Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

added WebAsyst, new patterns, EiTest match

Browse Source
This commit is contained in:
Palma Solutions LTD 2018-05-11 12:16:53 +02:00
parent 448e75c083
commit 202a1a5f20
4 changed files with 11 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
cms-vss.php
View File

@ -174,6 +174,7 @@
array("Simple PHP Blog", "/scripts/sb_functions.php", "\$sb_info[ 'version' ] =", "EOL"), array("Simple PHP Blog", "/scripts/sb_functions.php", "\$sb_info[ 'version' ] =", "EOL"),
array("Claroline", "/inc/installedVersion.inc.php", "\$new_version =", "EOL"), array("Claroline", "/inc/installedVersion.inc.php", "\$new_version =", "EOL"),
array("Moodle", "/version.php", "\$release =", "Maintained"), array("Moodle", "/version.php", "\$release =", "Maintained"),
array("WebAsyst", "/kernel/wbs.xml", "<WBS VERSION=", "EOL"),
// still need to work on these // still need to work on these

1
malware5.pl
View File

@ -509,6 +509,7 @@ my @regexen = (
qr/<\?php\s+\$.+?\"pre\"\.\"g\_\"\.\"rep\"\.\"lace\"\;\s+\$.+?\(strrev\(\"e\/\*\.\/\"\)\,\s+strrev\(\"\(edoced\_46esab\(etalfnizg\(lave\"\)\.\".+?\)\;\s+\?>/is, qr/<\?php\s+\$.+?\"pre\"\.\"g\_\"\.\"rep\"\.\"lace\"\;\s+\$.+?\(strrev\(\"e\/\*\.\/\"\)\,\s+strrev\(\"\(edoced\_46esab\(etalfnizg\(lave\"\)\.\".+?\)\;\s+\?>/is,
qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\"\\x.+?\$([A-z0-9]{1,20})\s+\=\s+Array\(\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\].+?eval\(\$([A-z0-9]{1,20})\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\]\)\;\s+\}\s+\}/is, qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\"\\x.+?\$([A-z0-9]{1,20})\s+\=\s+Array\(\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\].+?eval\(\$([A-z0-9]{1,20})\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\]\)\;\s+\}\s+\}/is,
qr/<\?php.+?class\s+browseDir\s+\{.+?function\s+upload\(\$ifupload\)\{.+?if\(\!empty\(\$eval\)\s+\&\&\s+\$eval\s+\!\=\s+\'\'\)\{.+?<\/body><\/html>\s+\<\?\}\?>/is, qr/<\?php.+?class\s+browseDir\s+\{.+?function\s+upload\(\$ifupload\)\{.+?if\(\!empty\(\$eval\)\s+\&\&\s+\$eval\s+\!\=\s+\'\'\)\{.+?<\/body><\/html>\s+\<\?\}\?>/is,
qr/<span style="position:absolute;visibility: collapse;">.+?(viagra|cialis|levira|kamagra).+?<\/a>\s+<\/span>/is,
); );

2
malwaresh.pl
View File

@ -992,7 +992,7 @@ my @regexen = (
qr/<\?php\s+\$.+?\"pre\"\.\"g\_\"\.\"rep\"\.\"lace\"\;\s+\$.+?\(strrev\(\"e\/\*\.\/\"\)\,\s+strrev\(\"\(edoced\_46esab\(etalfnizg\(lave\"\)\.\".+?\)\;\s+\?>/is, qr/<\?php\s+\$.+?\"pre\"\.\"g\_\"\.\"rep\"\.\"lace\"\;\s+\$.+?\(strrev\(\"e\/\*\.\/\"\)\,\s+strrev\(\"\(edoced\_46esab\(etalfnizg\(lave\"\)\.\".+?\)\;\s+\?>/is,
qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\"\\x.+?\$([A-z0-9]{1,20})\s+\=\s+Array\(\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\].+?eval\(\$([A-z0-9]{1,20})\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\]\)\;\s+\}\s+\}/is, qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\"\\x.+?\$([A-z0-9]{1,20})\s+\=\s+Array\(\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\].+?eval\(\$([A-z0-9]{1,20})\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\]\)\;\s+\}\s+\}/is,
qr/<\?php.+?class\s+browseDir\s+\{.+?function\s+upload\(\$ifupload\)\{.+?if\(\!empty\(\$eval\)\s+\&\&\s+\$eval\s+\!\=\s+\'\'\)\{.+?<\/body><\/html>\s+\<\?\}\?>/is, qr/<\?php.+?class\s+browseDir\s+\{.+?function\s+upload\(\$ifupload\)\{.+?if\(\!empty\(\$eval\)\s+\&\&\s+\$eval\s+\!\=\s+\'\'\)\{.+?<\/body><\/html>\s+\<\?\}\?>/is,
qr/<span style="position:absolute;visibility: collapse;">.+?(viagra|cialis|levira|kamagra).+?<\/a>\s+<\/span>/is,
); );

8
scan.py
View File

@ -177,6 +177,14 @@ whitelist = [
'custom-fields/typography/googlefonts-array.php', 'custom-fields/typography/googlefonts-array.php',
'wp-content/uploads/sucuri/sucuri-sitecheck.php', 'wp-content/uploads/sucuri/sucuri-sitecheck.php',
'wp-content/plugins/akeebabackupcore/app/restore.php', 'wp-content/plugins/akeebabackupcore/app/restore.php',
'/includes/utf/data/recode_cjk.php',
'/kernel/includes/smarty/plugins/modifier.base64decode.php',
'/kernel/includes/smarty/plugins/function.mime_decode.php',
'/common/html/scripts/preview.php',
'/html/scripts/core_functions/crypto/crypto_functions.php',
'/html/scripts/getwidget.php',
'/html/scripts/cc_after.php',
] ]
debug = True debug = True