Sample update

Hide error arg fix
Sample update
2026-06-16 12:30:35 +00:00 · 2024-05-22 14:16:44 +02:00 · 2024-05-22 14:04:07 +02:00 · 2024-05-22 14:03:43 +02:00 · 2023-07-26 12:39:34 +02:00 · 2023-05-14 08:59:43 +02:00
3 changed files with 18 additions and 2 deletions
--- a/definitions/patterns_raw.txt
+++ b/definitions/patterns_raw.txt
@@ -27,6 +27,8 @@ ShellBOT
 curl_get_from_webpage
 file_get_contents('http://codepad.org
 #mailers
 leafmailer.pw
 #Base64 String Samples.  Each plain text string should have 3 base64 equivalents
@@ -205,6 +207,7 @@ http://www.fopo.com.ar/
@eval("\
 ";eval(
 eval(eval(
@eval(`
 #Malware/Attack specific strings/fingerprints/signatures
 MagelangCyber
@@ -396,6 +399,7 @@ Array("1207", "3gso", "4thp", "501i", "502i", "503i", "504i", "505i", "506i",
 # eval url decoded string
 eval(rawurldecode('
 eval(htmlspecialchars_decode(
 # simple obfuscated function
 'gz'.'unc'.'ompress'
@@ -413,6 +417,10 @@ eval(rawurldecode('
 'ode', 'e64_', 'bas', 'dec'
 'unct', 'ion', 'te_f', 'crea'
 'te', 'g', 'nf', 'l', 'a', 'zi'
 'tion', 'e_func', 'creat'
 '64_d', 'se', 'eco', 'de', 'ba'
 'co', 'ki', 'e', 'o', 'set'
 'str', '_rep', 'lace'
 # process data from request object directly
 extract($_REQUEST) && @$
@@ -421,3 +429,10 @@ xtract($_REQUEST)&&@$
 # uncompress cafted content
 gzuncompress(strrev(substr(
 # disable error reporting
 <?php error_reporting(0);?>
 # infected file include attached on the top of a legit file
 <?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>
 <?php if (file_exists(dirname(__FILE__) . '/class.plugin-modules.php')) include_once(dirname(__FILE__) . '/class.plugin-modules.php'); ?>
--- a/definitions/patterns_re.txt
+++ b/definitions/patterns_re.txt
@@ -79,7 +79,7 @@ chr\s*\(\s*['"]?\s*((95)|(0[Xx]5[Ff]))\s*['"]?\s*\)
 #Escaped path characters: \x2fho\x6de/\x69mp\x75ls\x69oq\x65/w\x77w. or \x2fhome\x2fimpu\x6csioq\x65/www\x2emusc
 (\\x[0-9abcdef]{2}[a-z0-9.-\/]{1,4}){4,}
-#Malware inffected files sometimes marked with comments like /*87cda*/ to avoid infect again
+#Malware infected files sometimes marked with comments like /*87cda*/ to avoid infect again
 \/\*[a-z0-9]{5}\*\/
 # XOR-ed strings with custom math
--- a/scan.php
+++ b/scan.php
@@ -231,7 +231,7 @@ class MalwareScanner
    private function parseArgs()
    {
        $options = getopt(
-            'd:e:i:o:abmcxlhkwnsptLj:E',
+            'd:e:i:o:abmcxlhkrwnsptLj:E',
            array(
                'directory:',
                'extension:',
@@ -244,6 +244,7 @@ class MalwareScanner
                'follow-link',
                'help',
                'hide-ok',
                'hide-err',
                'hide-whitelist',
                'no-color',
                'no-stop',
Author	SHA1	Message	Date
Gabor Gyorvari	c542a745e4	Sample update	2024-05-22 14:16:44 +02:00
Gabor Gyorvari	7ac65c0c8d	Hide error arg fix	2024-05-22 14:04:07 +02:00
Gabor Gyorvari	5061e319e3	Sample update	2024-05-22 14:03:43 +02:00
Gabor Gyorvari	b2b2c4b081	Small typo, fix #88	2023-07-26 12:39:34 +02:00
Gabor Gyorvari	26458d20af	Sample update	2023-05-14 08:59:43 +02:00