Sample update from #94 and some found in servers

Sample update from #94
Merge remote-tracking branch 'origin/master'
2026-06-16 12:30:35 +00:00 · 2026-02-24 06:58:29 +01:00 · 2025-06-09 20:28:26 +02:00 · 2025-05-15 17:55:32 +02:00 · 2025-05-15 17:55:25 +02:00 · 2024-12-05 06:44:14 +01:00
4 changed files with 97 additions and 5 deletions
--- a/15
+++ b/15
@@ -0,0 +1,15 @@
+FROM php:8.2-cli
+
+# Install dependencies
+RUN apt-get update && apt-get install -y \
+    git \
+    unzip \
+    libzip-dev \
+    && docker-php-ext-install zip
+
+WORKDIR /scanner
+COPY . .
+RUN chmod +x scan
+
+ENTRYPOINT ["./scan"]
+CMD ["/code"] 
--- a/README.md
+++ b/README.md
@@ -146,3 +146,37 @@ Licensing
 ---------

 PHP malware scanner is [licensed](https://github.com/scr34m/php-malware-scanner/blob/master/LICENSE.txt) under the GNU General Public License v3.
+
+Docker Usage
+-----------
+
+You can also run the scanner using Docker:
+
+1. Build the image:
+```bash
+docker build -t php-malware-scanner .
+```
+
+2. Scan a directory:
+```bash
+docker run -v /path/to/scan:/code php-malware-scanner -d /code
+```
+
+For example, to scan a WordPress installation:
+```bash
+docker run -v /var/www/html:/code php-malware-scanner -d /code -j 6.4.1
+```
+
+Common usage with flags:
+```bash
+# Show only infected files (hide OK status)
+docker run -v /path/to/scan:/code php-malware-scanner -d /code -k
+
+# Show comments for matched patterns
+docker run -v /path/to/scan:/code php-malware-scanner -d /code -c
+
+# Show MD5 hashes and continue after first match
+docker run -v /path/to/scan:/code php-malware-scanner -d /code -m -s
+```
+
+The `/code` directory inside the container is where your files will be mounted for scanning.
--- a/definitions/patterns_raw.txt
+++ b/definitions/patterns_raw.txt
@@ -22,6 +22,10 @@ SHELL_PASSWORD
 ConnectBackShell
 ShellBOT
 == "bindshell"
+".\x00..\x20"
+FM_SESSION_ID
+HACKED BY
+_Mybb

 #Remote Code
 curl_get_from_webpage
@@ -32,6 +36,9 @@ leafmailer.pw

 #Base64 String Samples.  Each plain text string should have 3 base64 equivalents

+# https://
+aHR0cHM6Ly
+
 # "shell" in base64
 c2hlbG
 NoZWxs
@@ -181,15 +188,23 @@ RlZmluZ
 kZWZpbm

 # Obfuscation related code
+'.'6'.'4'.'_'.'
+bas'.'e64_dec
+file'.'_put_co
+fil'.'e_ex
+Pz4=
+L3gvaQ==
 eval("?>
 eval('?>
+@eval(
 "base64_decode"
 ='base'.(32*2).'_de'.'code'
 "p"."r"."e"."g"."_"
 WSOstripslashes
-\x73\x79\x73\x74\x65\x6d' /* case, dec/hex issue? */, // system
-\x70\x72\x65\x67\x5f\x72\x65\x70\x6c\x61\x63\x65' /* case, dec/hex issue? */, // preg_replace
-\x65\x78\x65\x63' /* dec/hex issue? */, // exec
+\x5f\x43\x4f\x4f\x4b\x49\x45
+\x73\x79\x73\x74\x65\x6d
+\x70\x72\x65\x67\x5f\x72\x65\x70\x6c\x61\x63\x65
+\x65\x78\x65\x63
 ev\x61l
 \x65\166\x61\154\x28' /* dec/hex issue? */,
 \x65\x76\x61\x6C' /* case, dec/hex issue? */,
@@ -202,12 +217,21 @@ base=base64_encode
 'b'.'ase6'.'4_e'.'ncode'
 cr"."eat"."e_fun"."cti"."on
 gz'.'inf'.'late
-# fopo.com.ar - free online php obfuscator. It conveniently leaves comments in the code.
-http://www.fopo.com.ar/
@eval("\
 ";eval(
 eval(eval(
@eval(`
+eVaL('?>
+eval($_REQUEST
+convert_uudecode(convert_uuencode
+"64_decode"
+'f' . 'il' . 'e' . '_'
+'co' . 'nt' . 'e' . 'nt'
+'h' . 'tm' . 'l' . 'sp'
+'ha' . 'r' . 's'
+
+# fopo.com.ar - free online php obfuscator. It conveniently leaves comments in the code.
+http://www.fopo.com.ar/

