new patterns

cms-ver.php

@@ -38,10 +38,10 @@
         array("XOOPS", "/version.php", "XOOPS_VERSION", ""),
         array("Concrete5", "/config/concrete.php", "version_installed", ""),
         array("Concrete5", "/concrete/config/version.php", "\$APP_VERSION =", ""),
-        array("Serendipity", "/serendipity_config.inc.php", "\$serendipity\['version'\] =", ""),
-        array("OpenBlog", "/application/config/open_blog.php", "\$config\['version'\] =", ""),
+        array("Serendipity", "/serendipity_config.inc.php", "\$serendipity['version'\] =", ""),
+        array("OpenBlog", "/application/config/open_blog.php", "\$config['version'] =", ""),
         array("b2evolution", "/conf/_application.php", "\$app_version =", ""),
-        array("Nucleus", "/nucleus/libs/globalfunctions.php", "\$nucleus\['version'\] =", "EOL"),
+        array("Nucleus", "/nucleus/libs/globalfunctions.php", "\$nucleus['version'] =", "EOL"),
         array("Dotclear", "/inc/prepend.php", "define('DC_VERSION',", ""),
         array("TextPattern", "/textpattern/index.php", "\$thisversion =", ""),
         array("NibbleBlog", "/admin/boot/rules/98-constants.bit", "define('NIBBLEBLOG_VERSION',", "EOL"),
@@ -203,6 +203,15 @@
         array("PHPMyList", "/readme.txt", "PHPMyList V", "EOL"),
         array("Download Engine", "/include/config.inc.php", "define('APP_VERSION',", "EOL"),
         array("GBook - PHP Guestbook", "/gbook.php", "\$settings['verzija'] =", "EOL"),
+        array("The Next Generation of Genealogy Sitebuilding", "/version.php", "\$tng_version", "EOL"),
+        array("Pluck", "/data/inc/variables.all.php", "\$pluck_version", "EOL"),
+        array("ph7cms", "/_protected/app/system/config/config.ini", "version =". "EOL"),
+        array("EGroupWare", "/header.inc.php", "\$GLOBALS['egw_info']['server']['versions']['header'] ", "Maintained"),
+        array("FrontAccounting", "/version.php", "\$src_version =", "EOL"),
+        array("vTiger CRM", "/vtigerversion.php", "\$vtiger_current_version =", "Maintained"), 
+        array("ZenTaoPHP", "/config/config.php", "\$config->version", "EOL"),
+        array("Glype", "/includes/settings.php", "\$CONFIG['version'] =", "EOL"),
+
 
 
 
@@ -336,6 +345,9 @@ foreach(glob("../".$raw[1], GLOB_BRACE) as $versionfiles) {
     array("AbanteCart", "/core/version.php", "define('MASTER_VERSION',", "define('MINOR_VERSION',", "define('VERSION_BUILT',", ""),
     array("DotProj", "/includes/version.php", "\$dp_version_major", "\$dp_version_minor", "\$dp_version_patch", ""), 
     array("web2project", "/includes/version.php", "\$w2p_version_major =", "\$w2p_version_minor =", "\$w2p_version_patch =", "EOL")
+    array("CMSAdmin", "/cmsAdmin/lib/init.php"  "'version'", "'build'", "'id'", "EOL"),
+    array("Etomite", "manager/includes/version.inc.php", "\$small_version", "\$patch_level", "\$release", "EOL"),
+    array("Akaunting", "/config/version.php", "'major'", "'minor'", "'patch'", "EOL"),
 
