diff --git a/cms-ver.php b/cms-ver.php index 8e5b1dd..82c5920 100644 --- a/cms-ver.php +++ b/cms-ver.php @@ -196,6 +196,10 @@ array("phpGedView", "/config.php", "\$CONFIG_VERSION =", "EOL"), array("Dolphin", "/inc/header.inc.php", "\$site['ver']", "Maintained"), array("SQLBuddy", "/functions.php", "define(\"VERSION_NUMBER\"", "EOL"), + array("Dolibarr", "/filefunc.inc.php", "define('DOL_VERSION',", "EOL"), // needs to be checked + array("Mambo", "/version.php", "DEFINE( '_RELEASE',", "EOL"), + array("ViArt Shop", "/index.php", "*** ViArt Shop", "EOL"), + // still need to work on these array("Silverstripe", "/cms/silverstripe_version", "*"), //needs review diff --git a/cms-vss.php b/cms-vss.php index 41a371c..d09dabf 100644 --- a/cms-vss.php +++ b/cms-vss.php @@ -210,6 +210,9 @@ array("phpGedView", "/config.php", "\$CONFIG_VERSION =", "EOL"), array("Dolphin", "/inc/header.inc.php", "\$site['ver']", "Maintained"), array("SQLBuddy", "/functions.php", "define(\"VERSION_NUMBER\"", "EOL"), + array("Dolibarr", "/filefunc.inc.php", "if (! defined('DOL_VERSION')) define('DOL_VERSION',", "EOL"), + array("Mambo", "/version.php", "DEFINE( '_RELEASE',", "EOL"), + array("ViArt Shop", "/index.php", "*** ViArt Shop", "EOL"), // still need to work on these diff --git a/malware6.pl b/malware6.pl index 771c241..16e469a 100644 --- a/malware6.pl +++ b/malware6.pl 
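Review bot: The Dolibarr entry added to cms-ver.php uses the marker `define('DOL_VERSION',` and is tagged `// needs to be checked`, while the cms-vss.php hunk adds the same product with `if (! defined('DOL_VERSION')) define('DOL_VERSION',`. The shorter string is a substring of the longer one, so the two tables will not necessarily select the same line of `/filefunc.inc.php`. How the marker is matched is outside these hunks, but a version read from the wrong line would misreport whether an install is outdated. I would settle on one verified marker in both files and replace the open-ended comment with what is still to be confirmed, e.g. `// TODO: confirm marker against a current Dolibarr filefunc.inc.php`. Both arrays start and end outside the hunks.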
@@ -1377,7 +1377,8 @@ my @regexen = ( qr/<\?php\s+\$.+?if\(!function_exists\(\'str_ireplace\'\)\)\{function str_ireplace\(\$from,\$to,\$string\)\{return trim\(preg_replace\(\"\/\"\.addcslashes\(\$from,\"\?\:\\\\\/\*\^\$\"\)\.\"\/si\",\$to,\$string\)\);\}\};\$.+?\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}\[\"\\x4f\\x4f\\x4f\\x30\\x4f\\x5f\\x30\\x30\\x5f\\x5f\"\]\(\);\?>/is, qr/<\?php.+?\$filter = \'base\'\.\'6\'\.\'4\'\.\'_decode\';.+?\$prepare_func = \'g\'\.\'z\'\.\'inflate\';.+?return \@\$prepare_func\( \$filter \);.+?\}\s+wp_admin_bar_header\(\);/is, qr/<\?php if\(isset\(\$_REQUEST\[\"([A-z0-9_]{1,20})\"\]\)\)\{\$myvar = base64_decode\(\$_REQUEST\[\"([A-z0-9_]{1,20})\"\]\); eval\(\$myvar\);\}\?>/is, - + qr/<\?php\s+if \(isset\(\$_GET\[\'([A-z0-9_]{1,20})\'\]\)\)\{die\(\'OK\'\);\}.+?function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20}), \$([A-z0-9_]{1,20}) = \"\\x.+?\]; \} \} return \$([A-z0-9_]{1,20}); \}\s+\/\*.+?\*\/\s+\$([A-z0-9_]{1,20}) = \".+?\)\)\);\s+\$([A-z0-9_]{1,20})\(\);\s+\/\*.+?\*\//is, + qr/<\?php\s+function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20}), \$([A-z0-9_]{1,20}) = \"\\x.+?\*\/\s+\$([A-z0-9_]{1,20}) = \".+?\)\)\);\s+\$([A-z0-9_]{1,20})\(\);\s+\/\*.+?\*\//is, diff --git a/malwaresh.pl b/malwaresh.pl index f0e7ed5..c97e9b7 100644 --- a/malwaresh.pl +++ b/malwaresh.pl 
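Review bot: The identifier class `[A-z0-9_]`, used seven times in the first added signature and five times in the second, is wider than it reads: the range `A-z` also covers the ASCII punctuation between `Z` and `a`, so it accepts `[`, `\`, `]`, `^` and the backtick. PHP names cannot contain those, so `([A-Za-z0-9_]{1,20})` states the intent; the same class appears in the malwaresh.pl hunk and in the existing `$_REQUEST` signature in the context lines. Separately, each new pattern chains several unbounded `.+?` under `/s`, so a large file that matches the opening but not the tail can cost a lot of backtracking during a scan; a bounded form such as `.{1,N}?`, with N taken from the known samples, would cap that. A one-line comment above each entry naming the sample it was derived from would help later false-positive triage. The `@regexen` list starts and ends outside the hunk.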
@@ -1387,7 +1387,9 @@ my @regexen = ( qr/<\?php\s+\$.+?if\(!function_exists\(\'str_ireplace\'\)\)\{function str_ireplace\(\$from,\$to,\$string\)\{return trim\(preg_replace\(\"\/\"\.addcslashes\(\$from,\"\?\:\\\\\/\*\^\$\"\)\.\"\/si\",\$to,\$string\)\);\}\};\$.+?\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}\[\"\\x4f\\x4f\\x4f\\x30\\x4f\\x5f\\x30\\x30\\x5f\\x5f\"\]\(\);\?>/is, qr/<\?php.+?\$filter = \'base\'\.\'6\'\.\'4\'\.\'_decode\';.+?\$prepare_func = \'g\'\.\'z\'\.\'inflate\';.+?return \@\$prepare_func\( \$filter \);.+?\}\s+wp_admin_bar_header\(\);/is, qr/<\?php if\(isset\(\$_REQUEST\[\"([A-z0-9_]{1,20})\"\]\)\)\{\$myvar = base64_decode\(\$_REQUEST\[\"([A-z0-9_]{1,20})\"\]\); eval\(\$myvar\);\}\?>/is, - + qr/<\?php\s+if \(isset\(\$_GET\[\'([A-z0-9_]{1,20})\'\]\)\)\{die\(\'OK\'\);\}.+?function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20}), \$([A-z0-9_]{1,20}) = \"\\x.+?\]; \} \} return \$([A-z0-9_]{1,20}); \}\s+\/\*.+?\*\/\s+\$([A-z0-9_]{1,20}) = \".+?\)\)\);\s+\$([A-z0-9_]{1,20})\(\);\s+\/\*.+?\*\//is, + qr/<\?php\s+function ([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20}), \$([A-z0-9_]{1,20}) = \"\\x.+?\*\/\s+\$([A-z0-9_]{1,20}) = \".+?\)\)\);\s+\$([A-z0-9_]{1,20})\(\);\s+\/\*.+?\*\//is, + qr/<\?php\s+\$([A-z0-9_]{1,20})=\"\\x61\"\.\"\\x75\"\.chr\(116\)\.\"h\"\.\"\\x5f\"\.\"p\"\.\"a\"\.\"\\x73\"\.\"\\x73\";.+?\)\)\);\s+#############################################################################/is, );
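Review bot: The third signature added here pins one exact spelling of an obfuscated string, `"\x61"."\x75".chr(116)."h"."\x5f"."p"."a"."\x73"."\x73"` (which decodes to `auth_pass`), and ends on a fixed-length run of `#`. A sample that encodes the same name with a different mix of escapes, or carries a shorter banner, will therefore pass unflagged. If the banner length is not significant, a quantified form such as `\#{20,}` (minimum chosen from the samples) is easier to read and tolerates variation. A comment like `# obfuscated "auth_pass" assignment followed by a '#' banner` would tell the next maintainer what the entry targets. This entry is added to malwaresh.pl only, while malware6.pl received just the other two signatures; if the two lists are meant to stay in sync, that looks like an omission. The `@regexen` list starts outside the hunk.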