diff --git a/cms-ver.php b/cms-ver.php index 8f47a3b..349b0d3 100644 --- a/cms-ver.php +++ b/cms-ver.php @@ -182,6 +182,7 @@ array("ELGG", "/vendor/elgg/elgg/composer.json", "\"version\":", "Maintained"), array("Grav CMS", "/system/defines.php", "define('GRAV_VERSION',", "Maintained"), array("CuteNews", "/inc/functions.inc.php", "\$config_version_name = \"CuteNews v", "EOL"), + array("UCenter", "/index.php", "define('UC_VERSION',", "EOL"), // still need to work on these array("Silverstripe", "/cms/silverstripe_version", "*"), //needs review diff --git a/cms-vss.php b/cms-vss.php index ac24d12..c2b46d3 100644 --- a/cms-vss.php +++ b/cms-vss.php @@ -196,7 +196,8 @@ array("ELGG", "/vendor/elgg/elgg/composer.json", "\"version\":", "Maintained"), array("Grav CMS", "/system/defines.php", "define('GRAV_VERSION',", "Maintained"), array("CuteNews", "/inc/functions.inc.php", "\$config_version_name = \"CuteNews v", "EOL"), - + array("UCenter", "/index.php", "define('UC_VERSION',", "EOL"), + // still need to work on these array("Silverstripe", "/cms/silverstripe_version", "*"), //needs review array("Croogo", "/Vendor/croogo/croogo/VERSION.txt", "*"), // needs further review diff --git a/malware6.pl b/malware6.pl index 4f8ba79..0798c8b 100644 --- a/malware6.pl +++ b/malware6.pl 
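Review bot: The UCenter row is added verbatim to both cms-ver.php and cms-vss.php, and the context rows around it (ELGG, Grav CMS, CuteNews) are identical in the two files, so the fingerprint table is maintained by hand in two places and can drift; a single shared include loaded by both scripts would avoid that. The new row probes `/index.php`, a path almost every PHP application has, so the match rests entirely on the `define('UC_VERSION',` string. A trailing comment such as `// generic path: match relies on the UC_VERSION define` would record that this is intentional. The cms-vss.php hunk also appears to swap one blank line for another, which looks like whitespace-only churn. Both arrays begin and end outside the hunks.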
@@ -237,6 +237,7 @@ my @regexen = ( qr/<\?php\s+ignore_user_abort\(\);.+?system\(base64_decode\(.+?system\(\'echo \"\* \* \* \* \* wget http:\/\/\'\.\$_SERVER\[\"HTTP_HOST\"\]\.\$_SERVER\[\"REQUEST_URI\"\]\.\'\" \| crontab\'\);\s+\?>/is, qr/<\?php for\(\$o=0,\$e=\'&\\\'\(\)\*\+,-\.:\].+?\(:\)^\',\$d=\'\';\@ord\(\$e\[\$o\]\);\$o\+\+\)\{if\(\$o<16\)\{\$h\[\$e\[\$o\]\]=\$o;\}else\{\$d\.=\@chr\(\(\$h\[\$e\[\$o\]\]<<4\)\+\(\$h\[\$e\[\+\+\$o\]\]\)\);\}\}eval\(\$d\); \?>/is, qr/<\?php\s+\$ver = \'abcdefghijklmnopqrstuvwxyz\';\s+\$check = \$ver\{.+?\(\$check\(array\(\'\\n\', \';\'\).+?value=\"&\"\/><\/form>/is, + qr/<\?php\s+\@error_reporting\(0\);\@set_time_limit\(0\);\s+\$code=\"%3B.+?\$code=\@urldecode\(\$code\);\$code=\@strrev\(\$code\);\@eval\(\$code\);\s+\?>/is, diff --git a/malwaresh.pl b/malwaresh.pl index e99de7a..a86067c 100644 --- a/malwaresh.pl +++ b/malwaresh.pl @@ -26,6 +26,7 @@ print "Content-type: text/html\n\n"; my $user = $ARGV[0]; my @regexen = ( + qr/<\?php\s+\/\/header\(.+?\\x30\"\]\(\);\?>/is, qr/<\?php\s+\/\/header\(.+?\$([O0_]{1,6})=\(.+?\\x\d\d\"\]\(\);\?>/is, qr/<\?php\s+\/\/header\(.+?\$([A-z0_]{1,20})=urldecode\(.+?\]\(\);\?>/is, qr/<\?php\s+if \(isset\(\$\{\"_REQUE\"\.\"ST\"\}\[\'([A-z0-9_]{1,20})\'\]\)\)\{\$([A-z0-9_]{1,20})=\"assert\";\$([A-z0-9_]{1,20})\(\$\{\"_REQUEST\"\}\[\'([A-z0-9_]{1,20})\'\]\);exit;\} \/\/([A-z0-9_]{1,20})\s+if \(!extension_loaded\(\'IonCube_loader\'\)\).+?\?>\s+([A-z0-9_]{50,})\Z/is, 
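Review bot: The new signature is brittle where it hard-codes zero whitespace between statements, in `\@error_reporting\(0\);\@set_time_limit\(0\);` and in `\$code=\@urldecode\(\$code\);\$code=\@strrev\(\$code\);\@eval\(\$code\);`. A copy of the same dropper re-emitted with a space or newline after any `;` would go undetected; writing `;\s*` between the calls tolerates that without loosening the match in any meaningful way. The identical pattern is added to malwaresh.pl in the `@@ -1224,8 +1225,7 @@` hunk, so the same change applies there. A one-line comment above the entry, e.g. `# urldecode + strrev + eval loader`, would help later triage of hits. The `@regexen` list starts and ends outside the hunk.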
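Review bot: The entry added at the top of the list, `qr/<\?php\s+\/\/header\(.+?\\x30\"\]\(\);\?>/is`, pins only a commented-out `//header(` at the start and the literal `\x30"]();?>` at the end, with an unbounded `.+?` under `/s` between them. That makes it much looser than the two `//header(` patterns below it, which also require a `$…=` assignment in the middle. If the code that consumes `@regexen` (outside this hunk) reports or strips the matched span, a file that opens with a legitimate `//header(` comment and carries that tail later would have everything in between treated as malware. Bounding the gap, e.g. `.{1,N}?` with N a placeholder sized from the observed sample, or requiring one intermediate token as the neighbouring entries do, would keep the specificity. Because it sits first, it may also shadow the more specific entries if matching stops at the first hit.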
@@ -1224,8 +1225,7 @@ my @regexen = (
 qr/<\?php\s+ignore_user_abort\(\);.+?system\(base64_decode\(.+?system\(\'echo \"\* \* \* \* \* wget http:\/\/\'\.\$_SERVER\[\"HTTP_HOST\"\]\.\$_SERVER\[\"REQUEST_URI\"\]\.\'\" \| crontab\'\);\s+\?>/is,
 qr/<\?php for\(\$o=0,\$e=\'&\\\'\(\)\*\+,-\.:\].+?\(:\)^\',\$d=\'\';\@ord\(\$e\[\$o\]\);\$o\+\+\)\{if\(\$o<16\)\{\$h\[\$e\[\$o\]\]=\$o;\}else\{\$d\.=\@chr\(\(\$h\[\$e\[\$o\]\]<<4\)\+\(\$h\[\$e\[\+\+\$o\]\]\)\);\}\}eval\(\$d\); \?>/is,
 qr/<\?php\s+\$ver = \'abcdefghijklmnopqrstuvwxyz\';\s+\$check = \$ver\{.+?\(\$check\(array\(\'\\n\', \';\'\).+?value=\"&\"\/><\/form>/is,
-
-
+ qr/<\?php\s+\@error_reporting\(0\);\@set_time_limit\(0\);\s+\$code=\"%3B.+?\$code=\@urldecode\(\$code\);\$code=\@strrev\(\$code\);\@eval\(\$code\);\s+\?>/is,