btoplak / Joomla-Anti-Malware-Scan-Script--JAMSS-

a Joomla! and WordPress Security script that automatically scans the Joomla! or WordPress files for some patterns and "fingerprints" of malware, trojans or other injections into PHP code

.gif file that starts straight with '<?php' instead of 'GIF89a.' #13

Open peterpeter opened 8 years ago

peterpeter commented 8 years ago

Hi, a colleague discovered two manipulated gif files in his (Joomla) template image folder that start straight with <?php instead of the used JAMSS pattern GIF89a.*[\r\n]*.*<\?php, followed by plain PHP code (no eval/gzip/base64_encode...).

As the patterns are file-extension independent, and this is the future format of manipulated gifs, that could be faced by adding an additional 'include/exclude file-extension' entry/entries in the patterns arrays, which can be used as an additional condition in the scan_file() function.
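
The suggestion above as an added sketch in PHP, not JAMSS's own code: the pattern-array layout, the `ext` key, the `scan_content()` helper and the sample file contents are assumptions made for illustration. It applies a per-pattern extension filter and also flags image files whose leading bytes do not match their extension, which catches a .gif that opens with `<?php`.

```php
<?php
// Hypothetical pattern layout (not JAMSS's actual arrays). An optional 'ext'
// list restricts a pattern to those extensions; without it, it applies everywhere.
$patterns = [
    ['id' => 'img_php_open_tag',            // constructed id
     're' => '/<\?php/i',
     'ext' => ['gif', 'jpg', 'jpeg', 'png']],
    ['id' => 'gif_header_then_php',         // the pattern quoted in the issue
     're' => '/GIF89a.*[\r\n]*.*<\?php/'],
];

// Leading bytes expected for each image extension.
$magic = [
    'gif'  => ["GIF87a", "GIF89a"],
    'png'  => ["\x89PNG\r\n\x1a\n"],
    'jpg'  => ["\xFF\xD8\xFF"],
    'jpeg' => ["\xFF\xD8\xFF"],
];

function scan_content(string $name, string $content, array $patterns, array $magic): array
{
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    $hits = [];
    // Extension/content mismatch: an image that does not start with its signature.
    if (isset($magic[$ext])) {
        $ok = false;
        foreach ($magic[$ext] as $sig) {
            if (strncmp($content, $sig, strlen($sig)) === 0) { $ok = true; break; }
        }
        if (!$ok) { $hits[] = 'magic_mismatch'; }
    }
    foreach ($patterns as $p) {
        // Skip patterns that are restricted to other extensions.
        if (isset($p['ext']) && !in_array($ext, $p['ext'], true)) { continue; }
        if (preg_match($p['re'], $content) === 1) { $hits[] = $p['id']; }
    }
    return $hits;
}

// Constructed samples: a .gif holding plain PHP, a minimal real GIF header, a normal PHP file.
$samples = [
    'logo.gif'   => "<?php echo 'x';",
    'banner.gif' => "GIF89a\x01\x00\x01\x00\x00\x00\x00;",
    'index.php'  => "<?php echo 'hello';",
];
foreach ($samples as $name => $content) {
    echo $name, ': ', implode(', ', scan_content($name, $content, $patterns, $magic)) ?: 'clean', "\n";
}
```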