Merge PR #106 into develop
This commit is contained in:
commit
f436afc2b8
GPG Key ID:
EFC0C720A240551C
|
|
@ -19,4 +19,4 @@ fileExt="php|php3|php4|php5|phps|html|htaccess|gif"
|
|||
|
||||
; These format the output:
|
||||
code="<span class='jamss_tooltip code' title='%s'>code</span> "
|
||||
info="<span class='jamss_tooltip info' title='%s'>info</span> "
|
||||
info="<span class='jamss_tooltip info badge bg-warning me-1 mb-1' title='%s' data-bs-toggle="tooltip">?</span> "
|
||||
|
|
|
|||
|
|
@ -15,6 +15,9 @@ defined('_JEXEC') or die('Restricted access');
|
|||
// Include the rule base class
|
||||
require_once JPATH_COMPONENT_ADMINISTRATOR . '/models/rule.php';
|
||||
|
||||
// Include the helper class
|
||||
require_once JPATH_COMPONENT_ADMINISTRATOR . '/libraries/helper.php';
|
||||
|
||||
/**
|
||||
* JedcheckerRulesJamss
|
||||
*
|
||||
|
|
@ -111,13 +114,13 @@ class JedcheckerRulesJamss extends JEDcheckerRule
|
|||
$jamssStrings .= 'phpremoteview|directmail|bash_history|multiviews|cwings|vandal|bitchx|';
|
||||
$jamssStrings .= 'eggdrop|guardservices|psybnc|dalnet|undernet|vulnscan|spymeta|raslan58|';
|
||||
$jamssStrings .= 'Webshell|str_rot13|FilesMan|FilesTools|Web Shell|ifrm|bckdrprm|';
|
||||
$jamssStrings .= 'hackmeplz|wrgggthhd|WSOsetcookie|Hmei7|Inbox Mass Mailer|HackTeam|Hackeado';
|
||||
$jamssStrings .= 'hackmeplz|wrgggthhd|WSOsetcookie|Hmei7|Inbox Mass Mailer|HackTeam|Hackeado|';
|
||||
$jamssStrings .= 'Janissaries|Miyachung|ccteam|Adminer|OOO000000|$GLOBALS|findsysfolder';
|
||||
|
||||
// These patterns will be used if GET parameter ?deepscan=1 is set while calling jamss.php file
|
||||
$jamssDeepSearchStrings = 'eval|base64_decode|base64_encode|gzdecode|gzdeflate|';
|
||||
$jamssDeepSearchStrings .= 'gzuncompress|gzcompress|readgzfile|zlib_decode|zlib_encode|';
|
||||
$jamssDeepSearchStrings .= 'gzfile|gzget|gzpassthru|iframe|strrev|lzw_decompress|strtr';
|
||||
$jamssDeepSearchStrings .= 'gzfile|gzget|gzpassthru|iframe|strrev|lzw_decompress|strtr|';
|
||||
$jamssDeepSearchStrings .= 'exec|passthru|shell_exec|system|proc_|popen';
|
||||
|
||||
// The patterns to search for
|
||||
|
|
@ -313,6 +316,8 @@ class JedcheckerRulesJamss extends JEDcheckerRule
|
|||
}
|
||||
else
|
||||
{
|
||||
$content = JEDCheckerHelper::cleanPhpCode($content, JEDCheckerHelper::CLEAN_COMMENTS);
|
||||
|
||||
// Do a search for fingerprints
|
||||
foreach ($patterns As $pattern)
|
||||
{
|
||||
|
|
@ -346,18 +351,34 @@ class JedcheckerRulesJamss extends JEDcheckerRule
|
|||
{
|
||||
$count++;
|
||||
|
||||
foreach ($all_results as $match)
|
||||
{
|
||||
// Output the line of malware code, but sanitize it before
|
||||
// The offset is in $match[1]
|
||||
$offset = $match[1];
|
||||
// Note: negative 3rd argument is used for right-to-left search
|
||||
$start = strrpos($content, "\n", -(strlen($content) - $offset));
|
||||
|
||||
if ($start === false)
|
||||
{
|
||||
$start = 0;
|
||||
}
|
||||
|
||||
$end = strpos($content, "\n", $offset);
|
||||
|
||||
if ($end === false)
|
||||
{
|
||||
$end = strlen($content);
|
||||
}
|
||||
|
||||
$first_code = substr($content, $start, min($end - $start, 200));
|
||||
$first_line = $this->calculate_line_number($offset, $content);
|
||||
break;
|
||||
}
|
||||
|
||||
if (is_array($pattern))
|
||||
{
|
||||
// Then it has some additional comments
|
||||
foreach ($all_results as $match)
|
||||
{
|
||||
// Output the line of malware code, but sanitize it before
|
||||
// The offset is in $match[1]
|
||||
$first_code = substr($content, $match[1], 200);
|
||||
$first_line = $this->calculate_line_number($match[1], $content);
|
||||
break;
|
||||
}
|
||||
|
||||
$this->jamssWarning(
|
||||
$path,
|
||||
JText::_('COM_JEDCHECKER_ERROR_JAMSS_PATTERN') . "#$pattern[2] - $pattern[1]",
|
||||
|
|
@ -369,16 +390,6 @@ class JedcheckerRulesJamss extends JEDcheckerRule
|
|||
else
|
||||
{
|
||||
// It's a string, no comments available
|
||||
$first_content = "";
|
||||
|
||||
foreach ($all_results as $match)
|
||||
{
|
||||
// Output the line of malware code, but sanitize it before
|
||||
$first_code = substr($content, $match[1], 200);
|
||||
$first_line = $this->calculate_line_number($match[1], $content);
|
||||
break;
|
||||
}
|
||||
|
||||
$this->jamssWarning(
|
||||
$path,
|
||||
JText::_('COM_JEDCHECKER_ERROR_JAMSS_STRING') . $pattern,
|
||||
|
|
@ -429,8 +440,7 @@ class JedcheckerRulesJamss extends JEDcheckerRule
|
|||
*/
|
||||
private function jamssWarning($path, $title, $info, $code, $line)
|
||||
{
|
||||
$info = !empty($info)?sprintf($this->params->get('info'), htmlentities($info, ENT_QUOTES)):"";
|
||||
$code = !empty($code)?sprintf($this->params->get('code'), htmlentities($code, ENT_QUOTES)):"";
|
||||
$this->report->addWarning($path, $info . $code . $title, $line);
|
||||
$info = !empty($info) ? sprintf($this->params->get('info'), htmlentities($info, ENT_QUOTES)) : '';
|
||||
$this->report->addWarning($path, $info . $title, $line, $code);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue