Extras module update.

CIDRAM · Feb 18, 2024 · 85054b1 · 85054b1
1 parent 69c5294
commit 85054b1
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 5 deletions.
diff --git a/modules/module_extras.php b/modules/module_extras.php
@@ -8,7 +8,7 @@
  * License: GNU/GPLv2
  * @see LICENSE.txt
  *
- * This file: Optional security extras module (last modified: 2024.02.08).
+ * This file: Optional security extras module (last modified: 2024.02.18).
  *
  * False positive risk (an approximate, rough estimate only): « [ ]Low [x]Medium [ ]High »
  */
@@ -118,7 +118,7 @@
             'unisibfu|upfile(?:_\\(\d\\))?|uploader_by_cloud7_agath|utchiha(?:_uploader)?|' .
             'vzlateam|' .
             'w0rdpr3ssnew|walker-nva|webshell-[a-z\d]+|widgets-nva|widwsisw|wloymzuk|' .
-            'wp[-_](?:2019|22|(?:admin|content|css(?:/colors)?|includes(?:/ixr|/customize|/pomo)?|js(?:/widgets)?|network)/(?:cong|dropdown|repeater|simple)|conflg|content/plugins/(?:backup-backup/includes/hro|contus-hd-flv-player/uploadvideo|dzs-zoomsounds/savepng|fix/up)|filemanager|setups|sigunq|p)|' .
+            'wp[-_](?:2019|22|(?:admin|content|css(?:/colors)?|includes(?:/ixr|/customize|/pomo)?|js(?:/widgets)?|network)/(?:cong|dropdown|repeater|simple)|conflg|content/plugins/(?:backup-backup/includes/hro|contus-hd-flv-player/uploadvideo|dzs-zoomsounds/savepng|fix/up|wordpresscore/include|wp-file-manager/lib/php/connector\.minimal)|filemanager|setups|sigunq|p)|' .
             'ws[ou](?:yanz)?(?:[\d.]*|[\da-z]{4,})|wwdv|' .
             'x{3,}|xiaom|xichang/x|x+l(?:\d+|eet(?:mailer|-shell)?x?)|xm(?:lrpcs|lrpz|rlpc)|xw|' .
             'yanz|yyobang/mar|' .
@@ -128,7 +128,15 @@
             $LCNrURI
         ), 'Probing for webshells/backdoors')) {
             $CIDRAM['Reporter']->report([15, 20, 21], ['Caught probing for webshells/backdoors. Host might be compromised.'], $CIDRAM['BlockInfo']['IPAddr']);
-        } // 2023.08.18 mod 2024.02.08
+        } // 2023.08.18 mod 2024.02.18
+
+        /** Probing for webshells/backdoors. */
+        if ($Trigger(preg_match(
+            '~(?:^|[/?])(?:[1-9cefimnptuwx]{27}\.jsp$)~',
+            $LCNrURI
+        ), 'Probing for webshells/backdoors')) {
+            $CIDRAM['Reporter']->report([15, 20], ['Caught probing for webshells/backdoors. Host might be compromised.'], $CIDRAM['BlockInfo']['IPAddr']);
+        } // 2024.02.18
 
         /** Probing for exposed Git data. */
         if ($Trigger(preg_match('~\.git(?:$|\W)~', $LCNrURI), 'Probing for exposed git data')) {
@@ -285,6 +293,8 @@
             $QueryNoSpace
         ), 'Compromised password used in brute-force attacks'); // 2023.10.10
 
+        $Trigger(preg_match('~/etc/passwd:null:null$~', $QueryNoSpace), 'Hack attempt'); // 2024.02.18
+
         /** These signatures can set extended tracking options. */
         if (
             $Trigger(strpos($QueryNoSpace, '$_' . '[$' . '__') !== false, 'Shell upload attempt') || // 2017.03.01

diff --git a/modules/modules.dat b/modules/modules.dat
@@ -233,7 +233,7 @@ module_cookies.php:
 module_extras.php:
  Name: "Optional security extras module"
  False Positive Risk: "Medium"
- Version: "2024.38.0"
+ Version: "2024.48.0"
  Dependencies:
   PHP: "^5.4|^7|^8"
   CIDRAM Core: "^1.13.1|^2.0.1"
@@ -248,7 +248,7 @@ module_extras.php:
    - "module_extras.php"
    - "module_extras.yaml"
   Checksum:
-   - "0eb10a39868ccd04cb8e59bbd372bd52ac984ab46198bd750b8ef36f23255920:26196"
+   - "924627c76b1cfcc974f0b9aa1a9ebe60301da4b3a414775043cfaf85c4c95d39:26754"
    - "7b891d1fa4b1c52c410220bc758e8cb7064bd6040430fb149a5b60e9ae2e0838:890"
  Used with: "modules"
  Reannotate: "modules.dat"