base64 sample for "file" too short and causes false positive

Feature flagHideErr #66

README.md

@@ -26,6 +26,7 @@ Usage: php scan.php -d <directory>
     -x                   --extra-check        Adds GoogleBot and htaccess to Scan List
     -l                   --follow-symlink     Follow symlinked directories
     -k                   --hide-ok            Hide results with 'OK' status
+    -r                   --hide-err           Hide results with 'ER' status
     -w                   --hide-whitelist     Hide results with 'WL' status
     -n                   --no-color           Disable color mode
     -s                   --no-stop            Continue scanning file after first hit
@@ -113,6 +114,22 @@ It is guaranteed that IF 'base64_decode' was present in the plain text code, the
 The presence of 'YmFzZTY0X2RlY29kZ' in a block of code may be because 'ase64_decod' was in the original code.  
 ote the missing edge characters which is due to bit misalignment and character bleed.
 
+Using as library
+----------------
+
+The scan.php perform a check, that it's called by commandline or not, so to use as library use different directory than scan.php it self.
+ 
+```php
+<?php
+
+require_once '../scan.php';
+
+$scan = new MalwareScanner();
+$scan->setFlagHideWhitelist(true);
+$scan->setFlagHideOk(true);
+$scan->run('../samples/test');
+```
+
 Resources
 ---------
 

definitions/patterns_iraw.txt

@@ -1,7 +1,7 @@
-#This file contains raw strings that will be matched case-insensitive.
+# This file contains raw strings that will be matched case-insensitive.
-#Comments and whitespace are possible, but comments must have '#' at the first character of the line.
+# Comments and whitespace are possible, but comments must have '#' at the first character of the line.
 
-#List of security service providers that phishers often block.
+# List of security service providers that phishers often block.
 abovenet
 avira
 bitdefender
@@ -17,3 +17,6 @@ phishtank
 sophos
 surfright
 symantec
+
+# SEO poison, pharmacy redirect
+dealonline.su

definitions/patterns_raw.txt

@@ -108,11 +108,6 @@ SFRUUF9VU0VSX0FHRU5U
 hUVFBfVVNFUl9BR0VOV
 IVFRQX1VTRVJfQUdFTl
 
-# "file" in base64
-ZmlsZ
-ZpbG
-maWxl
-
 # "gzinflate" in base64
 Z3ppbmZsYXRl
 d6aW5mbGF0Z
@@ -201,6 +196,7 @@ eval(base64_decode(
 $data = base64_decode("
 edoced_46esab
 base=base64_encode
+'b'.'ase6'.'4_e'.'ncode'
 cr"."eat"."e_fun"."cti"."on
 gz'.'inf'.'late
 # fopo.com.ar - free online php obfuscator. It conveniently leaves comments in the code.
@@ -260,6 +256,9 @@ itsoknoproblembro
 tmhapbzcerff
 IndoXploit
 FaisaL Ahmed aka rEd X
+smisbot
+smotherbot
+Indonesian Hacker Rulez
 
 # WP-VCD Malware https://www.getastra.com/blog/911/how-to-fix-wp-vcd-backdoor-hack-in-wordpress-functions-php/
 wp-vcd
@@ -371,3 +370,7 @@ ZeroByte
 
 # JS escaped: String.fromCharCode(
 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40
+
+# SEO poisoning control site call
+"http://$xxx
+?useragent=$botbotbot

definitions/patterns_re.txt

@@ -4,10 +4,13 @@ eval\/\*[a-z0-9]+\*\/
 #
 eval\([a-z0-9]{4,}\(\$[a-z0-9]{4,}, \$[0-9a-z]{4,}\)\);
 
-#
+# chr(101).chr(118).chr(97)
 (chr\(\d+\^\d+\)\.){4,}
 
-#
+# $_uU(101).$_uU(118).$_uU(97)
+(\$\_[a-z0-9]{2,}\(\d+\)\.){4,}
+
+# $uUx[101].$uUx[118].$uUx[97]
 (\$[a-z0-9]{3,}\[\d+\]\.){4,}
 
 #
@@ -37,6 +40,9 @@ Googlebot['"]{0,1}\s*\)\){echo\s+file_get_contents
 #execute base64 code
 eVaL\(\s*trim\(\s*baSe64_deCoDe\(
 
+# execute escaped code
+exec\("(\\[0-9a-fx]{2,3}){3,}
+
 #
 if\s*\(\s*mail\s*\(\s*\$mails\[\$i\]\s*,\s*\$tema\s*,\s*base64_encode\s*\(\s*\$text
 
