diff --git a/malware5.pl b/malware5.pl
index edbfb01..6b6805d 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -503,8 +503,11 @@ my @regexen = (
 qr/<\?php\s+\/\*versio\:\d\.\d\d\*\/\s+\$GLOBALS\[\"([A-z0-9]{20,})\".+?\)\;\s+return\s+\$\w\(substr\(\$\w\,\s+\$\w\,\s+\$\w\)\)\;\}\;eval\(([A-z0-9]{20,})\(([A-z0-9]{20,})\,([A-z0-9]{20,})\)\)\;\}\;\?>/is,
 qr/<\?php\s+\$.+?\'gzun.+?ress\'\;\$.+?\'ba.+?64.+?array\(.+?eval\(.+?\?>/is,
 qr/\/\/istart.+?\/\/iend/is,
- qr/<\?php\s+if\(\!class\_exists\(.+?\$this->show_xmlsitemap\(\);.+?wp_sysoptions.+?\$jos_opti=new.+?\}\s+\?>/is,
-
+ qr/<\?php\s+if\(\!class\_exists\(.+?\$this\->show\_xmlsitemap\(\)\;.+?wp\_sysoptions.+?\$jos\_opti\=new.+?\}\s+\?>/is,
+ qr/<\?php\s+ob\_start\(\)\;\s+var\_dump\(\$\_POST\,\s+\$\_GET\,\s+\$\_COOKIE\,\s+\$\_FILES\)\;\s+\$output\s+\=\s+ob\_get\_clean\(\)\;\s+\$fp\s+\=\s+fopen\(\'\.\/error\_log\'\,\s+\'a\'\)\;\s+fwrite\(\$fp\,\s+print\_r\(\$output\,\s+TRUE\)\)\;\s+fclose\(\$fp\)\;\s+ob\_end\_clean\(\)\;\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
+ qr/<\?php\s+\$array\s+\=\s+array\(.+?\)\;\$\w\s+\=\s+implode\(\"\"\,\s+\$array\)\;\$b64\s+\=\s+\"\\x.+?\;\$gzc\s+\=\s+\"\\x.+?\;\$r13\s+\=\s+\"\\x.+?\;eval\(\$gzc\(\$b64\(\$r13\(\$\w\)\)\)\)\;\?>/is,
+ qr/<\?php\s+\$.+?\"pre\"\.\"g\_\"\.\"rep\"\.\"lace\"\;\s+\$.+?\(strrev\(\"e\/\*\.\/\"\)\,\s+strrev\(\"\(edoced\_46esab\(etalfnizg\(lave\"\)\.\".+?\)\;\s+\?>/is,
+
 );
 my @base64_decodes = (
diff --git a/malwaresh.pl b/malwaresh.pl
index e1c491e..58d4c22 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
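Review bot: The five regex entries added here are byte-for-byte the same as the five added to `@regexen` in malwaresh.pl in the next hunk, and the two copies have already drifted: the first entry in this file uses `([A-z0-9]{20,})` while malwaresh.pl has `([A-z0-9]{1,20})`. Moving the signature list into one shared module or data file that both scripts load would stop the two lists diverging further. In the third added entry, `\$\w\s+\=\s+implode` and `\$r13\(\$\w\)` accept only a one-character variable name, so a variant of the same dropper with a longer name is missed; `\$\w+` in both places would still match the original sample. The `\_`, `\=`, `\;` and `\,` escapes match the bare character and only make the patterns harder to read. `my @regexen = (` opens before this hunk.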
@@ -986,8 +986,11 @@ my @regexen = (
 qr/<\?php\s+\/\*versio\:\d\.\d\d\*\/\s+\$GLOBALS\[\"([A-z0-9]{1,20})\".+?\)\;\s+return\s+\$\w\(substr\(\$\w\,\s+\$\w\,\s+\$\w\)\)\;\}\;eval\(([A-z0-9]{1,20})\(([A-z0-9]{1,20})\,([A-z0-9]{1,20})\)\)\;\}\;\?>/is,
 qr/<\?php\s+\$.+?\'gzun.+?ress\'\;\$.+?\'ba.+?64.+?array\(.+?eval\(.+?\?>/is,
 qr/\/\/istart.+?\/\/iend/is,
- qr/<\?php\s+if\(\!class\_exists\(.+?\$this->show_xmlsitemap\(\);.+?wp_sysoptions.+?\$jos_opti=new.+?\}\s+\?>/is,
-
+ qr/<\?php\s+if\(\!class\_exists\(.+?\$this\->show\_xmlsitemap\(\)\;.+?wp\_sysoptions.+?\$jos\_opti\=new.+?\}\s+\?>/is,
+ qr/<\?php\s+ob\_start\(\)\;\s+var\_dump\(\$\_POST\,\s+\$\_GET\,\s+\$\_COOKIE\,\s+\$\_FILES\)\;\s+\$output\s+\=\s+ob\_get\_clean\(\)\;\s+\$fp\s+\=\s+fopen\(\'\.\/error\_log\'\,\s+\'a\'\)\;\s+fwrite\(\$fp\,\s+print\_r\(\$output\,\s+TRUE\)\)\;\s+fclose\(\$fp\)\;\s+ob\_end\_clean\(\)\;\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
+ qr/<\?php\s+\$array\s+\=\s+array\(.+?\)\;\$\w\s+\=\s+implode\(\"\"\,\s+\$array\)\;\$b64\s+\=\s+\"\\x.+?\;\$gzc\s+\=\s+\"\\x.+?\;\$r13\s+\=\s+\"\\x.+?\;eval\(\$gzc\(\$b64\(\$r13\(\$\w\)\)\)\)\;\?>/is,
+ qr/<\?php\s+\$.+?\"pre\"\.\"g\_\"\.\"rep\"\.\"lace\"\;\s+\$.+?\(strrev\(\"e\/\*\.\/\"\)\,\s+strrev\(\"\(edoced\_46esab\(etalfnizg\(lave\"\)\.\".+?\)\;\s+\?>/is,
+
 );
 my @base64_decodes = (
diff --git a/scan.py b/scan.py
index 58e4ed3..2fb8c08 100644
--- a/scan.py
+++ b/scan.py
@@ -1,18 +1,17 @@
 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
-# Copyright 2014-2015 Planet-Work
-# Source: https://github.com/planet-work/php-malware-scanner
-# License: MIT
-# https://github.com/planet-work/php-malware-scanner/blob/master/LICENSE
+# Original code by Planet-Work
+# Forked by Malin Cenusa for Lunarpages (malin.cenusa@lunarpages.com)
+#
 import os
 import re
 import fnmatch
 whitelist = [
- '/lp-msh-scanner/scan.php',
- '/lp-msh-scanner/mscan.php',
+ '/lp-msh-scanner/',
+ '/lp-msh-scanner/',
 '/._',
 'cache/object/000000/',
 'libraries/simplepie/simplepie.php',
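Review bot: `'/lp-msh-scanner/'` now appears twice in `whitelist`, and both lines replace the two specific files `/lp-msh-scanner/scan.php` and `/lp-msh-scanner/mscan.php` with a directory prefix, so every file under that directory — including anything dropped there later — is exempt from scanning. For a malware scanner an exclusion this broad is a permanent blind spot; keep a single entry, and either list the scanner's own files as before or add a comment stating why the whole directory has to be skipped, e.g. `'/lp-msh-scanner/',  # <reason the scanner's own directory must be excluded>`. How `whitelist` is matched is not visible in this hunk, so confirm whether the new entry is a prefix, substring or glob match before relying on it. The header change also drops `# License: MIT` and the Planet-Work copyright line; the MIT licence requires the copyright and permission notice to be kept in copies, so those lines should stay above the fork attribution.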
@@ -414,12 +413,14 @@ def is_hacked(filename):
 or (line_num == 1 and "@$_COOKIE[" in l and "();}?>" in l) \
 or (line_num == 1 and '@move_uploaded_file' in l) \
 or ("move_uploaded_file/*;*/" in l) \
- or 'Database Emails Extractor' in l\
+ or 'Database Emails Extractor' in l \
 or ("

!PhpSend!

" in l) \
 or 'Done ==> $userfile_name' in l \
 or ('$files=fopen(\'../../../\'.$filepaths.' in l and ',"w+");' in l) \
 or "chmod ($_REQUEST['p1'], $_REQUEST['p2']);" in l \
- or "\\x62\\x61\\x73\\x65\\x36\\x34\\x5F\\x64\\x65\\x63\\x6F\\x64\\x65" in l\
+ or "\\x62\\x61\\x73\\x65\\x36\\x34\\x5F\\x64\\x65\\x63\\x6F\\x64\\x65" in l \
+ or "\\x73\\x74\\x72\\x5f\\x72\\x6f\\x74\\x31\\x33" in l \
+ or "\\x67\\x7a\\x75\\x6e\\x63\\x6f\\x6d\\x70\\x72\\x65\\x73\\x73" in l \
 or (line_num == 2 and "$ref = $_SERVER['HTTP_USER_AGENT'];" in l) \
 or (line_num < 4 and "passthru($_POST[" in l) \
 or (line_num == 1 and '$stg="ba"."se"."64_d"."ecode";eval($stg(' in l) \
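Review bot: The two added indicators `"\\x73\\x74\\x72\\x5f\\x72\\x6f\\x74\\x31\\x33"` (the `\x` spelling of `str_rot13`) and `"\\x67\\x7a\\x75\\x6e\\x63\\x6f\\x6d\\x70\\x72\\x65\\x73\\x73"` (`gzuncompress`) are case-sensitive substring tests written with lowercase hex digits, while the existing base64_decode indicator two lines up uses uppercase `\\x5F`/`\\x6F`; PHP accepts either case in `\x` escapes, so each of these checks catches only one spelling. Testing a lowercased copy of the line, `ll = l.lower()`, for the hex-escape indicators (or a single `re.search(..., re.I)`) would cover both. A trailing comment naming the decoded identifier, e.g. `# "str_rot13" written as \x escapes`, would make the chain reviewable without a hex table. The `or` chain belongs to an `if` that starts before this hunk and continues after its last line.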
@@ -493,58 +494,36 @@ def is_hacked(filename):
 score.append(('XXTEA_ENCRYPT', ''))
 if 'wp_sysoptions' in l:
 score.append(('CONCAT_STRING', ''))
- if '6006014887a2c09ec470f5b676c8f68a' in l:
- score.append(('MD5'))
- if 'cdd6e3ab65dac2b0d8bcf8cb5ce31185' in l:
- score.append(('MD5'))
- if '5088db39ad7cc4d4fa9f462f74faccb6' in l:
- score.append(('MD5'))
- if 'eb2d3273ac60f499d82d97da0fa44689' in l:
- score.append(('MD5'))
- if 'b071e67503e9dcefecafd62e81704ef0' in l:
- score.append(('MD5'))
- if 'c7a628cba22e28eb17b5f5c6ae2a266a' in l:
- score.append(('MD5'))
- if 'a13756bf1e2bd46921c135232774fc5f' in l:
- score.append(('MD5'))
- if '78b45bf662bafae9ac6b66097762c7d5' in l:
- score.append(('MD5'))
- if 'b0x@hotmail.com' in l:
- score.append(('SOCIALS'))
- if 'botv3@mrspybotv3.com' in l:
- score.append(('SOCIALS'))
- if 'sellerolux@gmail.com' in l:
- score.append(('SOCIALS'))
- if 'nerf.sarcasm007@gmail.com' in l:
- score.append(('SOCIALS'))
- if 'submit[at]1337day.com' in l:
- score.append(('SOCIALS'))
- if 'luan.hackingpro123@hotmail.com' in l:
- score.append(('SOCIALS'))
- if 'Black-ID@W.Cn' in l:
- score.append(('SOCIALS'))
- if 'facebook.com/007mrspy' in l:
- score.append(('SOCIALS'))
- if 'Skype: live:zepek_al' in l:
- score.append(('SOCIALS'))
- if 'facebook.com/luan.santo.5437' in l:
- score.append(('SOCIALS'))
- if 'Mister Spy' in l:
- score.append(('SOCIALS'))
- if 'darkshadow-tn' in l:
- score.append(('SOCIALS'))
- if 'IndoXploit' in l:
- score.append(('SOCIALS'))
- if 'Black-ID' in l:
- score.append(('SOCIALS'))
- if 'https://hastebin.com/raw/ifucenaquz' in l:
- score.append(('SOCIALS'))
- if 'https://hastebin.com/raw/iracirucad' in l:
- score.append(('SOCIALS'))
- if 'https://www.colourbox.com/preview/11775720-hacker-boy-icon.jpg' in l:
- score.append(('SOCIALS'))
- if 'https://image.prntscr.com/image/dQ_-z9pTRL6tA2kqbnXH6A.jp' in l:
- score.append(('SOCIALS'))
+ if '6006014887a2c09ec470f5b676c8f68a' in l \
+ or 'cdd6e3ab65dac2b0d8bcf8cb5ce31185' in l \
or '5088db39ad7cc4d4fa9f462f74faccb6' in l \
+ or 'eb2d3273ac60f499d82d97da0fa44689' in l \
+ or 'b071e67503e9dcefecafd62e81704ef0' in l \
+ or 'c7a628cba22e28eb17b5f5c6ae2a266a' in l \
+ or 'a13756bf1e2bd46921c135232774fc5f' in l \
+ or '78b45bf662bafae9ac6b66097762c7d5' in l:
+ score.append(('MD5', ''))
+
+ if 'b0x@hotmail.com' in l \
+ or 'botv3@mrspybotv3.com' in l \
+ or 'sellerolux@gmail.com' in l \
+ or 'nerf.sarcasm007@gmail.com' in l \
+ or 'submit[at]1337day.com' in l \
+ or 'luan.hackingpro123@hotmail.com' in l \
+ or 'Black-ID@W.Cn' in l \
+ or 'facebook.com/007mrspy' in l \
+ or 'Skype: live:zepek_al' in l \
+ or 'facebook.com/luan.santo.5437' in l \
+ or 'Mister Spy' in l \
+ or 'darkshadow-tn' in l \
+ or 'IndoXploit' in l \
+ or 'Black-ID' in l \
+ or 'https://hastebin.com/raw/ifucenaquz' in l \
+ or 'https://hastebin.com/raw/iracirucad' in l \
+ or 'https://www.colourbox.com/preview/11775720-hacker-boy-icon.jpg' in l \
+ or 'https://image.prntscr.com/image/dQ_-z9pTRL6tA2kqbnXH6A.jp' in l:
+ score.append(('SOCIALS', ''))
+
 previous_line = l
 if line_num < 20:
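Review bot: In the new SOCIALS chain, `'Black-ID' in l` already covers `'Black-ID@W.Cn' in l`, so the earlier term is redundant, and `'https://image.prntscr.com/image/dQ_-z9pTRL6tA2kqbnXH6A.jp'` looks like a truncated `.jpg`; it still matches as a prefix, but it deserves a comment if the truncation is deliberate. The consolidation also changes the scoring: a line containing several of these hashes used to append one entry per hit and now appends a single `('MD5', '')`, which is probably intended but should be stated in a comment. Style: 8- and 18-term `or` chains with backslash continuations are hard to extend; hoisting the values into module-level tuples (`MD5_HASHES`, `SOCIAL_MARKERS`) and writing `if any(h in l for h in MD5_HASHES): score.append(('MD5', ''))` keeps one line per category and separates signature data from logic. `is_hacked` starts before this hunk and continues after its last line.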