Added suspect files.
This commit is contained in:
parent
88f5dd6036
commit
028bfbfc26
1
Makefile
1
Makefile
|
@ -6,5 +6,6 @@ md5:
|
||||||
md5sum evomalware.filenames > evomalware.filenames.md5
|
md5sum evomalware.filenames > evomalware.filenames.md5
|
||||||
md5sum evomalware.patterns > evomalware.patterns.md5
|
md5sum evomalware.patterns > evomalware.patterns.md5
|
||||||
md5sum evomalware.whitelist > evomalware.whitelist.md5
|
md5sum evomalware.whitelist > evomalware.whitelist.md5
|
||||||
|
md5sum evomalware.suspect > evomalware.suspect.md5
|
||||||
clean:
|
clean:
|
||||||
rm *.md5 || exit 0
|
rm *.md5 || exit 0
|
||||||
|
|
|
@ -11,9 +11,7 @@ r57shell|
|
||||||
c99shell|shellbot|
|
c99shell|shellbot|
|
||||||
void\.ru|
|
void\.ru|
|
||||||
phpremoteview|
|
phpremoteview|
|
||||||
directmail|
|
|
||||||
bash_history|
|
bash_history|
|
||||||
multiviews|
|
|
||||||
cwings|
|
cwings|
|
||||||
vandal|
|
vandal|
|
||||||
bitchx|
|
bitchx|
|
||||||
|
|
|
@ -1 +1 @@
|
||||||
1baf9e134ab34971e107891e9dd0a8df evomalware.patterns
|
959ec6b01381cf9004f5db089a6f9a8b evomalware.patterns
|
||||||
|
|
|
@ -38,35 +38,20 @@ fi
|
||||||
mkdir -p $databasePATH
|
mkdir -p $databasePATH
|
||||||
mkdir -p $tmpPATH
|
mkdir -p $tmpPATH
|
||||||
cd $tmpPATH
|
cd $tmpPATH
|
||||||
|
for file in evomalware.filenames evomalware.patterns evomalware.whitelist evomalware.suspect; do
|
||||||
$wget ${databaseURL}/evomalware.filenames
|
$wget ${databaseURL}/${file}
|
||||||
$wget ${databaseURL}/evomalware.filenames.md5
|
$wget ${databaseURL}/${file}.md5
|
||||||
if md5sum --quiet -c evomalware.filenames.md5; then
|
if md5sum --quiet -c ${file}.md5; then
|
||||||
cp evomalware.filenames ${databasePATH}/
|
cp $file ${databasePATH}/
|
||||||
else
|
else
|
||||||
echo "Error with ${databaseURL}/evomalware.filenames, wrong md5sum!"
|
echo "Error with ${databaseURL}/${file}, wrong md5sum!"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
$wget ${databaseURL}/evomalware.patterns
|
done
|
||||||
$wget ${databaseURL}/evomalware.patterns.md5
|
|
||||||
if md5sum --quiet -c evomalware.patterns.md5; then
|
|
||||||
cp evomalware.patterns ${databasePATH}/
|
|
||||||
else
|
|
||||||
echo "Error with ${databaseURL}/evomalware.patterns, wrong md5sum!"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
$wget ${databaseURL}/evomalware.whitelist
|
|
||||||
$wget ${databaseURL}/evomalware.whitelist.md5
|
|
||||||
if md5sum --quiet -c evomalware.whitelist.md5; then
|
|
||||||
cp evomalware.whitelist ${databasePATH}/
|
|
||||||
else
|
|
||||||
echo "Error with ${databaseURL}/evomalware.whitelist, wrong md5sum!"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
filenames=$(cat ${databasePATH}/evomalware.filenames | tr -d '\n')
|
filenames=$(cat ${databasePATH}/evomalware.filenames | tr -d '\n')
|
||||||
patterns=$(cat ${databasePATH}/evomalware.patterns | tr -d '\n')
|
patterns=$(cat ${databasePATH}/evomalware.patterns | tr -d '\n')
|
||||||
whitelist=$(cat ${databasePATH}/evomalware.whitelist | tr -d '\n')
|
whitelist=$(cat ${databasePATH}/evomalware.whitelist | tr -d '\n')
|
||||||
|
suspect=$(cat ${databasePATH}/evomalware.suspect | tr -d '\n')
|
||||||
|
|
||||||
# Search for .php files (less than 1M).
|
# Search for .php files (less than 1M).
|
||||||
find $wwwpath -name evobackup -prune -o \( -type f ! -size +1M -name "*.php" \) \
|
find $wwwpath -name evobackup -prune -o \( -type f ! -size +1M -name "*.php" \) \
|
||||||
|
@ -80,7 +65,7 @@ while read file; do
|
||||||
echo "PHP file in a non-PHP folder detected: $file"
|
echo "PHP file in a non-PHP folder detected: $file"
|
||||||
# Count the length of the longest line and search if suspect php functions are used.
|
# Count the length of the longest line and search if suspect php functions are used.
|
||||||
elif [[ $($wc -L "$file" | cut -d' ' -f1) -gt 10000 ]]; then
|
elif [[ $($wc -L "$file" | cut -d' ' -f1) -gt 10000 ]]; then
|
||||||
grep -q -E -e base64 -e gzinflate -e eval -e '\\x..\\x..' -e 'chr\(rand\(' $file
|
grep -q -E "$suspect" "$file"
|
||||||
if [[ $? -eq 0 ]]; then
|
if [[ $? -eq 0 ]]; then
|
||||||
echo "Suspect file! More than 10000 characters in one line (and suspect PHP functions): $file."
|
echo "Suspect file! More than 10000 characters in one line (and suspect PHP functions): $file."
|
||||||
fi
|
fi
|
||||||
|
|
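Review bot: The new download loop verifies each database against an md5 fetched from the same `${databaseURL}` as the data, so the check catches a truncated download but not a substituted one; now that `evomalware.suspect` (fed to `grep -E`) and `evomalware.whitelist` (which suppresses findings) both arrive this way, whoever can serve or rewrite that URL decides what the scanner flags and what it ignores. Pin the expected digests in the script, or verify a detached signature, rather than downloading the checksum alongside the data. Inside the loop neither `$wget` call is checked, and the files land in `$tmpPATH`, which `mkdir -p` may reuse across runs; if `$wget` (defined outside the hunk) lacks `-O`/`-N`, a failed fetch leaves a stale copy that then passes `md5sum -c`, so at minimum `$wget -O "$file" "${databaseURL}/${file}" || exit 1` and the same for the `.md5`. In the second hunk, whose enclosing `while read file` loop starts outside the hunk, pass the joined pattern as `grep -q -E -e "$suspect" -- "$file"` so a database line beginning with `-` cannot be parsed as an option, and note that an empty `evomalware.suspect` yields an empty ERE that matches every line.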
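--- /dev/null
+++ b/evomalware.suspect
@@ -0,0 +1,5 @@
+base64\(|
+gzinflate\(|
+eval\(|
+\\x..\\x..|
+chr\(rand\(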
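Review bot: `base64\(` on the first line never matches `base64_decode(`, the call that actually appears in obfuscated PHP, so this file narrows what the inlined `-e base64` caught before; likewise `eval\(` misses `eval (` with a space, which the bare `eval` tolerated. Change the first entry to `base64_decode\(|` (or keep the broader `base64|`) and consider `eval\s*\(|`. Because the script joins these lines with `tr -d '\n'` into one ERE, keep the last entry free of a trailing `|`, as `chr\(rand\(` is here, and regenerate `evomalware.suspect.md5` with `make md5` after any edit.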
1
evomalware.suspect.md5
Normal file
1
evomalware.suspect.md5
Normal file
|
@ -0,0 +1 @@
|
||||||
|
fe651e7aee7ff103d0f2bc01778275e5 evomalware.suspect
|
|
@ -1,4 +1,8 @@
|
||||||
com_flippingbook|
|
com_flippingbook|
|
||||||
evobackup|
|
evobackup|
|
||||||
smile_fonts|
|
smile_fonts|
|
||||||
gettext-compiled.php
|
gettext-compiled.php|
|
||||||
|
sucuri|
|
||||||
|
class-prebuilt-templates.php|
|
||||||
|
mainwp/backup/index.php|
|
||||||
|
mainwp/index.php|
|
||||||
|
|
|
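Review bot: The file now ends with `mainwp/index.php|`, and the script collapses it with `tr -d '\n'` into a single ERE, so the trailing `|` leaves an empty alternative that matches every path; before this commit the last entry `gettext-compiled.php` carried no pipe. However `$whitelist` is applied outside this hunk, a regex that matches everything defeats it — if it is an exclusion list, every file is exempted from the scan. Drop the pipe from the final entry, `mainwp/index.php`, and regenerate `evomalware.whitelist.md5` with `make md5`. Separately, unanchored substrings such as `sucuri|` match any path containing that text, so if the list is an exclusion a dropped `uploads/sucuri.php` is skipped as well; anchoring entries (`/sucuri/`) narrows that.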
@ -1 +1 @@
|
||||||
5650b0040eba3409eb46c69b473c4099 evomalware.whitelist
|
93877831a1bf357a6aaa43be05a9e463 evomalware.whitelist
|
||||||
|
|