Backdoor reported in #72

Backdoor reported in #71
Pattern updates from new infections
2026-06-16 12:30:35 +00:00 · 2022-03-24 18:46:58 +01:00 · 2021-12-13 18:09:02 +01:00 · 2021-05-27 06:57:08 +02:00 · 2021-05-27 06:57:08 +02:00 · 2021-05-27 06:57:08 +02:00
4 changed files with 63 additions and 16 deletions
--- a/README.md
+++ b/README.md
@@ -36,6 +36,7 @@ Usage: php scan.php -d <directory>
    -o                   --output-format      Custom defined output format
    -j                   --wordpress-version  Version of wordpress to get md5 signatures
                         --combined-whitelist Combined whitelist
+                         --custom-whitelist   Loads whitelist from specified file and merge with existing
                         --disable-stats      Disable statistics output
 ```

--- a/definitions/patterns_raw.txt
+++ b/definitions/patterns_raw.txt
@@ -108,11 +108,6 @@ SFRUUF9VU0VSX0FHRU5U
 hUVFBfVVNFUl9BR0VOV
 IVFRQX1VTRVJfQUdFTl

-# "file" in base64
-ZmlsZ
-ZpbG
-maWxl
-
 # "gzinflate" in base64
 Z3ppbmZsYXRl
 d6aW5mbGF0Z
@@ -185,6 +180,7 @@ kZWZpbm

 # Obfuscation related code
 eval("?>
+eval('?>
 "base64_decode"
 ='base'.(32*2).'_de'.'code'
 "p"."r"."e"."g"."_"
@@ -207,6 +203,8 @@ gz'.'inf'.'late
 # fopo.com.ar - free online php obfuscator. It conveniently leaves comments in the code.
 http://www.fopo.com.ar/
@eval("\
+";eval(
+eval(eval(

 #Malware/Attack specific strings/fingerprints/signatures
 MagelangCyber
@@ -379,3 +377,13 @@ ZeroByte
 # SEO poisoning control site call
 "http://$xxx
 ?useragent=$botbotbot
+
+# php://input encoded in base64
+cGhwOi8vaW5wdXQ=
+
+# backdoor script
+<font color="red">Upload Gagal..</font><br />
+explode('?>',$shell
+
+# common mobile agent check in SEO poison scripts
+Array("1207", "3gso", "4thp", "501i", "502i", "503i", "504i", "505i", "506i",
--- a/definitions/patterns_re.txt
+++ b/definitions/patterns_re.txt
@@ -116,4 +116,23 @@ function\s+_[0-9]{8,}\(
 create_function\s*\(\s*['"]{2}

 # control concated from cookie at the call
-(\$[a-z]{2,}=urldecode\(\$_COOKIE\['[a-z]{2,}'\]\);){3,}
+(\$[a-z]{2,}=urldecode\(\$_COOKIE\['[a-z]{2,}'\]\);){3,}
+
+# ${$O{18}.$O{7}.$O{24}.$O{2}.$O{50}.$O{8}
+(\$[A-Z]+\{\d+\}\.){3,}
+
+# comment in variable name $_REQUEST /*YUsrqpbzvXTSa...QpDNTPYQvLSFPCqsSnWNVqPdSIAYaQj*/[
+\$_REQUEST\s*\/\*[A-Za-z]+\*\/\[
+
+# cookie payload if(isset($_COOKIE)){$p=$_COOKIE;(count($p)==55&&in_array(gettype($p).count($p),$p))?(($p[68]=$p[68].$p[22])&&($p[35]=$p[68]($p[35]))&&($p=$p[35]($p[13],$p[68]($p[45])))&&$p()):$p;}
+\(count\(\$p\)==\d+&&in_array\(gettype\(\$p\)\.count\(\$p\),\$p\)\)
+
+# gzipped payload post process
+explode\('\|\x01\|\x03\|\x03', gzinflate\(
+
+# backdoor reported #71
+@header\(\w{3,5}::\w{1,2}\('_\w{1,3}' \. '\w{1,3}', '_\w{1,3}'\)\);
+@header\(\w{3,5}::\w{1,2}\('_\w{1,3}', '_' \. '\w{1,3}' . '\w{1,3}'\)\);
+
+# backdoor reported #72
+@\$[a-z]{1}\[\d+\]\(\$[a-z]{1}\[\d+\]\);
--- a/scan.php
+++ b/scan.php
@@ -42,6 +42,7 @@ class MalwareScanner
    private $flagScanEverything = false;
    private $flagCombinedWhitelist = false;
