authorshaddai2016-02-12 15:04:12 +0100
committershaddai2016-02-12 15:04:12 +0100
commit84102414fc295c9a37f15985e93fc2cc02ebb446 (patch)
tree542b9917e7c9b8ffafc3fa8649da2150767ca92a
parente5241047aef5b29957772f2dde425592cad78a95 (diff)
symfony added, new versions of wordpress and drupal
-rw-r--r--php-malware-finder/whitelist.yara41
1 files changed, 39 insertions, 2 deletions
diff --git a/php-malware-finder/whitelist.yara b/php-malware-finder/whitelist.yara
index 107c638..e9bb883 100644
--- a/php-malware-finder/whitelist.yara
+++ b/php-malware-finder/whitelist.yara
@@ -3,6 +3,23 @@
3 since the sha1sum my be recomputed for every since test; 3 since the sha1sum my be recomputed for every since test;
4 please make sure that you're calling them after every other ones. 4 please make sure that you're calling them after every other ones.
5*/ 5*/
6
7private rule Symfony : Blog
8{
9 condition:
10 hash.sha1(0, filesize) == "3006ce2ddce200e1c66185b95065dc7f9d224465" or // vendor/twig/twig/lib/Twig/Node/Macro.php
11 hash.sha1(0, filesize) == "39bae7f6aa0f4affe06a0d7b7d8306e1e27e441e" or // vendor/doctrine/common/lib/Doctrine/Common/Proxy/ProxyGenerator.php
12 hash.sha1(0, filesize) == "4848d9582a2205c1b037a542faa5ed1b755d6620" or // vendor/phpoffice/phpword/src/PhpWord/Shared/PCLZip/pclzip.lib.php
13 hash.sha1(0, filesize) == "85a49736e0df50f8aaad652c517f4f230726f73c" or // vendor/mouf/mouf/vendor/twig/twig/test/Twig/Tests/Node/MacroTest.php
14 hash.sha1(0, filesize) == "8954260cbb93f46da59cff358c824679395664c2" or // vendor/twig/twig/lib/Twig/Node/CheckSecurity.php
15 hash.sha1(0, filesize) == "9b2834dabbb7331a02a158b91fdb48f73e8bc0ea" or // vendor/dompdf/dompdf/include/page_cache.cls.php
16 hash.sha1(0, filesize) == "a3e936e90a73ece5637a10cd7c26f047d0d5a820" or // vendor/dompdf/dompdf/include/attribute_translator.cls.php
17 hash.sha1(0, filesize) == "b4cbea1458132e156327f20810cf2a2d1f961869" or // vendor/doctrine/inflector/lib/Doctrine/Common/Inflector/Inflector.php
18 hash.sha1(0, filesize) == "beea13bcbd977cb7ee29fdf4bca36c9c19e5a562" or // vendor/dompdf/dompdf/include/cellmap.cls.php
19 hash.sha1(0, filesize) == "da96d532cc2f930449a4e19a0e280d759366a8de" or // vendor/dompdf/dompdf/include/style.cls.php
20 hash.sha1(0, filesize) == "e4b9be9277626f5377ecb3306fd4f2fb7a99508f" // vendor/swiftmailer/swiftmailer/lib/classes/Swift/Transport/SimpleMailInvoker.php
21}
22
6private rule Wordpress : Blog 23private rule Wordpress : Blog
7{ 24{
8 condition: 25 condition:
@@ -15,7 +32,16 @@ private rule Wordpress : Blog
15 hash.sha1(0, filesize) == "e7caf1f66c38bb119fe709ade012a989d8610f07" or // wp-admin/includes/class-pclzip.php 32 hash.sha1(0, filesize) == "e7caf1f66c38bb119fe709ade012a989d8610f07" or // wp-admin/includes/class-pclzip.php
16 hash.sha1(0, filesize) == "8ddb9eff06105b9699c6b03db54472291abcb823" or // wp-includes/taxonomy.php 33 hash.sha1(0, filesize) == "8ddb9eff06105b9699c6b03db54472291abcb823" or // wp-includes/taxonomy.php
17 hash.sha1(0, filesize) == "9dd666651f57ef6e704310fe37ffce7dfd2322e4" or // wp-includes/comment.php 34 hash.sha1(0, filesize) == "9dd666651f57ef6e704310fe37ffce7dfd2322e4" or // wp-includes/comment.php
18 35
36 /* Wordpress 3.9 */
37 hash.sha1(0, filesize) == "b20e3d401b0ab935ed6401392233b36966523e20" or // wp-includes/class-pop3.php
38 hash.sha1(0, filesize) == "3748c7a2150a9da2d2dda10062b00d34982b3d87" or // wp-includes/taxonomy.php
39 hash.sha1(0, filesize) == "1a4e6932523c34d95f050960e7c3d082adb28156" or // wp-includes/ID3/getid3.php
40 hash.sha1(0, filesize) == "48a3dab94dc548169700bb411148c6fbf30274c3" or // wp-includes/ID3/getid3.lib.php
41 hash.sha1(0, filesize) == "c605d1224cf4b24ad2457dd87885de9030e20731" or // wp-includes/SimplePie/File.php
42 hash.sha1(0, filesize) == "005f02927a6904c4e7f3b88ebdd9feaa6221790b" or // wp-includes/class-phpmailer.php
43 hash.sha1(0, filesize) == "12b433cc24cca9747b1fcb1132ffb6b1e6ab75b0" or // wp-includes/comment.php
44
19 /* Wordpress 3.5.1 */ 45 /* Wordpress 3.5.1 */
20 hash.sha1(0, filesize) == "833281b4d1113180e4d1ca026f5e85a680d52662" or // wp-includes/class-phpmailer.php 46 hash.sha1(0, filesize) == "833281b4d1113180e4d1ca026f5e85a680d52662" or // wp-includes/class-phpmailer.php
21 hash.sha1(0, filesize) == "b4e4b88f2be38ed9c3147b77c2f3a7f929caba2c" or // wp-admin/includes/menu.php 47 hash.sha1(0, filesize) == "b4e4b88f2be38ed9c3147b77c2f3a7f929caba2c" or // wp-admin/includes/menu.php
@@ -65,7 +91,17 @@ private rule Drupal : Blog
65 /* Drupal 7.38 */ 91 /* Drupal 7.38 */
66 hash.sha1(0, filesize) == "ad7587ce735352b6a55526005c05c280e9d41822" or // modules/system/system.admin.inc 92 hash.sha1(0, filesize) == "ad7587ce735352b6a55526005c05c280e9d41822" or // modules/system/system.admin.inc
67 hash.sha1(0, filesize) == "dfa67a40daeb9c1dd28f3fab00097852243258ed" or // modules/system/system.module 93 hash.sha1(0, filesize) == "dfa67a40daeb9c1dd28f3fab00097852243258ed" or // modules/system/system.module
68 94
95 /* Drupal 7.33 */
96
97 hash.sha1(0, filesize) == "19c45985dfee7dc27a3a275542dee7c8fc7ebd6d" or // modules/simpletest/drupal_web_test_case.php
98 hash.sha1(0, filesize) == "e53ae29f02d7bd8667ce701b6d13ca71249e6598" or // modules/contrib/simplenews/tests/d6_simplenews_61.php
99 hash.sha1(0, filesize) == "5e1093b4d8bcb438b07e8a428957bd3f79c1042c" or // modules/contrib/simplenews/tests/d6_simplenews_62.php
100 hash.sha1(0, filesize) == "1335f535e2b20634fa8be3e95411921dfe47041d" or // modules/socials/og/og_migrate/tests/drupal-6.og.database.php
101 hash.sha1(0, filesize) == "c748f376cccb982448e99dee184dfec3a1979f44" or // modules/socials/og/tests/drupal-7.og.update_7001.database.php
102 hash.sha1(0, filesize) == "1335f535e2b20634fa8be3e95411921dfe47041d" or // modules/socials/og/tests/drupal-6.og.database.php
103 hash.sha1(0, filesize) == "10aa23f49747970a204c5df98d4c36e64e354760" or // modules/socials/og/og_ui/tests/drupal-6.og-ui.database.php
104
69 /* Drupal 7.15 */ 105 /* Drupal 7.15 */
70 hash.sha1(0, filesize) == "23cc0e2c6eebe94fe189e258a3658b40b0005891" or // modules/simpletest/tests/upgrade/drupal-6.bare.database.php 106 hash.sha1(0, filesize) == "23cc0e2c6eebe94fe189e258a3658b40b0005891" or // modules/simpletest/tests/upgrade/drupal-6.bare.database.php
71 hash.sha1(0, filesize) == "8cb36d865b951378c3266dca7d5173a303e8dcff" or // modules/simpletest/tests/upgrade/drupal-6.filled.database.php 107 hash.sha1(0, filesize) == "8cb36d865b951378c3266dca7d5173a303e8dcff" or // modules/simpletest/tests/upgrade/drupal-6.filled.database.php
@@ -131,6 +167,7 @@ private rule Phpmyadmin
131private rule IsWhitelisted 167private rule IsWhitelisted
132{ 168{
133 condition: 169 condition:
170 Symfony or
134 Wordpress or 171 Wordpress or
135 Prestashop or 172 Prestashop or
136 Magento or 173 Magento or
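Review bot: The new `Symfony` rule whitelists eleven SHA-1 values without recording any release or package version, unlike the `/* Wordpress 3.9 */` and `/* Drupal 7.33 */` blocks added in the same commit, so these hashes cannot later be re-derived from an upstream archive. Since `IsWhitelisted` presumably exempts a matching file from the detection rules, each entry should be traceable to a pristine release; the paths span several third-party packages (twig, doctrine, dompdf, phpword, swiftmailer, mouf), so a comment such as `/* dompdf/dompdf <version> */` above each group would do. The `Drupal 7.33` block has the same gap for its contrib entries (`modules/contrib/simplenews`, `modules/socials/og`), which are not part of a core release, and it lists `1335f535e2b20634fa8be3e95411921dfe47041d` twice; one condition with both paths in the comment is enough. The `Blog` tag on `Symfony` looks copied from the `Wordpress` rule and may not be the intended tag for a framework.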