fixes & new patterns

cms-ver.php

@@ -207,8 +207,8 @@ foreach(glob("../".$row[1], GLOB_BRACE) as $versionfile) {
 $versiondouble = array (
         array("Joomla 1.0", "/includes/version.php", "\$RELEASE =", "\$DEV_LEVEL ="),
     array("Joomla 1.5", "/libraries/joomla/version.php", "\$RELEASE =", "\$DEV_LEVEL ="),
-    array("Joomla 2.5", "/libraries/cms/version.php", "\$RELEASE =", "\$DEV_LEVEL ="),
-    array("Joomla 3.x", "/libraries/cms/version/version.php", "\$RELEASE =", "\$DEV_LEVEL ="),
+    array("Joomla 1.6/1.7", "/libraries/cms/version.php", "\$RELEASE =", "\$DEV_LEVEL ="),
+    array("Joomla 2.5/3.x", "/libraries/cms/version/version.php", "\$RELEASE =", "\$DEV_LEVEL ="),
     array("Joomla 3.5+", "/libraries/cms/version/version.php", "const RELEASE =", "const DEV_LEVEL ="),
     
     );
@@ -237,8 +237,9 @@ foreach(glob("../{**/*,*}".$raw[1], GLOB_BRACE) as $versionfiles){
 // fix for scripts installed in docroot
 foreach(glob("../".$raw[1], GLOB_BRACE) as $versionfiles) {
     $file = file_get_contents($versionfiles);
-	$pattern = preg_quote($raw[2], '/');
-	$pattern = "/^.*$pattern.*\$/m";
+    $pattern1 = preg_quote($raw[2], '/');
+    $pattern2 = preg_quote($raw[3], '/');
+	$pattern = "/^.*$pattern1.*\$|^.*$pattern2.*\$/m";  
 	if(preg_match_all($pattern, $file, $matches)){
 	echo "<br />";
    	echo "<strong>".$raw[0]." found:</strong><br />";
@@ -248,5 +249,48 @@ foreach(glob("../".$raw[1], GLOB_BRACE) as $versionfiles) {
 	}
   }
 
+}
+  $versiontriple = array (
+    array("Joomla 3.8.x", "/libraries/src/Version.php", "const MAJOR_VERSION =", "const MINOR_VERSION =", "const PATCH_VERSION ="),
+
+);
+
+foreach($versiontriple as $rxw){
+
+// scripts installed in subdirectories/subdomains
+foreach(glob("../{**/*,*}".$rxw[1], GLOB_BRACE) as $versionfilex){
+
+    $file = file_get_contents($versionfilex);
+    $pattern1 = preg_quote($rxw[2], '/');
+    $pattern2 = preg_quote($rxw[3], '/');
+    $pattern3 = preg_quote($rxw[4], '/');
+	$pattern = "/^.*$pattern1.*\$|^.*$pattern2.*\$|^.*$pattern3.*\$/m";  
+	if(preg_match_all($pattern, $file, $matches)){
+	echo "<br />";
+   	echo "<strong>".$rxw[0]." found:</strong><br />";
+   	echo implode("<br />", $matches[0]);
+   	echo "<br />";
+   	print_r ("location:".$versionfilex);
+   	
+   	
+	}
+  }
+
+
+// fix for scripts installed in docroot
+foreach(glob("../".$raw[1], GLOB_BRACE) as $versionfilex) {
+    $file = file_get_contents($versionfilex);
+    $pattern1 = preg_quote($rxw[2], '/');
+    $pattern2 = preg_quote($rxw[3], '/');
+    $pattern3 = preg_quote($rxw[4], '/');
+	$pattern = "/^.*$pattern1.*\$|^.*$pattern2.*\$|^.*$pattern3.*\$/m";  
+	if(preg_match_all($pattern, $file, $matches)){
+	echo "<br />";
+   	echo "<strong>".$raw[0]." found:</strong><br />";
+   	echo implode("<br />", $matches[0]);
+   	echo "<br />";
+   	print_r ("location:".$versionfilex);
+	}
+  }
 
 }

malware5.pl

@@ -171,6 +171,8 @@ my @regexen = (
     qr/<\?php\s+\$target\_path\=basename\(\$\_FILES\[.+?\]\)\;if\(move\_uploaded\_file\(\$\_FILES\[.+?><input\s+type\=\"submit\"\s+value\=\"Upload\s+File\"\/><\/form>/is,
     qr/<\?php\s+\$auth\s+\=.+?function\s+display\_auth\_form\(\)\s+\{.+?auth\(\)\;.+?if\s+\(isset\(\$\_POST\[\'action\'\]\)\).+?default\:\s+return\;\s+\}/is,
     qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\]\;\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$([A-z0-9]{1,20})\[\d\d\]\.\$([A-z0-9]{1,20})\[\d\]\.\$([A-z0-9]{1,20})\[\d\d\].+?\}\s+\}\s+if\s+\(\$([A-z0-9]{1,20})\s+>\=\s+\$([A-z0-9]{1,20})\)\s+\{\s+\$([A-z0-9]{1,20})\s+\+\=\s+1\;\s+\}\s+return\s+\$([A-z0-9]{1,20})\;\s+\}/is,
+    qr/<\?php.+?eval\(\"\\\$\w\=gzin\"\.\"flate\(base\"\.\"64\_de\"\.\"code\(\\\".+?\\\"\)\)\;\"\)\;eval\(\"\?>\"\.\$\w\)\;\s+\?>/is,
+    
 
 );