mirror of
https://github.com/scr34m/php-malware-scanner.git
synced 2026-06-16 12:30:35 +00:00
Compare commits
11 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
26458d20af | ||
|
|
70edc4210d | ||
|
|
aec0f56af5 | ||
|
|
2e8b9c604f | ||
|
|
802ead97cc | ||
|
|
4666a101f9 | ||
|
|
e4755feeef | ||
|
|
920cf8a4c6 | ||
|
|
aa774f4330 | ||
|
|
cd1164dbb5 | ||
|
|
77ebd8abd7 |
@@ -34,7 +34,7 @@ Usage: php scan.php -d <directory>
|
||||
-t --time Show time of last file change
|
||||
-L --line-number Display matching pattern line number in file
|
||||
-o --output-format Custom defined output format
|
||||
-j --wordpress-version Version of wordpress to get md5 signatures
|
||||
-j <version> --wordpress-version Version of wordpress to get md5 signatures
|
||||
--combined-whitelist Combined whitelist
|
||||
--custom-whitelist Loads whitelist from specified file and merge with existing
|
||||
--disable-stats Disable statistics output
|
||||
|
||||
@@ -205,6 +205,7 @@ http://www.fopo.com.ar/
|
||||
@eval("\
|
||||
";eval(
|
||||
eval(eval(
|
||||
@eval(`
|
||||
|
||||
#Malware/Attack specific strings/fingerprints/signatures
|
||||
MagelangCyber
|
||||
@@ -262,6 +263,7 @@ FaisaL Ahmed aka rEd X
|
||||
smisbot
|
||||
smotherbot
|
||||
Indonesian Hacker Rulez
|
||||
pwetan.com
|
||||
|
||||
# WP-VCD Malware https://www.getastra.com/blog/911/how-to-fix-wp-vcd-backdoor-hack-in-wordpress-functions-php/
|
||||
wp-vcd
|
||||
@@ -384,6 +386,11 @@ cGhwOi8vaW5wdXQ=
|
||||
# backdoor script
|
||||
<font color="red">Upload Gagal..</font><br />
|
||||
explode('?>',$shell
|
||||
0.33333333333333+0.33333333333333+0.33333333333333
|
||||
0.66666666666667+0.66666666666667+0.66666666666667
|
||||
1.3333333333333+1.3333333333333+1.3333333333333
|
||||
class _t{private static$_
|
||||
'LQ'.'=='
|
||||
|
||||
# common mobile agent check in SEO poison scripts
|
||||
Array("1207", "3gso", "4thp", "501i", "502i", "503i", "504i", "505i", "506i",
|
||||
@@ -393,4 +400,29 @@ eval(rawurldecode('
|
||||
|
||||
# simple obfuscated function
|
||||
'gz'.'unc'.'ompress'
|
||||
'create'.'_'.'function'
|
||||
'create'.'_'.'function'
|
||||
'gzinf', 'la', 'te'
|
||||
'e_f', 'cti', 'un', 'on', 'cr', 'eat'
|
||||
'base', '64_dec', 'ode'
|
||||
'cook', 'set', 'ie'
|
||||
'repl', 'str_', 'ace'
|
||||
"base"."64_"
|
||||
'base'.'64_'
|
||||
"t"."m"."p"."_"."n"."a"."m"."e"
|
||||
"f"."i"."l"."e"."_"."p"."u"."t"
|
||||
"f"."i"."l"."e"."_"."g"."e"."t"
|
||||
'ode', 'e64_', 'bas', 'dec'
|
||||
'unct', 'ion', 'te_f', 'crea'
|
||||
'te', 'g', 'nf', 'l', 'a', 'zi'
|
||||
'tion', 'e_func', 'creat'
|
||||
'64_d', 'se', 'eco', 'de', 'ba'
|
||||
'co', 'ki', 'e', 'o', 'set'
|
||||
'str', '_rep', 'lace'
|
||||
|
||||
# process data from request object directly
|
||||
extract($_REQUEST) && @$
|
||||
extract($_REQUEST)&&@$
|
||||
