Closed natzar closed 3 years ago
Hello @natzar, what kind of auto update are you thinking of? When something changes in the code or definitions, a new release is made, so with composer it is easy to update.
I would like to whitelist, for example, checksums of all WordPress, PrestaShop and Drupal versions (files), so the script doesn't show false positives for any of the core files.
I thought about all users of php malware modifying their whitelists, and it did make sense to search for a way of having these definitions crowd-sourced.
With the `--combined-whitelist` option you can whitelist a lot of open-source frameworks; I generate this list from time to time and it will be downloaded on the fly if a new one was uploaded.
Trusting others' whitelists is dangerous without proper control; this is why I don't really like the idea.
That's pretty cool, I have to try that option. In that case, no need to open a big security hole, agreed.
I plan to use this piece on several websites; I usually find malware. Could that be useful? Not sure if we will be able to identify the exact malware's name, but there are 4-5 types (specific lines) that are pretty common.
Interested? What's the best way to send it to you? Pull requests?
Just a question: do you think I can whitelist all of this? Not malware, legit WP plugin files:
```text
# ER 23:34 03-12-2020# {/usr/www/users/accesr/wp-content/plugins/seo-by-rank-math/includes/admin/class-serp-preview.php} #ZpbG # 65
# ER 19:09 02-12-2020# {/usr/www/users/accesr/wp-content/plugins/woozone/modules/report/init.php} #create_function\s(\s['"]{2} # 531
# ER 19:09 02-12-2020# {/usr/www/users/accesr/wp-content/plugins/woozone/modules/synchronization/init.php} #create_function\s(\s['"]{2} # 1179
# ER 19:09 02-12-2020# {/usr/www/users/accesr/wp-content/plugins/woozone/composer/amazon-paapi/paapi5-php-sdk/src/Configuration.php} #php_uname() # 299
# ER 19:09 02-12-2020# {/usr/www/users/accesr/wp-content/plugins/woozone/aa-framework/utils/images.fix.php} #create_function\s(\s['"]{2} # 73
# ER 19:09 02-12-2020# {/usr/www/users/accesr/wp-content/plugins/woozone/composer_prefixed/guzzlehttp/vendor/guzzlehttp/guzzle/src/Middleware.php} #\$[a-z]+(\$[a-z0-9]+( # 201
# ER 19:09 02-12-2020# {/usr/www/users/accesr/wp-content/plugins/woozone/lib/scripts/Crawler-Detect/Fixtures/Crawlers.php} #comodo # 27
# ER 19:09 02-12-2020# {/usr/www/users/accesr/wp-content/plugins/woozone/lib/scripts/Crawler-Detect-withoutnamespace/Fixtures/Crawlers.php} #comodo # 25
# ER 12:39 02-12-2020# {/usr/www/users/accesr/wp-content/plugins/wordpress-seo/admin/tracking/class-tracking-server-data.php} #php_uname() # 39
# ER 12:39 02-12-2020# {/usr/www/users/accesr/wp-content/plugins/wordpress-seo/vendor_prefixed/guzzlehttp/guzzle/src/Middleware.php} #\$[a-z]+(\$[a-z0-9]+( # 202
# ER 23:39 03-12-2020# {/usr/www/users/accesr/wp-content/plugins/elementor/includes/fonts.php} #avira # 1072
# ER 23:39 03-12-2020# {/usr/www/users/accesr/wp-content/plugins/commercegurus-commercekit/includes/admin-dashboard.php} #^.<\?php.{1100,}\?>.$ # 54
# ER 23:39 03-12-2020# {/usr/www/users/accesr/wp-content/plugins/commercegurus-commercekit/includes/admin-ajax-search.php} #^.<\?php.{1100,}\?>.$ # 17
# ER 18:21 01-12-2020# {/usr/www/users/accesr/wp-content/plugins/shortcodes-ultimate/admin/class-shortcodes-ultimate-admin-top-level.php} #ZpbG # 32
# ER 18:27 01-12-2020# {/usr/www/users/accesr/wp-includes/formatting.php} #(\[0-9]{3}){6,} # 3033
# ER 17:57 08-12-2020# {/usr/www/users/accesr/ninja/backup/vendor/phpunit/phpunit/src/Framework/TestCase.php} #{\seval\s(\s\$ # 1646
# ER 17:57 08-12-2020# {/usr/www/users/accesr/ninja/backup/vendor/phpunit/phpunit-mock-objects/src/Generator.php} #{\seval\s(\s\$ # 262
```
They are legit files, not infected. Is it possible, and how, to whitelist file + pattern detected?
New infections are always welcome 👍. If you can create the definition I will be happy with a PR, or just simply open a ticket, but please always attach / link the infected file to make it possible to check.
I used a small script many times which scanned for PHP files with their modification time and stored the result in a text file; the next time it diffed the old result with the new one, so if a file was uploaded, deleted or modified it sent an email. This process can be changed to run a scan at that time, so you don't waste a lot of resources always scanning "safe" websites.
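The change-triggered approach described in the comment above (snapshot the PHP files, diff against the previous run, only run the full scan when something changed), as an added example that is not code from this thread or from the project; it uses content hashes instead of modification times so that a bare `touch` does not trigger a scan, and the manifest file name is an assumption.

```python
import hashlib
import json
import os
import sys

MANIFEST = ".php-manifest.json"  # assumed name; keep it outside the web root in practice

def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large vendor files are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map relative path -> sha256 for every .php file below root."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".php"):
                full = os.path.join(dirpath, name)
                files[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return files

def diff_snapshots(old, new):
    """Content-based diff: a touched mtime with identical bytes is not a change."""
    return {
        "added": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }

def check(root, manifest=MANIFEST):
    """Diff the tree against the stored manifest, then replace the manifest."""
    old = {}
    if os.path.exists(manifest):
        with open(manifest) as fh:
            old = json.load(fh)
    new = snapshot(root)
    with open(manifest, "w") as fh:
        json.dump(new, fh, indent=1, sort_keys=True)
    return diff_snapshots(old, new)

if __name__ == "__main__":
    changes = check(sys.argv[1] if len(sys.argv) > 1 else ".")
    for kind in ("added", "modified", "deleted"):
        for path in changes[kind]:
            print(kind.ljust(9), path)
    sys.exit(1 if any(changes.values()) else 0)  # non-zero => run the full malware scan
```

Run it from cron against the web root; the first run only records the baseline, and each later run reports what changed and exits non-zero only when the scanner actually has something new to look at.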
Yes you can, you just need to create an md5 hash of those files and add it to the whitelist, so then a scan will ignore them. If you can give me a list later, I can extend the compound generation with new frameworks / packages to be whitelisted.
Hi!
Is there any way we can enable auto updates of definitions / whitelist, so we can all share it?
This project doesn't get the awareness it deserves.