phpMussel v0.3c

HISTORICAL COMMIT! OUTDATED CONTENT; DO NOT DEPLOY! Originally released "17th December 2013". Originally released as "Version 0.3c". Refer to "change_log.txt" for further information.
phpMussel · May 23, 2015 · dc8d9fd · dc8d9fd
1 parent a9898dd
commit dc8d9fd
Show file tree

Hide file tree

Showing 33 changed files with 24,299 additions and 22,568 deletions.
diff --git a/change_log.txt b/change_log.txt
@@ -1,5 +1,28 @@
 phpMussel change_log.txt
 
+=== Version 0.3c ===
+SUMMARY:
+Updated to the latest signatures set (55+18240+3c).
+Sub-minor update.
+
+NEW CHANGES:
+- Extended the signature formatting for custom signatures.
+- Improved interpretation by phpMussel of ClamAV signatures compared
+  to previous version of the script.
+- Improved documentation.
+- Some conditions can now be inserted into signature files to control
+  when certain signatures are and aren't utilised.
+
+PROBLEMS/BUGS FIXED:
+- Maybe?? The PCRE bug that I'd mentioned I'd found in the previous release
+  (v0.3b), I haven't been able to replicate in the latest version (v0.3c).
+  Given the nature of the bug, and that it wasn't intentionally fixed, but that
+  I haven't been able to replicate it.. I very cautiously suggest that it
+  -might- be fixed, at least, for this version.
+
+Maikuolan,
+17th December 2013.
+
 === Version 0.3b ===
 SUMMARY:
 Updated to the latest signatures set (55+18175+3b).
@@ -9,7 +32,7 @@ NEW CHANGES:
 - Added controls (refer to phpmussel.ini) concerning the length of signatures.
   It is now possible to specify a minimum and maximum length requirement for
   the execution of signatures.
-- Rewrite the code for handling general commands (should see a very minor speed
+- Rewrote the code for handling general commands (should see a very minor speed
   and memory usage improvement).
 - Added the option to block control characters.
 - Added a new code block into the core script which checks for the existence of

diff --git a/readme.txt b/readme.txt
diff --git a/vault/elf_clamav_regex.cvd b/vault/elf_clamav_regex.cvd
@@ -1,9 +1,3 @@
-ClamAV-Trojan.Small-1254:\A(..){1777}6a006a0a6a008b4b085166c745d80200e856feffff5a8b7b045766c1c808668945dae854feffff8945dc83c4108d7dd8eb0d90909090909090909090909090566a006a016a02e890feffff83c41085c089c60f881001000083ec0c685a890408e8e6fdffffe8d1fdffff83c40cc700000000006a10575689c3e84dfeffff83c41085c00f85b6000000e88dfdffff85c0a32c9b0408745c7e1f83ec0c56e869fdffffc7042400000000c745d400000000e836feffff83c410
-ClamAV-Hacktool.Vulner:\A(..){1969}c785e0fbffff0100000083c4f88d85e8fbffff508b85e0fbffff50e8bb00000083c4106a006a048d85e8fbffff508b45fc50e834fdffff83c41083c4f468db890408e804fdffff83c410eb598d7600c785e0fbffff0000000083c4f468f0890408e8e5fcffff83c4108d8510fcffff8b95e4fbffffc604020083c4f88d8510fcffff8d5001528b85e0fbffff50e84900000083c41083c4f468008a0408e8a9fcffff
-ClamAV-Trojan.Small-1253:\A(..){2259}81ecac020000575653e8af0200006a006a026a02e810feffff89c683c40c83feff751a683c8c0408e8ccfdffff6affe815ffffff89f68dbc270000000066c745f002006a00e88ffeffff8945f468c7840000e8e2feffff668945f26a108d45f05056e812feffff
-ClamAV-Trojan.Small-1256:\A(..){3306}83ec086a05ff75c4e841fbffff83c41085c0791f83ec0c682e950408e89dfaffff83c410c7853470feff01000000e9e506000083ec0c6835950408e89efbffff83c41083ec0cff3518a70408e89dfaffff83c410e875faffff8945f4837df400742283ec08ff75f4684b950408e86cfbffff83c410c7853470feff00000000e994060000
-ClamAV-Hacktool.Deli:\A(..){4352}83c4fc6a0968509604088b85fcfbffff50e80af6ffff83c4108385fcfbffff0983c4fc8d8500fcffff8b95fcfbffff29c2528d8500fcffff508b85e8fbffff50e80bf5ffff83c41089c083f8ff7505e90c02000083c4f46a01e882f5ffff83c41083c4f4685a960408e8a2f5ffff83c41083c4fc6a0e68619604088b85ecfbffff50e8c9f4ffff83c4108db600000000
-ClamAV-Trojan.Small-1255:\A(..){2296}83ec0868a08d0408ff359c910408e8d5fcffff83c4108d45a8506a00ff35549004086a0ce83ffdffff83c41083f8ff751083ec0c68b38d0408e86afeffff83c41083ec04ff75d868e08d0408ff359c910408e891fcffff83c41083ec0cff75d8e892feffff83c41083ec0868208e0408ff359c910408e86dfcffff83c4106a006a00ff35549004086a11e8d9fcffff83c41083f8ff751083ec0c68408e0408e804feffff
 ClamAV-Worm.Agent-253:505249564d5347202573203a2a202e6164767363616e20(..)*7363616e6e65722f6578706c6f69742077697468206175746f20757365723a706173737764(..)*505249564d5347202573203a2a202e6a6f696e(..)*6a6f696e20626f7420696e
 ClamAV-Worm.Agent-252:55505821(..)*505249564d5347202573203a5b(..)*656e746869636174696f6e2070617373776f726421
 ClamAV-Worm.Agent-254:55505821(..)*5249564d5347206b203a5b(..)*6f67696e5d206879647261202d20796f75

