Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

new patterns & fixes

Browse Source
This commit is contained in:
Palma Solutions LTD
2018-03-31 13:56:59 +02:00
parent 8e9cffe9db
commit d141467b2b
2 changed files with 55 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
version.php → cms-ver.php
View File

@@ -5,11 +5,6 @@ $versions = array(
array("osCommerce", "/includes/application_top.php", "define('PROJECT_VERSION', 'osCommerce Online Merchant"), array("osCommerce", "/includes/application_top.php", "define('PROJECT_VERSION', 'osCommerce Online Merchant"),
array("ZenCart", "/includes/version.php", "define('PROJECT_VERSION_NAME', 'Zen Cart');"), array("ZenCart", "/includes/version.php", "define('PROJECT_VERSION_NAME', 'Zen Cart');"),
array("Drupal", "/modules/system/system.info", "version = "), array("Drupal", "/modules/system/system.info", "version = "),
array("Joomla 1.0", "/includes/version.php", "\$RELEASE\|\$DEV_LEVEL"),
array("Joomla 1.5", "/libraries/joomla/version.php", "\$RELEASE\ =\|\$DEV_LEVEL\ ="),
array("Joomla 2.5", "/libraries/cms/version.php", "\$RELEASE\ =\|\$DEV_LEVEL\ ="),
array("Joomla 3.x", "/libraries/cms/version/version.php", "\$RELEASE\ =\|\$DEV_LEVEL\ ="),
array("Joomla 3.5+", "/libraries/cms/version/version.php", "const\ RELEASE\ =\|const\ DEV_LEVEL\ ="),
array("phpBB", "/includes/constants.php", "define('PHPBB_VERSION',"), array("phpBB", "/includes/constants.php", "define('PHPBB_VERSION',"),
array("SMF", "/index.php", "\$forum_version = 'SMF"), array("SMF", "/index.php", "\$forum_version = 'SMF"),
array("Gallery", "/modules/gallery/helpers/gallery.php", "const VERSION ="), array("Gallery", "/modules/gallery/helpers/gallery.php", "const VERSION ="),
@@ -178,8 +173,8 @@ foreach($versions as $row){
// scripts installed in subdirectories/subdomains // scripts installed in subdirectories/subdomains
foreach(glob("../{**/*,*}".$row[1], GLOB_BRACE) as $versionfile){ foreach(glob("../{**/*,*}".$row[1], GLOB_BRACE) as $versionfile){
$file = file_get_contents($versionfile); $file = file_get_contents($versionfile);
$pattern = preg_quote($row[2], '/'); $pattern = preg_quote($row[2], '/');
$pattern = "/^.*$pattern.*\$/m"; $pattern = "/^.*$pattern.*\$/m";
if(preg_match_all($pattern, $file, $matches)){ if(preg_match_all($pattern, $file, $matches)){
echo "<br />"; echo "<br />";
@@ -187,9 +182,12 @@ foreach(glob("../{**/*,*}".$row[1], GLOB_BRACE) as $versionfile){
echo implode("<br />", $matches[0]); echo implode("<br />", $matches[0]);
echo "<br />"; echo "<br />";
print_r ("location:".$versionfile); print_r ("location:".$versionfile);
} }
} }
// fix for scripts installed in docroot // fix for scripts installed in docroot
foreach(glob("../".$row[1], GLOB_BRACE) as $versionfile) { foreach(glob("../".$row[1], GLOB_BRACE) as $versionfile) {
$file = file_get_contents($versionfile); $file = file_get_contents($versionfile);
@@ -204,4 +202,51 @@ foreach(glob("../".$row[1], GLOB_BRACE) as $versionfile) {
} }
} }
}
$versiondouble = array (
array("Joomla 1.0", "/includes/version.php", "\$RELEASE =", "\$DEV_LEVEL ="),
array("Joomla 1.5", "/libraries/joomla/version.php", "\$RELEASE =", "\$DEV_LEVEL ="),
array("Joomla 2.5", "/libraries/cms/version.php", "\$RELEASE =", "\$DEV_LEVEL ="),
array("Joomla 3.x", "/libraries/cms/version/version.php", "\$RELEASE =", "\$DEV_LEVEL ="),
array("Joomla 3.5+", "/libraries/cms/version/version.php", "const RELEASE =", "const DEV_LEVEL ="),
);
foreach($versiondouble as $raw){
// scripts installed in subdirectories/subdomains
foreach(glob("../{**/*,*}".$raw[1], GLOB_BRACE) as $versionfiles){
$file = file_get_contents($versionfiles);
$pattern1 = preg_quote($raw[2], '/');
$pattern2 = preg_quote($raw[3], '/');
$pattern = "/^.*$pattern1.*\$|^.*$pattern2.*\$/m";
if(preg_match_all($pattern, $file, $matches)){
echo "<br />";
echo "<strong>".$raw[0]." found:</strong><br />";
echo implode("<br />", $matches[0]);
echo "<br />";
print_r ("location:".$versionfiles);
}
}
// fix for scripts installed in docroot
foreach(glob("../".$raw[1], GLOB_BRACE) as $versionfiles) {
$file = file_get_contents($versionfiles);
$pattern = preg_quote($raw[2], '/');
$pattern = "/^.*$pattern.*\$/m";
if(preg_match_all($pattern, $file, $matches)){
echo "<br />";
echo "<strong>".$raw[0]." found:</strong><br />";
echo implode("<br />", $matches[0]);
echo "<br />";
print_r ("location:".$versionfiles);
}
}
} }

3
malware5.pl
View File

@@ -85,6 +85,9 @@ my @regexen = (
qr/\%PDF\-\d\.\d.+?<\?php\s+\@include.+?<title>\'\.getenv\(\"HTTP\_HOST\"\)\.\'\s+\~\s+chmod\.php<\/title>.+?print\s+\$footer\;.+?exit\(\)\;\s+\?>/is, qr/\%PDF\-\d\.\d.+?<\?php\s+\@include.+?<title>\'\.getenv\(\"HTTP\_HOST\"\)\.\'\s+\~\s+chmod\.php<\/title>.+?print\s+\$footer\;.+?exit\(\)\;\s+\?>/is,
qr/<\?\s+eval\(base64\_decode\(.+?\)\)\;\s+\?>/is, qr/<\?\s+eval\(base64\_decode\(.+?\)\)\;\s+\?>/is,
# qr/GIF89a.+?<\?php.+?\?>/is, # qr/GIF89a.+?<\?php.+?\?>/is,
qr/<\?php\s+\$.+?\=\s+\'gzu\'\.\s+\'nco\'\.\s+\'mpr\'\.\s+\'ess\'\;\$.+?\=\s+\'bas\'\s+\.\'e64\'\s+\.\'\_de\'\s+\.\'cod\'\s+\.\'e\'\;\$.+?\=\s+\'imp\'\s+\.\'lod\'\s+\.\'e\'\;\$.+?array\(.+?eval\(.+?\)\)\)\)\;\s+\?>/is,
qr/<\?php\s+\$.+?\=\s+\'gz\'\.\s+\'un\'\.\s+\'co\'\.\s+\'mp\'\.\s+\'re\'\.\s+\'ss\'\;\$.+?\=\s+\'ba\'\s+\.\'se\'\s+\.\'64\'\s+\.\'\_d\'\s+\.\'ec\'\s+\.\'od\'\s+\.\'e\'\;\$.+?\=\s+\'im\'\s+\.\'pl\'\s+\.\'od\'\s+\.\'e\'\;\$.+?array\(.+?eval\(.+?\)\)\)\)\;\s+\?>/is,