From 85054b183a1153803f10deef46126608443fd200 Mon Sep 17 00:00:00 2001
From: Caleb Mazalevskis
Date: Sun, 18 Feb 2024 12:33:55 +0800
Subject: [PATCH] Extras module update.
---
 modules/module_extras.php | 16 +++++++++++++---
 modules/modules.dat | 4 ++--
 2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/modules/module_extras.php b/modules/module_extras.php
index 43d19b9..9bd6326 100644
--- a/modules/module_extras.php
+++ b/modules/module_extras.php
@@ -8,7 +8,7 @@
 * License: GNU/GPLv2
 * @see LICENSE.txt
 *
- * This file: Optional security extras module (last modified: 2024.02.08).
+ * This file: Optional security extras module (last modified: 2024.02.18).
 *
 * False positive risk (an approximate, rough estimate only): « [ ]Low [x]Medium [ ]High »
 */
@@ -118,7 +118,7 @@
 'unisibfu|upfile(?:_\\(\d\\))?|uploader_by_cloud7_agath|utchiha(?:_uploader)?|' .
 'vzlateam|' .
 'w0rdpr3ssnew|walker-nva|webshell-[a-z\d]+|widgets-nva|widwsisw|wloymzuk|' .
- 'wp[-_](?:2019|22|(?:admin|content|css(?:/colors)?|includes(?:/ixr|/customize|/pomo)?|js(?:/widgets)?|network)/(?:cong|dropdown|repeater|simple)|conflg|content/plugins/(?:backup-backup/includes/hro|contus-hd-flv-player/uploadvideo|dzs-zoomsounds/savepng|fix/up)|filemanager|setups|sigunq|p)|' .
+ 'wp[-_](?:2019|22|(?:admin|content|css(?:/colors)?|includes(?:/ixr|/customize|/pomo)?|js(?:/widgets)?|network)/(?:cong|dropdown|repeater|simple)|conflg|content/plugins/(?:backup-backup/includes/hro|contus-hd-flv-player/uploadvideo|dzs-zoomsounds/savepng|fix/up|wordpresscore/include|wp-file-manager/lib/php/connector\.minimal)|filemanager|setups|sigunq|p)|' .
 'ws[ou](?:yanz)?(?:[\d.]*|[\da-z]{4,})|wwdv|' .
 'x{3,}|xiaom|xichang/x|x+l(?:\d+|eet(?:mailer|-shell)?x?)|xm(?:lrpcs|lrpz|rlpc)|xw|' .
 'yanz|yyobang/mar|' .
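Review bot: The new `wp-file-manager/lib/php/connector\.minimal` alternative inside the `wp[-_]...content/plugins/(...)` branch matches the WP File Manager plugin's own elFinder connector path, so on a site that legitimately runs that plugin an administrator using the file-manager UI will trip this signature, be blocked, and — presumably via the `report([15, 20, 21], ...)` call for this same reason in the following hunk — be reported as a compromised host. Given that the module header itself rates false-positive risk as Medium, that trade-off deserves a note next to the pattern, e.g. `// NOTE: also matches WP File Manager's real connector path; sites running that plugin need a whitelist entry`, or a narrower match if samples show the probes differ from legitimate traffic (the request shape is not visible here). The `wordpresscore/include` alternative raises no such concern. The regex string and the `preg_match` that consumes it both start and end outside this hunk.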
@@ -128,7 +128,15 @@ $LCNrURI ), 'Probing for webshells/backdoors')) { $CIDRAM['Reporter']->report([15, 20, 21], ['Caught probing for webshells/backdoors. Host might be compromised.'], $CIDRAM['BlockInfo']['IPAddr']); - } // 2023.08.18 mod 2024.02.08 + } // 2023.08.18 mod 2024.02.18 + + /** Probing for webshells/backdoors. */ + if ($Trigger(preg_match( + '~(?:^|[/?])(?:[1-9cefimnptuwx]{27}\.jsp$)~', + $LCNrURI + ), 'Probing for webshells/backdoors')) { + $CIDRAM['Reporter']->report([15, 20], ['Caught probing for webshells/backdoors. Host might be compromised.'], $CIDRAM['BlockInfo']['IPAddr']); + } // 2024.02.18 /** Probing for exposed Git data. */ if ($Trigger(preg_match('~\.git(?:$|\W)~', $LCNrURI), 'Probing for exposed git data')) { @@ -285,6 +293,8 @@ $QueryNoSpace ), 'Compromised password used in brute-force attacks'); // 2023.10.10 + $Trigger(preg_match('~/etc/passwd:null:null$~', $QueryNoSpace), 'Hack attempt'); // 2024.02.18 + /** These signatures can set extended tracking options. */ if ( $Trigger(strpos($QueryNoSpace, '$_' . '[$' . '__') !== false, 'Shell upload attempt') || // 2017.03.01 diff --git a/modules/modules.dat b/modules/modules.dat index cfb2184..925eb22 100644 --- a/modules/modules.dat +++ b/modules/modules.dat @@ -233,7 +233,7 @@ module_cookies.php: module_extras.php: Name: "Optional security extras module" False Positive Risk: "Medium" - Version: "2024.38.0" + Version: "2024.48.0" Dependencies: PHP: "^5.4|^7|^8" CIDRAM Core: "^1.13.1|^2.0.1" @@ -248,7 +248,7 @@ module_extras.php: - "module_extras.php" - "module_extras.yaml" Checksum: - - "0eb10a39868ccd04cb8e59bbd372bd52ac984ab46198bd750b8ef36f23255920:26196" + - "924627c76b1cfcc974f0b9aa1a9ebe60301da4b3a414775043cfaf85c4c95d39:26754" - "7b891d1fa4b1c52c410220bc758e8cb7064bd6040430fb149a5b60e9ae2e0838:890" Used with: "modules" Reannotate: "modules.dat"
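Review bot: The new `.jsp` signature reports with `[15, 20]` while the signature directly above it, which carries the identical 'Probing for webshells/backdoors' reason and is touched in this same hunk, reports `[15, 20, 21]`; if dropping category 21 is deliberate it deserves a word in the trailing comment, otherwise the two should agree. The 27-character class `[1-9cefimnptuwx]` is opaque to the next maintainer, so the docblock should say what it is meant to catch, e.g. `/** Probing for webshells/backdoors (fixed 27-character JSP file names drawn from [1-9cefimnptuwx], as seen in current scanning traffic). */` — the provenance of the pattern is not visible here, so word it to whatever the samples show. Stylistically the inner `(?:...)` group is redundant and `'~(?:^|[/?])[1-9cefimnptuwx]{27}\.jsp$~'` reads the same. The enclosing function starts and ends outside this hunk.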
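Review bot: The added `'~/etc/passwd:null:null$~'` signature is anchored only at the end, so a probe that carries any further parameter or character after `:null:null` slips past it, and because it is matched against `$QueryNoSpace` (whose URL-decoding is not visible in this hunk) the `%2fetc%2fpasswd` form is presumably unaffected as well; if the trailing anchor was meant to limit false positives rather than to demand a bare match, `'~/etc/passwd:null:null(?:$|&)~'` keeps that intent while closing the gap. Note also that PCRE's `$` matches before a trailing newline unless the `D` modifier is set, so `\z` is the stricter end anchor if an exact end was really intended. Unlike the neighbouring signatures this line has no explanatory docblock; a short `/** Path traversal probe seen with a literal ":null:null" suffix. */` above it would help the next maintainer. The enclosing function begins and ends outside this hunk.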