diff --git a/vault/elf_clamav_regex.map b/vault/elf_clamav_regex.map
@@ -1,5 +1,3 @@
-000000:0:4
-feff:5:5
-5052:6:6
-5550:7:8
-6170:9:9
+5052:0:0
+5550:1:2
+6170:3:3
diff --git a/vault/elf_clamav_standard.cvd b/vault/elf_clamav_standard.cvd
@@ -2,12 +2,19 @@ ClamAV-Exploit.Linux.Local:25783a20257320257320257320257320257320257320307825782
 ClamAV-UNIX.Trojan.SSHDoor:410fb6041c83c50183f0234188441d0089eb4c89e7e846adfcff4839c372e1488b54240864483314252800000041c6441d00004c89e8750b
 ClamAV-Linux.Ranfy-1:57565381ec18010000e8000000005d83ed0fb8f8040000890424c74424042e00000031
 ClamAV-Linux.Ranfy:57565381ec1c01000066c744240a2e00e8000000005889c781c754800408c7442404
+ClamAV-Trojan.Small-1254:6a006a0a6a008b4b085166c745d80200e856feffff5a8b7b045766c1c808668945dae854feffff8945dc83c4108d7dd8eb0d90909090909090909090909090566a006a016a02e890feffff83c41085c089c60f881001000083ec0c685a890408e8e6fdffffe8d1fdffff83c40cc700000000006a10575689c3e84dfeffff83c41085c00f85b6000000e88dfdffff85c0a32c9b0408745c7e1f83ec0c56e869fdffffc7042400000000c745d400000000e836feffff83c410:1777
 ClamAV-Trojan.Tornkit-10:6c6c20414e414c414c2052657365727665642e20240a00555756535152fc8b74241c8b7c242483cdffeb0c90908a064688074701db75078b1e83eefc11db8a0772ebb80100000001db75078b1e83eefc11db11c0
 ClamAV-Flooder.Slice-2:72743e203c68696768706f72743e205b636c6f6e65735d0a00000000202020207372636164647220202d207468652073706f6f6665
+ClamAV-Trojan.Small-1253:81ecac020000575653e8af0200006a006a026a02e810feffff89c683c40c83feff751a683c8c0408e8ccfdffff6affe815ffffff89f68dbc270000000066c745f002006a00e88ffeffff8945f468c7840000e8e2feffff668945f26a108d45f05056e812feffff:2259
+ClamAV-Hacktool.Deli:83c4fc6a0968509604088b85fcfbffff50e80af6ffff83c4108385fcfbffff0983c4fc8d8500fcffff8b95fcfbffff29c2528d8500fcffff508b85e8fbffff50e80bf5ffff83c41089c083f8ff7505e90c02000083c4f46a01e882f5ffff83c41083c4f4685a960408e8a2f5ffff83c41083c4fc6a0e68619604088b85ecfbffff50e8c9f4ffff83c4108db600000000:4352
+ClamAV-Trojan.Small-1256:83ec086a05ff75c4e841fbffff83c41085c0791f83ec0c682e950408e89dfaffff83c410c7853470feff01000000e9e506000083ec0c6835950408e89efbffff83c41083ec0cff3518a70408e89dfaffff83c410e875faffff8945f4837df400742283ec08ff75f4684b950408e86cfbffff83c410c7853470feff00000000e994060000:3306
 ClamAV-PUA.IRC.Mechbot:8b1df45f07088b430889c1c1e80583e11f8d1485000000000fa38aa08807080f92c084c00f84cb00000083ec088d83490200005053e85b8300008b15f45f070883c40c8d8249020000508b4208506860900608e8cd620000a1f45f07088b702c8b15805e0708c74004030000008990101a00005668a40100008b1db05f0708538b0d885e070851e8997c000089c131db83c42085c9740e80b988000000007405bb01000000
