Small example how to use as library, fix #61

Change addWordpressChecksums to public, fix #58
Signature update from new infections
2026-06-16 12:30:35 +00:00 · 2020-10-05 13:34:16 +02:00 · 2020-10-05 10:59:13 +02:00 · 2020-10-01 11:26:02 +02:00 · 2020-09-30 17:02:33 +02:00
5 changed files with 39 additions and 7 deletions
--- a/README.md
+++ b/README.md
@@ -113,6 +113,22 @@ It is guaranteed that IF 'base64_decode' was present in the plain text code, the
 The presence of 'YmFzZTY0X2RlY29kZ' in a block of code may be because 'ase64_decod' was in the original code.  
 ote the missing edge characters which is due to bit misalignment and character bleed.

+Using as library
+----------------
+
+The scan.php perform a check, that it's called by commandline or not, so to use as library use different directory than scan.php it self.
+ 
+```php
+<?php
+
+require_once '../scan.php';
+
+$scan = new MalwareScanner();
+$scan->setFlagHideWhitelist(true);
+$scan->setFlagHideOk(true);
+$scan->run('../samples/test');
+```
+
 Resources
 ---------

--- a/definitions/patterns_iraw.txt
+++ b/definitions/patterns_iraw.txt
@@ -1,7 +1,7 @@
-#This file contains raw strings that will be matched case-insensitive.
-#Comments and whitespace are possible, but comments must have '#' at the first character of the line.
+# This file contains raw strings that will be matched case-insensitive.
+# Comments and whitespace are possible, but comments must have '#' at the first character of the line.

-#List of security service providers that phishers often block.
+# List of security service providers that phishers often block.
 abovenet
 avira
 bitdefender
@@ -17,3 +17,6 @@ phishtank
 sophos
 surfright
 symantec
+
+# SEO poison, pharmacy redirect
+dealonline.su
--- a/definitions/patterns_raw.txt
+++ b/definitions/patterns_raw.txt
@@ -371,3 +371,7 @@ ZeroByte

 # JS escaped: String.fromCharCode(
 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40
+
+# SEO poisoning control site call
+"http://$xxx
+?useragent=$botbotbot
--- a/definitions/patterns_re.txt
+++ b/definitions/patterns_re.txt
@@ -4,10 +4,13 @@ eval\/\*[a-z0-9]+\*\/
 #
 eval\([a-z0-9]{4,}\(\$[a-z0-9]{4,}, \$[0-9a-z]{4,}\)\);

-#
+# chr(101).chr(118).chr(97)
 (chr\(\d+\^\d+\)\.){4,}

-#
+# $_uU(101).$_uU(118).$_uU(97)
+(\$\_[a-z0-9]{2,}\(\d+\)\.){4,}
+
+# $uUx[101].$uUx[118].$uUx[97]
 (\$[a-z0-9]{3,}\[\d+\]\.){4,}

 #
@@ -37,6 +40,9 @@ Googlebot['"]{0,1}\s*\)\){echo\s+file_get_contents
 #execute base64 code
 eVaL\(\s*trim\(\s*baSe64_deCoDe\(

+# execute escaped code
+exec\("(\\[0-9a-fx]{2,3}){3,}
+
 #
 if\s*\(\s*mail\s*\(\s*\$mails\[\$i\]\s*,\s*\$tema\s*,\s*base64_encode\s*\(\s*\$text

@@ -107,4 +113,7 @@ function\s+_[0-9]{8,}\(
@include ".*?(\\x[0-9a-f]{2,}.*?){2,}.*?";

 # create_function is dangerous as like eval() see http://php.net/manual/en/function.create-function.php
-create_function\s*\(\s*['"]{2}
+create_function\s*\(\s*['"]{2}
+
+# control concated from cookie at the call
+(\$[a-z]{2,}=urldecode\(\$_COOKIE\['[a-z]{2,}'\]\);){3,}
--- a/scan.php
+++ b/scan.php
@@ -203,7 +203,7 @@ class MalwareScanner
        }
    }

-    private function addWordpressChecksums($wp_version)
+    public function addWordpressChecksums($wp_version)
    {
        $apiurl = 'https://api.wordpress.org/core/checksums/1.0/?version=' . $wp_version;
        $json = json_decode(file_get_contents($apiurl));
Author	SHA1	Message	Date
Gabor Gyorvari	5883c68f54	Small example how to use as library, fix #61	2020-10-05 13:34:16 +02:00
Gabor Gyorvari	22b51a1ee3	Change addWordpressChecksums to public, fix #58	2020-10-05 10:59:13 +02:00
Gabor Gyorvari	2b1a0c1266	Signature update from new infections	2020-10-01 11:26:02 +02:00
Gabor Gyorvari	c495cc822c	Signature update for a pattern $_uU(101).$_uU(118).$_uU(97)	2020-09-30 17:02:33 +02:00