@@ -108,3 +114,6 @@ function\s+_[0-9]{8,}\(
 
 # create_function is dangerous as like eval() see http://php.net/manual/en/function.create-function.php
 create_function\s*\(\s*['"]{2}
+
+# control concated from cookie at the call
+(\$[a-z]{2,}=urldecode\(\$_COOKIE\['[a-z]{2,}'\]\);){3,}

scan.php

@@ -31,6 +31,7 @@ class MalwareScanner
     private $flagChecksum = false;
     private $flagComments = false;
     private $flagHideOk = false;
+    private $flagHideErr = false;
     private $flagHideWhitelist = false;
     private $flagNoStop = false;
     private $flagPattern = false;
@@ -69,16 +70,31 @@ class MalwareScanner
         if ($cli === true) {
             //Read Run Options
             $this->parseArgs();
-            $this->dir = realpath($this->dir);
+
+            $dirs = array();
+            if (is_array($this->dir)) {
+                // allow multiple directory aka. array
+                foreach ($this->dir as $path) {
+                    $dirs[] = realpath($path);
+                }
+            } elseif ($bpos = strpos($this->dir, '{')) {
+                // Check path has a "brace", expand it to subdirectories
+                foreach (glob($this->dir, GLOB_BRACE) as $path) {
+                    $dirs[] = realpath($path);
+                }
+            } else {
+                // only one directory specified
+                $dirs = array (realpath($this->dir));
+            }
 
             //Make sure a directory was specified.
-            if ($this->dir === '') {
+            if (empty($dirs)) {
                 $this->error('No directory specified or directory doesn\'t exist');
                 exit(-1);
             }
 
             //Initiate Scan
-            if (!$this->run($this->dir)) {
+            if (!$this->run($dirs)) {
                 exit(-1);
             }
         }
@@ -188,7 +204,7 @@ class MalwareScanner
         }
     }
 
-    private function addWordpressChecksums($wp_version)
+    public function addWordpressChecksums($wp_version)
     {
         $apiurl = 'https://api.wordpress.org/core/checksums/1.0/?version=' . $wp_version;
         $json = json_decode(file_get_contents($apiurl));
@@ -283,6 +299,9 @@ class MalwareScanner
         if (isset($options['hide-ok']) || isset($options['k'])) {
             $this->setFlagHideOk(true);
         }
+        if (isset($options['hide-err']) || isset($options['r'])) {
+            $this->setFlagHideErr(true);
+        }
         if (isset($options['hide-whitelist']) || isset($options['w'])) {
             $this->setFlagHideWhitelist(true);
         }
@@ -381,6 +400,11 @@ class MalwareScanner
         $this->flagHideOk = $b;
     }
 
+    public function setFlagHideErr($b)
+    {
+        $this->flagHideErr = $b;
+    }
+
     public function setFlagHideWhitelist($b)
     {
         $this->flagHideWhitelist = $b;
@@ -475,6 +499,9 @@ class MalwareScanner
             $state = 'WL';
             $state_color = $this->ANSI_YELLOW;
         } else {
+            if ($this->flagHideErr) {
+                return;
+            }
             $state = 'ER';
             $state_color = $this->ANSI_RED;
         }
@@ -592,18 +619,11 @@ class MalwareScanner
      * - Fetch and load combined whitelist
      * - Calls the process and report functions.
      *
-     * @param $dir
+     * @param string|array $dir A directory path or a list of paths in array
      * @return bool
      */
     public function run($dir)
     {
-        // Make sure the input is a valid directory path.
-        $dir = rtrim($dir, '/');
-        if (!is_dir($dir)) {
-            $this->error('Specified path is not a directory: ' . $dir);
-            return false;
-        }
-
         $this->initializePatterns();
 
         $this->loadWhitelist();
@@ -613,9 +633,23 @@ class MalwareScanner
         }
 
         $start = time();
-        $this->process($dir . '/');
+
+        if (!is_array($dir)) {
+            $dir = array ($dir);
+        }
+
+        foreach ($dir as $path) {
+            // Make sure the input is a valid directory path.
+            $path = rtrim($path, '/');
+            if (!is_dir($path)) {
+                $this->error('Specified path is not a directory: ' . $path);
+                return false;
+            }
+            $this->process($path . '/');
+        }
+
         if (!$this->flagDisableStats) {
-            $this->report($start, $dir . '/');
+            $this->report($start, implode(', ', $dir));
         }
         return true;
     }
@@ -798,6 +832,7 @@ class MalwareScanner
         echo '    -x                   --extra-check        Adds GoogleBot and htaccess to Scan List' . PHP_EOL;
         echo '    -l                   --follow-symlink     Follow symlinked directories' . PHP_EOL;
         echo '    -k                   --hide-ok            Hide results with \'OK\' status' . PHP_EOL;
+        echo '    -r                   --hide-err           Hide results with \'ER\' status' . PHP_EOL;
         echo '    -w                   --hide-whitelist     Hide results with \'WL\' status' . PHP_EOL;
         echo '    -n                   --no-color           Disable color mode' . PHP_EOL;
         echo '    -s                   --no-stop            Continue scanning file after first hit' . PHP_EOL;