xtract($_REQUEST)&&@$
|
||||
|
||||
# uncompress cafted content
|
||||
gzuncompress(strrev(substr(
|
||||
|
||||
@@ -141,10 +141,16 @@ explode\('\|\x01\|\x03\|\x03', gzinflate\(
|
||||
\$[a-z]11 \^ [a-z]8\(\$[a-z]6, \$[a-z]14, \$[a-z]6\[13\]\(\$[a-z]11\)\)\)\);
|
||||
|
||||
# eval function return and concat
|
||||
eval\([A-Za-z]{5,}\(\) \. '
|
||||
eval\([A-Za-z0-9]{5,}\(\) \. '
|
||||
|
||||
# eval function return, parameter is a hex string
|
||||
eval\([A-Za-z0-9]{5,}\(\"[A-Z0-9]{16,}
|
||||
|
||||
# gzip payload called by variable named function
|
||||
\$[a-zA-Z0-9]{6,}\('\x78\x9C\xAD\x90\x41\x0E
|
||||
\$[a-zA-Z0-9]{6,}\('\x78\x9C\xAD\x90\x41\x0E
|
||||
|
||||
# obfuscated code return with error suppression
|
||||
return @\$[a-z]{2}\d+\[\d+\]\(\$[a-z]{2}\d+\[\d+\],
|
||||
|
||||
# htaccess alternating
|
||||
[a-z]{1}\([a-z]{1}\(\$[a-z]{2}\.'\/\.htaccess'\)
|
||||
|
||||
10
scan.php
10
scan.php
@@ -622,8 +622,8 @@ class MalwareScanner
|
||||
private function report($start, $dir)
|
||||
{
|
||||
$end = time();
|
||||
echo 'Start time: ' . strftime('%Y-%m-%d %H:%M:%S', $start) . PHP_EOL;
|
||||
echo 'End time: ' . strftime('%Y-%m-%d %H:%M:%S', $end) . PHP_EOL;
|
||||
echo 'Start time: ' . date('Y-m-d H:m:s', $start) . PHP_EOL;
|
||||
echo 'End time: ' . date('Y-m-d H:m:s', $end) . PHP_EOL;
|
||||
echo 'Total execution time: ' . ($end - $start) . PHP_EOL;
|
||||
echo 'Base directory: ' . $dir . PHP_EOL;
|
||||
echo 'Total directories scanned: ' . $this->stat['directories'] . PHP_EOL;
|
||||
@@ -709,14 +709,14 @@ class MalwareScanner
|
||||
//Returns true if the raw string exists in the file contents.
|
||||
private function scanFunc_STR(&$pattern, &$content)
|
||||
{
|
||||
return strpos($content, $pattern);
|
||||
return strpos($content, (string)$pattern);
|
||||
}
|
||||
|
||||
//Performs raw string, case insensitive matching.
|
||||
//Returns true if the raw string exists in the file contents, ignoring case.
|
||||
private function scanFunc_STRI(&$pattern, &$content)
|
||||
{
|
||||
return stripos($content, $pattern);
|
||||
return stripos($content, (string)$pattern);
|
||||
}
|
||||
|
||||
//Performs regular expression matching.
|
||||
@@ -859,7 +859,7 @@ class MalwareScanner
|
||||
echo ' -t --time Show time of last file change' . PHP_EOL;
|
||||
echo ' -L --line-number Display matching pattern line number in file' . PHP_EOL;
|
||||
echo ' -o --output-format Custom defined output format' . PHP_EOL;
|
||||
echo ' -j --wordpress-version Version of wordpress to get md5 signatures' . PHP_EOL;
|
||||
echo ' -j <version> --wordpress-version Version of wordpress to get md5 signatures' . PHP_EOL;
|
||||
echo ' --combined-whitelist Combined whitelist' . PHP_EOL;
|
||||
echo ' --disable-stats Disable statistics output' . PHP_EOL;
|
||||
|
||||
|
||||
Reference in New Issue
Block a user