 #Malware/Attack specific strings/fingerprints/signatures
 MagelangCyber
@@ -266,6 +290,12 @@ smisbot
 smotherbot
 Indonesian Hacker Rulez
 pwetan.com
+iNHUMaN
+Heartzz
+Bye Bye Litespeed
+BunnyInvisible
+SEMOGABERKAH
+BUTERFLYCOUNTRY

 # WP-VCD Malware https://www.getastra.com/blog/911/how-to-fix-wp-vcd-backdoor-hack-in-wordpress-functions-php/
 wp-vcd
@@ -363,6 +393,7 @@ php_uname()
 str_split(rawurldecode(str_rot13(
 # generating PHP file name to put content
 substr(md5(time()), 0, 8) . ".php"
+'a:1:{s:13:\"administrator\";b:1;}'

 # webshell
 0byt3m1n1
@@ -381,6 +412,7 @@ ZeroByte
 # SEO poisoning control site call
 "http://$xxx
 ?useragent=$botbotbot
+[#*#*#]

 # php://input encoded in base64
 cGhwOi8vaW5wdXQ=
--- a/definitions/patterns_re.txt
+++ b/definitions/patterns_re.txt
@@ -146,6 +146,8 @@ eval\([A-Za-z0-9]{5,}\(\) \. '
 # eval function return, parameter is a hex string
 eval\([A-Za-z0-9]{5,}\(\"[A-Z0-9]{16,}

+eval\(\s+'\?>'
+
 # gzip payload called by variable named function
 \$[a-zA-Z0-9]{6,}\('\x78\x9C\xAD\x90\x41\x0E

@@ -154,3 +156,12 @@ return @\$[a-z]{2}\d+\[\d+\]\(\$[a-z]{2}\d+\[\d+\],

 # htaccess alternating
 [a-z]{1}\([a-z]{1}\(\$[a-z]{2}\.'\/\.htaccess'\)
+
+# Javascript specific rules
+
+# JS - escaped command
+\.fromCharCode\([0-9,]{4,}\)
+\+-parseInt\(\w\('0x[0-9a-z]+'\)\)\/
+
+# concated hash value
+('[a-z0-9]{2,}'\.){4,}
Author	SHA1	Message	Date
Gabor Gyorvari	ba466dc1ff	Sample update from #94 and some found in servers	2026-02-24 06:58:29 +01:00
Gabor Gyorvari	201ab77516	Sample update from #94	2025-06-09 20:28:26 +02:00
Gabor Gyorvari	46024eca5e	Merge remote-tracking branch 'origin/master'	2025-05-15 17:55:32 +02:00
Gabor Gyorvari	a31cc18dc5	Sample update from #93	2025-05-15 17:55:25 +02:00
Győrvári Gábor	96806c69e9	Merge pull request #92 from edward-rafalovsky/feature/add-docker-support Add Docker support with documentation	2024-12-05 06:44:14 +01:00
Edward Rafalovsky	42c2aad685	Add Docker support with documentation	2024-12-04 23:41:36 +01:00
Gabor Gyorvari	cad03dc3b4	Javascript sample update in #91	2024-07-08 17:55:38 +02:00