    private $flagDisableStats = false;
+    private $customWhitelist = array();
    private $outputFormat = '';
    private $whitelist = array();
    private $ignore = array();
@@ -191,16 +192,21 @@ class MalwareScanner
        return $list;
    }

-    //Loads the whitelist file
-    public function loadWhitelist()
+    /**
+     * Loads the whitelist files
+     */
+    public function loadWhitelists()
    {
-        if (!is_file(__DIR__ . '/whitelist.txt')) {
-            return;
-        }
-        $fp = fopen(__DIR__ . '/whitelist.txt', 'r');
-        while (!feof($fp)) {
-            $line = fgets($fp);
-            $this->whitelist[] = substr($line, 0, 32);
+        $a = array_merge([__DIR__ . '/whitelist.txt'], $this->customWhitelist);
+        foreach ($a as $file) {
+            if (is_file($file)) {
+                $fp = fopen($file, 'r');
+                while (!feof($fp)) {
+                    $line = fgets($fp);
+                    $this->whitelist[] = substr($line, 0, 32);
+                }
+                fclose($fp);
+            }
        }
    }

@@ -248,6 +254,7 @@ class MalwareScanner
                'wordpress-version:',
                'scan-everything',
                'combined-whitelist',
+                'custom-whitelist:',
                'disable-stats'
            )
        );
@@ -334,6 +341,13 @@ class MalwareScanner
        if (isset($options['combined-whitelist'])) {
            $this->setFlagCombinedWhitelist(true);
        }
+        if (isset($options['custom-whitelist'])) {
+            $a = $options['custom-whitelist'];
+            if (!is_array($a)) {
+                $a = array($a);
+            }
+            $this->setCustomWhitelist(array_unique($a));
+        }
        if (isset($options['disable-stats'])) {
            $this->setFlagDisableStats(true);
        }
@@ -435,6 +449,11 @@ class MalwareScanner
        $this->flagDisableStats = $b;
    }

+    public function setCustomWhitelist($a)
+    {
+        $this->customWhitelist = $a;
+    }
+
    // @see http://stackoverflow.com/a/13914119
    private function pathMatches($path, $pattern, $ignoreCase = false)
    {
@@ -626,7 +645,7 @@ class MalwareScanner
    {
        $this->initializePatterns();

-        $this->loadWhitelist();
+        $this->loadWhitelists();

        if ($this->flagCombinedWhitelist && !$this->updateCombinedWhitelist()) {
            return false;
Author	SHA1	Message	Date
Gabor Gyorvari	3b76a7270e	Backdoor reported in #72	2022-03-24 18:46:58 +01:00
Gabor Gyorvari	f0bdb1f1e1	Backdoor reported in #71	2021-12-13 18:09:02 +01:00
Gabor Gyorvari	43876b337b	Pattern updates from new infections	2021-05-27 06:57:08 +02:00
Gabor Gyorvari	1fad164790	gzipped payload	2021-05-27 06:57:08 +02:00
Gabor Gyorvari	f4d53e89d8	Pattern updates from new infections	2021-05-27 06:57:08 +02:00
Gabor Gyorvari	34ea02323b	New flag to specify custom white list file	2021-04-01 12:44:15 +02:00
Gabor Gyorvari	b74494a4f1	base64 sample for "file" too short and causes false positive	2021-02-26 13:27:58 +01:00