mirror of
https://github.com/scr34m/php-malware-scanner.git
synced 2026-06-16 12:30:35 +00:00
Compare commits
10 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
aec0f56af5 | ||
|
|
2e8b9c604f | ||
|
|
802ead97cc | ||
|
|
4666a101f9 | ||
|
|
e4755feeef | ||
|
|
920cf8a4c6 | ||
|
|
aa774f4330 | ||
|
|
cd1164dbb5 | ||
|
|
77ebd8abd7 | ||
|
|
29e6c73558 |
@@ -34,7 +34,7 @@ Usage: php scan.php -d <directory>
|
|||||||
-t --time Show time of last file change
|
-t --time Show time of last file change
|
||||||
-L --line-number Display matching pattern line number in file
|
-L --line-number Display matching pattern line number in file
|
||||||
-o --output-format Custom defined output format
|
-o --output-format Custom defined output format
|
||||||
-j --wordpress-version Version of wordpress to get md5 signatures
|
-j <version> --wordpress-version Version of wordpress to get md5 signatures
|
||||||
--combined-whitelist Combined whitelist
|
--combined-whitelist Combined whitelist
|
||||||
--custom-whitelist Loads whitelist from specified file and merge with existing
|
--custom-whitelist Loads whitelist from specified file and merge with existing
|
||||||
--disable-stats Disable statistics output
|
--disable-stats Disable statistics output
|
||||||
|
|||||||
@@ -20,3 +20,44 @@ surfright
|
|||||||
|
|
||||||
# SEO poison, pharmacy redirect
|
# SEO poison, pharmacy redirect
|
||||||
dealonline.su
|
dealonline.su
|
||||||
|
|
||||||
|
# functions escaped as hexadecimal string
|
||||||
|
7068705f756e616d65
|
||||||
|
70687076657273696f6e
|
||||||
|
6368646972
|
||||||
|
676574637764
|
||||||
|
707265675f73706c6974
|
||||||
|
636f7079
|
||||||
|
66696c655f6765745f636f6e74656e7473
|
||||||
|
6261736536345f6465636f6465
|
||||||
|
69735f646972
|
||||||
|
6f625f656e645f636c65616e28293b
|
||||||
|
756e6c696e6b
|
||||||
|
6d6b646972
|
||||||
|
63686d6f64
|
||||||
|
7363616e646972
|
||||||
|
7374725f7265706c616365
|
||||||
|
68746d6c7370656369616c6368617273
|
||||||
|
7661725f64756d70
|
||||||
|
666f70656e
|
||||||
|
667772697465
|
||||||
|
66636c6f7365
|
||||||
|
64617465
|
||||||
|
66696c656d74696d65
|
||||||
|
737562737472
|
||||||
|
737072696e7466
|
||||||
|
66696c657065726d73
|
||||||
|
746f756368
|
||||||
|
66696c655f657869737473
|
||||||
|
72656e616d65
|
||||||
|
69735f6172726179
|
||||||
|
69735f6f626a656374
|
||||||
|
737472706f73
|
||||||
|
69735f7772697461626c65
|
||||||
|
69735f7265616461626c65
|
||||||
|
737472746f74696d65
|
||||||
|
66696c6573697a65
|
||||||
|
726d646972
|
||||||
|
6f625f6765745f636c65616e
|
||||||
|
7265616466696c65
|
||||||
|
617373657274
|
||||||
@@ -384,6 +384,11 @@ cGhwOi8vaW5wdXQ=
|
|||||||
# backdoor script
|
# backdoor script
|
||||||
<font color="red">Upload Gagal..</font><br />
|
<font color="red">Upload Gagal..</font><br />
|
||||||
explode('?>',$shell
|
explode('?>',$shell
|
||||||
|
0.33333333333333+0.33333333333333+0.33333333333333
|
||||||
|
0.66666666666667+0.66666666666667+0.66666666666667
|
||||||
|
1.3333333333333+1.3333333333333+1.3333333333333
|
||||||
|
class _t{private static$_
|
||||||
|
'LQ'.'=='
|
||||||
|
|
||||||
# common mobile agent check in SEO poison scripts
|
# common mobile agent check in SEO poison scripts
|
||||||
Array("1207", "3gso", "4thp", "501i", "502i", "503i", "504i", "505i", "506i",
|
Array("1207", "3gso", "4thp", "501i", "502i", "503i", "504i", "505i", "506i",
|
||||||
@@ -394,3 +399,8 @@ eval(rawurldecode('
|
|||||||
# simple obfuscated function
|
# simple obfuscated function
|
||||||
'gz'.'unc'.'ompress'
|
'gz'.'unc'.'ompress'
|
||||||
'create'.'_'.'function'
