scr34m / php-malware-scanner

Scans PHP files for malware and known threats
GNU General Public License v3.0
556 stars, 96 forks

Additional Finds in Compromised Site #12

Closed: jaygilmore closed this issue 6 years ago

jaygilmore commented 6 years ago

The following files are commonly located in assets/images in compromised MODX CMS Revolution sites that were exploited using a vulnerability in versions below 2.2.15:

https://gist.github.com/jaygilmore/d6a6c1ae03420698cad1ea3135b38dd4
https://gist.github.com/jaygilmore/60410fdb1e37006786712379d9020de6
https://gist.github.com/jaygilmore/27b8c8037ad2120343a360ff68596ae8 (sorry, this one, wp-post.php, was found by the scanner).

All are different. The accesson.php one is the most commonly found file among hacked MODX sites.
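
The placement described above (PHP dropped into assets/images, where a MODX site never keeps executable code) is itself a usable detection signal. The following is an added example, not code from php-malware-scanner or from the gists linked in this thread: a small Python walker that flags PHP files under image/upload directories and image-named files whose bytes carry a PHP open tag, either with a wrong magic number or appended after a valid image header (polyglot). The directory names, extensions, magic numbers and the sample tree are assumptions constructed here so it runs offline.

```python
"""Heuristic check for PHP hidden in an image-asset directory.

Added example (not php-malware-scanner code). Flags:
  * files with a PHP extension under a directory named like an image or
    upload folder (assumed names below; the thread only mentions assets/images);
  * files whose extension claims to be an image but whose bytes contain a
    PHP open tag, whether or not the expected magic number is present.
"""
import re
import tempfile
from pathlib import Path

# Assumed directory names where executable PHP should never live.
IMAGE_DIR_NAMES = {"images", "img", "uploads", "media"}
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar"}
# Magic numbers for the image types we check (assumed set).
IMAGE_MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def in_image_dir(path: Path, root: Path) -> bool:
    """True if any parent directory (relative to root) is an image/upload dir."""
    parts = path.relative_to(root).parent.parts
    return any(part.lower() in IMAGE_DIR_NAMES for part in parts)


def check_file(path: Path, root: Path):
    """Return a reason string if the file looks suspicious, else None."""
    ext = path.suffix.lower()
    data = path.read_bytes()  # sample files are small; cap this on real trees
    if ext in PHP_EXTENSIONS and in_image_dir(path, root):
        return "PHP file inside an image/upload directory"
    magic = IMAGE_MAGIC.get(ext)
    if magic is not None and PHP_TAG.search(data):
        if data.startswith(magic):
            return "image header followed by PHP open tag (polyglot)"
        return "image extension but PHP open tag and wrong magic number"
    return None


def scan_tree(root: Path):
    """Walk root and return sorted (relative posix path, reason) findings."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            reason = check_file(path, root)
            if reason:
                findings.append((path.relative_to(root).as_posix(), reason))
    return findings


def build_sample_tree() -> Path:
    """Create a constructed MODX-like tree in a temp dir and return its root."""
    root = Path(tempfile.mkdtemp(prefix="modx_sample_"))
    files = {
        # constructed stand-in for a dropped PHP file; body is harmless
        "assets/images/accesson.php": b"<?php echo 'constructed sample'; ?>",
        # clean PNG header, no PHP
        "assets/images/logo.png": IMAGE_MAGIC[".png"] + b"\x00" * 16,
        # image extension, no image header, PHP inside
        "assets/images/photo.jpg": b"<?php echo 'constructed sample'; ?>",
        # valid GIF header with PHP appended (polyglot)
        "assets/images/banner.gif": b"GIF89a" + b"\x00" * 8 + b"<?php echo 1; ?>",
        # legitimate PHP outside the image tree; must not be flagged
        "core/config/config.inc.php": b"<?php $database_type = 'mysql';",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return root


if __name__ == "__main__":
    for rel_path, why in scan_tree(build_sample_tree()):
        print(f"{rel_path}: {why}")
```

On a real site, point `scan_tree` at the web root and cap `read_bytes` to the first few hundred KB per file; the polyglot check is the one that needs the body, the other two only need the name and header.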

jaygilmore commented 6 years ago

FYI, I found this Magento scanner and it seems to have some nice rules. Not sure if there's anything you could use. https://github.com/gwillem/magento-malware-scanner/tree/master/rules

scr34m commented 6 years ago

At first look we have a way bigger rule set than the Magento malware scanner list, but I will take a deeper look.

scr34m commented 6 years ago

Patterns pushed; you can test them now.