-9]{5,}\(\"[A-Z0-9]{16,}
 # gzip payload called by variable named function
 \$[a-zA-Z0-9]{6,}\('\x78\x9C\xAD\x90\x41\x0E
--- a/whitelist.txt
+++ b/whitelist.txt
@@ -284,3 +284,5 @@ a54895edc1402cf1b7b5ecd3f5d85e6b wp-includes/formatting.php -> Wordpress Core 6.
 1e2d246c57d2123aa8938c8263cb1d3d wp-content/plugins/wordpress-seo/admin/tracking/class-tracking-server-data.php -> Yoast SEO plugin 19.2
 cacb5670ebb2de31976a4b2eb06cac86 wp-content/plugins/worker/src/MWP/ServiceContainer/Abstract.php -> managewp plugin 4.9.14 from managewp.com
 ffa76b9ff298702a733747521cfdee69 wp-content/plugins/worker/src/MWP/Action/GetState.php -> managewp plugin 4.9.14 from managewp.com
 ccce5f45d1ac66bd2bebe75d666b5720 wp-content/plugins/redirection/models/regex.php
 ae810d74d638c611d8bd958777c9ac6a wp-content/plugins/ssl-insecure-content-fixer/includes/nonces.php
Author	SHA1	Message	Date
Gabor Gyorvari	bf13288367	Nested function call pattern update	2022-07-17 08:17:20 +02:00
Gabor Gyorvari	088c0761b3	Pattern update about new infections found	2022-07-14 19:59:23 +02:00
Gabor Gyorvari	18b06fc48b	Whitelist update and two little pattern fix, reported in #78	2022-07-11 20:03:53 +02:00