diff --git a/cms-ver.php b/cms-ver.php index 10739c2..b431e96 100644 --- a/cms-ver.php +++ b/cms-ver.php @@ -14,7 +14,7 @@ $versions = array( array("PHPlist", "/admin/connect.php", "define(\"VERSION\","), array("RoundCube", "/program/include/iniset.php", "define('RCMAIL_VERSION',"), array("Squirrel Mail", "/functions/strings.php", "\$version ="), - array("Dede CMS<", "/config_base.php", "\$cfg_soft_enname\|\$cfg_version"), + array("Dede CMS", "/config_base.php", "\$cfg_soft_enname\|\$cfg_version"), array("Sugar CRM", "/sugar_version.php", "\$sugar_version"), array("XOOPS", "/version.php", "XOOPS_VERSION"), array("Concrete5", "/config/concrete.php", "version_installed"), @@ -132,6 +132,7 @@ $versions = array( array("Dokeos", "main/inc/installedVersion.inc.php", "\$dokeos_version"), array("CakePHP","cake/config/config.php","\$config['Cake.version'] ="), array("phpFormGenerator", "/fields.php", "phpFormGenerator v"), // does not escape correctly + array("ZenPhoto", "/zp-core/functions.php", "define('ZENPHOTO_VERSION',"), // still need to work on these array("CubeCart", "/index.php", "CubeCart v"), // may need one more line diff --git a/malware5.pl b/malware5.pl index d492829..ac2ae30 100644 --- a/malware5.pl +++ b/malware5.pl @@ -272,7 +272,15 @@ my @regexen = ( qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\,\$([A-z0-9]{1,20})\(null\,\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\).+?\'\;/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\;if\(\!\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\/\*\'\.\s+\'\)\*\/\$([A-z0-9]{1,20})\)\)\,\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\(.+?\'\;/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\..+?\'\;/is, - + qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?die\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(false\,\/\*.+?\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\).+?\'\;/is, + qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\'\.\/\*([A-z0-9]{1,20})\'\.\s+\'\?\*\/([A-z0-9]{1,20})\.\'.+?\*\/\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\(\$.+?\(false\,\/\*([A-z0-9]{1,20})\'\.\s+\'([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\;.+?\'\;/is, + qr/<\?php\s+\$([A-z0-9]{1,20})\=\'.+?\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\)\)\=\=\$([A-z0-9]{1,20})\.\/\*([A-z0-9]{1,20})\'\..+?\$([A-z0-9]{1,20})\(false\,\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\;.+?\'\;/is, + qr/<\?php\s+\$([A-z0-9]{1,20})\=\'\([A-z0-9]{1,20})\'.+?\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,array\(\$([A-z0-9]{1,20})\,\/\*([A-z0-9]{1,20})\'\.\s+\'([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\,\$([A-z0-9]{1,20})\)\)\;.+?\'\;/is, + qr/<\?php\s+\$([A-z0-9]{1,20})\_([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\*\/\$([A-z0-9]{1,20})\)\)\,\$([A-z0-9]{1,20})\)\)exit\;\$([A-z0-9]{1,20})\(\$.+?array\(\(\'.+?\'\;/is, + qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\W.+?\*\/\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20}).+?\'\@\@\@\@.+?\)\;if\(\!\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\,\/\*\'\..+?\'\;/is, + qr/<\?php\s+\$key\=\"([A-z0-9]{32})\"\;\s+if\(md5\(\$\_COOKIE\[\"key\"\]\)\s+\=\=\s+\$key\)\s+\{\s+eval\s+\(\s+base64\_decode\s+\(\$\_POST\[\"code\"\]\)\)\;\s+\}\s+\?>/is, + qr/<\?php\s+if\s+\(isset\(\$\_POST\[.+?urldecode\(\$\_SERVER\[\'QUERY\_STRING\'\]\)\;.+?\$email\s+\=\s+\@base64\_decode\(\$.+?return\s+jk\_\_\_\(\$url\)\;\s+\}\s+\}\s+\}/is, + }/is, diff --git a/malwaresh.pl b/malwaresh.pl index e7ee921..fe9ccfb 100644 --- a/malwaresh.pl +++ b/malwaresh.pl @@ -752,7 +752,14 @@ my @regexen = ( qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\,\$([A-z0-9]{1,20})\(null\,\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\).+?\'\;/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\;if\(\!\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\/\*\'\.\s+\'\)\*\/\$([A-z0-9]{1,20})\)\)\,\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\(.+?\'\;/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\'\.\s+\'.+?\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\..+?\'\;/is, - + qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?die\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(false\,\/\*.+?\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\).+?\'\;/is, + qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\'\.\/\*([A-z0-9]{1,20})\'\.\s+\'\?\*\/([A-z0-9]{1,20})\.\'.+?\*\/\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\(\$.+?\(false\,\/\*([A-z0-9]{1,20})\'\.\s+\'([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\;.+?\'\;/is, + qr/<\?php\s+\$([A-z0-9]{1,20})\=\'.+?\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\)\)\=\=\$([A-z0-9]{1,20})\.\/\*([A-z0-9]{1,20})\'\..+?\$([A-z0-9]{1,20})\(false\,\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\;.+?\'\;/is, + qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,array\(\$([A-z0-9]{1,20})\,\/\*([A-z0-9]{1,20})\'\.\s+\'([A-z0-9]{1,20})\*\/\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\,\$([A-z0-9]{1,20})\)\)\;.+?\'\;/is, + qr/<\?php\s+\$([A-z0-9]{1,20})\_([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'.+?\*\/\$([A-z0-9]{1,20})\)\)\,\$([A-z0-9]{1,20})\)\)exit\;\$([A-z0-9]{1,20})\(\$.+?array\(\(\'.+?\'\;/is, + qr/<\?php\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\W.+?\*\/\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20}).+?\'\@\@\@\@.+?\)\;if\(\!\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\,\/\*\'\..+?\'\;/is, + qr/<\?php\s+\$key\=\"([A-z0-9]{32})\"\;\s+if\(md5\(\$\_COOKIE\[\"key\"\]\)\s+\=\=\s+\$key\)\s+\{\s+eval\s+\(\s+base64\_decode\s+\(\$\_POST\[\"code\"\]\)\)\;\s+\}\s+\?>/is, + qr/<\?php\s+if\s+\(isset\(\$\_POST\[.+?urldecode\(\$\_SERVER\[\'QUERY\_STRING\'\]\)\;.+?\$email\s+\=\s+\@base64\_decode\(\$.+?return\s+jk\_\_\_\(\$url\)\;\s+\}\s+\}\s+\}/is, ); diff --git a/patterns/swag.txt b/patterns/swag.txt index 515d275..85d694a 100644 --- a/patterns/swag.txt +++ b/patterns/swag.txt @@ -1 +1,4 @@ United Bangladeshi Hackers +ubhteam.org +Prappo Prince +prappo-prince.me