new patterns
99
scan.py
99
scan.py
@@ -1,18 +1,17 @@
|
||||
#!/usr/bin/env python
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
# Copyright 2014-2015 Planet-Work <f.vanniere@planet-work.com>
|
||||
# Source: https://github.com/planet-work/php-malware-scanner
|
||||
# License: MIT
|
||||
# https://github.com/planet-work/php-malware-scanner/blob/master/LICENSE
|
||||
# Original code by Planet-Work <f.vanniere@planet-work.com>
|
||||
# Forked by Malin Cenusa for Lunarpages (malin.cenusa@lunarpages.com)
|
||||
#
|
||||
|
||||
import os
|
||||
import re
|
||||
import fnmatch
|
||||
|
||||
whitelist = [
|
||||
'/lp-msh-scanner/scan.php',
|
||||
'/lp-msh-scanner/mscan.php',
|
||||
'/lp-msh-scanner/',
|
||||
'/lp-msh-scanner/',
|
||||
'/._',
|
||||
'cache/object/000000/',
|
||||
'libraries/simplepie/simplepie.php',
|
||||
@@ -414,12 +413,14 @@ def is_hacked(filename):
|
||||
or (line_num == 1 and "@$_COOKIE[" in l and "();}?>" in l) \
|
||||
or (line_num == 1 and '@move_uploaded_file' in l) \
|
||||
or ("move_uploaded_file/*;*/" in l) \
|
||||
or 'Database Emails Extractor' in l\
|
||||
or 'Database Emails Extractor' in l \
|
||||
or ("<h4>!PhpSend!</h4>" in l) \
|
||||
or '<b>Done ==> $userfile_name</b></center>' in l \
|
||||
or ('$files=fopen(\'../../../\'.$filepaths.' in l and ',"w+");' in l) \
|
||||
or "chmod ($_REQUEST['p1'], $_REQUEST['p2']);" in l \
|
||||
or "\\x62\\x61\\x73\\x65\\x36\\x34\\x5F\\x64\\x65\\x63\\x6F\\x64\\x65" in l\
|
||||
or "\\x62\\x61\\x73\\x65\\x36\\x34\\x5F\\x64\\x65\\x63\\x6F\\x64\\x65" in l \
|
||||
or "\\x73\\x74\\x72\\x5f\\x72\\x6f\\x74\\x31\\x33" in l \
|
||||
or "\\x67\\x7a\\x75\\x6e\\x63\\x6f\\x6d\\x70\\x72\\x65\\x73\\x73" in l \
|
||||
or (line_num == 2 and "$ref = $_SERVER['HTTP_USER_AGENT'];" in l) \
|
||||
or (line_num < 4 and "passthru($_POST[" in l) \
|
||||
or (line_num == 1 and '$stg="ba"."se"."64_d"."ecode";eval($stg(' in l) \
|
||||
@@ -493,58 +494,36 @@ def is_hacked(filename):
|
||||
score.append(('XXTEA_ENCRYPT', ''))
|
||||
if 'wp_sysoptions' in l:
|
||||
score.append(('CONCAT_STRING', ''))
|
||||
if '6006014887a2c09ec470f5b676c8f68a' in l:
|
||||
score.append(('MD5'))
|
||||
if 'cdd6e3ab65dac2b0d8bcf8cb5ce31185' in l:
|
||||
score.append(('MD5'))
|
||||
if '5088db39ad7cc4d4fa9f462f74faccb6' in l:
|
||||
score.append(('MD5'))
|
||||
if 'eb2d3273ac60f499d82d97da0fa44689' in l:
|
||||
score.append(('MD5'))
|
||||
if 'b071e67503e9dcefecafd62e81704ef0' in l:
|
||||
score.append(('MD5'))
|
||||
if 'c7a628cba22e28eb17b5f5c6ae2a266a' in l:
|
||||
score.append(('MD5'))
|
||||
if 'a13756bf1e2bd46921c135232774fc5f' in l:
|
||||
score.append(('MD5'))
|
||||
if '78b45bf662bafae9ac6b66097762c7d5' in l:
|
||||
score.append(('MD5'))
|
||||
if 'b0x@hotmail.com' in l:
|
||||
score.append(('SOCIALS'))
|
||||
if 'botv3@mrspybotv3.com' in l:
|
||||
score.append(('SOCIALS'))
|
||||
if 'sellerolux@gmail.com' in l:
|
||||
score.append(('SOCIALS'))
|
||||
if 'nerf.sarcasm007@gmail.com' in l:
|
||||
score.append(('SOCIALS'))
|
||||
if 'submit[at]1337day.com' in l:
|
||||
score.append(('SOCIALS'))
|
||||
if 'luan.hackingpro123@hotmail.com' in l:
|
||||
score.append(('SOCIALS'))
|
||||
if 'Black-ID@W.Cn' in l:
|
||||
score.append(('SOCIALS'))
|
||||
if 'facebook.com/007mrspy' in l:
|
||||
score.append(('SOCIALS'))
|
||||
if 'Skype: live:zepek_al' in l:
|
||||
score.append(('SOCIALS'))
|
||||
if 'facebook.com/luan.santo.5437' in l:
|
||||
score.append(('SOCIALS'))
|
||||
if 'Mister Spy' in l:
|
||||
score.append(('SOCIALS'))
|
||||
if 'darkshadow-tn' in l:
|
||||
score.append(('SOCIALS'))
|
||||
if 'IndoXploit' in l:
|
||||
score.append(('SOCIALS'))
|
||||
if 'Black-ID' in l:
|
||||
score.append(('SOCIALS'))
|
||||
if 'https://hastebin.com/raw/ifucenaquz' in l:
|
||||
score.append(('SOCIALS'))
|
||||
if 'https://hastebin.com/raw/iracirucad' in l:
|
||||
score.append(('SOCIALS'))
|
||||
if 'https://www.colourbox.com/preview/11775720-hacker-boy-icon.jpg' in l:
|
||||
score.append(('SOCIALS'))
|
||||
if 'https://image.prntscr.com/image/dQ_-z9pTRL6tA2kqbnXH6A.jp' in l:
|
||||
score.append(('SOCIALS'))
|
||||
if '6006014887a2c09ec470f5b676c8f68a' in l \
|
||||
or 'cdd6e3ab65dac2b0d8bcf8cb5ce31185' in l \
|
||||
or '5088db39ad7cc4d4fa9f462f74faccb6' in l \
|
||||
or 'eb2d3273ac60f499d82d97da0fa44689' in l \
|
||||
or 'b071e67503e9dcefecafd62e81704ef0' in l \
|
||||
or 'c7a628cba22e28eb17b5f5c6ae2a266a' in l \
|
||||
or 'a13756bf1e2bd46921c135232774fc5f' in l \
|
||||
or '78b45bf662bafae9ac6b66097762c7d5' in l:
|
||||
score.append(('MD5', ''))
|
||||
|
||||
if 'b0x@hotmail.com' in l \
|
||||
or 'botv3@mrspybotv3.com' in l \
|
||||
or 'sellerolux@gmail.com' in l \
|
||||
or 'nerf.sarcasm007@gmail.com' in l \
|
||||
or 'submit[at]1337day.com' in l \
|
||||
or 'luan.hackingpro123@hotmail.com' in l \
|
||||
or 'Black-ID@W.Cn' in l \
|
||||
or 'facebook.com/007mrspy' in l \
|
||||
or 'Skype: live:zepek_al' in l \
|
||||
or 'facebook.com/luan.santo.5437' in l \
|
||||
or 'Mister Spy' in l \
|
||||
or 'darkshadow-tn' in l \
|
||||
or 'IndoXploit' in l \
|
||||
or 'Black-ID' in l \
|
||||
or 'https://hastebin.com/raw/ifucenaquz' in l \
|
||||
or 'https://hastebin.com/raw/iracirucad' in l \
|
||||
or 'https://www.colourbox.com/preview/11775720-hacker-boy-icon.jpg' in l \
|
||||
or 'https://image.prntscr.com/image/dQ_-z9pTRL6tA2kqbnXH6A.jp' in l:
|
||||
score.append(('SOCIALS', ''))
|
||||
|
||||
previous_line = l
|
||||
|
||||
if line_num < 20:
|
||||
|
||||
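Review bot: In the third hunk the merged `or` chains append `('MD5', '')` and `('SOCIALS', '')` with an empty second element, so a hit does not say which hash, handle or URL matched. A line holding several indicators is also counted once, where the per-string `if`s (apparently the removed side) appended once per match; if the score depends on the number of entries, that behaviour change is worth confirming. Moving the strings into module-level tuples and recording the matched value would keep the list reviewable and give an analyst something to triage on, but the use of the second tuple element is not visible here, so check the consumer before filling it. `'Black-ID'` already matches every line containing `'Black-ID@W.Cn'`, so the longer entry is redundant. `is_hacked` starts and ends outside the hunk.

```python
# module level
MD5_IOCS = (
    # … unchanged: the eight hash strings from the condition …
)
SOCIAL_IOCS = (
    # … unchanged: the handle and URL strings from the condition …
)

# in is_hacked, in place of the two `or` chains
md5_hit = next((s for s in MD5_IOCS if s in l), None)
if md5_hit is not None:
    score.append(('MD5', md5_hit))
social_hit = next((s for s in SOCIAL_IOCS if s in l), None)
if social_hit is not None:
    score.append(('SOCIALS', social_hit))
```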