
Added suspect files.

remotes/forge/master
Benoît S. 4 years ago
parent
commit
028bfbfc26
8 changed files with 26 additions and 32 deletions
  1. 1
    0
      Makefile
  2. 0
    2
      evomalware.patterns
  3. 1
    1
      evomalware.patterns.md5
  4. 12
    27
      evomalware.sh
  5. 5
    0
      evomalware.suspect
  6. 1
    0
      evomalware.suspect.md5
  7. 5
    1
      evomalware.whitelist
  8. 1
    1
      evomalware.whitelist.md5

+ 1
- 0
Makefile

@@ -6,5 +6,6 @@ md5:
md5sum evomalware.filenames > evomalware.filenames.md5
md5sum evomalware.patterns > evomalware.patterns.md5
md5sum evomalware.whitelist > evomalware.whitelist.md5
md5sum evomalware.suspect > evomalware.suspect.md5
clean:
rm *.md5 || exit 0

+ 0
- 2
evomalware.patterns

@@ -11,9 +11,7 @@ r57shell|
c99shell|shellbot|
void\.ru|
phpremoteview|
directmail|
bash_history|
multiviews|
cwings|
vandal|
bitchx|

+ 1
- 1
evomalware.patterns.md5

@@ -1 +1 @@
1baf9e134ab34971e107891e9dd0a8df evomalware.patterns
959ec6b01381cf9004f5db089a6f9a8b evomalware.patterns

+ 12
- 27
evomalware.sh

@@ -38,35 +38,20 @@ fi
mkdir -p $databasePATH
mkdir -p $tmpPATH
cd $tmpPATH

$wget ${databaseURL}/evomalware.filenames
$wget ${databaseURL}/evomalware.filenames.md5
if md5sum --quiet -c evomalware.filenames.md5; then
cp evomalware.filenames ${databasePATH}/
else
echo "Error with ${databaseURL}/evomalware.filenames, wrong md5sum!"
exit 1
fi
$wget ${databaseURL}/evomalware.patterns
$wget ${databaseURL}/evomalware.patterns.md5
if md5sum --quiet -c evomalware.patterns.md5; then
cp evomalware.patterns ${databasePATH}/
else
echo "Error with ${databaseURL}/evomalware.patterns, wrong md5sum!"
exit 1
fi
$wget ${databaseURL}/evomalware.whitelist
$wget ${databaseURL}/evomalware.whitelist.md5
if md5sum --quiet -c evomalware.whitelist.md5; then
cp evomalware.whitelist ${databasePATH}/
else
echo "Error with ${databaseURL}/evomalware.whitelist, wrong md5sum!"
exit 1
fi

for file in evomalware.filenames evomalware.patterns evomalware.whitelist evomalware.suspect; do
$wget ${databaseURL}/${file}
$wget ${databaseURL}/${file}.md5
if md5sum --quiet -c ${file}.md5; then
cp $file ${databasePATH}/
else
echo "Error with ${databaseURL}/${file}, wrong md5sum!"
exit 1
fi
done
filenames=$(cat ${databasePATH}/evomalware.filenames | tr -d '\n')
patterns=$(cat ${databasePATH}/evomalware.patterns | tr -d '\n')
whitelist=$(cat ${databasePATH}/evomalware.whitelist | tr -d '\n')
suspect=$(cat ${databasePATH}/evomalware.suspect | tr -d '\n')

# Search for .php files (less than 1M).
find $wwwpath -name evobackup -prune -o \( -type f ! -size +1M -name "*.php" \) \
@@ -80,7 +65,7 @@ while read file; do
echo "PHP file in a non-PHP folder detected: $file"
# Count the length of the longest line and search if suspect php functions are used.
elif [[ $($wc -L "$file" | cut -d' ' -f1) -gt 10000 ]]; then
grep -q -E -e base64 -e gzinflate -e eval -e '\\x..\\x..' -e 'chr\(rand\(' $file
grep -q -E "$suspect" "$file"
if [[ $? -eq 0 ]]; then
echo "Suspect file! More than 10000 characters in one line (and suspect PHP functions): $file."
fi
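Review bot: The `suspect=$(cat … | tr -d '\n')` assignment added next to the three existing `filenames`/`patterns`/`whitelist` ones turns each downloaded list into a single ERE alternation, and nothing strips a trailing `|` — the new evomalware.whitelist in this same commit now ends with `mainwp/index.php|`, which as an ERE contains an empty alternative that matches every line. How `$whitelist` is consumed is outside this hunk, but if it feeds a `grep -E` the way `$suspect` does here, every file would match the whitelist and the scan would be silently disabled; `$suspect` would fail the same way if a trailing `|` or blank line were ever added to evomalware.suspect. Trimming the separator when the list is read, e.g. `suspect=$(tr -d '\n' < "${databasePATH}/evomalware.suspect"); suspect=${suspect%|}`, and doing the same for the other three variables, makes the script robust to the list format. In the second hunk, `grep -q -E "$suspect" "$file"` followed by `if [[ $? -eq 0 ]]` can be folded into `if grep -q -E -- "$suspect" "$file"; then`, which also protects against a filename beginning with `-`. The enclosing `while read file` loop starts and ends outside the hunk.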

+ 5
- 0
evomalware.suspect

@@ -0,0 +1,5 @@
base64\(|
gzinflate\(|
eval\(|
\\x..\\x..|
chr\(rand\(

+ 1
- 0
evomalware.suspect.md5

@@ -0,0 +1 @@
fe651e7aee7ff103d0f2bc01778275e5 evomalware.suspect

+ 5
- 1
evomalware.whitelist

@@ -1,4 +1,8 @@
com_flippingbook|
evobackup|
smile_fonts|
gettext-compiled.php
gettext-compiled.php|
sucuri|
class-prebuilt-templates.php|
mainwp/backup/index.php|
mainwp/index.php|

+ 1
- 1
evomalware.whitelist.md5

@@ -1 +1 @@
5650b0040eba3409eb46c69b473c4099 evomalware.whitelist
93877831a1bf357a6aaa43be05a9e463 evomalware.whitelist