 );
 

cms-vss.php

@@ -32,7 +32,7 @@
         array("Wordpress", "/wp-includes/version.php", "\$wp_version =", "Maintained"),
         array("Drupal 6/7", "/modules/system/system.info", "version = ", "EOL"),
         array("Drupal 8", "/core/modules/system/system.info.yml", "version: '", "Maintained"),
-        array("osCommerce", "/includes/application_top.php", "define('PROJECT_VERSION', 'osCommerce Online Merchant", "Maintained"),
+        array("osCommerce", "/includes/application_top.php", "define('PROJECT_VERSION', 'osCommerce", "Maintained"),
         array("phpBB", "/includes/constants.php", "define('PHPBB_VERSION',", "Maintained"),
         array("SMF", "/index.php", "\$forum_version = 'SMF", "Maintained"),
         array("Gallery2", "/modules/gallery/helpers/gallery.php", "const VERSION =", "EOL"),
@@ -217,6 +217,14 @@
         array("PHPMyList", "/readme.txt", "PHPMyList V", "EOL"),
         array("Download Engine", "/include/config.inc.php", "define('APP_VERSION',", "EOL"),
         array("GBook - PHP Guestbook", "/gbook.php", "\$settings['verzija'] =", "EOL"),
+        array("The Next Generation of Genealogy Sitebuilding", "/version.php", "\$tng_version", "EOL"),
+        array("Pluck", "/data/inc/variables.all.php", "\$pluck_version", "EOL"),
+        array("ph7cms", "/_protected/app/system/config/config.ini", "version =". "EOL"),
+        array("EGroupWare", "/header.inc.php", "\$GLOBALS['egw_info']['server']['versions']['header'] ", "Maintained"),
+        array("FrontAccounting", "/version.php", "\$src_version =", "EOL"),
+        array("vTiger CRM", "/vtigerversion.php", "\$vtiger_current_version =", "Maintained"), 
+        array("ZenTaoPHP", "/config/config.php", "\$config->version", "EOL"),
+        array("Glype", "/includes/settings.php", "\$CONFIG['version'] =", "EOL"),
 
 
 // still need to work on these
@@ -353,7 +361,10 @@ foreach(glob("/home/".$argv[1]."/public_html/{**/*,*}".$raw[1], GLOB_BRACE) as $
     array("Magento", "/app/Mage.php", "'major'     =>", "'minor'     =>", "'revision'  =>", ""),
     array("AbanteCart", "/core/version.php", "define('MASTER_VERSION',", "define('MINOR_VERSION',", "define('VERSION_BUILT',", ""),
     array("DotProj", "/includes/version.php", "\$dp_version_major", "\$dp_version_minor", "\$dp_version_patch", ""), 
-    array("web2project", "/includes/version.php", "\$w2p_version_major =", "\$w2p_version_minor =", "\$w2p_version_patch =", "EOL")
+    array("web2project", "/includes/version.php", "\$w2p_version_major =", "\$w2p_version_minor =", "\$w2p_version_patch =", "EOL"),
+    array("CMSAdmin", "/cmsAdmin/lib/init.php"  "'version'", "'build'", "'id'", "EOL"),
+    array("Etomite", "manager/includes/version.inc.php", "\$small_version", "\$patch_level", "\$release", "EOL"),
+    array("Akaunting", "/config/version.php", "'major'", "'minor'", "'patch'", "EOL"),
 );
 