+ClamAV-Hacktool.Vulner:c785e0fbffff0100000083c4f88d85e8fbffff508b85e0fbffff50e8bb00000083c4106a006a048d85e8fbffff508b45fc50e834fdffff83c41083c4f468db890408e804fdffff83c410eb598d7600c785e0fbffff0000000083c4f468f0890408e8e5fcffff83c4108d8510fcffff8b95e4fbffffc604020083c4f88d8510fcffff8d5001528b85e0fbffff50e84900000083c41083c4f468008a0408e8a9fcffff:1969
 ClamAV-Sniffer.XZ-1:83c4f48d8500ffffff5068e80300006a0168581f00008b450c83c0048b1052e800f2ffff83c420a390ed0408833d90ed040800751b83c4f4689c970408e8c2f1ffff83c410b8ffffffffe9010100009083c4f4a190ed040850e8b6f1ffff83c41089c083f80c77548b0485e4970408ffe0
 ClamAV-Hacktool.Fakeproc:83ec046a006a006affe87df6ffff83c410e895f5ffff89c08985b8feffff83bddcfeffff00745483ec0868bd950408ffb5dcfeffffe851f7ffff83c41089c08985d0feffff83bdd0feffff00742d83ec04ffb5b8feffff68bf950408ffb5d0feffffe884f5ffff83c41083ec0cffb5d0feffffe863f6ffff83c410ffb5b8feffffffb5e0feffff68c3950408ff3550a70408e854f5ffff83c41083ec08ffb5b4feffffffb5d4feffffe8cdf5ffff83c41083ec0c68e0950408e81df5ffff83c410b8ffffffff
+ClamAV-Trojan.Small-1255:83ec0868a08d0408ff359c910408e8d5fcffff83c4108d45a8506a00ff35549004086a0ce83ffdffff83c41083f8ff751083ec0c68b38d0408e86afeffff83c41083ec04ff75d868e08d0408ff359c910408e891fcffff83c41083ec0cff75d8e892feffff83c41083ec0868208e0408ff359c910408e86dfcffff83c4106a006a00ff35549004086a11e8d9fcffff83c41083f8ff751083ec0c68408e0408e804feffff:2296
 ClamAV-Exploit.Linux.rpc:41414141256e256e256e256e256e256e256e256e256e
+ClamAV-Linux.Trojan.Zollard:557365722d4167656e743a205a6f6c6c617264
 ClamAV-Linux.ELF.Zap:5f6d61696e4040474c4942435f322e3000726561644040474c4942435f322e30006b696c6c5f6c6173746c6f67005f494f5f737464696e5f75736564005f5f646174615f7374617274007374726c656e4040474c4942435f322e30005f5f64736f5f68616e646c65005f5f44544f525f454e445f5f005f5f6c6962635f6373755f696e6974007072696e74664040474c4942435f322e3000636c6f73654040474c4942435f322e30005f5f6273735f7374617274006b696c6c5f77746d70006b696c6c5f75746d70005f656e6400707574734040474c4942435f322e3000627a65726f4040474c4942435f322e30007374726e636d704040474c4942435f322e30006c7365656b4040474c4942435f322e300066005f65646174610067657470776e616d4040474c4942435f322e3000
 ClamAV-PUA.Server.PsyBNC:707379424e430025732573257300533d002a00533d2573007372632f705f7365727665722e63007365
 ClamAV-Linux.Evil.A:726d202d66202f746d702f2e6d79626f7920263e2f6465762f6e756c6c002f746d7000416768687272722c2049276d206479696e67212121

diff --git a/vault/elf_clamav_standard.map b/vault/elf_clamav_standard.map
@@ -1,9 +1,10 @@
-000000:0:6
-0000:7:7
-feff:8:8
-4141:9:9
-5f6d:10:10
-7073:11:11
-726d:12:12
-7569:13:13
-c953:14:14
+000000:0:11
+0000:12:12
+feff:13:14
+4141:15:15
+5573:16:16
+5f6d:17:17
+7073:18:18
+726d:19:19
+7569:20:20
+c953:21:21