diff --git a/cms-ver.php b/cms-ver.php
index ed9707b..8c0791d 100644
--- a/cms-ver.php
+++ b/cms-ver.php
@@ -130,7 +130,8 @@ $versions = array(
 array("Agora Cart", "/agora.cgi", "\/versions\/"),
 array("CKeditor", "/ckeditor/CHANGES.html", "CKEditor Changelog"),
 array("Dokeos", "main/inc/installedVersion.inc.php", "\$dokeos_version"),
-
+ array("CakePHP","cake/config/config.php","\$config['Cake.version'] ="),
+ // still need to work on these
 array("CubeCart", "/index.php", "CubeCart v"), // may need one more line
 array("Soholaunch", "/index.php", "\#\# Soholaunch\(R\) Site Management Tool"), // needs two more lines
@@ -280,7 +281,7 @@ foreach(glob("../{**/*,*}".$rxw[1], GLOB_BRACE) as $versionfilex){
 // fix for scripts installed in docroot
-foreach(glob("../".$raw[1], GLOB_BRACE) as $versionfilex) {
+foreach(glob("../".$rxw[1], GLOB_BRACE) as $versionfilex) {
 $file = file_get_contents($versionfilex);
 $pattern1 = preg_quote($rxw[2], '/');
 $pattern2 = preg_quote($rxw[3], '/');
@@ -288,7 +289,7 @@ foreach(glob("../".$raw[1], GLOB_BRACE) as $versionfilex) {
 $pattern = "/^.*$pattern1.*\$|^.*$pattern2.*\$|^.*$pattern3.*\$/m";
 if(preg_match_all($pattern, $file, $matches)){
 echo "
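Review bot: The new CakePHP entry uses a path with no leading slash, `"cake/config/config.php"`, while the neighbouring entries are written as `"/agora.cgi"` and `"/index.php"`; the docroot loop further down builds `glob("../".$rxw[1])`, which tolerates both forms, but the wildcard `../{**/*,*}` glob named in the next hunk header can also match a docroot-level `../cake/config/config.php` (a `*` may match nothing), so a CakePHP install in the docroot may be reported twice — worth confirming against the Dokeos entry, which has the same shape. The `// still need to work on these` comment lands after the CakePHP line although the trailing notes belong to the CubeCart and Soholaunch entries; `// still need to work on these (CubeCart, Soholaunch): see trailing notes` would remove the ambiguity. The `$versions` array starts before this hunk.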
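Review bot: `$file = file_get_contents($versionfilex);` in the corrected loop is not checked for failure; an unreadable file yields `false`, which `preg_match_all` then scans as an empty string after a warning, so the entry is silently reported as absent rather than as unreadable. `if ($file === false) { continue; }` after the read keeps the loop honest, and `glob(...) ?: array()` in the loop header avoids a foreach-over-false warning on platforms where `glob()` returns `false`. The loop body continues past the end of this hunk.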
";
- echo "".$raw[0]." found:
";
+ echo "".$rxw[0]." found:
";
 echo implode("
", $matches[0]);
 echo "
";
 print_r ("location:".$versionfilex);
diff --git a/malware5.pl b/malware5.pl
index e19a132..54d9c19 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -204,7 +204,8 @@ my @regexen = (
 qr/<\?php\s+echo.+?\.php\_uname\(\)\..+?Upload.+?Upload.+?Upload.+?\}\s+\}\s+\?>/is,
 qr/<\?php\s+\$.+?\'gz\'\.\s+\'un\'\.\s+\'co\'\.\s+\'mp\'\.\s+\'re\'\.\s+\'ss\'.+?\'bas\'\s+\.\'e64\'\s+\.\'\_de\'\s+\.\'cod\'\s+\.\'e\'.+?\'i\'\s+\.\'m\'\s+\.\'p\'\s+\.\'l\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'.+?array\(.+?eval\(.+?\)\)\)\)\;\s+\?>/is,
 qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'s\'\.\'t\'\.\'r\'\.\'r\'\.\'e\'\.\'v\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\(\'et\'\.\'al\'\.\'fn\'\.\'iz\'\.\'g\'\)\;eval\(\$.+?\)\)\)\)\;\s+\?>/is,
-
+ qr/<\?php\s+eval\(\"\\n\\\$([A-z0-9]{1,20})\s+\=\s+intval\(\_\_LINE\_\_\)\s+\*\s+337\;\"\)\;.+?eval\s+\(gzinflate\(base64\_decode\(\$\w\)\)\)\;/is,
+ qr/<\?php\s+\$([A-z0-9]{1,20})\=\$\_POST\[\'([A-z0-9]{1,20})\'\]\;if\(\$([A-z0-9]{1,20})\!\=\'\'\)\{\$([A-z0-9]{1,20})\=base64\_decode\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\@eval\(\"\\\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\;\"\)\;\}/is,
 );
diff --git a/scan.php b/scan.php
index df52805..c143074 100644
--- a/scan.php
+++ b/scan.php
@@ -225,7 +225,6 @@ error_reporting(E_ALL);
 "return rawurlencode\(rawurlencode\(",
 "=array_map\(\"ba\".\"se6\".\"4\".\"_decode\",array\(\'\',str_replace\(",
 "d.=sprintf\(\(substr\(urlencode\(print_r\(array\(",
- "eval\(gzinflate\(base64_decode\(",
 "eval\(gzinflate\(str_rot13\(base64_decode\(",
 "eval\(gzinflate\(base64_decode\(str_rot13\(",
 "eval\(gzinflate\(base64_decode\(base64_decode\(",
@@ -482,6 +481,8 @@ error_reporting(E_ALL);
 "facebook\.com\/luan\.santo\.5437",
 "wtuds",
 "eval(atob",
+ "PCT4BA6ODSE_",
+ "@base64_decode\(\$",
 );
 foreach ($tree as $finfo)
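Review bot: The matched lines and the path are written into the HTML report unescaped — `implode(..., $matches[0])` and `print_r("location:".$versionfilex)` — so any markup or script inside a scanned file, or in a crafted file name, is rendered in the viewer's browser; wrap them, e.g. `array_map('htmlspecialchars', $matches[0])` before the implode and `htmlspecialchars($versionfilex)` for the path. Separately, `$pattern2` is built from `$rxw[3]` in the previous hunk, yet every `$versions` entry visible in the first hunk has only three elements, so for those entries `$rxw[3]` is undefined, its `preg_quote` result is empty, and the middle alternative becomes `^.*$`, which matches every line of the file — verify against the entries outside this hunk. The foreach enclosing this hunk starts before it.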
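Review bot: Both added patterns use `[A-z0-9]` for variable names; that range also admits `[`, `\`, `]`, `^`, `_` and the backtick, which is wider than a PHP identifier and lets the capture swallow unintended text, so `[A-Za-z0-9_]` (or `\w`) is the safer class for new signatures. In the first pattern the final sink is written `\$\w\)`, which matches only a single-character variable name although the earlier capture allows up to 20 characters; `\$\w+` is presumably intended unless the sample really uses a one-letter name. Both new regexes are pinned to exact punctuation with no `\s*` between tokens, so a re-spaced copy of the same backdoor slips past them — consider `\s*` around `=` and `;` if broader coverage is wanted. The `@regexen` list starts before this hunk.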
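Review bot: The new `"@base64_decode\(\$"` entry matches the error-suppressed decode idiom that ordinary application code also uses, so on its own it is likely to raise false positives; pairing it with an eval sink as the `eval\(gzinflate...` entries do, e.g. `"@eval\(base64_decode\(\$"`, would keep the intent without flagging every suppressed decode. Note also that the earlier hunk of this file drops the generic `"eval\(gzinflate\(base64_decode\("` entry and nothing added here covers that chain, so a plain `eval(gzinflate(base64_decode($x)))` payload is now caught only through the str_rot13 and double-base64 variants that remain — confirm the gap is intended, since the Perl scanner's new pattern requires an `intval(__LINE__) * 337` prelude and a single-character variable. The signature array starts before this hunk.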