Extras module update.

CIDRAM · Jun 4, 2024 · 0b7575a · 0b7575a
1 parent afb007c
commit 0b7575a
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 13 deletions.
diff --git a/modules/module_extras.php b/modules/module_extras.php
@@ -8,7 +8,7 @@
  * License: GNU/GPLv2
  * @see LICENSE.txt
  *
- * This file: Optional security extras module (last modified: 2024.05.21).
+ * This file: Optional security extras module (last modified: 2024.06.04).
  *
  * False positive risk (an approximate, rough estimate only): « [ ]Low [x]Medium [ ]High »
  */
@@ -101,39 +101,42 @@
 
         /** Probing for webshells/backdoors. */
         if ($Trigger(preg_match(
-            '~^/{3,}wp-|(?:^|[/?])(?:shell\?cd|test/wp-includes/wlwmanifest\.xml|(?:' .
+            '~^/{3,}wp-|(?:^|[/?])(?:mt-xmlrpc\.cgi|shell\?cd|wp-includes/wlwmanifest\.xml)(?:$|[/?])|(?:^|[/?])(?:' .
             '\+theme\+/(?:error|index)|' .
-            '\.w(?:ell-known|p-cli)/.*(?:a(?:bout|dmin)[\da-z]*|fierza[\da-z]*|install[\da-z]*|moon[\da-z]*|shell[\da-z]*|wp-login[\da-z]*|x)|\.?rxr(?:_[\da-z]+)?|' .
-            '\d{3,5}[a-z]{3,5}|\d+-?backdoor|0byte|0x|10+|991176|' .
+            '\.w(?:ell-known|p-cli)/.*(?:a(?:bout|dmin)[\da-z]*|fierza[\da-z]*|install[\da-z]*|moon[\da-z]*|shell[\da-z]*|wp-login[\da-z]*|x)|' .
+            '\.?rxr(?:_[\da-z]+)?|' .
+            '\d{3,5}[a-z]{3,5}|\d+-?backdoor|0byte|0[xz]|10+|991176|' .
             'a(?:dmin-heade\d*|dminfuns|hhygskn|lfa(?:-rex|_data|a?cgiapi|ioxi|new)?\d*|njas|pismtp|xx)|' .
             'b0|b3d2acc621a0|bak|bala|' .
             'c(?:(?:9|10)\d+|asper[\da-z]+|d(?:.*tmp.*rm-rf|chmod.*\d{3,})|fom[-_]files|(?:gi-bin|ss)/(?:luci/;|moon|newgolden|radio|sgd|stok=/|uploader|well-known|wp-login)|jfuns|lasssmtps|olors/blue/uploader|ong)|' .
             'd7|deadcode\d*|dkiz|' .
             'ee|' .
-            'fddqradz|' .
+            'f(?:ddqradz|ilefuns?)|' .
             'gel4y|gh[0o]st|glab-rare|gzismexv|' .
             'h[4a]x+[0o]r|h6ss|hanna1337|hehehe|htmlawedtest|' .
-            'i(?:\d{3,}[a-z]{2,}|cesword|ndoxploit|optimize|r7szrsouep|itsec)|' .
+            'i(?:\d{3,}[a-z]{2,}|cesword|ndoxploit|optimize|r7szrsouep|itsec|xr/(?:allez|wp-login))|' .
             'lock0?360|lufix(?:-shell)?|' .
             'miin|my1|' .
             'old/wp-admin/install|orvx(?:-shell)?|' .
             'perl\.alfa|php(?:1|_niu_\d+)|(?:plugins|themes)/(?:ccx|ioptimization|yyobang)|poison|priv8|pzaiihfi|' .
+            'rendixd|' .
             's(?:ession91|h[3e]llx?\d*|hrift|idwso|ilic|kipper(?:shell)?|onarxleetxd|pammervip|rc/util/php/(?:eval(?:-stdin)?|kill))|' .
             't62|tenda\.sh.*tenda\.sh|themes/(?:finley/min|pridmag/db|universal-news/www)|tinymce/(?:langs/about|plugins/compat3x/css/index)|tk(?:_dencode_\d+)?|(?:tmp|wp-content)/vuln|topxoh/(?:drsx|wdr)|' .
             'u(?:nisibfu|pfile(?:_\\(\d\\))?|ploader_by_cloud7_agath|tchiha(?:_uploader)?)|' .
