fixes & patterns

cms-ver.php

@@ -130,7 +130,8 @@ $versions = array(
     array("Agora Cart", "/agora.cgi", "\/versions\/"),
     array("CKeditor", "/ckeditor/CHANGES.html", "CKEditor Changelog"),
     array("Dokeos", "main/inc/installedVersion.inc.php", "\$dokeos_version"),
-
+    array("CakePHP","cake/config/config.php","\$config['Cake.version'] ="),
+    
 // still need to work on these
     array("CubeCart", "/index.php", "CubeCart v"), // may need one more line
     array("Soholaunch", "/index.php", "\#\# Soholaunch\(R\) Site Management Tool"), // needs two more lines
@@ -280,7 +281,7 @@ foreach(glob("../{**/*,*}".$rxw[1], GLOB_BRACE) as $versionfilex){
 
 
 // fix for scripts installed in docroot
-foreach(glob("../".$raw[1], GLOB_BRACE) as $versionfilex) {
+foreach(glob("../".$rxw[1], GLOB_BRACE) as $versionfilex) {
     $file = file_get_contents($versionfilex);
     $pattern1 = preg_quote($rxw[2], '/');
     $pattern2 = preg_quote($rxw[3], '/');
@@ -288,7 +289,7 @@ foreach(glob("../".$raw[1], GLOB_BRACE) as $versionfilex) {
 	$pattern = "/^.*$pattern1.*\$|^.*$pattern2.*\$|^.*$pattern3.*\$/m";  
 	if(preg_match_all($pattern, $file, $matches)){
 	echo "<br />";
-   	echo "<strong>".$raw[0]." found:</strong><br />";
+   	echo "<strong>".$rxw[0]." found:</strong><br />";
    	echo implode("<br />", $matches[0]);
    	echo "<br />";
    	print_r ("location:".$versionfilex);

malware5.pl

@@ -204,7 +204,8 @@ my @regexen = (
     qr/<\?php\s+echo.+?\.php\_uname\(\)\..+?Upload.+?Upload.+?Upload.+?\}\s+\}\s+\?>/is,
     qr/<\?php\s+\$.+?\'gz\'\.\s+\'un\'\.\s+\'co\'\.\s+\'mp\'\.\s+\'re\'\.\s+\'ss\'.+?\'bas\'\s+\.\'e64\'\s+\.\'\_de\'\s+\.\'cod\'\s+\.\'e\'.+?\'i\'\s+\.\'m\'\s+\.\'p\'\s+\.\'l\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'.+?array\(.+?eval\(.+?\)\)\)\)\;\s+\?>/is,
     qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'s\'\.\'t\'\.\'r\'\.\'r\'\.\'e\'\.\'v\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\(\'et\'\.\'al\'\.\'fn\'\.\'iz\'\.\'g\'\)\;eval\(\$.+?\)\)\)\)\;\s+\?>/is,
-    
+    qr/<\?php\s+eval\(\"\\n\\\$([A-z0-9]{1,20})\s+\=\s+intval\(\_\_LINE\_\_\)\s+\*\s+337\;\"\)\;.+?eval\s+\(gzinflate\(base64\_decode\(\$\w\)\)\)\;/is,
+    qr/<\?php\s+\$([A-z0-9]{1,20})\=\$\_POST\[\'([A-z0-9]{1,20})\'\]\;if\(\$([A-z0-9]{1,20})\!\=\'\'\)\{\$([A-z0-9]{1,20})\=base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\@eval\(\"\\\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\;\"\)\;\}/is,
 
 );
 

scan.php

@@ -225,7 +225,6 @@ error_reporting(E_ALL);
     "return rawurlencode\(rawurlencode\(",
     "=array_map\(\"ba\".\"se6\".\"4\".\"_decode\",array\(\'\',str_replace\(",
     "d.=sprintf\(\(substr\(urlencode\(print_r\(array\(",
-    "eval\(gzinflate\(base64_decode\(",
     "eval\(gzinflate\(str_rot13\(base64_decode\(",
     "eval\(gzinflate\(base64_decode\(str_rot13\(",
     "eval\(gzinflate\(base64_decode\(base64_decode\(",
@@ -482,6 +481,8 @@ error_reporting(E_ALL);
     "facebook\.com\/luan\.santo\.5437",
     "wtuds",
     "eval(atob",
+    "PCT4BA6ODSE_",
+    "@base64_decode\(\$",
 );
 
 foreach ($tree as $finfo)