From d141467b2bc155249d11b59d4130d5c85972063e Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Sat, 31 Mar 2018 13:56:59 +0200
Subject: [PATCH] new patterns & fixes
---
 version.php => cms-ver.php | 59 +++++++++++++++++++++++++++++++++-----
 malware5.pl | 3 ++
 2 files changed, 55 insertions(+), 7 deletions(-)
 rename version.php => cms-ver.php (91%)
diff --git a/version.php b/cms-ver.php
similarity index 91%
rename from version.php
rename to cms-ver.php
index 9326db0..e68f549 100644
--- a/version.php
+++ b/cms-ver.php
@@ -5,11 +5,6 @@ $versions = array(
 array("osCommerce", "/includes/application_top.php", "define('PROJECT_VERSION', 'osCommerce Online Merchant"),
 array("ZenCart", "/includes/version.php", "define('PROJECT_VERSION_NAME', 'Zen Cart');"),
 array("Drupal", "/modules/system/system.info", "version = "),
- array("Joomla 1.0", "/includes/version.php", "\$RELEASE\|\$DEV_LEVEL"),
- array("Joomla 1.5", "/libraries/joomla/version.php", "\$RELEASE\ =\|\$DEV_LEVEL\ ="),
- array("Joomla 2.5", "/libraries/cms/version.php", "\$RELEASE\ =\|\$DEV_LEVEL\ ="),
- array("Joomla 3.x", "/libraries/cms/version/version.php", "\$RELEASE\ =\|\$DEV_LEVEL\ ="),
- array("Joomla 3.5+", "/libraries/cms/version/version.php", "const\ RELEASE\ =\|const\ DEV_LEVEL\ ="),
 array("phpBB", "/includes/constants.php", "define('PHPBB_VERSION',"),
 array("SMF", "/index.php", "\$forum_version = 'SMF"),
 array("Gallery", "/modules/gallery/helpers/gallery.php", "const VERSION ="),
@@ -178,8 +173,8 @@ foreach($versions as $row){
 // scripts installed in subdirectories/subdomains
 foreach(glob("../{**/*,*}".$row[1], GLOB_BRACE) as $versionfile){
- $file = file_get_contents($versionfile);
- $pattern = preg_quote($row[2], '/');
+ $file = file_get_contents($versionfile);
+ $pattern = preg_quote($row[2], '/');
 $pattern = "/^.*$pattern.*\$/m";
 if(preg_match_all($pattern, $file, $matches)){
 echo "
"; @@ -187,9 +182,12 @@ foreach(glob("../{**/*,*}".$row[1], GLOB_BRACE) as $versionfile){ echo implode("
", $matches[0]); echo "
"; print_r ("location:".$versionfile); + + } } + // fix for scripts installed in docroot foreach(glob("../".$row[1], GLOB_BRACE) as $versionfile) { $file = file_get_contents($versionfile); @@ -204,4 +202,51 @@ foreach(glob("../".$row[1], GLOB_BRACE) as $versionfile) { } } + } +$versiondouble = array ( + array("Joomla 1.0", "/includes/version.php", "\$RELEASE =", "\$DEV_LEVEL ="), + array("Joomla 1.5", "/libraries/joomla/version.php", "\$RELEASE =", "\$DEV_LEVEL ="), + array("Joomla 2.5", "/libraries/cms/version.php", "\$RELEASE =", "\$DEV_LEVEL ="), + array("Joomla 3.x", "/libraries/cms/version/version.php", "\$RELEASE =", "\$DEV_LEVEL ="), + array("Joomla 3.5+", "/libraries/cms/version/version.php", "const RELEASE =", "const DEV_LEVEL ="), + + ); + +foreach($versiondouble as $raw){ + +// scripts installed in subdirectories/subdomains +foreach(glob("../{**/*,*}".$raw[1], GLOB_BRACE) as $versionfiles){ + + $file = file_get_contents($versionfiles); + $pattern1 = preg_quote($raw[2], '/'); + $pattern2 = preg_quote($raw[3], '/'); + $pattern = "/^.*$pattern1.*\$|^.*$pattern2.*\$/m"; + if(preg_match_all($pattern, $file, $matches)){ + echo "
"; + echo "".$raw[0]." found:
"; + echo implode("
", $matches[0]); + echo "
"; + print_r ("location:".$versionfiles); + + + } + } + + +// fix for scripts installed in docroot +foreach(glob("../".$raw[1], GLOB_BRACE) as $versionfiles) { + $file = file_get_contents($versionfiles); + $pattern = preg_quote($raw[2], '/'); + $pattern = "/^.*$pattern.*\$/m"; + if(preg_match_all($pattern, $file, $matches)){ + echo "
"; + echo "".$raw[0]." found:
"; + echo implode("
", $matches[0]); + echo "
"; + print_r ("location:".$versionfiles); + } + } + + +} \ No newline at end of file diff --git a/malware5.pl b/malware5.pl index 22fe55c..f08ddbf 100644 --- a/malware5.pl +++ b/malware5.pl @@ -85,6 +85,9 @@ my @regexen = ( qr/\%PDF\-\d\.\d.+?<\?php\s+\@include.+?\'\.getenv\(\"HTTP\_HOST\"\)\.\'\s+\~\s+chmod\.php<\/title>.+?print\s+\$footer\;.+?exit\(\)\;\s+\?>/is, qr/<\?\s+eval\(base64\_decode\(.+?\)\)\;\s+\?>/is, # qr/GIF89a.+?<\?php.+?\?>/is, + qr/<\?php\s+\$.+?\=\s+\'gzu\'\.\s+\'nco\'\.\s+\'mpr\'\.\s+\'ess\'\;\$.+?\=\s+\'bas\'\s+\.\'e64\'\s+\.\'\_de\'\s+\.\'cod\'\s+\.\'e\'\;\$.+?\=\s+\'imp\'\s+\.\'lod\'\s+\.\'e\'\;\$.+?array\(.+?eval\(.+?\)\)\)\)\;\s+\?>/is, + qr/<\?php\s+\$.+?\=\s+\'gz\'\.\s+\'un\'\.\s+\'co\'\.\s+\'mp\'\.\s+\'re\'\.\s+\'ss\'\;\$.+?\=\s+\'ba\'\s+\.\'se\'\s+\.\'64\'\s+\.\'\_d\'\s+\.\'ec\'\s+\.\'od\'\s+\.\'e\'\;\$.+?\=\s+\'im\'\s+\.\'pl\'\s+\.\'od\'\s+\.\'e\'\;\$.+?array\(.+?eval\(.+?\)\)\)\)\;\s+\?>/is, +
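Review bot: The docroot loop in the new `$versiondouble` block searches only `$raw[2]` (the RELEASE line) and silently drops `$raw[3]` (DEV_LEVEL), so a Joomla install in the document root reports half of what the subdirectory loop above it reports for the same row; build the same alternation there: `$pattern1 = preg_quote($raw[2], '/');` `$pattern2 = preg_quote($raw[3], '/');` `$pattern = "/^.*$pattern1.*\$|^.*$pattern2.*\$/m";`. The two loops differ only in the glob prefix, so the pattern build and the echo block could be one helper taking the glob pattern as its argument, which is what would have prevented this drift. The matched source lines and the file path are echoed into the report without escaping; on a host being scanned for tampering those files cannot be assumed clean, so wrap `$matches[0]` and `$versionfiles` in `htmlspecialchars()` before output in both loops.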