|
|
@ -56,8 +56,10 @@ patterns=$(cat ${databasePATH}/evomalware.patterns | tr -d '\n') |
|
|
|
whitelist=$(cat ${databasePATH}/evomalware.whitelist $whitelistLocal | tr -d '\n') |
|
|
|
suspect=$(cat ${databasePATH}/evomalware.suspect | tr -d '\n') |
|
|
|
|
|
|
|
# Search for .php files (less than 1M). |
|
|
|
find $wwwpath -name evobackup -prune -o \( -type f ! -size +1M -name "*.php" \) \ |
|
|
|
# Search for .php and .js files (less than 1M). |
|
|
|
find $wwwpath -name evobackup -prune \ |
|
|
|
-o \( -type f ! -size +1M -name "*.php" \) \ |
|
|
|
-o \( -type f ! -size +1M -name "*.js" \) \ |
|
|
|
| grep -E -v "$whitelist" > $fileslist 2>/dev/null |
|
|
|
while read file; do |
|
|
|
# Search known filenames. |
|
|
@ -70,7 +72,10 @@ while read file; do |
|
|
|
elif [[ $($wc -L "$file" 2>/dev/null | cut -d' ' -f1) -gt 10000 ]]; then |
|
|
|
grep -q -E "$suspect" "$file" |
|
|
|
if [[ $? -eq 0 ]]; then |
|
|
|
echo "Suspect file! More than 10000 characters in one line (and suspect PHP functions): $file." |
|
|
|
# Don't suspect "one line" .js file due to common minification. |
|
|
|
if [[ ! "$file" =~ .js$ ]]; then |
|
|
|
echo "Suspect file! More than 10000 characters in one line (and suspect PHP functions): $file." |
|
|
|
fi |
|
|
|
fi |
|
|
|
else |
|
|
|
# Search for patterns. |
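Review bot: The new guard `if [[ ! "$file" =~ .js$ ]]` in the second hunk silences the long-line alert for every file ending in `.js`, even though that point is only reached after `grep -q -E "$suspect"` has matched suspect PHP functions in the file. Because this is an `elif` branch, such a file also never reaches the `else` pattern search, so PHP code stored under a `.js` name with one long line appears to go unreported by this chain. Consider keeping the exemption only for files without a PHP open tag, for example `if [[ ! "$file" =~ \.js$ ]] || grep -q -F '<?php' "$file"; then`, with a comment stating that only pure minified JavaScript is skipped. The dot in `.js$` is unescaped and matches any character; `\.js$` states the intent. The `while read file` loop and the `else` body continue outside the hunk, so the rest of the chain should be checked against this.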
|
|
|