 foreach($versiontriple as $rxw){

malware.pl

@@ -1393,7 +1393,18 @@ my @regexen = (
     qr/<\?php\s+\@include_once\(\"tetete\.php\"\);\s+\?>/is,
     qr/<\?php.+?Simple Plugin.+?\$a = chr\(.+?\@array_diff_ukey\(\@array\(\(string\)\(\$a\) => 1\), \@array\(\(string\)\(\$b\) => 2\), \$c\);\s+\@include\(\$a\);\s+\@unlink\(\$a\);/is,
     qr/<script type=\'text\/javascript\' async src=\'https:\/\/somelandingpage\.com\/.+?\'><\/script>/is,
-
+    qr/<\?php if\(\!class_exists\(\'KF\'\)\)\{if\(function_exists\(\'is_user_logged_in\'\)\)\{.+?class KF\{public \$url=\"\\x68.+?init\(\$uri,\$ua\);\}/is,
+    qr/<\?php if\(\!class_exists\(\'KF\'\)\)\{if\(function_exists\(\'is_user_logged_in\'\)\).+?#rogerbot\|exabot\|mj12bot\|dotbot.+?\$ratel=new KF;\$ratel->init\(\$uri,\$ua\);\}/is,
+    qr/<script type=\'text\/javascript\' async src=\'https\:\/\/setforspecialdomain\.com\/.+?\'><\/script>/is,
+    qr/<\?php\s+ignore_user_abort\(true\);set_time_limit\(0\);error_reporting\(0\);define\(.+?\[0x00000e\]\(\$.+?CURLOPT_RETURNTRANSFER,0x001\);\$.+?\[0x0002a\]\)\);\}\?>/is,
+    qr/<\?php\s+function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20}).+?return \$([A-z0-9_]{1,20}); \}\s+\/\*([A-z0-9_]{50,})\*\/\s+\$([A-z0-9_]{1,20}) =.+?\$([A-z0-9_]{1,20})\(\'n\'\.\'\'\.\'o\'\.\'i\'\.\'t\'.+?\(\);\s+\/\*([A-z0-9_]{50,})\*\//is,
+    qr/<\?php\s+\$([A-z0-9_]{1,20})=\'([A-z0-9_]{1,20})\';\s+\$([A-z0-9_]{1,20})=\'wp-content\';\s+\$([A-z0-9_]{1,20})=base64_decode\(\".+?\[\"\\x4f\\x4f\\x4f\\x30\\x30\\x5f\\x4f\\x30\\x5f\\x5f\"\]\(\);\?>/is,
+    qr/<\?php \$([A-z0-9_]{1,20})=\"\\150\\145\\x61d\\x65\\x72\".+?<html>\s+<head><meta http-equiv=\"Content-Type\" content=\"text\/html; charset=utf-8\">.+?echo \$([A-z0-9_]{1,20}); \} \} \} \?>/is,
+    qr/<\?php\s+\$([A-z0-9_]{1,20}) = \"\\x63\\x68\\x72\"; \$([A-z0-9_]{1,20}) = \"\\x69\\x6e\\x74\\x76\\x61\\x6c\";.+?\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\); include_once\(\$([A-z0-9_]{1,20})\); \?><\?php \@include_once\(\"index\.php\"\); \?>/is,
+    qr/<\?php error_reporting\(0\);.+?ini_set\(\"error_log\", "\/dev\/null\"\);.+?\$contents = \@file_get_contents\(\$url, false, \$context\); \} \} return \$contents; \} \?>/is,
+    qr/<\?php\s+\$([A-z0-9_]{1,20})=\"([A-z0-9_]{32})\";\s+function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\,\$([A-z0-9_]{1,20})\)\{\$([A-z0-9_]{1,20})=strlen\(\$([A-z0-9_]{1,20})\);\$([A-z0-9_]{1,20})=strlen\(\$([A-z0-9_]{1,20})\).+?\);__halt_compiler\(\);
([A-z0-9_]{1,20})/is,
+    qr/<\?php\s+function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\, \$([A-z0-9_]{1,20}) = \"\\61\\x32\\63\"\) .+?\(\"n\"\.\"o\"\.\"i\"\.\"t\"\..+?\$([A-z0-9_]{1,20})\(\);\s+\/\*.+?\*\//is,
+        
 );
 
