Sample update

Make it compatible with php 8.1

README.md

@@ -34,7 +34,7 @@ Usage: php scan.php -d <directory>
     -t                   --time               Show time of last file change
     -L                   --line-number        Display matching pattern line number in file
     -o                   --output-format      Custom defined output format
-    -j                   --wordpress-version  Version of wordpress to get md5 signatures
+    -j <version>         --wordpress-version  Version of wordpress to get md5 signatures
                          --combined-whitelist Combined whitelist
                          --custom-whitelist   Loads whitelist from specified file and merge with existing
                          --disable-stats      Disable statistics output

definitions/patterns_raw.txt

@@ -27,6 +27,8 @@ ShellBOT
 curl_get_from_webpage
 file_get_contents('http://codepad.org
 
+#mailers
+leafmailer.pw
 
 #Base64 String Samples.  Each plain text string should have 3 base64 equivalents
 
@@ -205,6 +207,7 @@ http://www.fopo.com.ar/
 @eval("\
 ";eval(
 eval(eval(
+@eval(`
 
 #Malware/Attack specific strings/fingerprints/signatures
 MagelangCyber
@@ -262,6 +265,7 @@ FaisaL Ahmed aka rEd X
 smisbot
 smotherbot
 Indonesian Hacker Rulez
+pwetan.com
 
 # WP-VCD Malware https://www.getastra.com/blog/911/how-to-fix-wp-vcd-backdoor-hack-in-wordpress-functions-php/
 wp-vcd
@@ -395,6 +399,7 @@ Array("1207", "3gso", "4thp", "501i", "502i", "503i", "504i", "505i", "506i",
 
 # eval url decoded string
 eval(rawurldecode('
+eval(htmlspecialchars_decode(
 
 # simple obfuscated function
 'gz'.'unc'.'ompress'
@@ -404,3 +409,30 @@ eval(rawurldecode('
 'base', '64_dec', 'ode'
 'cook', 'set', 'ie'
 'repl', 'str_', 'ace'
+"base"."64_"
+'base'.'64_'
+"t"."m"."p"."_"."n"."a"."m"."e"
+"f"."i"."l"."e"."_"."p"."u"."t"
+"f"."i"."l"."e"."_"."g"."e"."t"
+'ode', 'e64_', 'bas', 'dec'
+'unct', 'ion', 'te_f', 'crea'
+'te', 'g', 'nf', 'l', 'a', 'zi'
+'tion', 'e_func', 'creat'
+'64_d', 'se', 'eco', 'de', 'ba'
+'co', 'ki', 'e', 'o', 'set'
+'str', '_rep', 'lace'
+
+# process data from request object directly
+extract($_REQUEST) && @$
+extract($_REQUEST)&&@$
+xtract($_REQUEST)&&@$
+
+# uncompress cafted content
+gzuncompress(strrev(substr(
+
+# disable error reporting
+<?php error_reporting(0);?>
+
+# infected file include attached on the top of a legit file
+<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>
+<?php if (file_exists(dirname(__FILE__) . '/class.plugin-modules.php')) include_once(dirname(__FILE__) . '/class.plugin-modules.php'); ?>

definitions/patterns_re.txt

@@ -79,7 +79,7 @@ chr\s*\(\s*['"]?\s*((95)|(0[Xx]5[Ff]))\s*['"]?\s*\)
 #Escaped path characters: \x2fho\x6de/\x69mp\x75ls\x69oq\x65/w\x77w. or \x2fhome\x2fimpu\x6csioq\x65/www\x2emusc
 (\\x[0-9abcdef]{2}[a-z0-9.-\/]{1,4}){4,}
 
-#Malware inffected files sometimes marked with comments like /*87cda*/ to avoid infect again
+#Malware infected files sometimes marked with comments like /*87cda*/ to avoid infect again
 \/\*[a-z0-9]{5}\*\/
 
 # XOR-ed strings with custom math
@@ -141,10 +141,16 @@ explode\('\|\x01\|\x03\|\x03', gzinflate\(
 \$[a-z]11 \^ [a-z]8\(\$[a-z]6, \$[a-z]14, \$[a-z]6\[13\]\(\$[a-z]11\)\)\)\);
 
 # eval function return and concat
-eval\([A-Za-z]{5,}\(\) \. '
+eval\([A-Za-z0-9]{5,}\(\) \. '
 
 # eval function return, parameter is a hex string
 eval\([A-Za-z0-9]{5,}\(\"[A-Z0-9]{16,}
 
 # gzip payload called by variable named function
 \$[a-zA-Z0-9]{6,}\('\x78\x9C\xAD\x90\x41\x0E
+
+# obfuscated code return with error suppression
+return @\$[a-z]{2}\d+\[\d+\]\(\$[a-z]{2}\d+\[\d+\],
+
+# htaccess alternating
+[a-z]{1}\([a-z]{1}\(\$[a-z]{2}\.'\/\.htaccess'\)

scan.php

@@ -231,7 +231,7 @@ class MalwareScanner
     private function parseArgs()
     {
         $options = getopt(
-            'd:e:i:o:abmcxlhkwnsptLj:E',
+            'd:e:i:o:abmcxlhkrwnsptLj:E',
             array(
                 'directory:',
                 'extension:',
@@ -244,6 +244,7 @@ class MalwareScanner
                 'follow-link',
                 'help',
                 'hide-ok',
+                'hide-err',
                 'hide-whitelist',
                 'no-color',
                 'no-stop',
@@ -622,8 +623,8 @@ class MalwareScanner
     private function report($start, $dir)
     {
         $end = time();
-        echo 'Start time: ' . strftime('%Y-%m-%d %H:%M:%S', $start) . PHP_EOL;
+        echo 'Start time: ' . date('Y-m-d H:m:s', $start) . PHP_EOL;
-        echo 'End time: ' . strftime('%Y-%m-%d %H:%M:%S', $end) . PHP_EOL;
+        echo 'End time: ' . date('Y-m-d H:m:s', $end) . PHP_EOL;
         echo 'Total execution time: ' . ($end - $start) . PHP_EOL;
         echo 'Base directory: ' . $dir . PHP_EOL;
         echo 'Total directories scanned: ' . $this->stat['directories'] . PHP_EOL;
@@ -859,7 +860,7 @@ class MalwareScanner
         echo '    -t                   --time               Show time of last file change' . PHP_EOL;
         echo '    -L                   --line-number        Display matching pattern line number in file' . PHP_EOL;
         echo '    -o                   --output-format      Custom defined output format' . PHP_EOL;
-        echo '    -j                   --wordpress-version  Version of wordpress to get md5 signatures' . PHP_EOL;
+        echo '    -j <version>         --wordpress-version  Version of wordpress to get md5 signatures' . PHP_EOL;
         echo '                         --combined-whitelist Combined whitelist' . PHP_EOL;
         echo '                         --disable-stats      Disable statistics output' . PHP_EOL;