fixes

2020-01-27 16:16:19 +01:00 · 2020-01-27 16:16:19 +01:00 · 755e9112dc
commit 755e9112dc
parent 93f36b35a2
4 changed files with 24 additions and 1 deletions
--- a/cms-ver.php
+++ b/cms-ver.php
@ -212,6 +212,7 @@
        array("ZenTaoPHP", "/config/config.php", "\$config->version", "EOL"),
        array("Glype", "/includes/settings.php", "\$CONFIG\['version'\]", "EOL"), // needs to be checked
        array("Kohana", "/system/core/Kohana.php", "const VERSION", "EOL"),
+        array("Form Tools Core", "/global/library.php", "\$g_current_version", "EOL"),



--- a/cms-vss.php
+++ b/cms-vss.php
@ -226,6 +226,7 @@
        array("ZenTaoPHP", "/config/config.php", "\$config->version", "EOL"),
        array("Glype", "/includes/settings.php", "\$CONFIG['version'] =", "EOL"),
        array("Kohana", "/system/core/Kohana.php", "const VERSION", "EOL"),
+        array("Form Tools Core", "/global/library.php", "\$g_current_version", "EOL"),



--- a/malware.pl
+++ b/malware.pl
@ -1456,6 +1456,12 @@ my @regexen = (
    qr/<\?php.+?if\(\!function_exists\(.+?=base64_decode\(\$.+?=\(ord\(\$.+?\"\)\);\?>/is,
    qr/<\?php\s+\$.+?eval\(base64_decode\(gzuncompress\(base64_decode\(\$.+?\)\)\)\);\?>/is,
    qr/<\?php \$__FILE__=__FILE__;\$__X__=\'.+?\)\);unset\(\$__X__\);unset\(\$__FILE__\); \?>/is,
+    qr/<\?php \/\*\*\* WebShellOrb 2\.6 - With PHP 7 \*\*\*\/ \$.+?=file\(\_\_FILE\_\_\);eval\(base64_decode\(\"aWYo.+?\)\)\);\_\_halt_compiler\(\);aWYo.+?\+fwE=/is,
+    qr/<\?php\s+error_reporting\(0\);.+?Database Emails Extractor By SparkyDz.+?return \$result;\s+\}\s+\?>/is,
+    qr/<\?php passthru\(\$_GET\[\'cmd\'\]\); \?>/is,
+    qr/<\?php.+?\$url = \"\(B\)\/\(C\)\-\(A\)\.html\";.+?0=urldecode\(\"\%6.+?\)\);\s+\?>/is,
+    qr/<\?php if\(\$_GET\[\'l\'\]\)\{\@move_uploaded_file\(\$_FILES\[\'f\'\]\[\'tmp_name\'.+?<\/form>\'; \?>/is,
+    qr/<\?php if\(\$_GET\[\"\\x6c\"\]\)\{\@move_uploaded_file\(\$_FILES\[.+?<\/f\\x6frm>\"; \?>/is,
        
 );

--- a/malwaresh.pl
+++ b/malwaresh.pl
@ -26,6 +26,13 @@ print "Content-type: text/html\n\n";
 my $user = $ARGV[0];

 my @regexen = (
+    qr/<\?php\s+\/\*\*\s+\* WordPress DB Class.+?\$_REQUEST = array_merge\(\$_GET, \$_POST, \$_COOKIE\);\s+\$auth = \"([A-z0-9_]{1,40})\";\s+\$sname = \@session_name\(\);.+?\$method = \"create\" \. \"_\" \. \"function\";\s+\$decode = \"base\" \. \"64_de\" \. \"code\";\s+\$reverse = \"str\" \. \"rev\";\s+\$decompress = \"gzun\" \. \"compress\";.+?\$action = \$method\(\'\'\, \$data\);\s+\$action\(\);\s+\}\s+\}\s+\}/is,
+    qr/<\?php  \/\*([A-z0-9_]{1,50})\*\/ \?><\?php \$([A-z0-9_]{1,20}) = \".+?\'\' \)  , \$([A-z0-9_]{1,20})   \)\)\.\"\'.+?\'\"\.([A-z0-9_]{1,20})\( \$([A-z0-9_]{1,20})\[([A-z0-9_]{1,20})\],\$([A-z0-9_]{1,20})\[([A-z0-9_]{1,20})\]\.\$([A-z0-9_]{1,20})\[([A-z0-9_]{1,20})\], \$([A-z0-9_]{1,20})\[([A-z0-9_]{1,20})\]  \);\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\,array\(\'\'\,\'\}\'\.\$([A-z0-9_]{1,20})\.\'\/\/\'\)\);/is,
+    qr/<script type=\'text\/javascript\' src=\'https:\/\/snippet\.adsformarket\.com\/.+?\.js\?.+?\'<\/script>/is,
+    qr/var gfjfgjk = 1; var d=document;var s=d\.createElement\(\'script\'\); s\.type=\'text\/javascript\'; s\.async=true;\s+var pl = String\.fromCharCode\(.+?if \(document\.currentScript\) \{\s+document\.currentScript\.parentNode\.insertBefore\(s\, document\.currentScript\);\s+\} else \{\s+d\.getElementsByTagName\(\'head\'\)\[0\]\.appendChild\(s\);\s+\}/is,
+    qr/<script type=\'text\/javascript\' src=\'https:\/\/snippet\.adsformarket\.com\/same\.js\'><\/script>/is,
+    qr/<script type=text\/javascript src=\'https:\/\/track\.adsformarket\.com\/t\.js\'><\/script>/is,
+    qr/<\?php if\(isset\(\$_POST\[chr\(97\)\.chr\(115\)\..+?\@include\(\$a\);\@unlink\(\$a\);die\(\);  \} \?>/is,    
    qr/<\?php function ([A-z0-9_]{1,20})\(\$\w,\$\w,\$\w\)\{return \$\w\.\$\w\.\$\w;\} \$([A-z0-9_]{1,20}) =.+?\(\"at\",chr\(101\),\"\(\\x62a\"\);\$.+?\'\"\.\$([A-z0-9_]{1,20});\$([A-z0-9_]{1,20})\(\'\', \'\}\'\.\$([A-z0-9_]{1,20})\.\'\/\/\'\);/is,
    qr/<\?php \$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}\[.+?eval\(\$([A-z0-9]{1,20})\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[([0-9]{1,5})\]\]\);\s+\}\s+exit\(\);\s+\}\s+\}/is,
    qr/<\?php\s+\/\/header\(.+?\\x30\"\]\(\);\?>/is,
@ -1466,6 +1473,14 @@ my @regexen = (
    qr/<\?php.+?if\(\!function_exists\(.+?=base64_decode\(\$.+?=\(ord\(\$.+?\"\)\);\?>/is,
    qr/<\?php\s+\$.+?eval\(base64_decode\(gzuncompress\(base64_decode\(\$.+?\)\)\)\);\?>/is,
    qr/<\?php \$__FILE__=__FILE__;\$__X__=\'.+?\)\);unset\(\$__X__\);unset\(\$__FILE__\); \?>/is,
+    qr/<\?php \/\*\*\* WebShellOrb 2\.6 - With PHP 7 \*\*\*\/ \$.+?=file\(\_\_FILE\_\_\);eval\(base64_decode\(\"aWYo.+?\)\)\);\_\_halt_compiler\(\);aWYo.+?\+fwE=/is,
+    qr/<\?php\s+error_reporting\(0\);.+?Database Emails Extractor By SparkyDz.+?return \$result;\s+\}\s+\?>/is,
+    qr/<\?php passthru\(\$_GET\[\'cmd\'\]\); \?>/is,
+    qr/<\?php.+?\$url = \"\(B\)\/\(C\)\-\(A\)\.html\";.+?0=urldecode\(\"\%6.+?\)\);\s+\?>/is,
+    qr/<\?php if\(\$_GET\[\'l\'\]\)\{\@move_uploaded_file\(\$_FILES\[\'f\'\]\[\'tmp_name\'.+?<\/form>\'; \?>/is,
+    qr/<\?php if\(\$_GET\[\"\\x6c\"\]\)\{\@move_uploaded_file\(\$_FILES\[.+?<\/f\\x6frm>\"; \?>/is,
+
+
 );

 my @base64_decodes = (