From 028bfbfc26e2c00441c33294c0dd5560275491ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?=
Date: Thu, 22 Jan 2015 17:38:03 +0100
Subject: [PATCH] Added suspect files.
---
 Makefile | 1 +
 evomalware.patterns | 2 --
 evomalware.patterns.md5 | 2 +-
 evomalware.sh | 39 ++++++++++++---------------------
 evomalware.suspect | 5 +++++
 evomalware.suspect.md5 | 1 +
 evomalware.whitelist | 6 +++++-
 evomalware.whitelist.md5 | 2 +-
 8 files changed, 26 insertions(+), 32 deletions(-)
 create mode 100644 evomalware.suspect
 create mode 100644 evomalware.suspect.md5
diff --git a/Makefile b/Makefile
index 59230a2..a1eb101 100644
--- a/Makefile
+++ b/Makefile
@@ -6,5 +6,6 @@ md5:
 md5sum evomalware.filenames > evomalware.filenames.md5
 md5sum evomalware.patterns > evomalware.patterns.md5
 md5sum evomalware.whitelist > evomalware.whitelist.md5
+ md5sum evomalware.suspect > evomalware.suspect.md5
 clean:
 rm *.md5 || exit 0
diff --git a/evomalware.patterns b/evomalware.patterns
index 2d22942..838bc65 100644
--- a/evomalware.patterns
+++ b/evomalware.patterns
@@ -11,9 +11,7 @@ r57shell|
 c99shell|shellbot|
 void\.ru|
 phpremoteview|
-directmail|
 bash_history|
-multiviews|
 cwings|
 vandal|
 bitchx|
diff --git a/evomalware.patterns.md5 b/evomalware.patterns.md5
index a61f348..1bb92c3 100644
--- a/evomalware.patterns.md5
+++ b/evomalware.patterns.md5
@@ -1 +1 @@
-1baf9e134ab34971e107891e9dd0a8df evomalware.patterns
+959ec6b01381cf9004f5db089a6f9a8b evomalware.patterns
diff --git a/evomalware.sh b/evomalware.sh
index ca8c16a..2c0e913 100644
--- a/evomalware.sh
+++ b/evomalware.sh
@@ -38,35 +38,20 @@ fi
 mkdir -p $databasePATH
 mkdir -p $tmpPATH
 cd $tmpPATH
-
-$wget ${databaseURL}/evomalware.filenames
-$wget ${databaseURL}/evomalware.filenames.md5
-if md5sum --quiet -c evomalware.filenames.md5; then
- cp evomalware.filenames ${databasePATH}/
-else
- echo "Error with ${databaseURL}/evomalware.filenames, wrong md5sum!"
- exit 1
-fi
-$wget ${databaseURL}/evomalware.patterns
-$wget ${databaseURL}/evomalware.patterns.md5
-if md5sum --quiet -c evomalware.patterns.md5; then
- cp evomalware.patterns ${databasePATH}/
-else
- echo "Error with ${databaseURL}/evomalware.patterns, wrong md5sum!"
- exit 1
-fi
-$wget ${databaseURL}/evomalware.whitelist
-$wget ${databaseURL}/evomalware.whitelist.md5
-if md5sum --quiet -c evomalware.whitelist.md5; then
- cp evomalware.whitelist ${databasePATH}/
-else
- echo "Error with ${databaseURL}/evomalware.whitelist, wrong md5sum!"
- exit 1
-fi
-
+for file in evomalware.filenames evomalware.patterns evomalware.whitelist evomalware.suspect; do
+ $wget ${databaseURL}/${file}
+ $wget ${databaseURL}/${file}.md5
+ if md5sum --quiet -c ${file}.md5; then
+ cp $file ${databasePATH}/
+ else
+ echo "Error with ${databaseURL}/${file}, wrong md5sum!"
+ exit 1
+ fi
+done
 filenames=$(cat ${databasePATH}/evomalware.filenames | tr -d '\n')
 patterns=$(cat ${databasePATH}/evomalware.patterns | tr -d '\n')
 whitelist=$(cat ${databasePATH}/evomalware.whitelist | tr -d '\n')
+suspect=$(cat ${databasePATH}/evomalware.suspect | tr -d '\n')
 # Search for .php files (less than 1M).
 find $wwwpath -name evobackup -prune -o \( -type f ! -size +1M -name "*.php" \) \
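Review bot: The two `$wget` calls in the new loop discard their exit status, so a failed fetch (for instance of the newly required evomalware.suspect from a mirror that does not serve it yet) only surfaces as the misleading `wrong md5sum!` message from the following `md5sum -c`, and whether a stale copy left in $tmpPATH by an earlier run could then pass the check depends on what `$wget` expands to, which is defined outside the hunk. I would fail on the download itself, e.g. `$wget "${databaseURL}/${file}" || { echo "Error downloading ${databaseURL}/${file}" >&2; exit 1; }` for each of the two fetches, and quote `$file` and `${databasePATH}` in the `cp` line. The loop head also deserves a comment making the limits of the check explicit, since file and checksum come from the same origin over the same channel: `# Integrity check only: the .md5 is served next to the file, so a corrupted transfer is caught but a tampered source is not.`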
@@ -80,7 +65,7 @@ while read file; do
 echo "PHP file in a non-PHP folder detected: $file"
 # Count the length of the longest line and search if suspect php functions are used.
 elif [[ $($wc -L "$file" | cut -d' ' -f1) -gt 10000 ]]; then
- grep -q -E -e base64 -e gzinflate -e eval -e '\\x..\\x..' -e 'chr\(rand\(' $file
+ grep -q -E "$suspect" "$file"
 if [[ $? -eq 0 ]]; then
 echo "Suspect file! More than 10000 characters in one line (and suspect PHP functions): $file."
 fi
diff --git a/evomalware.suspect b/evomalware.suspect
new file mode 100644
index 0000000..14a7122
--- /dev/null
+++ b/evomalware.suspect
@@ -0,0 +1,5 @@
+base64\(|
+gzinflate\(|
+eval\(|
+\\x..\\x..|
+chr\(rand\(
\ No newline at end of file
diff --git a/evomalware.suspect.md5 b/evomalware.suspect.md5
new file mode 100644
index 0000000..caaa79b
--- /dev/null
+++ b/evomalware.suspect.md5
@@ -0,0 +1 @@
+fe651e7aee7ff103d0f2bc01778275e5 evomalware.suspect
diff --git a/evomalware.whitelist b/evomalware.whitelist
index 07ecd8e..c6739ed 100644
--- a/evomalware.whitelist
+++ b/evomalware.whitelist
@@ -1,4 +1,8 @@
 com_flippingbook|
 evobackup|
 smile_fonts|
-gettext-compiled.php
\ No newline at end of file
+gettext-compiled.php|
+sucuri|
+class-prebuilt-templates.php|
+mainwp/backup/index.php|
+mainwp/index.php|
diff --git a/evomalware.whitelist.md5 b/evomalware.whitelist.md5
index 67f0cfe..daf8e90 100644
--- a/evomalware.whitelist.md5
+++ b/evomalware.whitelist.md5
@@ -1 +1 @@
-5650b0040eba3409eb46c69b473c4099 evomalware.whitelist
+93877831a1bf357a6aaa43be05a9e463 evomalware.whitelist
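Review bot: `grep -q -E "$suspect" "$file"` now takes its entire expression from a downloaded file, so the detection is only as sound as that file: an empty `$suspect` (`grep -E ''` matches every line) or a trailing `|` (an empty alternative, which GNU grep also treats as matching everything) would flag every long-line file, while a regex syntax error makes grep fail and flags nothing. A guard where `$suspect` is built, before this `while read` loop (its start is outside the hunk), such as `[[ -n "$suspect" && "$suspect" != *'|' ]] || { echo "Invalid evomalware.suspect pattern list" >&2; exit 1; }`, would fail loudly instead of silently mis-scanning. The comment above the `elif` should also say where the list now lives: `# ... search if suspect PHP functions (ERE alternation from evomalware.suspect) are used.`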
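Review bot: The first entry `base64\(` in the new evomalware.suspect can never match PHP source, because PHP has no function named `base64`; its encoders are `base64_encode` and `base64_decode`, which the old `-e base64` substring match this file replaces did catch, so base64 detection is silently lost. I would write the entry as `base64_(de|en)code\(` or keep the broad `base64`. Since the script joins the file with `tr -d '\n'` into a single ERE, the last line must keep no trailing `|` and the file cannot hold comments; that constraint is worth a line in the project documentation, as nothing in the patch records it.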
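Review bot: The whitelist now ends with `mainwp/index.php|`, whereas the replaced last entry `gettext-compiled.php` had no trailing bar; after the script's `tr -d '\n'` join that leaves an empty alternative at the end of `$whitelist`, and GNU grep -E treats an empty alternative as matching every line. If `$whitelist` is applied as a `grep -E` exclusion on the scanned paths (its use is outside the hunks, so this is inferred), every file would be whitelisted and the scan would silently report nothing. Drop the bar from the final line, `mainwp/index.php`, and consider stripping one defensively in the script where the variable is built: `whitelist=${whitelist%|}`.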