bug fixes

Palma Solutions LTD 2017-10-21 13:54:29 +02:00
parent deb66ad01c
commit 8a767b8ec3


@ -8,7 +8,7 @@
/* script variables */ /* script variables */
$version = '3.1'; $version = '3.1';
$self = basename(__FILE__); $self = basename(__FILE__);
$current = './' $current = basename(__DIR__);
$eroot = '../'; $eroot = '../';
$print_infected = true; $print_infected = true;
@ -34,7 +34,7 @@ set_time_limit(0);
error_reporting(E_ALL); error_reporting(E_ALL);
$pattern = array( $pattern = array(
"^(.*)<\?php(.*)eval(\s*)\((\s*)base64_decode(\s*)\((\s*)(.*)(\?><\?php)*\n", "^(.*)<\?php(.*)eval(\s*)\((\s*)base64_decode(\s*)\((\s*)(.*)\(\?><\?php\)*\n",
"eval(\s*)\((.*)base64_decode(\s*)\(", "eval(\s*)\((.*)base64_decode(\s*)\(",
"this.form.upload_file.disabled=false", "this.form.upload_file.disabled=false",
"function(\s*)jspw3\(d\,m\,f\)", "function(\s*)jspw3\(d\,m\,f\)",
@ -206,7 +206,7 @@ error_reporting(E_ALL);
"system file do not delete", "system file do not delete",
"nslookup -type=MX", "nslookup -type=MX",
"\$copyto = explode\(\'wp-content\'\,", "\$copyto = explode\(\'wp-content\'\,",
"default_action =(.*)default_charset =(.*)preg_replace\((/*)\,str_replace\(", "default_action =(.*)default_charset =(.*)preg_replace\((.*)\,str_replace\(",
"\<\?php for\(\$o=0,\$e=", "\<\?php for\(\$o=0,\$e=",
"\$felp = explode\(\$kaka", "\$felp = explode\(\$kaka",
"getdata = base64_decode\(\$datacheck\);", "getdata = base64_decode\(\$datacheck\);",
@ -346,7 +346,7 @@ error_reporting(E_ALL);
"<\?php\s*include\(\'(.*)\.png\'\);\s*\?>", "<\?php\s*include\(\'(.*)\.png\'\);\s*\?>",
"<\?php\s*include\(\'(.*)\.jpg\'\);\s*\?>", "<\?php\s*include\(\'(.*)\.jpg\'\);\s*\?>",
"<\?php\s*include\(\'(.*)\.gif\'\);\s*\?>", "<\?php\s*include\(\'(.*)\.gif\'\);\s*\?>",
"\$GLOBALS\[(.*)\$GLOBALS\[(.*)\}\s*\}\s*return\s*$(.*)\$GLOBALS\[(.*)\}\s*return\s*\$", "\$GLOBALS\[(.*)\$GLOBALS\[(.*)\}\s*\}\s*return\s*\$(.*)\$GLOBALS\[(.*)\}\s*return\s*\$",
"\$qV=\"stop_\"", "\$qV=\"stop_\"",
"\$GD_get_img\s*=\s*\"p\"\.\s*\"r\"\.\"eg\"\.\"_r\"\.\"ep\"\.\"l\"\.\"ace\";", "\$GD_get_img\s*=\s*\"p\"\.\s*\"r\"\.\"eg\"\.\"_r\"\.\"ep\"\.\"l\"\.\"ace\";",
"<\?php\s*\$array\s*=\s*array\(\'(.*)=\s*implode\(\"\"\,\s*\$array\)\;\$(.*)eval\(\$(.*)\)\)\)\);\?>", "<\?php\s*\$array\s*=\s*array\(\'(.*)=\s*implode\(\"\"\,\s*\$array\)\;\$(.*)eval\(\$(.*)\)\)\)\);\?>",
@ -426,9 +426,9 @@ error_reporting(E_ALL);
"<\?php\s*\$wp__wp=\'base\'\.\(32\*2\)\.\'_de\'\.\'code\';\$wp__wp=\$wp__wp\(str_replace\(\"", "<\?php\s*\$wp__wp=\'base\'\.\(32\*2\)\.\'_de\'\.\'code\';\$wp__wp=\$wp__wp\(str_replace\(\"",
"\#Coded\s*By\s*Pejvaknuse\s*Socket;", "\#Coded\s*By\s*Pejvaknuse\s*Socket;",
"<\?php\s*\(\$www=\s*\$_POST\[\'yt\'\]\)\s*\&\&\s*\@preg_replace\(\'\/ad\/e\'\,\'\@\'\.str_rot13\(\'riny\'\)\.\'\(\$www\)\'\,\s*\'add\'\);\?>", "<\?php\s*\(\$www=\s*\$_POST\[\'yt\'\]\)\s*\&\&\s*\@preg_replace\(\'\/ad\/e\'\,\'\@\'\.str_rot13\(\'riny\'\)\.\'\(\$www\)\'\,\s*\'add\'\);\?>",
"OOO000000=urldecode(", "OOO000000=urldecode\(",
"visitorTracker_isMob", "visitorTracker_isMob",
"this->privmsg(", "this->privmsg\(",
"Starting call", "Starting call",
/* "Hacked", - removed pattern due to large volume of false positives */ /* "Hacked", - removed pattern due to large volume of false positives */
/* "boff", - removed pattern due to large volume of false positives */ /* "boff", - removed pattern due to large volume of false positives */
@ -449,7 +449,7 @@ error_reporting(E_ALL);
"Sakerhetsniva", "Sakerhetsniva",
"0x00 PHP shell", "0x00 PHP shell",
"surl = htmlspecialchars", "surl = htmlspecialchars",
"function echoQueryResult() {", "function echoQueryResult\(\) \{",
"Safe Mode on/off:", "Safe Mode on/off:",
"Script for l33t admin job", "Script for l33t admin job",
"ONBOOMSHELL V 0.2", "ONBOOMSHELL V 0.2",
@ -463,13 +463,9 @@ error_reporting(E_ALL);
foreach ($tree as $finfo) foreach ($tree as $finfo)
{ {
// exclude self // exclude scanner directory from the scan
if(strpos($finfo['fname'], $self) !== FALSE && realpath(__FILE__) == realpath($finfo['path'].$finfo['fname'])) if(realpath(__DIR__) == realpath($finfo['path'].$finfo['dirname']) )
{
continue;
}
if(realpath($finfo['path'], $current !== FALSE )
{ {
continue; continue;
} }
@ -758,4 +754,4 @@ class e_file
} }
} }
?> ?>
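Review bot: The rewritten exclusion inside `foreach ($tree as $finfo)` (hunk `-463,13 +463,9`) skips every entry whose directory resolves to the scanner's own directory, where the removed check skipped only the scanner script itself, so any other file sitting next to the scanner is never compared against `$pattern`. For a malware scanner that is a coverage gap in exactly the place an operator is least likely to inspect by hand. Keeping the exclusion at file level avoids it, e.g. `if (realpath(__FILE__) === realpath($finfo['path'].$finfo['fname']))`, with `===` so that a `false` from `realpath()` can never compare equal by coercion. The `dirname` key does not appear anywhere else on this page, so this reading assumes it holds the entry's containing directory. The loop body continues outside the hunk.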