diff --git a/Makefile b/Makefile index 4eed44c..59230a2 100644 --- a/Makefile +++ b/Makefile @@ -5,5 +5,6 @@ all: $(TARGET) md5: md5sum evomalware.filenames > evomalware.filenames.md5 md5sum evomalware.patterns > evomalware.patterns.md5 + md5sum evomalware.whitelist > evomalware.whitelist.md5 clean: rm *.md5 || exit 0 diff --git a/evomalware.filenames b/evomalware.filenames index 5f1a0e3..09e0ba8 100644 --- a/evomalware.filenames +++ b/evomalware.filenames @@ -4,6 +4,5 @@ abookH2w.php| sslksZ.php| rzy2r4.php| 70ggd_shellscript.php| -EWwJgDeNl| seo_hack_antipidersia.php| shellscript_pass_dezmond.php \ No newline at end of file diff --git a/evomalware.filenames.md5 b/evomalware.filenames.md5 index c3337b3..296ab53 100644 --- a/evomalware.filenames.md5 +++ b/evomalware.filenames.md5 @@ -1 +1 @@ -3d686ed2825040f28b37b8ffe86b302b evomalware.filenames +2fe2a2bde028dc9e0e2ca513b0928b99 evomalware.filenames diff --git a/evomalware.patterns b/evomalware.patterns index 4a74a27..2d22942 100644 --- a/evomalware.patterns +++ b/evomalware.patterns @@ -29,7 +29,6 @@ Webshell| FilesMan| FilesTools| Web Shell| -ifrm| bckdrprm| hackmeplz| wrgggthhd| diff --git a/evomalware.patterns.md5 b/evomalware.patterns.md5 index eb3083b..a61f348 100644 --- a/evomalware.patterns.md5 +++ b/evomalware.patterns.md5 @@ -1 +1 @@ -0ed10460b6e8178f244063877aeb030d evomalware.patterns +1baf9e134ab34971e107891e9dd0a8df evomalware.patterns diff --git a/evomalware.sh b/evomalware.sh index 9857992..ca8c16a 100644 --- a/evomalware.sh +++ b/evomalware.sh @@ -9,7 +9,7 @@ wwwpath=/home databaseURL="http://antispam00.evolix.org/evomalware" databasePATH=/var/lib/evomalware # Tools. -find="ionice -c3 find" +find="ionice -c3 find -O3" grep="nice -n 19 grep" wc="nice -n 19 wc" wget="wget -q -t 3" @@ -38,6 +38,7 @@ fi mkdir -p $databasePATH mkdir -p $tmpPATH cd $tmpPATH + $wget ${databaseURL}/evomalware.filenames $wget ${databaseURL}/evomalware.filenames.md5 if md5sum --quiet -c evomalware.filenames.md5; then 
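Review bot: The `-O3` added to `find="ionice -c3 find -O3"` does not reach the only search visible in this patch, which calls bare `find $wwwpath -name evobackup -prune ...` rather than `$find`; unless `$find` is used somewhere outside these hunks, the change is a no-op and the ionice/nice wrapper is equally bypassed. Either call `$find $wwwpath ...` in the scan or drop the variable so the two don't silently diverge. `-O3` is also a GNU findutils extension (as is `ionice` being Linux-only), which is worth a one-line comment next to the assignment, e.g. `# GNU find only: -O3 reorders predicates for speed, ionice keeps the scan off the I/O critical path`.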
@@ -54,12 +55,22 @@ else echo "Error with ${databaseURL}/evomalware.patterns, wrong md5sum!" exit 1 fi +$wget ${databaseURL}/evomalware.whitelist +$wget ${databaseURL}/evomalware.whitelist.md5 +if md5sum --quiet -c evomalware.whitelist.md5; then + cp evomalware.whitelist ${databasePATH}/ +else + echo "Error with ${databaseURL}/evomalware.whitelist, wrong md5sum!" + exit 1 +fi + filenames=$(cat ${databasePATH}/evomalware.filenames | tr -d '\n') patterns=$(cat ${databasePATH}/evomalware.patterns | tr -d '\n') +whitelist=$(cat ${databasePATH}/evomalware.whitelist | tr -d '\n') # Search for .php files (less than 1M). find $wwwpath -name evobackup -prune -o \( -type f ! -size +1M -name "*.php" \) \ - > $fileslist 2>/dev/null + | grep -E -v "$whitelist" > $fileslist 2>/dev/null while read file; do # Search known filenames. if [[ "$file" =~ $filenames ]]; then @@ -68,10 +79,10 @@ while read file; do elif [[ "$file" =~ "wp-content/uploads/" ]]; then echo "PHP file in a non-PHP folder detected: $file" # Count the length of the longest line and search if suspect php functions are used. - elif [[ $($wc -L "$file" | cut -d' ' -f1) -gt 1000 ]]; then + elif [[ $($wc -L "$file" | cut -d' ' -f1) -gt 10000 ]]; then grep -q -E -e base64 -e gzinflate -e eval -e '\\x..\\x..' -e 'chr\(rand\(' $file if [[ $? -eq 0 ]]; then - echo "Suspect file! More than 1000 characters in one line (and suspect PHP functions): $file." + echo "Suspect file! More than 10000 characters in one line (and suspect PHP functions): $file." fi else # Search for patterns. diff --git a/evomalware.whitelist b/evomalware.whitelist new file mode 100644 index 0000000..07ecd8e --- /dev/null +++ b/evomalware.whitelist @@ -0,0 +1,4 @@ +com_flippingbook| +evobackup| +smile_fonts| +gettext-compiled.php \ No newline at end of file diff --git a/evomalware.whitelist.md5 b/evomalware.whitelist.md5 new file mode 100644 index 0000000..67f0cfe --- /dev/null +++ b/evomalware.whitelist.md5 
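Review bot: The new whitelist is fetched over plain HTTP (`databaseURL` is `http://...`) and validated only against an MD5 file pulled from the same origin over the same channel, so it proves nothing about authenticity: anyone who can tamper with the response can ship a whitelist of `.` and the scanner will exclude every file and report a clean host, which is a worse failure mode than the existing lists because it suppresses findings rather than adding them. The same outcome happens by accident if the file is empty or ends with `|`, since `tr -d '\n'` joins the lines and `grep -E -v ""` (or a trailing empty alternative) excludes every path; add a guard such as `[[ -n "$whitelist" && "$whitelist" != *"|" ]] || { echo "Empty or malformed whitelist, refusing to scan"; exit 1; }` before the find pipeline, and consider HTTPS or a detached signature rather than a same-origin MD5. Note also that moving the output into a pipe puts `2>/dev/null` on `grep`, so find's permission-denied noise is no longer discarded as it was on the removed line; if that was unintended, write `find ... 2>/dev/null | grep -E -v "$whitelist" > $fileslist`. The `while read file` loop this feeds continues outside the hunk.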
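Review bot: The new threshold 10000 is now spelled out twice, once in the `-gt` test and once in the echoed message, so the next adjustment can leave the report claiming a limit that was not the one measured; hoist it, e.g. `maxlinelen=10000` near the other settings, `-gt $maxlinelen` in the test and `"Suspect file! More than $maxlinelen characters in one line (and suspect PHP functions): $file."` in the echo. Because this branch sits in an `elif` chain, a file with a line over the limit that lacks any of the grep'd tokens now falls out without ever reaching the pattern search in the `else` branch, while files with 1000–10000 character lines are newly routed to that pattern search instead; a short comment stating that trade-off would help whoever tunes this next. The enclosing `while read file` loop starts and ends outside this hunk.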
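Review bot: `evobackup|` duplicates the `-name evobackup -prune` already on the find command in evomalware.sh, and because the whole file is joined into one unanchored `grep -E -v` expression each entry excludes any path that merely contains it as a substring, so `gettext-compiled.php` (with `.` as an unescaped metacharacter) also hides `gettext-compiledXphp` and `smile_fonts` hides anything under a directory whose name happens to contain it. Anchor the entries to path components, e.g. `/smile_fonts/`, `/com_flippingbook/`, `/gettext-compiled\.php$`, and since this file has no comment syntax (a comment line would itself become a pattern), document in evomalware.sh or the README that lines are ERE alternatives, that the last line must not end in `|`, and that an empty file disables the scan.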
@@ -0,0 +1 @@
+5650b0040eba3409eb46c69b473c4099 evomalware.whitelist