|
'create'.'_'.'function'
|
||||||
|
'gzinf', 'la', 'te'
|
||||||
|
'e_f', 'cti', 'un', 'on', 'cr', 'eat'
|
||||||
|
'base', '64_dec', 'ode'
|
||||||
|
'cook', 'set', 'ie'
|
||||||
|
'repl', 'str_', 'ace'
|
||||||
|
|||||||
@@ -148,3 +148,6 @@ eval\([A-Za-z0-9]{5,}\(\"[A-Z0-9]{16,}
|
|||||||
|
|
||||||
# gzip payload called by variable named function
|
# gzip payload called by variable named function
|
||||||
\$[a-zA-Z0-9]{6,}\('\x78\x9C\xAD\x90\x41\x0E
|
\$[a-zA-Z0-9]{6,}\('\x78\x9C\xAD\x90\x41\x0E
|
||||||
|
|
||||||
|
# obfuscated code return with error suppression
|
||||||
|
return @\$[a-z]{2}\d+\[\d+\]\(\$[a-z]{2}\d+\[\d+\],
|
||||||
10
scan.php
10
scan.php
@@ -622,8 +622,8 @@ class MalwareScanner
|
|||||||
private function report($start, $dir)
|
private function report($start, $dir)
|
||||||
{
|
{
|
||||||
$end = time();
|
$end = time();
|
||||||
echo 'Start time: ' . strftime('%Y-%m-%d %H:%M:%S', $start) . PHP_EOL;
|
echo 'Start time: ' . date('Y-m-d H:m:s', $start) . PHP_EOL;
|
||||||
echo 'End time: ' . strftime('%Y-%m-%d %H:%M:%S', $end) . PHP_EOL;
|
echo 'End time: ' . date('Y-m-d H:m:s', $end) . PHP_EOL;
|
||||||
echo 'Total execution time: ' . ($end - $start) . PHP_EOL;
|
echo 'Total execution time: ' . ($end - $start) . PHP_EOL;
|
||||||
echo 'Base directory: ' . $dir . PHP_EOL;
|
echo 'Base directory: ' . $dir . PHP_EOL;
|
||||||
echo 'Total directories scanned: ' . $this->stat['directories'] . PHP_EOL;
|
echo 'Total directories scanned: ' . $this->stat['directories'] . PHP_EOL;
|
||||||
@@ -709,14 +709,14 @@ class MalwareScanner
|
|||||||
//Returns true if the raw string exists in the file contents.
|
//Returns true if the raw string exists in the file contents.
|
||||||
private function scanFunc_STR(&$pattern, &$content)
|
private function scanFunc_STR(&$pattern, &$content)
|
||||||
{
|
{
|
||||||
return strpos($content, $pattern);
|
return strpos($content, (string)$pattern);
|
||||||
}
|
}
|
||||||
|
|
||||||
//Performs raw string, case insensitive matching.
|
//Performs raw string, case insensitive matching.
|
||||||
//Returns true if the raw string exists in the file contents, ignoring case.
|
//Returns true if the raw string exists in the file contents, ignoring case.
|
||||||
private function scanFunc_STRI(&$pattern, &$content)
|
private function scanFunc_STRI(&$pattern, &$content)
|
||||||
{
|
{
|
||||||
return stripos($content, $pattern);
|
return stripos($content, (string)$pattern);
|
||||||
}
|
}
|
||||||
|
|
||||||
//Performs regular expression matching.
|
//Performs regular expression matching.
|
||||||
@@ -859,7 +859,7 @@ class MalwareScanner
|
|||||||
echo ' -t --time Show time of last file change' . PHP_EOL;
|
echo ' -t --time Show time of last file change' . PHP_EOL;
|
||||||
echo ' -L --line-number Display matching pattern line number in file' . PHP_EOL;
|
echo ' -L --line-number Display matching pattern line number in file' . PHP_EOL;
|
||||||
echo ' -o --output-format Custom defined output format' . PHP_EOL;
|
echo ' -o --output-format Custom defined output format' . PHP_EOL;
|
||||||
echo ' -j --wordpress-version Version of wordpress to get md5 signatures' . PHP_EOL;
|
echo ' -j <version> --wordpress-version Version of wordpress to get md5 signatures' . PHP_EOL;
|
||||||
echo ' --combined-whitelist Combined whitelist' . PHP_EOL;
|
echo ' --combined-whitelist Combined whitelist' . PHP_EOL;
|
||||||
echo ' --disable-stats Disable statistics output' . PHP_EOL;
|
echo ' --disable-stats Disable statistics output' . PHP_EOL;
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user