From dd7008aa7a8786946282360cc9fa6a749c50e79f Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Mon, 15 May 2017 12:04:33 +0200
Subject: [PATCH] moved cryptoPHP to main scanner
---
 sc.php | 5 ++---
 scan.php | 25 +++++++++++++++++++++++++
 2 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/sc.php b/sc.php
index 7332a8e..e69e4c8 100644
--- a/sc.php
+++ b/sc.php
@@ -33,7 +33,6 @@ $error = "Fatal error: Allowed memory size of 134217728 bytes exhausted (tried t
  • malicious IFRAME scan
  • Check Files With Large Lines
  • Database String Scanner
  • -
  • CryptoPHP Scanner
  • Run Findbot.PL
  • Insecure WP plugins
  • Custom string scanner
  • @@ -224,7 +223,7 @@ if (file_exists("../wp-content")) $output = shell_exec('find ./ -type f -name "*.php" -print -exec grep -RPn "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|php_uname|eval|tcpflood|udpflood|edoced_46esab) *\(" --color {} \;'); echo "
    $output
    "; */ -/* let's scan and clean cryptoPHP */ +/* let's scan and clean cryptoPHP - moved to the main scanner - needs testing function cryptophp(){ echo "Scanning for cryptoPHP in social.png files\n"; system("find ../ -type f -iname \"social*.png\" -exec grep -E -o 'php.{0,80}' {} \; -print"); @@ -232,7 +231,7 @@ function cryptophp(){ echo "\nScanning for cryptoPHP in all PNG files\n"; system("find ../ -type f -iname '*.png' -print0 | xargs -0 file | grep \"PHP script\""); } - +*/ /* Execute The Malware Scanner */ function scanme(){ diff --git a/scan.php b/scan.php index bee0a4f..09c3543 100644 --- a/scan.php +++ b/scan.php @@ -499,6 +499,31 @@ foreach ($tree as $finfo) } } + + elseif('png' == $ext && preg_match('\"PHP script\"', $tmp)) + { + $counter_infected++; + if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; + if($print_infected || $print_all) print "\n"; + { + print "...INFECTED (cryptoPHP)\n"; + + } + + } + + elseif('png' == $ext && preg_match('php.{0,80}', $tmp)) + { + $counter_infected++; + if($print_infected) print "{$finfo['path']}{$finfo['fname']}"; + if($print_infected || $print_all) print "\n"; + { + print "...INFECTED (cryptoPHP)\n"; + + } + + } + elseif('jpeg' == $ext && preg_match('/<\?php/i', $tmp)) { $counter_infected++;
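Review bot: Both new `png` branches in the scan.php hunk pass `preg_match` a pattern with no delimiters (`'\"PHP script\"'` and `'php.{0,80}'`), so PCRE rejects them (a backslash and the letter `p` are not valid delimiters), `preg_match` returns false with a warning, and neither branch can ever flag a file. Because the sc.php hunks in this commit comment out `cryptophp()`, CryptoPHP detection ends up switched off rather than moved. The second check should be delimited, e.g. `elseif('png' == $ext && preg_match('/php.{0,80}/', $tmp))`. The first should be dropped or rewritten, since `PHP script` is what `file` printed in the old shell pipeline and not text found inside a PNG, assuming `$tmp` holds the file contents as the `jpeg` branch suggests. The enclosing `foreach` starts and ends outside the hunk.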