
Added suspect files.

Benoît S. il y a 4 ans
Parent
révision
028bfbfc26
8 fichiers modifiés avec 26 ajouts et 32 suppressions
  1. 1
    0
      Makefile
  2. 0
    2
      evomalware.patterns
  3. 1
    1
      evomalware.patterns.md5
  4. 12
    27
      evomalware.sh
  5. 5
    0
      evomalware.suspect
  6. 1
    0
      evomalware.suspect.md5
  7. 5
    1
      evomalware.whitelist
  8. 1
    1
      evomalware.whitelist.md5

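--- a/Makefile
+++ b/Makefile
@@ -6,5 +6,6 @@ md5:
 	md5sum evomalware.filenames > evomalware.filenames.md5
 	md5sum evomalware.patterns > evomalware.patterns.md5
 	md5sum evomalware.whitelist > evomalware.whitelist.md5
+	md5sum evomalware.suspect > evomalware.suspect.md5
 clean:
 	rm *.md5 || exit 0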

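--- a/evomalware.patterns
+++ b/evomalware.patterns
@@ -11,9 +11,7 @@ r57shell|
 c99shell|shellbot|
 void\.ru|
 phpremoteview|
-directmail|
 bash_history|
-multiviews|
 cwings|
 vandal|
 bitchx|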

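--- a/evomalware.patterns.md5
+++ b/evomalware.patterns.md5
@@ -1 +1 @@
-1baf9e134ab34971e107891e9dd0a8df  evomalware.patterns
+959ec6b01381cf9004f5db089a6f9a8b  evomalware.patterns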

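--- a/evomalware.sh
+++ b/evomalware.sh
@@ -38,35 +38,20 @@ fi
 mkdir -p $databasePATH
 mkdir -p $tmpPATH
 cd $tmpPATH
-
-$wget ${databaseURL}/evomalware.filenames
-$wget ${databaseURL}/evomalware.filenames.md5
-if md5sum --quiet -c evomalware.filenames.md5; then
-    cp evomalware.filenames ${databasePATH}/
-else
-    echo "Error with ${databaseURL}/evomalware.filenames, wrong md5sum!"
-    exit 1
-fi
-$wget ${databaseURL}/evomalware.patterns
-$wget ${databaseURL}/evomalware.patterns.md5
-if md5sum --quiet -c evomalware.patterns.md5; then
-    cp evomalware.patterns ${databasePATH}/
-else
-    echo "Error with ${databaseURL}/evomalware.patterns, wrong md5sum!"
-    exit 1
-fi
-$wget ${databaseURL}/evomalware.whitelist
-$wget ${databaseURL}/evomalware.whitelist.md5
-if md5sum --quiet -c evomalware.whitelist.md5; then
-    cp evomalware.whitelist ${databasePATH}/
-else
-    echo "Error with ${databaseURL}/evomalware.whitelist, wrong md5sum!"
-    exit 1
-fi
-
+for file in evomalware.filenames evomalware.patterns evomalware.whitelist evomalware.suspect; do
+    $wget ${databaseURL}/${file}
+    $wget ${databaseURL}/${file}.md5
+    if md5sum --quiet -c ${file}.md5; then
+        cp $file ${databasePATH}/
+    else
+        echo "Error with ${databaseURL}/${file}, wrong md5sum!"
+        exit 1
+    fi
+done
 filenames=$(cat ${databasePATH}/evomalware.filenames | tr -d '\n')
 patterns=$(cat ${databasePATH}/evomalware.patterns | tr -d '\n')
 whitelist=$(cat ${databasePATH}/evomalware.whitelist | tr -d '\n')
+suspect=$(cat ${databasePATH}/evomalware.suspect | tr -d '\n')
 
 # Search for .php files (less than 1M).
 find $wwwpath -name evobackup -prune -o \( -type f ! -size +1M -name "*.php" \) \
@@ -80,7 +65,7 @@ while read file; do
         echo "PHP file in a non-PHP folder detected: $file"
     # Count the length of the longest line and search if suspect php functions are used.
     elif [[ $($wc -L "$file" | cut -d' ' -f1) -gt 10000 ]]; then
-        grep -q -E -e base64 -e gzinflate -e eval -e '\\x..\\x..' -e 'chr\(rand\(' $file
+        grep -q -E "$suspect" "$file"
         if [[ $? -eq 0 ]]; then
             echo "Suspect file! More than 10000 characters in one line (and suspect PHP functions): $file."
         fi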
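Review bot: The regex handed to grep on line 68 of the new side is now whatever the downloaded evomalware.suspect contains, so an empty or truncated file makes `grep -E ""` match every file and every long-line PHP file gets reported as suspect; nothing in the download loop at lines 41-50 rejects an empty list. The md5sum comparison in that loop proves transport integrity only, because the .md5 is fetched from the same URL as the data, so it is not a check on where the list came from. A non-empty guard folded into the test also removes the separate `$?` check: `if [[ -n "$suspect" ]] && grep -q -E -- "$suspect" "$file"; then`. The enclosing `while read file` loop starts and ends outside this hunk.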

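--- a/evomalware.suspect
+++ b/evomalware.suspect
@@ -0,0 +1,5 @@
+base64\(|
+gzinflate\(|
+eval\(|
+\\x..\\x..|
+chr\(rand\(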
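Review bot: `base64\(` on line 1 only matches a literal `base64(`, which is not a PHP function name; the grep it replaces matched the bare word `base64` and therefore caught `base64_decode(`, so this narrows detection compared with the previous version. Keep the old coverage with `base64_decode\(|` or the original bare `base64|`. The last line correctly carries no trailing `|`, which is what keeps the alternation valid once evomalware.sh joins the lines with `tr -d '\n'`.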

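--- a/evomalware.suspect.md5
+++ b/evomalware.suspect.md5
@@ -0,0 +1 @@
+fe651e7aee7ff103d0f2bc01778275e5  evomalware.suspect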

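--- a/evomalware.whitelist
+++ b/evomalware.whitelist
@@ -1,4 +1,8 @@
 com_flippingbook|
 evobackup|
 smile_fonts|
-gettext-compiled.php
+gettext-compiled.php|
+sucuri|
+class-prebuilt-templates.php|
+mainwp/backup/index.php|
+mainwp/index.php|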
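Review bot: The new last line `mainwp/index.php|` ends with a `|`, whereas the old file ended without one (`gettext-compiled.php`). evomalware.sh joins this file with `tr -d '\n'` into `$whitelist`; if that string is then used as a grep -E pattern as the other lists are, the trailing `|` is an empty alternative that matches every path, which would whitelist everything and silence the scanner. Drop the separator from the final entry: `mainwp/index.php`. The code that consumes `$whitelist` is outside this commit, so confirm against evomalware.sh.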

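--- a/evomalware.whitelist.md5
+++ b/evomalware.whitelist.md5
@@ -1 +1 @@
-5650b0040eba3409eb46c69b473c4099  evomalware.whitelist
+93877831a1bf357a6aaa43be05a9e463  evomalware.whitelist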
