Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

bug fixes

Browse Source
This commit is contained in:
Palma Solutions LTD 2017-10-21 13:54:29 +02:00
parent deb66ad01c
commit 8a767b8ec3
1 changed files with 11 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
scan.php
View File

@ -8,7 +8,7 @@
/* script variables */
$version = '3.1';
$self = basename(__FILE__);
$current = './'
$current = basename(__DIR__);
$eroot = '../';
$print_infected = true;
@ -34,7 +34,7 @@ set_time_limit(0);
error_reporting(E_ALL);
$pattern = array(
"^(.*)<\?php(.*)eval(\s*)\((\s*)base64_decode(\s*)\((\s*)(.*)(\?><\?php)*\n",
"^(.*)<\?php(.*)eval(\s*)\((\s*)base64_decode(\s*)\((\s*)(.*)\(\?><\?php\)*\n",
"eval(\s*)\((.*)base64_decode(\s*)\(",
"this.form.upload_file.disabled=false",
"function(\s*)jspw3\(d\,m\,f\)",
@ -206,7 +206,7 @@ error_reporting(E_ALL);
"system file do not delete",
"nslookup -type=MX",
"\$copyto = explode\(\'wp-content\'\,",
"default_action =(.*)default_charset =(.*)preg_replace\((/*)\,str_replace\(",
"default_action =(.*)default_charset =(.*)preg_replace\((.*)\,str_replace\(",
"\<\?php for\(\$o=0,\$e=",
"\$felp = explode\(\$kaka",
"getdata = base64_decode\(\$datacheck\);",
@ -346,7 +346,7 @@ error_reporting(E_ALL);
"<\?php\s*include\(\'(.*)\.png\'\);\s*\?>",
"<\?php\s*include\(\'(.*)\.jpg\'\);\s*\?>",
"<\?php\s*include\(\'(.*)\.gif\'\);\s*\?>",
"\$GLOBALS\[(.*)\$GLOBALS\[(.*)\}\s*\}\s*return\s*$(.*)\$GLOBALS\[(.*)\}\s*return\s*\$",
"\$GLOBALS\[(.*)\$GLOBALS\[(.*)\}\s*\}\s*return\s*\$(.*)\$GLOBALS\[(.*)\}\s*return\s*\$",
"\$qV=\"stop_\"",
"\$GD_get_img\s*=\s*\"p\"\.\s*\"r\"\.\"eg\"\.\"_r\"\.\"ep\"\.\"l\"\.\"ace\";",
"<\?php\s*\$array\s*=\s*array\(\'(.*)=\s*implode\(\"\"\,\s*\$array\)\;\$(.*)eval\(\$(.*)\)\)\)\);\?>",
@ -426,9 +426,9 @@ error_reporting(E_ALL);
"<\?php\s*\$wp__wp=\'base\'\.\(32\*2\)\.\'_de\'\.\'code\';\$wp__wp=\$wp__wp\(str_replace\(\"",
"\#Coded\s*By\s*Pejvaknuse\s*Socket;",
"<\?php\s*\(\$www=\s*\$_POST\[\'yt\'\]\)\s*\&\&\s*\@preg_replace\(\'\/ad\/e\'\,\'\@\'\.str_rot13\(\'riny\'\)\.\'\(\$www\)\'\,\s*\'add\'\);\?>",
"OOO000000=urldecode(",
"OOO000000=urldecode\(",
"visitorTracker_isMob",
"this->privmsg(",
"this->privmsg\(",
"Starting call",
/* "Hacked", - removed pattern due to large volume of false positives */
/* "boff", - removed pattern due to large volume of false positives */
@ -449,7 +449,7 @@ error_reporting(E_ALL);
"Sakerhetsniva",
"0x00 PHP shell",
"surl = htmlspecialchars",
"function echoQueryResult() {",
"function echoQueryResult\(\) \{",
"Safe Mode on/off:",
"Script for l33t admin job",
"ONBOOMSHELL V 0.2",
@ -463,13 +463,9 @@ error_reporting(E_ALL);
foreach ($tree as $finfo)
{
// exclude self
if(strpos($finfo['fname'], $self) !== FALSE && realpath(__FILE__) == realpath($finfo['path'].$finfo['fname']))
{
continue;
}
// exclude scanner directory from the scan
if(realpath(__DIR__) == realpath($finfo['path'].$finfo['dirname']) )
if(realpath($finfo['path'], $current !== FALSE )
{
continue;
}