added working Eitest Regex

2018-05-11 11:49:40 +02:00
parent 1194604cc0
commit 448e75c083
1 changed files with 4 additions and 3 deletions
--- a/scan.py
+++ b/scan.py
@@ -231,7 +231,7 @@ scoring = {
  'PHISHING':                 (10, u'Phishing patterns'),
  'MD5':                      (20, u'md5 strings used in malware'),
  'SOCIALS':                  (50, u'Email addresses, links and social networking'),
-  'EITEST':                    (50, u'Eitest'),
+  'EITEST':                   (65, u'Eitest'),
 }
@@ -325,6 +325,8 @@ def is_hacked(filename):
            score.append(('ACCESS_DENIED', ''))
        if l.find('/bin/host') >= 0:
            score.append(('BIN_HOST', ''))
        if re.compile('<\?php\s*\$([a-z]){1,10}\s*=\s*\'.*\$([a-z]){1,10}=explode\(chr\(\(([0-9]){1,4}[-+]([0-9]){1,4}\)\).*\$([a-z]){1,10}=\(([0-9]){1,4}[-+]([0-9]){1,10}\).*-1;\s*\?>').match(l):
            score.append(('EITEST', ''))
        if ('if( !isset($gCms) ) exit;' in l or
           "if( !defined( '_VALID_MOS' )" in l or
            "if (!defined('IN_PHPBB')" in l or
@@ -530,8 +532,7 @@ def is_hacked(filename):
            or 'https://www.colourbox.com/preview/11775720-hacker-boy-icon.jpg' in l \
            or 'https://image.prntscr.com/image/dQ_-z9pTRL6tA2kqbnXH6A.jp' in l:
            score.append(('SOCIALS', ''))
-        if re.compile("<\?php \$([a-z]){1,10} = \'.*\$([a-z]){1,10}=explode\(chr\(\(([0-9]){1,4}[-+]([0-9]){1,4}\)\).*\$([a-z]){1,10}=\(([0-9]){1,4}[-+]([0-9]){1,10}\).*-1; \?>") in l:
+
            score.append(('EITEST', ''))
        previous_line = l
    if line_num < 20: