From 8a767b8ec3219eae74910e402cc3f45b30e307ee Mon Sep 17 00:00:00 2001 From: Palma Solutions LTD Date: Sat, 21 Oct 2017 13:54:29 +0200 Subject: [PATCH] bug fixes --- scan.php | 26 +++++++++++--------------- 1 file changed, 11 insertions(+), 15 deletions(-) diff --git a/scan.php b/scan.php index 03813b8..2226a60 100644 --- a/scan.php +++ b/scan.php @@ -8,7 +8,7 @@ /* script variables */ $version = '3.1'; $self = basename(__FILE__); -$current = './' +$current = basename(__DIR__); $eroot = '../'; $print_infected = true; @@ -34,7 +34,7 @@ set_time_limit(0); error_reporting(E_ALL); $pattern = array( - "^(.*)<\?php(.*)eval(\s*)\((\s*)base64_decode(\s*)\((\s*)(.*)(\?><\?php)*\n", + "^(.*)<\?php(.*)eval(\s*)\((\s*)base64_decode(\s*)\((\s*)(.*)\(\?><\?php\)*\n", "eval(\s*)\((.*)base64_decode(\s*)\(", "this.form.upload_file.disabled=false", "function(\s*)jspw3\(d\,m\,f\)", @@ -206,7 +206,7 @@ error_reporting(E_ALL); "system file do not delete", "nslookup -type=MX", "\$copyto = explode\(\'wp-content\'\,", - "default_action =(.*)default_charset =(.*)preg_replace\((/*)\,str_replace\(", + "default_action =(.*)default_charset =(.*)preg_replace\((.*)\,str_replace\(", "\<\?php for\(\$o=0,\$e=", "\$felp = explode\(\$kaka", "getdata = base64_decode\(\$datacheck\);", @@ -346,7 +346,7 @@ error_reporting(E_ALL); "<\?php\s*include\(\'(.*)\.png\'\);\s*\?>", "<\?php\s*include\(\'(.*)\.jpg\'\);\s*\?>", "<\?php\s*include\(\'(.*)\.gif\'\);\s*\?>", - "\$GLOBALS\[(.*)\$GLOBALS\[(.*)\}\s*\}\s*return\s*$(.*)\$GLOBALS\[(.*)\}\s*return\s*\$", + "\$GLOBALS\[(.*)\$GLOBALS\[(.*)\}\s*\}\s*return\s*\$(.*)\$GLOBALS\[(.*)\}\s*return\s*\$", "\$qV=\"stop_\"", "\$GD_get_img\s*=\s*\"p\"\.\s*\"r\"\.\"eg\"\.\"_r\"\.\"ep\"\.\"l\"\.\"ace\";", "<\?php\s*\$array\s*=\s*array\(\'(.*)=\s*implode\(\"\"\,\s*\$array\)\;\$(.*)eval\(\$(.*)\)\)\)\);\?>", 
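Review bot: In the `@@ -8,7 +8,7 @@` hunk, `$current = basename(__DIR__);` stores only the last path component of the scanner's directory, not a path, and nothing visible in this patch reads it any more: its one visible use, the `realpath($finfo['path'], $current !== FALSE )` test, is removed in the `@@ -463,13 +463,9 @@` hunk. If code outside these hunks still treats `$current` as a relative path, its meaning has changed from `'./'` to a bare name; if nothing does, the assignment can be dropped. Either way a comment such as `// directory name of the scanner itself (not a path)` would state the intent.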
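Review bot: In the `@@ -34,7 +34,7 @@` hunk the first signature was already a balanced expression, and escaping its last group changes what it matches rather than repairing it: `(\?><\?php)*` was an optional, repeatable `?><?php`, whereas `\(\?><\?php\)*` demands a literal `(` followed by `?><?php`. The entry now matches only where `(?><?php` directly precedes the line break, which looks unintended for an `eval(base64_decode(` signature and leaves detection to the looser pattern on the following line. Unless that literal parenthesis really is part of the sample, keep the group as `(\?><\?php)*\n`.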
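Review bot: In the `@@ -346,7 +346,7 @@` hunk the added backslash never reaches the regex engine, because the entry is a double-quoted PHP string and PHP itself turns `\$` into `$`; the old `return\s*$(.*)` and the new `return\s*\$(.*)` yield the same string at runtime. The same holds for the leading `\$GLOBALS\[` on this line and for neighbouring entries such as `"\$qV=\"stop_\""` and the `\$copyto` and `\$felp` entries in the `@@ -206,7 +206,7 @@` hunk. The engine receives an unescaped `$`, an end-of-subject anchor, so these signatures presumably cannot match as intended (the matching call is outside the patch; this assumes the strings are passed to it unchanged). Writing the entry single-quoted, `'\$GLOBALS\[(.*)\$GLOBALS\[(.*)\}\s*\}\s*return\s*\$(.*)\$GLOBALS\[(.*)\}\s*return\s*\$'`, or doubling the escape as `\\\$`, keeps the backslash.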
@@ -426,9 +426,9 @@ error_reporting(E_ALL); "<\?php\s*\$wp__wp=\'base\'\.\(32\*2\)\.\'_de\'\.\'code\';\$wp__wp=\$wp__wp\(str_replace\(\"", "\#Coded\s*By\s*Pejvaknuse\s*Socket;", "<\?php\s*\(\$www=\s*\$_POST\[\'yt\'\]\)\s*\&\&\s*\@preg_replace\(\'\/ad\/e\'\,\'\@\'\.str_rot13\(\'riny\'\)\.\'\(\$www\)\'\,\s*\'add\'\);\?>", - "OOO000000=urldecode(", + "OOO000000=urldecode\(", "visitorTracker_isMob", - "this->privmsg(", + "this->privmsg\(", "Starting call", /* "Hacked", - removed pattern due to large volume of false positives */ /* "boff", - removed pattern due to large volume of false positives */ @@ -449,7 +449,7 @@ error_reporting(E_ALL); "Sakerhetsniva", "0x00 PHP shell", "surl = htmlspecialchars", - "function echoQueryResult() {", + "function echoQueryResult\(\) \{", "Safe Mode on/off:", "Script for l33t admin job", "ONBOOMSHELL V 0.2", @@ -463,13 +463,9 @@ error_reporting(E_ALL); foreach ($tree as $finfo) { - // exclude self - if(strpos($finfo['fname'], $self) !== FALSE && realpath(__FILE__) == realpath($finfo['path'].$finfo['fname'])) - { - continue; - } - - if(realpath($finfo['path'], $current !== FALSE ) + // exclude scanner directory from the scan + if(realpath(__DIR__) == realpath($finfo['path'].$finfo['dirname']) ) + { continue; } @@ -758,4 +754,4 @@ class e_file } } -?> +?> \ No newline at end of file
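Review bot: Nothing in this patch checks that each `$pattern` entry compiles, so the next unbalanced parenthesis will again go unnoticed; `"OOO000000=urldecode("` and `"this->privmsg("` in the `@@ -426,9 +426,9 @@` hunk were invalid expressions, and `"function echoQueryResult() {"` in the `@@ -449,7 +449,7 @@` hunk did not match its own literal text. For a scanner, a rejected pattern presumably shows up at best as a PHP warning while the file is still reported clean. The matching loop is outside these hunks, but a one-time pass over `$pattern` at startup that aborts and names the offending entry when the regex function reports an error would surface such mistakes. Purely literal signatures like these three are safer built with `preg_quote()` than escaped by hand.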
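Review bot: In the `@@ -463,13 +463,9 @@` hunk the exclusion widens from the scanner's own file to its whole directory, so any other file located beside scan.php is skipped without being inspected, which is a blind spot in a malware scan. The new test also reads `$finfo['dirname']`, a key that appears nowhere else in this patch (the removed lines used `$finfo['fname']`), and compares with `==` although `realpath()` returns `false` on failure. If only the scanner itself should be exempt, `if (realpath(__FILE__) === realpath($finfo['path'].$finfo['fname'])) { continue; }` does that with the keys the old code already relied on. The `foreach` body continues beyond the hunk.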