|
8 | 8 | * License: GNU/GPLv2 |
9 | 9 | * @see LICENSE.txt |
10 | 10 | * |
11 | | - * This file: Optional security extras module (last modified: 2025.07.01). |
| 11 | + * This file: Optional security extras module (last modified: 2025.07.05). |
12 | 12 | * |
13 | 13 | * False positive risk (an approximate, rough estimate only): « [ ]Low [x]Medium [ ]High » |
14 | 14 | */ |
|
115 | 115 | 'd(?:7|eadcode\d*|elpaths|epotcv|isagraep|kiz|oiconvs|ummyyummy/wp-signup)|' . |
116 | 116 | 'e(?:ctoplasm/str_shuffcle|e|pinyins|rin\d+)|' . |
117 | 117 | 'f(?:ddqradz|ilefun)|' . |
118 | | - 'g(?:dftps|el4y|etid3-core|h[0o]st|lab-rare|zismexv)|' . |
| 118 | + 'g(?:awean|dftps|el4y|etid3-core|h[0o]st|lab-rare|zismexv)|' . |
119 | 119 | 'h(?:[4a]x+[0o]r|6ss|anna1337|ehehe|sfpdcd|tmlawedtest)|' . |
120 | 120 | 'i(?:\d{3,}[a-z]{2,}|cesword|d3/class-config|mages/sym|ndoxploit|optimize|oxi\d*|r7szrsouep|itsec|xr/(?:allez|wp-login))|' . |
121 | 121 | 'kvkjguw|' . |
|
143 | 143 | $LCNrURI |
144 | 144 | ), 'Probing for webshells/backdoors')) { |
145 | 145 | $CIDRAM['Reporter']->report([15, 20, 21], ['Caught probing for webshells/backdoors. Host might be compromised.'], $CIDRAM['BlockInfo']['IPAddr']); |
146 | | - } // 2023.08.18 mod 2025.06.29 |
| 146 | + } // 2023.08.18 mod 2025.07.05 |
147 | 147 |
|
148 | 148 | /** Probing for vulnerable plugins or webapps. */ |
149 | 149 | if ( |
| 150 | + $Trigger(preg_match('~/civicrm/packages/openflashchart/php-ofc-library/ofc_upload_image\.php[57]?(?:$|[/?])~', $LCNrURI), $Exploit = 'CiviCRM 3x') || // 2025.07.05 |
150 | 151 | $Trigger(preg_match('~/dup-installer/main\.installer\.php[57]?(?:$|[/?])~', $LCNrURI), $Exploit = 'CVE-2022-2551') || // 2024.09.05 |
151 | 152 | $Trigger(preg_match('~/Telerik\.Web\.UI\.WebResource\.axd(?:$|[/?])~i', $LCNrURI), $Exploit = 'CVE-2019-18935') || // 2024.10.30 |
152 | 153 | $Trigger(preg_match('~\?s=../%5c|invokefunction&function=call_user_func_array&|vars%5b0%5d=md5|vars%5b1%5d%5b%5d=hellothinkphp~', $LCNrURI), $Exploit = 'CVE-2018-20062') // 2025.07.01 |
|
156 | 157 |
|
157 | 158 | /** Probing for webshells/backdoors. */ |
158 | 159 | if ($Trigger(preg_match( |
159 | | - '~(?:^|[/?])(?:[1-9cefimnptuwx]{27}\.jsp|alfa-?rexhp\d\.p|(?:send-)?ses\.sh)(?:$|[/?])~', |
| 160 | + '~(?:^|[/?])(?:[1-9cefimnptuwx]{27}\.jsp|alfa_data/alfacgiapi|alfa-?rexhp\d\.p|(?:send-)?ses\.sh)(?:$|[/?])~', |
160 | 161 | $LCNrURI |
161 | 162 | ), 'Probing for webshells/backdoors')) { |
162 | 163 | $CIDRAM['Reporter']->report([15, 20], ['Caught probing for webshells/backdoors. Host might be compromised.'], $CIDRAM['BlockInfo']['IPAddr']); |
163 | | - } // 2024.02.18 mod 2025.06.26 |
| 164 | + } // 2024.02.18 mod 2025.07.05 |
164 | 165 |
|
165 | 166 | /** Probing for webshells/backdoors. */ |
166 | 167 | if ($Trigger(preg_match( |
|
344 | 345 | ), 'Compromised password used in brute-force attacks'); // 2023.10.10 |
345 | 346 |
|
346 | 347 | $Trigger(preg_match('~/etc/passwd:null:null$~', $QueryNoSpace), 'Hack attempt'); // 2024.02.18 |
347 | | - $Trigger(preg_match('~\?phpinfo=-1$~', $QueryNoSpace), 'Hack attempt'); // 2025.05.24 |
| 348 | + $Trigger(preg_match('~(?:^|&)phpinfo=-1$~', $QueryNoSpace), 'Hack attempt'); // 2025.05.24 fix 2025.07.05 |
| 349 | + $Trigger(preg_match('~(?:^|&)action=p&api=p&path=p&token=$~', $QueryNoSpace), 'Hack attempt'); // 2025.07.05 |
348 | 350 |
|
349 | 351 | /** These signatures can set extended tracking options. */ |
350 | 352 | if ( |
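Review bot: The two query-string signatures at new lines 348–349 (`phpinfo=-1$` and `action=p&api=p&path=p&token=$`) are still anchored to the end of `$QueryNoSpace`, so while the 2025.07.05 fix replaced the `\?` prefix with `(?:^|&)`, the right side still requires the marker to be the final parameter and a probe that appends anything further (`phpinfo=-1&x=1`) is missed. Mirroring the left anchor on the right keeps the match specific while dropping the ordering dependence: `'~(?:^|&)phpinfo=-1(?:$|&)~'` and `'~(?:^|&)action=p&api=p&path=p&token=(?:$|&)~'` — the second still insists on the empty `token=` value, which appears to be the fingerprint. Separately, the new CiviCRM entry at new line 150 sets `$Exploit = 'CiviCRM 3x'` where the neighbouring entries carry CVE identifiers; if an identifier exists for the `ofc_upload_image.php` issue, using it (or noting in the trailing comment why none is used) would keep the reported label consistent. The `if` blocks these lines belong to start and end outside the visible hunks.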
|