 my @base64_decodes = (

malwaresh.pl

@@ -1403,6 +1403,21 @@ my @regexen = (
     qr/<\?php\s+\@include_once\(\"tetete\.php\"\);\s+\?>/is,
     qr/<\?php.+?Simple Plugin.+?\$a = chr\(.+?\@array_diff_ukey\(\@array\(\(string\)\(\$a\) => 1\), \@array\(\(string\)\(\$b\) => 2\), \$c\);\s+\@include\(\$a\);\s+\@unlink\(\$a\);/is,
     qr/<script type=\'text\/javascript\' async src=\'https:\/\/somelandingpage\.com\/.+?\'><\/script>/is,
+    qr/<\?php if\(\!class_exists\(\'KF\'\)\)\{if\(function_exists\(\'is_user_logged_in\'\)\)\{.+?class KF\{public \$url=\"\\x68.+?init\(\$uri,\$ua\);\}/is,
+    qr/<script type=\'text\/javascript\' async src=\'https\:\/\/setforspecialdomain\.com\/.+?\'><\/script>/is,
+    qr/<\?php\s+ignore_user_abort\(true\);set_time_limit\(0\);error_reporting\(0\);define\(.+?\[0x00000e\]\(\$.+?CURLOPT_RETURNTRANSFER,0x001\);\$.+?\[0x0002a\]\)\);\}\?>/is,
+    qr/<\?php\s+function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20}).+?return \$([A-z0-9_]{1,20}); \}\s+\/\*([A-z0-9_]{50,})\*\/\s+\$([A-z0-9_]{1,20}) =.+?\$([A-z0-9_]{1,20})\(\'n\'\.\'\'\.\'o\'\.\'i\'\.\'t\'.+?\(\);\s+\/\*([A-z0-9_]{50,})\*\//is,
+    qr/<\?php\s+\$([A-z0-9_]{1,20})=\'([A-z0-9_]{1,20})\';\s+\$([A-z0-9_]{1,20})=\'wp-content\';\s+\$([A-z0-9_]{1,20})=base64_decode\(\".+?\[\"\\x4f\\x4f\\x4f\\x30\\x30\\x5f\\x4f\\x30\\x5f\\x5f\"\]\(\);\?>/is,
+    qr/<\?php \$([A-z0-9_]{1,20})=\"\\150\\145\\x61d\\x65\\x72\".+?<html>\s+<head><meta http-equiv=\"Content-Type\" content=\"text\/html; charset=utf-8\">.+?echo \$([A-z0-9_]{1,20}); \} \} \} \?>/is,
+    qr/<\?php\s+\$([A-z0-9_]{1,20}) = \"\\x63\\x68\\x72\"; \$([A-z0-9_]{1,20}) = \"\\x69\\x6e\\x74\\x76\\x61\\x6c\";.+?\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\); include_once\(\$([A-z0-9_]{1,20})\); \?><\?php \@include_once\(\"index\.php\"\); \?>/is,
+    qr/<\?php error_reporting\(0\);.+?ini_set\(\"error_log\", "\/dev\/null\"\);.+?\$contents = \@file_get_contents\(\$url, false, \$context\); \} \} return \$contents; \} \?>/is,
+    qr/<\?php\s+\$([A-z0-9_]{1,20})=\"([A-z0-9_]{32})\";\s+function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\,\$([A-z0-9_]{1,20})\)\{\$([A-z0-9_]{1,20})=strlen\(\$([A-z0-9_]{1,20})\);\$([A-z0-9_]{1,20})=strlen\(\$([A-z0-9_]{1,20})\).+?\);__halt_compiler\(\);
([A-z0-9_]{1,20})/is,
+    qr/<\?php\s+function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\, \$([A-z0-9_]{1,20}) = \"\\61\\x32\\63\"\) .+?\(\"n\"\.\"o\"\.\"i\"\.\"t\"\..+?\$([A-z0-9_]{1,20})\(\);\s+\/\*.+?\*\//is,
+    qr/<\?php if\(!class_exists\(\'Ratel\'\)\)\{.+?\$ratel->init\(\$ruri,\$host,\$is_bot\);\}/is,
+    qr/<\?php\s+extract\(\$_REQUEST\) \&\& \@\$lock\(stripslashes\(\$shall\)\) \&\& exit; if\(!class_exists\(\'Ratel\'\)\).+?\$ratel->init\(\$ruri,\$host,\$is_bot\);\}/is,
+    qr/<\?php\s+if\(!class_exists\(\'Ratel\'\)\).+?\$ratel->init\(\$ruri,\$host,\$is_bot\);\}/is,
+    qr/if\(!class_exists\(\'Ratel\'\)\)\{.+?\$ratel->init\(\$ruri,\$host,\$is_bot\);\}/is,
+
 
 );