Add a whitelist.
This commit is contained in:
parent
82c411f52c
commit
88f5dd6036
1
Makefile
1
Makefile
|
|
@ -5,5 +5,6 @@ all: $(TARGET)
|
||||||
md5:
|
md5:
|
||||||
md5sum evomalware.filenames > evomalware.filenames.md5
|
md5sum evomalware.filenames > evomalware.filenames.md5
|
||||||
md5sum evomalware.patterns > evomalware.patterns.md5
|
md5sum evomalware.patterns > evomalware.patterns.md5
|
||||||
|
md5sum evomalware.whitelist > evomalware.whitelist.md5
|
||||||
clean:
|
clean:
|
||||||
rm *.md5 || exit 0
|
rm *.md5 || exit 0
|
||||||
|
|
|
||||||
|
|
@ -4,6 +4,5 @@ abookH2w.php|
|
||||||
sslksZ.php|
|
sslksZ.php|
|
||||||
rzy2r4.php|
|
rzy2r4.php|
|
||||||
70ggd_shellscript.php|
|
70ggd_shellscript.php|
|
||||||
EWwJgDeNl|
|
|
||||||
seo_hack_antipidersia.php|
|
seo_hack_antipidersia.php|
|
||||||
shellscript_pass_dezmond.php
|
shellscript_pass_dezmond.php
|
||||||
|
|
@ -1 +1 @@
|
||||||
3d686ed2825040f28b37b8ffe86b302b evomalware.filenames
|
2fe2a2bde028dc9e0e2ca513b0928b99 evomalware.filenames
|
||||||
|
|
|
||||||
|
|
@ -29,7 +29,6 @@ Webshell|
|
||||||
FilesMan|
|
FilesMan|
|
||||||
FilesTools|
|
FilesTools|
|
||||||
Web Shell|
|
Web Shell|
|
||||||
ifrm|
|
|
||||||
bckdrprm|
|
bckdrprm|
|
||||||
hackmeplz|
|
hackmeplz|
|
||||||
wrgggthhd|
|
wrgggthhd|
|
||||||
|
|
|
||||||
|
|
@ -1 +1 @@
|
||||||
0ed10460b6e8178f244063877aeb030d evomalware.patterns
|
1baf9e134ab34971e107891e9dd0a8df evomalware.patterns
|
||||||
|
|
|
||||||
|
|
@ -9,7 +9,7 @@ wwwpath=/home
|
||||||
databaseURL="http://antispam00.evolix.org/evomalware"
|
databaseURL="http://antispam00.evolix.org/evomalware"
|
||||||
databasePATH=/var/lib/evomalware
|
databasePATH=/var/lib/evomalware
|
||||||
# Tools.
|
# Tools.
|
||||||
find="ionice -c3 find"
|
find="ionice -c3 find -O3"
|
||||||
grep="nice -n 19 grep"
|
grep="nice -n 19 grep"
|
||||||
wc="nice -n 19 wc"
|
wc="nice -n 19 wc"
|
||||||
wget="wget -q -t 3"
|
wget="wget -q -t 3"
|
||||||
|
|
@ -38,6 +38,7 @@ fi
|
||||||
mkdir -p $databasePATH
|
mkdir -p $databasePATH
|
||||||
mkdir -p $tmpPATH
|
mkdir -p $tmpPATH
|
||||||
cd $tmpPATH
|
cd $tmpPATH
|
||||||
|
|
||||||
$wget ${databaseURL}/evomalware.filenames
|
$wget ${databaseURL}/evomalware.filenames
|
||||||
$wget ${databaseURL}/evomalware.filenames.md5
|
$wget ${databaseURL}/evomalware.filenames.md5
|
||||||
if md5sum --quiet -c evomalware.filenames.md5; then
|
if md5sum --quiet -c evomalware.filenames.md5; then
|
||||||
|
|
@ -54,12 +55,22 @@ else
|
||||||
echo "Error with ${databaseURL}/evomalware.patterns, wrong md5sum!"
|
echo "Error with ${databaseURL}/evomalware.patterns, wrong md5sum!"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
$wget ${databaseURL}/evomalware.whitelist
|
||||||
|
$wget ${databaseURL}/evomalware.whitelist.md5
|
||||||
|
if md5sum --quiet -c evomalware.whitelist.md5; then
|
||||||
|
cp evomalware.whitelist ${databasePATH}/
|
||||||
|
else
|
||||||
|
echo "Error with ${databaseURL}/evomalware.whitelist, wrong md5sum!"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
filenames=$(cat ${databasePATH}/evomalware.filenames | tr -d '\n')
|
filenames=$(cat ${databasePATH}/evomalware.filenames | tr -d '\n')
|
||||||
patterns=$(cat ${databasePATH}/evomalware.patterns | tr -d '\n')
|
patterns=$(cat ${databasePATH}/evomalware.patterns | tr -d '\n')
|
||||||
|
whitelist=$(cat ${databasePATH}/evomalware.whitelist | tr -d '\n')
|
||||||
|
|
||||||
# Search for .php files (less than 1M).
|
# Search for .php files (less than 1M).
|
||||||
find $wwwpath -name evobackup -prune -o \( -type f ! -size +1M -name "*.php" \) \
|
find $wwwpath -name evobackup -prune -o \( -type f ! -size +1M -name "*.php" \) \
|
||||||
> $fileslist 2>/dev/null
|
| grep -E -v "$whitelist" > $fileslist 2>/dev/null
|
||||||
while read file; do
|
while read file; do
|
||||||
# Search known filenames.
|
# Search known filenames.
|
||||||
if [[ "$file" =~ $filenames ]]; then
|
if [[ "$file" =~ $filenames ]]; then
|
||||||
|
|
@ -68,10 +79,10 @@ while read file; do
|
||||||
elif [[ "$file" =~ "wp-content/uploads/" ]]; then
|
elif [[ "$file" =~ "wp-content/uploads/" ]]; then
|
||||||
echo "PHP file in a non-PHP folder detected: $file"
|
echo "PHP file in a non-PHP folder detected: $file"
|
||||||
# Count the length of the longest line and search if suspect php functions are used.
|
# Count the length of the longest line and search if suspect php functions are used.
|
||||||
elif [[ $($wc -L "$file" | cut -d' ' -f1) -gt 1000 ]]; then
|
elif [[ $($wc -L "$file" | cut -d' ' -f1) -gt 10000 ]]; then
|
||||||
grep -q -E -e base64 -e gzinflate -e eval -e '\\x..\\x..' -e 'chr\(rand\(' $file
|
grep -q -E -e base64 -e gzinflate -e eval -e '\\x..\\x..' -e 'chr\(rand\(' $file
|
||||||
if [[ $? -eq 0 ]]; then
|
if [[ $? -eq 0 ]]; then
|
||||||
echo "Suspect file! More than 1000 characters in one line (and suspect PHP functions): $file."
|
echo "Suspect file! More than 10000 characters in one line (and suspect PHP functions): $file."
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
# Search for patterns.
|
# Search for patterns.
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,4 @@
|
||||||
|
com_flippingbook|
|
||||||
|
evobackup|
|
||||||
|
smile_fonts|
|
||||||
|
gettext-compiled.php
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
5650b0040eba3409eb46c69b473c4099 evomalware.whitelist
|
||||||
Loading…
Reference in New Issue