             'vzlateam|' .
-            'w(?:0rdpr3ssnew|alker-nva|ebshell-[a-z\d]+|idgets-nva|idwsisw|loymzuk)|' .
-            'wp[-_](?:2019|22|(?:admin(?:/images)?|content|css(?:/colors)?|includes(?:/ixr|/customize|/pomo)?|js(?:/widgets)?|network)/(?:dropdown|fgertreyersd|install|js/privacy-tools\.min|r(?:andom_compat/class_api|equests/class_api|epeater)|simple|text/about|themes/hello-element/footer|wp-login)|conflg|content/plugins/(?:backup-backup/includes/hro|cache/dropdown|contact-form-7/.+styles-rtl|contus-hd-flv-player/uploadvideo|dzs-zoomsounds/savepng|fix/up|wordpresscore/include|wp-file-manager/lib/php/connector\.minimal)|filemanager|setups|sigunq|sts|p)|' .
+            'w(?:[0o]rm\d+|0rdpr3ssnew|alker-nva|ebshell-[a-z\d]+|idgets-nva|idwsisw|loymzuk)|' .
+            'wp[-_](?:2019|22|(?:admin(?:/images)?|content|css(?:/colors)?|includes(?:/ixr|/customize|/pomo)?|js(?:/widgets)?|network)/(?:class-wp-page-[\da-z]{5,}|dropdown|fgertreyersd|install|js/privacy-tools\.min|r(?:andom_compat/class_api|equests/class_api|epeater)|simple|text/about|themes/hello-element/footer|uploads/error_log|wp-login)|conflg|content/plugins/(?:backup-backup/includes/hro|cache/dropdown|contact-form-7/.+styles-rtl|contus-hd-flv-player/uploadvideo|dzs-zoomsounds/savepng|fix/up|wordpresscore/include|wp-file-manager/lib/php/connector\.minimal)|filemanager|setups|sigunq|sts|p)|' .
+            'wp-configs|' .
             'ws[ou](?:yanz)?(?:[\d.]*|[\da-z]{4,})|wwdv|' .
             'x{3,}|xiaom|xichang/x|x+l(?:\d+|eet(?:mailer|-shell)?x?)|xm(?:lrpcs|lrpz|rlpc)|xw|' .
-            'yanz|yyobang/mar|' .
+            'ya?nz|yyobang/mar|' .
             'zone_hackbar(?:_beutify_other)?|' .
             '版iisspy|大马|一句话(?:木马|扫描脚本程序)?' .
-            '))\.php[57]?(?:$|[/?])~',
+            ')\.php[57]?(?:$|[/?])~',
             $LCNrURI
         ), 'Probing for webshells/backdoors')) {
             $CIDRAM['Reporter']->report([15, 20, 21], ['Caught probing for webshells/backdoors. Host might be compromised.'], $CIDRAM['BlockInfo']['IPAddr']);
-        } // 2023.08.18 mod 2024.05.21
+        } // 2023.08.18 mod 2024.06.04
 
         /** Probing for webshells/backdoors. */
         if ($Trigger(preg_match(

diff --git a/modules/modules.dat b/modules/modules.dat
@@ -233,7 +233,7 @@ module_cookies.php:
 module_extras.php:
  Name: "Optional security extras module"
  False Positive Risk: "Medium"
- Version: "2024.141.0"
+ Version: "2024.155.0"
  Dependencies:
   PHP: "^5.4|^7|^8"
   CIDRAM Core: "^1.13.1|^2.0.1"
@@ -248,7 +248,7 @@ module_extras.php:
    - "module_extras.php"
    - "module_extras.yaml"
   Checksum:
-   - "cfab24db4ad605e22be30f1437d993808eb580e221f986422586c94bbe1632b5:27737"
+   - "b0219561bf7d15cdf578ee4cd9f4fe9099c86b3b900522d0242512902e0b67ea:27930"
    - "7b891d1fa4b1c52c410220bc758e8cb7064bd6040430fb149a5b60e9ae2e0838:890"
  Used with: "modules"
  Reannotate: "modules.dat"