From 755e9112dc23d07c3d2db5a0c325615e1f9131f0 Mon Sep 17 00:00:00 2001
From: root
Date: Mon, 27 Jan 2020 16:16:19 +0100
Subject: [PATCH] fixes
---
 cms-ver.php | 1 +
 cms-vss.php | 1 +
 malware.pl | 8 +++++++-
 malwaresh.pl | 15 +++++++++++++++
 4 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/cms-ver.php b/cms-ver.php
index c3b569a..1023464 100644
--- a/cms-ver.php
+++ b/cms-ver.php
@@ -212,6 +212,7 @@ array("ZenTaoPHP", "/config/config.php", "\$config->version", "EOL"),
 array("Glype", "/includes/settings.php", "\$CONFIG\['version'\]", "EOL"), // needs to be checked
 array("Kohana", "/system/core/Kohana.php", "const VERSION", "EOL"),
+array("Form Tools Core", "/global/library.php", "\$g_current_version", "EOL"),
diff --git a/cms-vss.php b/cms-vss.php
index 6e96d54..2acfad8 100644
--- a/cms-vss.php
+++ b/cms-vss.php
@@ -226,6 +226,7 @@ array("ZenTaoPHP", "/config/config.php", "\$config->version", "EOL"),
 array("Glype", "/includes/settings.php", "\$CONFIG['version'] =", "EOL"),
 array("Kohana", "/system/core/Kohana.php", "const VERSION", "EOL"),
+array("Form Tools Core", "/global/library.php", "\$g_current_version", "EOL"),
diff --git a/malware.pl b/malware.pl
index c9c59a0..5217953 100644
--- a/malware.pl
+++ b/malware.pl
@@ -1456,7 +1456,13 @@ my @regexen = (
 qr/<\?php.+?if\(\!function_exists\(.+?=base64_decode\(\$.+?=\(ord\(\$.+?\"\)\);\?>/is,
 qr/<\?php\s+\$.+?eval\(base64_decode\(gzuncompress\(base64_decode\(\$.+?\)\)\)\);\?>/is,
 qr/<\?php \$__FILE__=__FILE__;\$__X__=\'.+?\)\);unset\(\$__X__\);unset\(\$__FILE__\); \?>/is,
-
+ qr/<\?php \/\*\*\* WebShellOrb 2\.6 - With PHP 7 \*\*\*\/ \$.+?=file\(\_\_FILE\_\_\);eval\(base64_decode\(\"aWYo.+?\)\)\);\_\_halt_compiler\(\);aWYo.+?\+fwE=/is,
+ qr/<\?php\s+error_reporting\(0\);.+?Database Emails Extractor By SparkyDz.+?return \$result;\s+\}\s+\?>/is,
+ qr/<\?php passthru\(\$_GET\[\'cmd\'\]\); \?>/is,
+ qr/<\?php.+?\$url = \"\(B\)\/\(C\)\-\(A\)\.html\";.+?0=urldecode\(\"\%6.+?\)\);\s+\?>/is,
+ qr/<\?php if\(\$_GET\[\'l\'\]\)\{\@move_uploaded_file\(\$_FILES\[\'f\'\]\[\'tmp_name\'.+?<\/form>\'; \?>/is,
+ qr/<\?php if\(\$_GET\[\"\\x6c\"\]\)\{\@move_uploaded_file\(\$_FILES\[.+?<\/f\\x6frm>\"; \?>/is,
+
 );
 my @base64_decodes = (
diff --git a/malwaresh.pl b/malwaresh.pl
index 05e3edc..72d4445 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
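Review bot: The `passthru($_GET['cmd'])` signature added in the middle of this hunk is a byte-exact match — one space after `<?php`, `passthru` only, `$_GET` only, parameter `cmd` only, `; ?>` with one space — so `system($_GET['c'])`, `passthru($_REQUEST['cmd'])` or the same one-liner with a doubled space all pass unflagged, while the neighbouring new entries (`\s+`, `.+?`, the `\x6c`-obfuscated upload-form variant) already allow for that kind of variation. I would loosen it to `qr/<\?php\s+(?:passthru|system|shell_exec|exec)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\)\s*;\s*\?>/i` and, if the list is intentionally kept narrow to limit false positives, at least replace the fixed spaces with `\s*`. Separately, the `<\?php.+?\$url = ...` and `<\?php\s+error_reporting\(0\);.+?SparkyDz` entries start a lazy `.+?` under `/s` at the first `<?php` and, on a file that does not match, can re-scan to end of input from every later `<?php`; that is the same shape as the pre-existing entries above them, but it is worth knowing before pointing the scanner at large uploads. The `@regexen` array is opened before this hunk (only its `my @regexen = (` line shows in the hunk header); its closing `);` is the context line at the end.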
@@ -26,6 +26,13 @@ print "Content-type: text/html\n\n";
 my $user = $ARGV[0];
 my @regexen = (
+ qr/<\?php\s+\/\*\*\s+\* WordPress DB Class.+?\$_REQUEST = array_merge\(\$_GET, \$_POST, \$_COOKIE\);\s+\$auth = \"([A-z0-9_]{1,40})\";\s+\$sname = \@session_name\(\);.+?\$method = \"create\" \. \"_\" \. \"function\";\s+\$decode = \"base\" \. \"64_de\" \. \"code\";\s+\$reverse = \"str\" \. \"rev\";\s+\$decompress = \"gzun\" \. \"compress\";.+?\$action = \$method\(\'\'\, \$data\);\s+\$action\(\);\s+\}\s+\}\s+\}/is,
+ qr/<\?php \/\*([A-z0-9_]{1,50})\*\/ \?><\?php \$([A-z0-9_]{1,20}) = \".+?\'\' \) , \$([A-z0-9_]{1,20}) \)\)\.\"\'.+?\'\"\.([A-z0-9_]{1,20})\( \$([A-z0-9_]{1,20})\[([A-z0-9_]{1,20})\],\$([A-z0-9_]{1,20})\[([A-z0-9_]{1,20})\]\.\$([A-z0-9_]{1,20})\[([A-z0-9_]{1,20})\], \$([A-z0-9_]{1,20})\[([A-z0-9_]{1,20})\] \);\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\,array\(\'\'\,\'\}\'\.\$([A-z0-9_]{1,20})\.\'\/\/\'\)\);/is,
+ qr/