From 264def8281c5614220f80fb94e154541287b1c5a Mon Sep 17 00:00:00 2001 From: HansPHP Date: Fri, 10 Apr 2020 17:41:15 -0500 Subject: [PATCH 01/36] Yara Joomla rules baseline Yara Joomla rules baseline (1.0.15, 1.5.26, 2.5.28, 3.6.0) --- php-malware-finder/whitelist.yar | 2 + php-malware-finder/whitelists/joomla.yar | 200 +++++++++++++++++++++++ 2 files changed, 202 insertions(+) create mode 100644 php-malware-finder/whitelists/joomla.yar diff --git a/php-malware-finder/whitelist.yar b/php-malware-finder/whitelist.yar index 3cb42b4..4bdb7c3 100644 --- a/php-malware-finder/whitelist.yar +++ b/php-malware-finder/whitelist.yar @@ -6,6 +6,7 @@ include "whitelists/drupal.yar" include "whitelists/wordpress.yar" +include "whitelists/joomla.yar" include "whitelists/symfony.yar" include "whitelists/phpmyadmin.yar" include "whitelists/magento1ce.yar" @@ -115,6 +116,7 @@ private rule IsWhitelisted condition: Symfony or Wordpress or + Joomla or Prestashop or Magento or Magento1Ce or diff --git a/php-malware-finder/whitelists/joomla.yar b/php-malware-finder/whitelists/joomla.yar new file mode 100644 index 0000000..d5a8717 --- /dev/null +++ b/php-malware-finder/whitelists/joomla.yar 
@@ -0,0 +1,200 @@
+import "hash"
+
+private rule Joomla : CMS
+{
+ meta:
+ generated = "2020-04-10T17:58:54.003208"
+
+ condition:
+ /* Joomla 1.0.15 */
+ hash.sha1(0, filesize) == "0d87be9efc01370947b77c7e666e8c8bbe9f2520" or // joomla_1-0-15/globals.php
+ hash.sha1(0, filesize) == "f3191210add8f228a2c8fb9114f280f554c8d13f" or // joomla_1-0-15/offlinebar.php
+ hash.sha1(0, filesize) == "4f76762e81b3eded9221ef0c0c9295a58ff6446c" or // joomla_1-0-15/offline.php
+ hash.sha1(0, filesize) == "83689add91a65ba585c1f70e44042668bcaf380c" or // joomla_1-0-15/administrator/components/com_admin/admin.admin.html.php
+ hash.sha1(0, filesize) == "83fbb7111d7c131792ff81ad16f3f31575521a5a" or // joomla_1-0-15/administrator/components/com_installer/component/component.class.php
+ hash.sha1(0, filesize) == "d55dc6a8352b402f5ee93099d4dcae19c2a4de4f" or // joomla_1-0-15/administrator/components/com_media/admin.media.php
+ hash.sha1(0, filesize) == "9f543bbe1d209fd5dd2de69d318ab51d0b4b9149" or // joomla_1-0-15/administrator/includes/admin.php
+ hash.sha1(0, filesize) == "f81b8fc577a8517d2de422245197af42ef785f40" or // joomla_1-0-15/administrator/includes/pcl/pcltrace.lib.php
+ hash.sha1(0, filesize) == "0a82091a097e0fd0e0dfd4e368926d668b65887b" or // joomla_1-0-15/administrator/includes/pcl/pclzip.lib.php
+ hash.sha1(0, filesize) == "9fe290073b6aed81f053be31ae0aa51e3d8c2968" or // joomla_1-0-15/administrator/includes/pcl/zip.lib.php
+ hash.sha1(0, filesize) == "43679709c4e2321a30776d9e0151efea2c2b7314" or // joomla_1-0-15/components/com_search/search.php
+ hash.sha1(0, filesize) == "80027d39c8abdfd5bfa01ea80a75fc7ffd598304" or // joomla_1-0-15/components/com_search/search.html.php
+ hash.sha1(0, filesize) == "1ac5a97418f08e8e7d5be05f5b769dced2d1e130" or // joomla_1-0-15/components/com_content/content.php
+ hash.sha1(0, filesize) == "b9bb9895ba712dbc27be4d41f8d9a757cf27af92" or // joomla_1-0-15/components/com_content/content.html.php
+ hash.sha1(0, filesize) == "75e268dc065a65a5a2cc419dd9b08b87a3287385" or // joomla_1-0-15/includes/class.pdf.php
+ hash.sha1(0, filesize) == "165562eabebca5f88ace3d7aa5a81a6c87dbe7c6" or // joomla_1-0-15/includes/joomla.php
+ hash.sha1(0, filesize) == "d0d3c8d8148bcb82c0dc67940f3b9992b05955f9" or // joomla_1-0-15/includes/gacl_api.class.php
+ hash.sha1(0, filesize) == "69d0a11f1f5f59acdae76dd5cfac8edee93891a5" or // joomla_1-0-15/includes/feedcreator.class.php
+ hash.sha1(0, filesize) == "4c2ac318670bd40d55add0ab8291ff0b264cfc97" or // joomla_1-0-15/includes/patTemplate/patTemplate.php
+ hash.sha1(0, filesize) == "9ed02ec1c24e5fdf089e352742e2a2e0c3a4a99c" or // joomla_1-0-15/includes/patTemplate/patTemplate/Modifier/Expression.php
+ hash.sha1(0, filesize) == "1d427a1b3cc6560a9ad6eccaa51afce18520f6bc" or // joomla_1-0-15/includes/patTemplate/patTemplate/Reader/DB.php
+ hash.sha1(0, filesize) == "6b01e8c4cf9095315f126bab9054127c33e90206" or // joomla_1-0-15/includes/patTemplate/patTemplate/InputFilter/ShortModifiers.php
+ hash.sha1(0, filesize) == "933df34864ca00b1404368d8c62cb6d13057b706" or // joomla_1-0-15/includes/patTemplate/patTemplate/OutputFilter/BBCode.php
+ hash.sha1(0, filesize) == "bb1f429169df236ca5ffffed3b6609875fd2907b" or // joomla_1-0-15/includes/PEAR/PEAR.php
+ hash.sha1(0, filesize) == "01e612d5914896ac7424471bea9cf22e5dea1c56" or // joomla_1-0-15/includes/phpmailer/class.phpmailer.php
+ hash.sha1(0, filesize) == "0496865ba7042a514af7398a71e36548d406bc5e" or // joomla_1-0-15/includes/Cache/Lite.php
+ hash.sha1(0, filesize) == "3d56fb2f943e61f9df7d4bd6e447bb34712affba" or // joomla_1-0-15/installation/index.php
+ hash.sha1(0, filesize) == "70a39b8f9f18717e70aca1e5a4aef0f7ef6f36c6" or // joomla_1-0-15/installation/install2.php
+ hash.sha1(0, filesize) == "a80449c2a043f1388e8d4f05f001f37d56a66a63" or // joomla_1-0-15/mambots/editors/none.php
+ hash.sha1(0, filesize) == "b8c31ec39fbd2a5bca238f7f28240110e754d53b" or // joomla_1-0-15/mambots/editors/tinymce.php
+ hash.sha1(0, filesize) == "e18d43f2e028ab7d367389a18846607b3989cd1a" or // joomla_1-0-15/mambots/content/mosimage.php
+ hash.sha1(0, filesize) == "9b31fdfeb94195847af5cb2402d615dac474cc36" or // joomla_1-0-15/mambots/content/geshi/geshi/php-brief.php
+ hash.sha1(0, filesize) == "098b7f1441cc99309f12c8dcc23a5496dd5c0d77" or // joomla_1-0-15/mambots/content/geshi/geshi/php.php
+ hash.sha1(0, filesize) == "240e5442555fed49040ad18a4346af60fd32c8d6" or // joomla_1-0-15/modules/mod_search.php
+
+ /* Joomla 1.5.26 */
+ hash.sha1(0, filesize) == "85fac3ab56341ef579029c53e5ea323a8dfa1b52" or // joomla_1-5-26/administrator/includes/framework.php
+ hash.sha1(0, filesize) == "3beb62cf7a58dec09cb13d4dda49bad6a293c717" or // joomla_1-5-26/administrator/includes/pcl/zip.lib.php
+ hash.sha1(0, filesize) == "be38a35895b0ee2d1b42e49f7608d7e42f21be47" or // joomla_1-5-26/administrator/includes/pcl/pclzip.lib.php
+ hash.sha1(0, filesize) == "677cf350b9f337c3b26e49032553d16f7b382e08" or // joomla_1-5-26/administrator/includes/pcl/pcltrace.lib.php
+ hash.sha1(0, filesize) == "987fd65bcc88a9b603a2471668b8c79f83ba7fa6" or // joomla_1-5-26/administrator/components/com_admin/tmpl/sysinfo_phpsettings.php
+ hash.sha1(0, filesize) == "2a336697a27ec9fb70dee73a8f0d62c186b700f0" or // joomla_1-5-26/includes/framework.php
+ hash.sha1(0, filesize) == "755ddcdc8e92e27696594c3f509717cb955a9ba3" or // joomla_1-5-26/installation/installer/helper.php
+ hash.sha1(0, filesize) == "4f76943927794c805c0e08fef0213957593ab9be" or // joomla_1-5-26/installation/installer/models/model.php
+ hash.sha1(0, filesize) == "d5288abeefedf35e48952b1bbcffc83eb2a42826" or // joomla_1-5-26/installation/includes/framework.php
+ hash.sha1(0, filesize) == "ec702ecd2b18367805e15ef0ea928a81461b3f61" or // joomla_1-5-26/libraries/bitfolge/feedcreator.php
+ hash.sha1(0, filesize) == "0631834120635c6a7de325933d6dffcf4c61e8cc" or // joomla_1-5-26/libraries/tcpdf/tcpdf.php
+ hash.sha1(0, filesize) == "786576175ea4deed7e9c8cc31acd3a12f471bcb9" or // joomla_1-5-26/libraries/simplepie/simplepie.php
+ hash.sha1(0, filesize) == "1c7d8dffa505b62229c9795c44dee566e926edfc" or // joomla_1-5-26/libraries/phpmailer/phpmailer.php
+ hash.sha1(0, filesize) == "7d203fec985ff396d39528d3b853616e8d9bd4e0" or // joomla_1-5-26/libraries/phpgacl/gacl.php
+ hash.sha1(0, filesize) == "129152e28321565572f172a2a05c695e4f07984d" or // joomla_1-5-26/libraries/phpgacl/gacl_api.php
+ hash.sha1(0, filesize) == "3acc3e848b1baee6558459e80c9fec09a3051878" or // joomla_1-5-26/libraries/pattemplate/patTemplate/Reader/DB.php
+ hash.sha1(0, filesize) == "2d567a95c0b760a44f6e5974c8db4c7452b15402" or // joomla_1-5-26/libraries/pattemplate/patTemplate/Modifier/Expression.php
+ hash.sha1(0, filesize) == "fb7b5088a96868acc848daf21607843f59873029" or // joomla_1-5-26/libraries/pattemplate/patTemplate/OutputFilter/BBCode.php
+ hash.sha1(0, filesize) == "697c287f2a6f5957b1a39f8f2447123094567280" or // joomla_1-5-26/libraries/pattemplate/patTemplate/InputFilter/ShortModifiers.php
+ hash.sha1(0, filesize) == "a3b14cb0d3cb0a520912ec1d3edde0af1687c81f" or // joomla_1-5-26/libraries/pear/PEAR.php
+ hash.sha1(0, filesize) == "782683593e1048ffc604abb22778ee141252d211" or // joomla_1-5-26/libraries/geshi/geshi/php-brief.php
+ hash.sha1(0, filesize) == "f9ae7706d57c73206cd10eeec60a174e77d0dbd9" or // joomla_1-5-26/libraries/geshi/geshi/php.php
+ hash.sha1(0, filesize) == "05354871d2b8da48fb64c3ef0a327147cb81f72b" or // joomla_1-5-26/libraries/openid/Auth/OpenID/SQLStore.php
+ hash.sha1(0, filesize) == "86e240ae7cbca387876c412d858b99004ea54120" or // joomla_1-5-26/libraries/phpxmlrpc/xmlrpc_wrappers.php
+ hash.sha1(0, filesize) == "5ea69172c7e09972894c123fde1d9358d5df66f3" or // joomla_1-5-26/libraries/phpxmlrpc/xmlrpc.php
+ hash.sha1(0, filesize) == "5da3dc37ef08f3be7bb99ef51a6a3942ea91e4f9" or // joomla_1-5-26/libraries/joomla/html/parameter/element.php
+ hash.sha1(0, filesize) == "be59ea41f1e2476f8e76d48ec781827334017e35" or // joomla_1-5-26/libraries/joomla/html/parameter/element/text.php
+ hash.sha1(0, filesize) == "07f8cb80a69e07403b0d2174b8f5fe202241a25b" or // joomla_1-5-26/libraries/joomla/html/parameter/element/password.php
+ hash.sha1(0, filesize) == "671cffe53c66666dcd3e850844daa7dfd8375bb3" or // joomla_1-5-26/libraries/joomla/html/parameter/element/hidden.php
+ hash.sha1(0, filesize) == "521b80549c6fb34f8b110a21b11709675045bbaa" or // joomla_1-5-26/libraries/joomla/html/parameter/element/textarea.php
+ hash.sha1(0, filesize) == "2c40171aa8818fb29963c22c2b874a06761039c6" or // joomla_1-5-26/libraries/joomla/filesystem/folder.php
+ hash.sha1(0, filesize) == "10959888891115fd7b41bf1bc2fe20afbdf9e135" or // joomla_1-5-26/modules/mod_mainmenu/legacy.php
+ hash.sha1(0, filesize) == "0d2f24e7423555f6c6e0e413efc93ff83446ec90" or // joomla_1-5-26/modules/mod_mainmenu/helper.php
+ hash.sha1(0, filesize) == "b251525475347ed67b00ca98adc9382b71b6f387" or // joomla_1-5-26/modules/mod_search/tmpl/default.php
+ hash.sha1(0, filesize) == "366016c6b56a916c8ae4af22f6495e91b2b66e59" or // joomla_1-5-26/plugins/editors/none.php
+ hash.sha1(0, filesize) == "1f87be434eaa0721c5304a48eb417313e5842343" or // joomla_1-5-26/plugins/editors/tinymce.php
+ hash.sha1(0, filesize) == "03b44dcaedb31464bf38746dae5c4525d0f99a13" or // joomla_1-5-26/plugins/editors/xstandard.php
+ hash.sha1(0, filesize) == "4826755b04d3666623c4c5ca974f8a450578dd8e" or // joomla_1-5-26/plugins/editors/xstandard/directory.php
+ hash.sha1(0, filesize) == "c80bd63b5a9a4d03dd187b8dd36d7f0f45b3ac2b" or // joomla_1-5-26/plugins/editors/xstandard/attachmentlibrary.php
+ hash.sha1(0, filesize) == "6b7e8d779d52c6806c13813da9415b066047c253" or // joomla_1-5-26/plugins/editors/xstandard/imagelibrary.php
+ hash.sha1(0, filesize) == "9c347eeb9f5e4937a4aaa5865e6eabdc527e65b1" or // joomla_1-5-26/templates/beez/html/mod_search/default.php
+ hash.sha1(0, filesize) == "8f12d46b17c61e55185edb416cda3cf62d79cb93" or // joomla_1-5-26/xmlrpc/includes/framework.php
+
+ /* Joomla 2.5.28 */
+ hash.sha1(0, filesize) == "2f5ce478e92511e8c09311f094cc5a8cd26195c9" or // joomla_2-5-28/administrator/components/com_admin/models/sysinfo.php
+ hash.sha1(0, filesize) == "af612eaacb12df3bdf394d019ee486d1852a2038" or // joomla_2-5-28/administrator/components/com_config/models/fields/filters.php
+ hash.sha1(0, filesize) == "2eb3ba5006d019c05296a2e44aaa57e61552dd58" or // joomla_2-5-28/administrator/components/com_contact/models/fields/modal/contacts.php
+ hash.sha1(0, filesize) == "e3f311cbd80772589b002fc6d9c14ad6a259dc2c" or // joomla_2-5-28/administrator/components/com_content/models/fields/modal/article.php
+ hash.sha1(0, filesize) == "8222e9f0d8d4b613e74537f730d3cab12ec093f8" or // joomla_2-5-28/administrator/components/com_finder/models/index.php
+ hash.sha1(0, filesize) == "2d3ad273c490016abc57db8911092e9d3223c743" or // joomla_2-5-28/administrator/components/com_joomlaupdate/restore.php
+ hash.sha1(0, filesize) == "57e7f9f1c71cc7a5d3ea59cfd06be57afbf8a1ea" or // joomla_2-5-28/administrator/components/com_menus/models/item.php
+ hash.sha1(0, filesize) == "f07b8a49e6400d22e25443c950ab484f744fbb01" or // joomla_2-5-28/administrator/components/com_menus/models/fields/menutype.php
+ hash.sha1(0, filesize) == "03f77c91ec5695112eaf235955c28e15750ab2d0" or // joomla_2-5-28/administrator/components/com_menus/views/items/view.html.php
+ hash.sha1(0, filesize) == "60919a17a1412e60b3a2c147cb964f49873583e5" or // joomla_2-5-28/administrator/components/com_modules/models/fields/moduleorder.php
+ hash.sha1(0, filesize) == "bfaeda835e6db3297e17d8200f390431aacdc512" or // joomla_2-5-28/administrator/components/com_newsfeeds/models/fields/modal/newsfeeds.php
+ hash.sha1(0, filesize) == "d80fbb6c0d11aa0a1a1a167f929d2f685219be7b" or // joomla_2-5-28/administrator/components/com_redirect/models/link.php
+ hash.sha1(0, filesize) == "ab49b43c886aea5f4ddcb1d64f3cdb6c48ff4899" or // joomla_2-5-28/components/com_contact/views/contact/view.vcf.php
+ hash.sha1(0, filesize) == "c577f59e57d6d14ae12a69851b36c26dd8ae3ab4" or // joomla_2-5-28/components/com_finder/helpers/html/filter.php
+ hash.sha1(0, filesize) == "55fdbd0969a7f6323c7d3a5003e24caaf720d7a2" or // joomla_2-5-28/components/com_finder/models/search.php
+ hash.sha1(0, filesize) == "beb54a2d4c82d72c1d12225be2147ba494c08c20" or // joomla_2-5-28/installation/controllers/setup.json.php
+ hash.sha1(0, filesize) == "0515e290098aa25c57bfbe9c7a07db6bac18f230" or // joomla_2-5-28/installation/models/configuration.php
+ hash.sha1(0, filesize) == "4bb14a32bdad8370defa4e584a04fa00bf802397" or // joomla_2-5-28/installation/models/setup.php
+ hash.sha1(0, filesize) == "158122f6da81050e1f616ed4051edc94f2fc5162" or // joomla_2-5-28/installation/models/fields/prefix.php
+ hash.sha1(0, filesize) == "dc7e31017acd4908b0583afc9a8afc2b2a44a310" or // joomla_2-5-28/libraries/import.php
+ hash.sha1(0, filesize) == "45fab8bb5ac2fc7b79774553334a123ee436094f" or // joomla_2-5-28/libraries/joomla/application/daemon.php
+ hash.sha1(0, filesize) == "954f999c161e8236349e50ee974c23dffa6b4a8f" or // joomla_2-5-28/libraries/joomla/cache/storage/cachelite.php
+ hash.sha1(0, filesize) == "3c0cfc1fbc57a1464ba94e7a102a24485af2a516" or // joomla_2-5-28/libraries/joomla/environment/request.php
+ hash.sha1(0, filesize) == "35ee412c6858d5a9dd7afaad27ae984fc615c5e2" or // joomla_2-5-28/libraries/joomla/filesystem/folder.php
+ hash.sha1(0, filesize) == "64818c6c23aff63d14771c69fddfbba175f372b3" or // joomla_2-5-28/libraries/joomla/form/fields/checkbox.php
+ hash.sha1(0, filesize) == "60a319dd2d285fda6295f19320a4a090dffb6628" or // joomla_2-5-28/libraries/joomla/form/fields/checkboxes.php
+ hash.sha1(0, filesize) == "181535b423a908432580fe7d3ddea0f15dd6acfc" or // joomla_2-5-28/libraries/joomla/form/fields/color.php
+ hash.sha1(0, filesize) == "bcf21a48cd84186771b1cc6c3c5666e099368830" or // joomla_2-5-28/libraries/joomla/form/fields/email.php
+ hash.sha1(0, filesize) == "df85ba66d2d83a9e9bd3892c8058418ec261aecc" or // joomla_2-5-28/libraries/joomla/form/fields/file.php
+ hash.sha1(0, filesize) == "d1ffc9073c71ccf9aeb74fcca3a121814e35d383" or // joomla_2-5-28/libraries/joomla/form/fields/password.php
+ hash.sha1(0, filesize) == "2fc22930b350ad90bca80e40a72431453c468f6d" or // joomla_2-5-28/libraries/joomla/form/fields/radio.php
+ hash.sha1(0, filesize) == "faa3f8658f2efd25d6783203674b2a0ab7c0fc6c" or // joomla_2-5-28/libraries/joomla/form/fields/rules.php
+ hash.sha1(0, filesize) == "fc5746abac79d658dd0ae5c1a710aae8f27e9b86" or // joomla_2-5-28/libraries/joomla/form/fields/textarea.php
+ hash.sha1(0, filesize) == "0d2e4e7c3d15111a63fa9b97f436fcb9f3986aa4" or // joomla_2-5-28/libraries/joomla/html/grid.php
+ hash.sha1(0, filesize) == "6780bc931277c44ec6ef573cf39aedf96ca304ed" or // joomla_2-5-28/libraries/joomla/html/html/jgrid.php
+ hash.sha1(0, filesize) == "d2f51d230524fca2d80860f41fba853cfd3f0da7" or // joomla_2-5-28/libraries/joomla/html/html/select.php
+ hash.sha1(0, filesize) == "c549803ef75081c46e4a2a7f86b3230918ec3e7e" or // joomla_2-5-28/libraries/joomla/html/parameter/element.php
+ hash.sha1(0, filesize) == "3d85c4fef01d552f7e02c310c823f9d2e01bdb8c" or // joomla_2-5-28/libraries/joomla/html/parameter/element/hidden.php
+ hash.sha1(0, filesize) == "f544884acff1c002a894c7f5748f5880f05b3d96" or // joomla_2-5-28/libraries/joomla/html/parameter/element/password.php
+ hash.sha1(0, filesize) == "e505084ef873af343b66baf780c2e196e3c3fb85" or // joomla_2-5-28/libraries/joomla/html/parameter/element/text.php
+ hash.sha1(0, filesize) == "6e5c13d1b23bcf212221ec3e8dece6cfde1be6d5" or // joomla_2-5-28/libraries/joomla/html/parameter/element/textarea.php
+ hash.sha1(0, filesize) == "b450470d914098ea95ab7615481cec2dec2ccb4f" or // joomla_2-5-28/libraries/phpmailer/phpmailer.php
+ hash.sha1(0, filesize) == "020628492a773055e28ee8eba1a52de548e28960" or // joomla_2-5-28/libraries/simplepie/simplepie.php
+ hash.sha1(0, filesize) == "516634b11cce810e811a7a16f325fdaf18fc0a73" or // joomla_2-5-28/media/editors/codemirror/js/tokenizephp.js
+ hash.sha1(0, filesize) == "744d7184aca03fc8d6479a56f5864dbf8dec76f8" or // joomla_2-5-28/media/editors/tinymce/jscripts/tiny_mce/tiny_mce_src.js
+ hash.sha1(0, filesize) == "be0950ca8f8a4d9466119ee2f73973589e0fd0af" or // joomla_2-5-28/modules/mod_search/tmpl/default.php
+ hash.sha1(0, filesize) == "f5af668c28badaf198b18066c451f6070f8ef731" or // joomla_2-5-28/plugins/content/geshi/geshi/geshi/php-brief.php
+ hash.sha1(0, filesize) == "cc8e149a7aea65a8f8838f46a63aa170d1d909b1" or // joomla_2-5-28/plugins/content/geshi/geshi/geshi/php.php
+ hash.sha1(0, filesize) == "e9e03c59804307e94392bcf84b87a4d9a535fce0" or // joomla_2-5-28/plugins/editors/codemirror/codemirror.php
+ hash.sha1(0, filesize) == "522824b7739c3936f15d0176fc964128ec24f519" or // joomla_2-5-28/plugins/editors/none/none.php
+ hash.sha1(0, filesize) == "91519567a42c43dc9ad06bfe1303ba6b434cc282" or // joomla_2-5-28/plugins/editors/tinymce/tinymce.php
+ hash.sha1(0, filesize) == "c8868bbefcd67659f387dbf75af2759c98bf6e46" or // joomla_2-5-28/plugins/user/profile/profile.php
+ hash.sha1(0, filesize) == "4310a2aab1d3c25199aa91fc1bb729e542b727f7" or // joomla_2-5-28/templates/atomic/html/mod_search/default.php
+
+ /* Joomla 3.6.0 */
+ hash.sha1(0, filesize) == "a7ef90de8a66a2739e9a9f86603e3cb8d15cd7f6" or // joomla_3-6-0/administrator/components/com_admin/models/sysinfo.php
+ hash.sha1(0, filesize) == "fd855161cab72a1bac2dc35946843b70561c244b" or // joomla_3-6-0/administrator/components/com_categories/models/fields/modal/category.php
+ hash.sha1(0, filesize) == "755fa3de2d48dfe55f4eeeba4274fd1eed2091d0" or // joomla_3-6-0/administrator/components/com_contact/models/fields/modal/contact.php
+ hash.sha1(0, filesize) == "e6b8d6bc1121345671624b24e5a4b1e2e2a5578f" or // joomla_3-6-0/administrator/components/com_content/models/fields/modal/article.php
+ hash.sha1(0, filesize) == "bf6be5876f13fe53a4b344a7d3dc6ac79a5ae01b" or // joomla_3-6-0/administrator/components/com_joomlaupdate/controller.php
+ hash.sha1(0, filesize) == "c459b327f1708bc88401cd4a3bc6b5115816ff4c" or // joomla_3-6-0/administrator/components/com_joomlaupdate/restore.php
+ hash.sha1(0, filesize) == "7c78c131f3a66b44969dc237003db214118221bd" or // joomla_3-6-0/administrator/components/com_joomlaupdate/views/upload/view.html.php
+ hash.sha1(0, filesize) == "d3a47659b49434cb7cd4b789e45c29e104095f7e" or // joomla_3-6-0/administrator/components/com_menus/models/item.php
+ hash.sha1(0, filesize) == "1026d85816bae0ce8655da6973b3bfc7563067a4" or // joomla_3-6-0/administrator/components/com_menus/views/items/view.html.php
+ hash.sha1(0, filesize) == "89af239302e3d6d0ed3f447c19a0af169d65bbce" or // joomla_3-6-0/administrator/components/com_newsfeeds/models/fields/modal/newsfeed.php
+ hash.sha1(0, filesize) == "f51ff9fb198982f7806f25ebfda5596ed80f8687" or // joomla_3-6-0/administrator/modules/mod_menu/menu.php
+ hash.sha1(0, filesize) == "1dfea229f99510bc2e375d586d588bf7329f07fa" or // joomla_3-6-0/administrator/templates/isis/login.php
+ hash.sha1(0, filesize) == "e43453801a55b10f5fb12958e9e25f2e0ad665af" or // joomla_3-6-0/administrator/templates/isis/html/pagination.php
+ hash.sha1(0, filesize) == "092f00b22397fff5a75a4b06534ebf0588fed22f" or // joomla_3-6-0/components/com_contact/views/contact/view.vcf.php
+ hash.sha1(0, filesize) == "c045e54d5d1ae123c0ac0628dad746aff90f8c5b" or // joomla_3-6-0/installation/controller/removefolder.php
+ hash.sha1(0, filesize) == "e4ff58fccc10bf5756cf911ac72fb7835704d0ee" or // joomla_3-6-0/installation/form/field/prefix.php
+ hash.sha1(0, filesize) == "4ae1e722be134a35e7dbbccbd6dfa4643c0650d5" or // joomla_3-6-0/installation/model/configuration.php
+ hash.sha1(0, filesize) == "6f1aa19439795a7bd3cf3031f730a945dc6257c5" or // joomla_3-6-0/installation/model/setup.php
+ hash.sha1(0, filesize) == "b280ad67adfd188772065daeaa7107c4f0a84831" or // joomla_3-6-0/layouts/joomla/html/sortablelist.php
+ hash.sha1(0, filesize) == "15f4fd20eb96597c3e9046bea1733f1aa8a6e758" or // joomla_3-6-0/libraries/cms/form/field/moduleorder.php
+ hash.sha1(0, filesize) == "8d7cf832538b98a5fe365dd946f2f946f17405c4" or // joomla_3-6-0/libraries/cms/html/jgrid.php
+ hash.sha1(0, filesize) == "fd148c06de4044ff9086063d3cfc04d81d1549da" or // joomla_3-6-0/libraries/cms/plugin/helper.php
+ hash.sha1(0, filesize) == "8a97900127e34ec021b9ce7d73da4a63b2104d2c" or // joomla_3-6-0/libraries/fof/autoloader/component.php
+ hash.sha1(0, filesize) == "a99a17704f24a0bbff3da6d94ea79a1d67e6a1bc" or // joomla_3-6-0/libraries/fof/form/field/checkbox.php
+ hash.sha1(0, filesize) == "5bd5dbd4fe7a961c1cee089a794774c0ab18ad3e" or // joomla_3-6-0/libraries/fof/form/field/rules.php
+ hash.sha1(0, filesize) == "618f0bcb2b619de2f9a20d119653b53a33d7ea56" or // joomla_3-6-0/libraries/fof/form/header/fieldfilterable.php
+ hash.sha1(0, filesize) == "9857a68cfae4926c9b1f02cd5e9c1f1df40f7be4" or // joomla_3-6-0/libraries/fof/form/header/fieldsearchable.php
+ hash.sha1(0, filesize) == "849dcd8535fdf0bd1fbfdc31f045e81d1d231d23" or // joomla_3-6-0/libraries/fof/integration/joomla/platform.php
+ hash.sha1(0, filesize) == "2e2878d78dedffdc4906a3bec571393d3bd1ed63" or // joomla_3-6-0/libraries/fof/platform/platform.php
+ hash.sha1(0, filesize) == "013483a141fe6cbca788d04d0c8fb2065a1c4e8a" or // joomla_3-6-0/libraries/fof/render/joomla.php
+ hash.sha1(0, filesize) == "fcd03676d2b73cd6583af983a5f86f4331116061" or // joomla_3-6-0/libraries/fof/view/view.php
+ hash.sha1(0, filesize) == "dc8d4e17c21d492b91a2354b885eece35db2cfa9" or // joomla_3-6-0/libraries/joomla/application/daemon.php
+ hash.sha1(0, filesize) == "a5d803759a8074c2adeb0c9cf1a0970bf94f7bbc" or // joomla_3-6-0/libraries/joomla/cache/storage/cachelite.php
+ hash.sha1(0, filesize) == "510974d2274b943745666350c7837eb04fa4cf41" or // joomla_3-6-0/libraries/joomla/database/driver/postgresql.php
+ hash.sha1(0, filesize) == "bead70c8ad7b8418120d06fc4aec71a552daa8a3" or // joomla_3-6-0/libraries/joomla/filesystem/folder.php
+ hash.sha1(0, filesize) == "3f6070c2a496de6d762537182f345817508824ce" or // joomla_3-6-0/libraries/joomla/form/fields/checkbox.php
+ hash.sha1(0, filesize) == "e518dc636705b7fa75a61762ce4724dc6fba6cb0" or // joomla_3-6-0/libraries/joomla/form/fields/color.php
+ hash.sha1(0, filesize) == "ff5e16223c8e94221c901122b09c2a82d3e63be0" or // joomla_3-6-0/libraries/joomla/form/fields/email.php
+ hash.sha1(0, filesize) == "fd70c0097a92911b0aefe272f0625b9c39ae03e1" or // joomla_3-6-0/libraries/joomla/form/fields/number.php
+ hash.sha1(0, filesize) == "6a97c1e6adf28228f28fd48b4221ecdc13597226" or // joomla_3-6-0/libraries/joomla/form/fields/password.php
+ hash.sha1(0, filesize) == "8c693dafc63e5773455762f802219862aa45c9b1" or // joomla_3-6-0/libraries/joomla/form/fields/range.php
+ hash.sha1(0, filesize) == "5d870a7cf7ab9de40ab05374d98c13e43b63b308" or // joomla_3-6-0/libraries/joomla/form/fields/tel.php
+ hash.sha1(0, filesize) == "d6e842860cbf3c2e58f6ba9d28031bda37777149" or // joomla_3-6-0/libraries/joomla/form/fields/text.php
+ hash.sha1(0, filesize) == "2ab4558abc605bdb41b5f732898cb39e81e3ff87" or // joomla_3-6-0/libraries/joomla/form/fields/textarea.php
+ hash.sha1(0, filesize) == "504d4ef414270763dfc93259ba1c8950c5b382a6" or // joomla_3-6-0/libraries/joomla/form/fields/url.php
+ hash.sha1(0, filesize) == "a5e092f7ef31b4d61f9d614c019602c34284aa9e" or // joomla_3-6-0/libraries/joomla/grid/grid.php
+ hash.sha1(0, filesize) == "c6d240d5f4a98534716ce93949794229d8815fd0" or // joomla_3-6-0/libraries/joomla/http/transport/curl.php
+ hash.sha1(0, filesize) == "43e3343d1df42d6fe04ec535cab80a335be70ea8" or // joomla_3-6-0/libraries/joomla/openstreetmap/gps.php
+ hash.sha1(0, filesize) == "cc75280fdb8a7f23ccd55444acf5955e24f5d86e" or // joomla_3-6-0/libraries/vendor/joomla/application/src/AbstractDaemonApplication.php
+ hash.sha1(0, filesize) == "d8fb32c446cb3587f78fa6ee6e91adab71a92203" or // joomla_3-6-0/libraries/vendor/phpmailer/phpmailer/class.phpmailer.php
+ hash.sha1(0, filesize) == "735c6fac986a25d5538593534da623e06cb55f65" or // joomla_3-6-0/media/editors/tinymce/tinymce.min.js
+ hash.sha1(0, filesize) == "01118e69f6836bdb1426028dae1bc0f34ea7cc6f" or // joomla_3-6-0/plugins/content/pagebreak/pagebreak.php
+ hash.sha1(0, filesize) == "947ae10ce4e4d4ca1de29bdc30ac211b92628ddd" or // joomla_3-6-0/plugins/system/debug/debug.php
+ hash.sha1(0, filesize) == "39afd60df3da580acc01433f5320325c3a95b759" or // joomla_3-6-0/plugins/user/profile/profile.php
+ false
+}
From 98030116c8cac19e534763d8f4a0309246da18d2 Mon Sep 17 00:00:00 2001
From: HansPHP
Date: Fri, 10 Apr 2020 17:45:56 -0500
Subject: [PATCH 02/36] Yara rule Joomla 3.0.1
---
 php-malware-finder/whitelists/joomla.yar | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/php-malware-finder/whitelists/joomla.yar b/php-malware-finder/whitelists/joomla.yar
index d5a8717..0dd006a 100644
--- a/php-malware-finder/whitelists/joomla.yar
+++ b/php-malware-finder/whitelists/joomla.yar
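Review bot: The new rule records nothing about where its 200 SHA-1 values came from except the `generated` timestamp in `meta:`, and the trailing comments name local extraction directories (`joomla_1-0-15/...`), not the release archives Joomla publishes, so a reviewer cannot re-derive or re-verify any entry. Because `Joomla` is OR-ed into `IsWhitelisted` in the whitelist.yar hunk above, a hash match presumably exempts a file from the scanner's other rules, which makes provenance worth recording: add entries such as `source = "<release archive name or URL>"` and `source_sha256 = "<archive checksum>"` to the meta section (placeholders), or open each `/* Joomla x.y.z */` block with a one-line comment naming the archive it was generated from. SHA-1 itself is adequate here, since producing a different file that matches an already-fixed hash is a second-preimage problem that SHA-1 still resists, and the file should stay consistent with the other whitelists rather than switching digests on its own. The same provenance gap applies to the 3.6.1 block added in the hunk of PATCH 04/36.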
@@ -196,5 +196,22 @@ private rule Joomla : CMS
 hash.sha1(0, filesize) == "01118e69f6836bdb1426028dae1bc0f34ea7cc6f" or // joomla_3-6-0/plugins/content/pagebreak/pagebreak.php
 hash.sha1(0, filesize) == "947ae10ce4e4d4ca1de29bdc30ac211b92628ddd" or // joomla_3-6-0/plugins/system/debug/debug.php
 hash.sha1(0, filesize) == "39afd60df3da580acc01433f5320325c3a95b759" or // joomla_3-6-0/plugins/user/profile/profile.php
+
+ /* Joomla_3.6.1 */
+ hash.sha1(0, filesize) == "34a95343c7d5fd48f9d4138fe76f087922343fe9" or // joomla_3-6-1/administrator/components/com_joomlaupdate/restore.php
+ hash.sha1(0, filesize) == "c4c9ea74ba4c98e16f72df323d8316276f2f5112" or // joomla_3-6-1/administrator/components/com_menus/models/item.php
+ hash.sha1(0, filesize) == "4dbb31f9048cfc3faacf1ed5500e37773e0a9440" or // joomla_3-6-1/administrator/components/com_menus/views/items/view.html.php
+ hash.sha1(0, filesize) == "53a029c00670975796857ddd4353e2b87493de65" or // joomla_3-6-1/installation/controller/removefolder.php
+ hash.sha1(0, filesize) == "bf0d9e699c2221b63e9b6e470435e5c7f147f66f" or // joomla_3-6-1/installation/form/field/prefix.php
+ hash.sha1(0, filesize) == "244ebd1305c1ef19348125260131e27671b15617" or // joomla_3-6-1/libraries/cms/html/jgrid.php
+ hash.sha1(0, filesize) == "c2c0bbec3363b748dc5d78e2655eb8a90ccfcd82" or // joomla_3-6-1/libraries/idna_convert/idna_convert.class.php
+ hash.sha1(0, filesize) == "28954800384fd75c8e11121b4a9b4efc12074e73" or // joomla_3-6-1/libraries/joomla/database/driver/postgresql.php
+ hash.sha1(0, filesize) == "6054b200b8fa9ba03185912a4cccc40d245f4d10" or // joomla_3-6-1/libraries/vendor/joomla/di/src/Container.php
+ hash.sha1(0, filesize) == "78a8b547b26ae217d47b5dfa4f44b34e9f7e7dc2" or // joomla_3-6-1/libraries/vendor/paragonie/random_compat/lib/random.php
+ hash.sha1(0, filesize) == "23c0dab95ceec5fcbbac64053005241a799fbe89" or // joomla_3-6-1/libraries/vendor/simplepie/simplepie/idn/idna_convert.class.php
+ hash.sha1(0, filesize) == "c605d1224cf4b24ad2457dd87885de9030e20731" or // joomla_3-6-1/libraries/vendor/simplepie/simplepie/library/SimplePie/File.php
+ hash.sha1(0, filesize) == "ff2568e33a91fcca39344b555f4c3bb59a7a008d" or // joomla_3-6-1/media/editors/codemirror/mode/scheme/scheme.js
+ hash.sha1(0, filesize) == "c87c3e831d6994f0c2dce12921bc3b4d407b2397" or // joomla_3-6-1/media/editors/tinymce/tinymce.min.js
+ hash.sha1(0, filesize) == "f5faccaf081690f96856d96a8458d1f37d5b1dae" or // joomla_3-6-1/plugins/system/debug/debug.php
 false
 }
From bfbd0f20644e18d1e3e71fc4255736db569edca6 Mon Sep 17 00:00:00 2001
From: HansPHP
Date: Fri, 10 Apr 2020 18:15:44 -0500
Subject: [PATCH 03/36] Revert "Yara rule Joomla 3.0.1"
This reverts commit 98030116c8cac19e534763d8f4a0309246da18d2.
---
 php-malware-finder/whitelists/joomla.yar | 17 -----------------
 1 file changed, 17 deletions(-)
diff --git a/php-malware-finder/whitelists/joomla.yar b/php-malware-finder/whitelists/joomla.yar
index 0dd006a..d5a8717 100644
--- a/php-malware-finder/whitelists/joomla.yar
+++ b/php-malware-finder/whitelists/joomla.yar
@@ -196,22 +196,5 @@ private rule Joomla : CMS
 hash.sha1(0, filesize) == "01118e69f6836bdb1426028dae1bc0f34ea7cc6f" or // joomla_3-6-0/plugins/content/pagebreak/pagebreak.php
 hash.sha1(0, filesize) == "947ae10ce4e4d4ca1de29bdc30ac211b92628ddd" or // joomla_3-6-0/plugins/system/debug/debug.php
 hash.sha1(0, filesize) == "39afd60df3da580acc01433f5320325c3a95b759" or // joomla_3-6-0/plugins/user/profile/profile.php
-
- /* Joomla_3.6.1 */
- hash.sha1(0, filesize) == "34a95343c7d5fd48f9d4138fe76f087922343fe9" or // joomla_3-6-1/administrator/components/com_joomlaupdate/restore.php
- hash.sha1(0, filesize) == "c4c9ea74ba4c98e16f72df323d8316276f2f5112" or // joomla_3-6-1/administrator/components/com_menus/models/item.php
- hash.sha1(0, filesize) == "4dbb31f9048cfc3faacf1ed5500e37773e0a9440" or // joomla_3-6-1/administrator/components/com_menus/views/items/view.html.php
- hash.sha1(0, filesize) == "53a029c00670975796857ddd4353e2b87493de65" or // joomla_3-6-1/installation/controller/removefolder.php
- hash.sha1(0, filesize) == "bf0d9e699c2221b63e9b6e470435e5c7f147f66f" or // joomla_3-6-1/installation/form/field/prefix.php
- hash.sha1(0, filesize) == "244ebd1305c1ef19348125260131e27671b15617" or // joomla_3-6-1/libraries/cms/html/jgrid.php
- hash.sha1(0, filesize) == "c2c0bbec3363b748dc5d78e2655eb8a90ccfcd82" or // joomla_3-6-1/libraries/idna_convert/idna_convert.class.php
- hash.sha1(0, filesize) == "28954800384fd75c8e11121b4a9b4efc12074e73" or // joomla_3-6-1/libraries/joomla/database/driver/postgresql.php
- hash.sha1(0, filesize) == "6054b200b8fa9ba03185912a4cccc40d245f4d10" or // joomla_3-6-1/libraries/vendor/joomla/di/src/Container.php
- hash.sha1(0, filesize) == "78a8b547b26ae217d47b5dfa4f44b34e9f7e7dc2" or // joomla_3-6-1/libraries/vendor/paragonie/random_compat/lib/random.php
- hash.sha1(0, filesize) == "23c0dab95ceec5fcbbac64053005241a799fbe89" or // joomla_3-6-1/libraries/vendor/simplepie/simplepie/idn/idna_convert.class.php
- hash.sha1(0, filesize) == "c605d1224cf4b24ad2457dd87885de9030e20731" or // joomla_3-6-1/libraries/vendor/simplepie/simplepie/library/SimplePie/File.php
- hash.sha1(0, filesize) == "ff2568e33a91fcca39344b555f4c3bb59a7a008d" or // joomla_3-6-1/media/editors/codemirror/mode/scheme/scheme.js
- hash.sha1(0, filesize) == "c87c3e831d6994f0c2dce12921bc3b4d407b2397" or // joomla_3-6-1/media/editors/tinymce/tinymce.min.js
- hash.sha1(0, filesize) == "f5faccaf081690f96856d96a8458d1f37d5b1dae" or // joomla_3-6-1/plugins/system/debug/debug.php
 false
 }
From 10d7a5c7d8e5fc85bffe98aae3a87eab96842399 Mon Sep 17 00:00:00 2001
From: HansPHP
Date: Fri, 10 Apr 2020 18:17:01 -0500
Subject: [PATCH 04/36] Yara rule Joomla 3.6.1
---
 php-malware-finder/whitelists/joomla.yar | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/php-malware-finder/whitelists/joomla.yar b/php-malware-finder/whitelists/joomla.yar
index d5a8717..b9df445 100644
--- a/php-malware-finder/whitelists/joomla.yar
+++ b/php-malware-finder/whitelists/joomla.yar
@@ -196,5 +196,22 @@ private rule Joomla : CMS hash.sha1(0, filesize) == "01118e69f6836bdb1426028dae1bc0f34ea7cc6f" or // joomla_3-6-0/plugins/content/pagebreak/pagebreak.php hash.sha1(0, filesize) == "947ae10ce4e4d4ca1de29bdc30ac211b92628ddd" or // joomla_3-6-0/plugins/system/debug/debug.php hash.sha1(0, filesize) == "39afd60df3da580acc01433f5320325c3a95b759" or // joomla_3-6-0/plugins/user/profile/profile.php + + /* Joomla 3.6.1 */ + hash.sha1(0, filesize) == "34a95343c7d5fd48f9d4138fe76f087922343fe9" or // joomla_3-6-1/administrator/components/com_joomlaupdate/restore.php + hash.sha1(0, filesize) == "c4c9ea74ba4c98e16f72df323d8316276f2f5112" or // joomla_3-6-1/administrator/components/com_menus/models/item.php + hash.sha1(0, filesize) == "4dbb31f9048cfc3faacf1ed5500e37773e0a9440" or // joomla_3-6-1/administrator/components/com_menus/views/items/view.html.php + hash.sha1(0, filesize) == "53a029c00670975796857ddd4353e2b87493de65" or // joomla_3-6-1/installation/controller/removefolder.php + hash.sha1(0, filesize) == "bf0d9e699c2221b63e9b6e470435e5c7f147f66f" or // joomla_3-6-1/installation/form/field/prefix.php + hash.sha1(0, filesize) == "244ebd1305c1ef19348125260131e27671b15617" or // joomla_3-6-1/libraries/cms/html/jgrid.php + hash.sha1(0, filesize) == "c2c0bbec3363b748dc5d78e2655eb8a90ccfcd82" or // joomla_3-6-1/libraries/idna_convert/idna_convert.class.php + hash.sha1(0, filesize) == "28954800384fd75c8e11121b4a9b4efc12074e73" or // joomla_3-6-1/libraries/joomla/database/driver/postgresql.php + hash.sha1(0, filesize) == "6054b200b8fa9ba03185912a4cccc40d245f4d10" or // joomla_3-6-1/libraries/vendor/joomla/di/src/Container.php + hash.sha1(0, filesize) == "78a8b547b26ae217d47b5dfa4f44b34e9f7e7dc2" or // joomla_3-6-1/libraries/vendor/paragonie/random_compat/lib/random.php + hash.sha1(0, filesize) == "23c0dab95ceec5fcbbac64053005241a799fbe89" or // joomla_3-6-1/libraries/vendor/simplepie/simplepie/idn/idna_convert.class.php + hash.sha1(0, filesize) == 
"c605d1224cf4b24ad2457dd87885de9030e20731" or // joomla_3-6-1/libraries/vendor/simplepie/simplepie/library/SimplePie/File.php + hash.sha1(0, filesize) == "ff2568e33a91fcca39344b555f4c3bb59a7a008d" or // joomla_3-6-1/media/editors/codemirror/mode/scheme/scheme.js + hash.sha1(0, filesize) == "c87c3e831d6994f0c2dce12921bc3b4d407b2397" or // joomla_3-6-1/media/editors/tinymce/tinymce.min.js + hash.sha1(0, filesize) == "f5faccaf081690f96856d96a8458d1f37d5b1dae" or // joomla_3-6-1/plugins/system/debug/debug.php false } From fd380f2984f757205a25486724970561aa5f74ea Mon Sep 17 00:00:00 2001 From: HansPHP Date: Fri, 10 Apr 2020 18:20:54 -0500 Subject: [PATCH 05/36] Yara rule Joomla 3.6.3 --- php-malware-finder/whitelists/joomla.yar | 36 ++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/php-malware-finder/whitelists/joomla.yar b/php-malware-finder/whitelists/joomla.yar index b9df445..6c1ee18 100644 --- a/php-malware-finder/whitelists/joomla.yar +++ b/php-malware-finder/whitelists/joomla.yar 
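Review bot: Nothing in the added `/* Joomla 3.6.1 */` block records which release artifact the hashed files were taken from, so none of these entries can be regenerated or independently checked; the per-entry comment gives only a path inside an unpacked tree. Because every hash here suppresses the scanner for a matching file, the block header should name the release archive and its checksum, e.g. `/* Joomla 3.6.1 — hashed from <official release archive>, sha256 <ARCHIVE_SHA256> */`, and the same applies to each later version block in this series (the hunks at L21–L40). If the rule's `meta:` section carries a generation timestamp, hand-appended blocks like this one presumably leave it describing only the baseline, so the date of the re-run belongs in the block header or the meta value should be refreshed. This hunk restores under a new label the entries the preceding hunk (L17–L18) removed, so the point concerns the whole chain rather than this commit alone.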
@@ -213,5 +213,41 @@ private rule Joomla : CMS hash.sha1(0, filesize) == "ff2568e33a91fcca39344b555f4c3bb59a7a008d" or // joomla_3-6-1/media/editors/codemirror/mode/scheme/scheme.js hash.sha1(0, filesize) == "c87c3e831d6994f0c2dce12921bc3b4d407b2397" or // joomla_3-6-1/media/editors/tinymce/tinymce.min.js hash.sha1(0, filesize) == "f5faccaf081690f96856d96a8458d1f37d5b1dae" or // joomla_3-6-1/plugins/system/debug/debug.php + + /* Joomla 3.6.3 */ + hash.sha1(0, filesize) == "757be831213ecf7578914177eab5c9b39e61567d" or // joomla_3-6-3/administrator/components/com_categories/models/fields/modal/category.php + hash.sha1(0, filesize) == "c24359f621090d764974c92ce7b057703e9c0127" or // joomla_3-6-3/administrator/components/com_contact/models/fields/modal/contact.php + hash.sha1(0, filesize) == "a33f63a203ab66b54b4d13b08973b1d6c2880f20" or // joomla_3-6-3/administrator/components/com_content/models/fields/modal/article.php + hash.sha1(0, filesize) == "e996196e2cc627dcb01a8b26beb5494ee556d25e" or // joomla_3-6-3/administrator/components/com_joomlaupdate/restore.php + hash.sha1(0, filesize) == "0b75353a9c6beab3a811ba644591f91c9e693281" or // joomla_3-6-3/administrator/components/com_menus/models/item.php + hash.sha1(0, filesize) == "f828003e702e0e03ffcc8d498a13634827dddc40" or // joomla_3-6-3/administrator/components/com_menus/views/items/view.html.php + hash.sha1(0, filesize) == "10bc537aa9ccef1847f160ca40166aaa8b640711" or // joomla_3-6-3/administrator/components/com_newsfeeds/models/fields/modal/newsfeed.php + hash.sha1(0, filesize) == "d5bf7d1aee76a66ad6f55e6d97948d470e2c98ab" or // joomla_3-6-3/administrator/templates/isis/login.php + hash.sha1(0, filesize) == "a30b3af583007c19a3e65879bdaa30808945d827" or // joomla_3-6-3/installation/model/configuration.php + hash.sha1(0, filesize) == "85580c6bce63b46a21ac79afd81a5332c8b7a397" or // joomla_3-6-3/installation/model/setup.php + hash.sha1(0, filesize) == "72748ec8037ed13b7a6f46e3245fae720d76363e" or // 
joomla_3-6-3/libraries/cms/html/jgrid.php + hash.sha1(0, filesize) == "0c58c2370b643d9224cdea9f9ccc061ad343e4e2" or // joomla_3-6-3/libraries/cms/plugin/helper.php + hash.sha1(0, filesize) == "bbe98303abc781e9e077fc96cf7d220ee6ee83c0" or // joomla_3-6-3/libraries/fof/autoloader/component.php + hash.sha1(0, filesize) == "270c4a88e1e7e80b5cb2b9f52e110bae9f9cb851" or // joomla_3-6-3/libraries/fof/database/driver/postgresql.php + hash.sha1(0, filesize) == "beeb74f20576ebbe1f3a437cb27fccf23a433dd6" or // joomla_3-6-3/libraries/fof/form/field/checkbox.php + hash.sha1(0, filesize) == "077840e205471f9e89870e23d805366a4f6eab4e" or // joomla_3-6-3/libraries/fof/form/field/rules.php + hash.sha1(0, filesize) == "f6d0be1dc1546fa9df4f52b1d4fb1ced83569e16" or // joomla_3-6-3/libraries/fof/form/header/fieldfilterable.php + hash.sha1(0, filesize) == "075bb9e117bcdebee4eb123af6bcddc85f93bd75" or // joomla_3-6-3/libraries/fof/form/header/fieldsearchable.php + hash.sha1(0, filesize) == "c828604b08aa559beaa907e37ef09d42ddc74ce0" or // joomla_3-6-3/libraries/fof/integration/joomla/platform.php + hash.sha1(0, filesize) == "d84bc10f18bb931340610dbdc50d5bcc63ca56a7" or // joomla_3-6-3/libraries/fof/platform/platform.php + hash.sha1(0, filesize) == "ed4654cc92de6f2fb5eb8fa34cb6d9f389bab83c" or // joomla_3-6-3/libraries/fof/render/joomla.php + hash.sha1(0, filesize) == "f54ccd0ab49e96e5abea4d94c4aacf0b0d86ec3b" or // joomla_3-6-3/libraries/fof/view/view.php + hash.sha1(0, filesize) == "2f3c07ca02fa6cbab338d2fa6a274b74fbbe598d" or // joomla_3-6-3/libraries/joomla/application/daemon.php + hash.sha1(0, filesize) == "9310d8a7ca905f11e2c0afe3f6c4df0b23825885" or // joomla_3-6-3/libraries/joomla/cache/storage/cachelite.php + hash.sha1(0, filesize) == "b953df469463696999be4d0c4add95ffa12d3a44" or // joomla_3-6-3/libraries/joomla/database/driver/postgresql.php + hash.sha1(0, filesize) == "28c0818a90ac537fe6a9802d5ac37804238e0c43" or // joomla_3-6-3/libraries/joomla/filesystem/folder.php + 
hash.sha1(0, filesize) == "e43aec0d68706fe1607b6b9ad4395383b22bfb12" or // joomla_3-6-3/libraries/joomla/form/fields/checkbox.php + hash.sha1(0, filesize) == "8007a80bafe5febe9fa2a671da5eea0e845b7ad2" or // joomla_3-6-3/libraries/joomla/form/fields/color.php + hash.sha1(0, filesize) == "10994fbb88485204e18dad6a63d966bb5bd3ad8e" or // joomla_3-6-3/libraries/joomla/form/fields/email.php + hash.sha1(0, filesize) == "e2cd756ae3dca06778d0b6186f6247dd917ffc47" or // joomla_3-6-3/libraries/joomla/openstreetmap/gps.php + hash.sha1(0, filesize) == "ea9abca70ac6b383a4ab6c14a94a91a1103287fc" or // joomla_3-6-3/libraries/vendor/phpmailer/phpmailer/class.phpmailer.php + hash.sha1(0, filesize) == "5f1df16ff22abd2e0707bee24b3ac96d0acff4e5" or // joomla_3-6-3/plugins/content/pagebreak/pagebreak.php + hash.sha1(0, filesize) == "c2bafc2a1e49c3f80e6a1778937e9e1cd21538cc" or // joomla_3-6-3/plugins/system/debug/debug.php + hash.sha1(0, filesize) == "e24010d61931182632e4c8e0d96c14c1796ed0b0" or // joomla_3-6-3/plugins/user/profile/profile.php false } From 36da1f3c607b6998c598f8d18ed22c3aaed47b4a Mon Sep 17 00:00:00 2001 From: HansPHP Date: Fri, 10 Apr 2020 18:24:13 -0500 Subject: [PATCH 06/36] Yara rule Joomla 3.7.0 --- php-malware-finder/whitelists/joomla.yar | 30 ++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/php-malware-finder/whitelists/joomla.yar b/php-malware-finder/whitelists/joomla.yar index 6c1ee18..f7405ae 100644 --- a/php-malware-finder/whitelists/joomla.yar +++ b/php-malware-finder/whitelists/joomla.yar 
@@ -249,5 +249,35 @@ private rule Joomla : CMS hash.sha1(0, filesize) == "5f1df16ff22abd2e0707bee24b3ac96d0acff4e5" or // joomla_3-6-3/plugins/content/pagebreak/pagebreak.php hash.sha1(0, filesize) == "c2bafc2a1e49c3f80e6a1778937e9e1cd21538cc" or // joomla_3-6-3/plugins/system/debug/debug.php hash.sha1(0, filesize) == "e24010d61931182632e4c8e0d96c14c1796ed0b0" or // joomla_3-6-3/plugins/user/profile/profile.php + + /* Joomla 3.7.0 */ + hash.sha1(0, filesize) == "8a58bcb22ef6e20ab4f0ae05d2aa0557f21d1c01" or // joomla_3-7-0/administrator/components/com_admin/models/sysinfo.php + hash.sha1(0, filesize) == "f1cedf727ccc5c59048ee50ba752bf4c74ec3b29" or // joomla_3-7-0/administrator/components/com_joomlaupdate/restore.php + hash.sha1(0, filesize) == "05bcbc5f059b4d488d3e449f21b120f9b780fdcf" or // joomla_3-7-0/administrator/components/com_menus/models/item.php + hash.sha1(0, filesize) == "f97ab583d80229129e6f5a24b465bb6e4e47094f" or // joomla_3-7-0/administrator/components/com_menus/views/items/view.html.php + hash.sha1(0, filesize) == "2b458c132d8e5df7ba7995b26bcf269c2f3a59cd" or // joomla_3-7-0/administrator/modules/mod_menu/menu.php + hash.sha1(0, filesize) == "5b1356c069e740268db94d469e3f7914bd9ee676" or // joomla_3-7-0/administrator/templates/isis/login.php + hash.sha1(0, filesize) == "5d6d3172cc5e962071798020e5b2d009fb28112c" or // joomla_3-7-0/administrator/templates/isis/html/pagination.php + hash.sha1(0, filesize) == "55fdfc4f276b58753589da439b29239298079a38" or // joomla_3-7-0/components/com_contact/views/contact/view.vcf.php + hash.sha1(0, filesize) == "f4e9d31c439bbdde7b62ebea772a7732291e0529" or // joomla_3-7-0/installation/controller/removefolder.php + hash.sha1(0, filesize) == "1662a6d57c3f963b5f4e975811672be7270b3831" or // joomla_3-7-0/installation/form/field/prefix.php + hash.sha1(0, filesize) == "7f70b3962c7126b5ae43c5826e0dee6a62d188e0" or // joomla_3-7-0/installation/model/configuration.php + hash.sha1(0, filesize) == 
"e91137844deacbc4acd964d3816671903e6bc664" or // joomla_3-7-0/installation/model/setup.php + hash.sha1(0, filesize) == "07205231fd8320cb12537a4c9f2ebf142bd65e46" or // joomla_3-7-0/layouts/joomla/html/sortablelist.php + hash.sha1(0, filesize) == "26900c5bdaa2f4bbe2923695eceadf2dd23d5b10" or // joomla_3-7-0/libraries/cms/html/jgrid.php + hash.sha1(0, filesize) == "c5d330dee38d47ae239d3d278f0542ae696ab2d9" or // joomla_3-7-0/libraries/cms/plugin/helper.php + hash.sha1(0, filesize) == "ee3d5d875f80a7967f9c6465097fad37c60bfc97" or // joomla_3-7-0/libraries/joomla/application/daemon.php + hash.sha1(0, filesize) == "e64474bc59e703e9f331436ed27f3ae5b7a0ad61" or // joomla_3-7-0/libraries/joomla/cache/storage/cachelite.php + hash.sha1(0, filesize) == "1da1fc01568fbdd9f3d921808956c838f14f4d64" or // joomla_3-7-0/libraries/joomla/database/driver/postgresql.php + hash.sha1(0, filesize) == "f17a06279999e0bea125c1ec5df7d19fbbd50e46" or // joomla_3-7-0/libraries/joomla/filesystem/folder.php + hash.sha1(0, filesize) == "46eb8e83f799793067565f3c6545de584bd9374f" or // joomla_3-7-0/libraries/joomla/form/fields/checkbox.php + hash.sha1(0, filesize) == "1effc40b314dfb46ad4a67384828d6d71d1bb899" or // joomla_3-7-0/libraries/joomla/grid/grid.php + hash.sha1(0, filesize) == "c2815f23baba2d592030fc8c19397eb45dc72edc" or // joomla_3-7-0/libraries/joomla/http/transport/curl.php + hash.sha1(0, filesize) == "8548f1b6880bc593884a1e7b7b35807b9e16e728" or // joomla_3-7-0/libraries/joomla/openstreetmap/gps.php + hash.sha1(0, filesize) == "8c35fb14b428e31d28c237ffe133594941f515e1" or // joomla_3-7-0/libraries/vendor/joomla/application/src/AbstractDaemonApplication.php + hash.sha1(0, filesize) == "d3784ca2159730c89684cd5792fc61ea04bb4a68" or // joomla_3-7-0/libraries/vendor/phpmailer/phpmailer/class.phpmailer.php + hash.sha1(0, filesize) == "3c6ac349b426a27dd7779bf6defdc40cbd6c17b4" or // joomla_3-7-0/plugins/content/pagebreak/pagebreak.php + hash.sha1(0, filesize) == 
"9cd551a23c9223b80941b6fbc6550b98847044e9" or // joomla_3-7-0/plugins/system/debug/debug.php + hash.sha1(0, filesize) == "a529990f1951c94f6af51404a417ed3ff9131100" or // joomla_3-7-0/plugins/user/profile/profile.php false } From 48bc5a34adb93e217c5fc781cbd6657fe4d497a8 Mon Sep 17 00:00:00 2001 From: HansPHP Date: Fri, 10 Apr 2020 18:25:47 -0500 Subject: [PATCH 07/36] Yara rule Joomla 3.7.1 --- php-malware-finder/whitelists/joomla.yar | 3 +++ 1 file changed, 3 insertions(+) diff --git a/php-malware-finder/whitelists/joomla.yar b/php-malware-finder/whitelists/joomla.yar index f7405ae..b2e28a4 100644 --- a/php-malware-finder/whitelists/joomla.yar +++ b/php-malware-finder/whitelists/joomla.yar @@ -279,5 +279,8 @@ private rule Joomla : CMS hash.sha1(0, filesize) == "3c6ac349b426a27dd7779bf6defdc40cbd6c17b4" or // joomla_3-7-0/plugins/content/pagebreak/pagebreak.php hash.sha1(0, filesize) == "9cd551a23c9223b80941b6fbc6550b98847044e9" or // joomla_3-7-0/plugins/system/debug/debug.php hash.sha1(0, filesize) == "a529990f1951c94f6af51404a417ed3ff9131100" or // joomla_3-7-0/plugins/user/profile/profile.php + + /* Joomla 3.7.1 */ + hash.sha1(0, filesize) == "fb7fdbdfa65d83043e0d5d2b80f5085a1c951be5" or // joomla_3-7-1/layouts/joomla/form/field/color/advanced.php false } From fe34f6fe58e632583279f7154098a3cd7153b7d2 Mon Sep 17 00:00:00 2001 From: HansPHP Date: Fri, 10 Apr 2020 18:27:08 -0500 Subject: [PATCH 08/36] Yara rule Joomla 3.7.2 --- php-malware-finder/whitelists/joomla.yar | 3 +++ 1 file changed, 3 insertions(+) diff --git a/php-malware-finder/whitelists/joomla.yar b/php-malware-finder/whitelists/joomla.yar index b2e28a4..af9a86c 100644 --- a/php-malware-finder/whitelists/joomla.yar +++ b/php-malware-finder/whitelists/joomla.yar 
@@ -282,5 +282,8 @@ private rule Joomla : CMS /* Joomla 3.7.1 */ hash.sha1(0, filesize) == "fb7fdbdfa65d83043e0d5d2b80f5085a1c951be5" or // joomla_3-7-1/layouts/joomla/form/field/color/advanced.php + + /* Joomla 3.7.2 */ + hash.sha1(0, filesize) == "f9a148d24cda9a7ccdda945334e1e954c5dd979e" or // Joomla_3-7-2/administrator/components/com_menus/models/item.php false } From 4d27526aa475df3c267795a9d7e6fc6b1cbdc399 Mon Sep 17 00:00:00 2001 From: HansPHP Date: Fri, 10 Apr 2020 18:29:00 -0500 Subject: [PATCH 09/36] Yara rule Joomla 3.7.3 --- php-malware-finder/whitelists/joomla.yar | 25 ++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/php-malware-finder/whitelists/joomla.yar b/php-malware-finder/whitelists/joomla.yar index af9a86c..50ab200 100644 --- a/php-malware-finder/whitelists/joomla.yar +++ b/php-malware-finder/whitelists/joomla.yar 
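Review bot: The provenance comment on the added line uses `Joomla_3-7-2/`, while the neighbouring entries use the lower-case `joomla_3-7-1/` form; the drift continues in later hunks as `Joomla_3.7.3/` (L28–L29), `Joomla_3-7.4/` (L30) and `Joomla_3-8-x/` (L34–L40). Since this comment is the only record of which file a hash stands for, one `joomla_<major>-<minor>-<patch>/` prefix keeps the list greppable and makes it visible that every block was produced the same way. Suggested form: `hash.sha1(0, filesize) == "f9a148d24cda9a7ccdda945334e1e954c5dd979e" or // joomla_3-7-2/administrator/components/com_menus/models/item.php`. The mixed forms also suggest the blocks were hashed from differently named extraction directories rather than by a single generator run, which is worth confirming before more versions are appended.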
@@ -285,5 +285,30 @@ private rule Joomla : CMS /* Joomla 3.7.2 */ hash.sha1(0, filesize) == "f9a148d24cda9a7ccdda945334e1e954c5dd979e" or // Joomla_3-7-2/administrator/components/com_menus/models/item.php + + /* Joomla 3.7.3 */ + hash.sha1(0, filesize) == "2fa44645300db1c5b2fe28e95de32a353e4198ac" or // Joomla_3.7.3/administrator/components/com_admin/models/sysinfo.php + hash.sha1(0, filesize) == "1780fc1d4493e83a86c7583242d37bd15ba78c25" or // Joomla_3.7.3/administrator/components/com_menus/models/item.php + hash.sha1(0, filesize) == "e328bb09467a0735c1338e08e64975315104e84d" or // Joomla_3.7.3/administrator/components/com_menus/views/items/view.html.php + hash.sha1(0, filesize) == "e78058bb76a804e55b95097bad41a9d71a067e48" or // Joomla_3.7.3/administrator/templates/isis/login.php + hash.sha1(0, filesize) == "c91d1e8984c1c0989689894d2c7fd582b488785e" or // Joomla_3.7.3/administrator/templates/isis/html/pagination.php + hash.sha1(0, filesize) == "917a099a546882a58234818c00be7db15e823e89" or // Joomla_3.7.3/installation/controller/removefolder.php + hash.sha1(0, filesize) == "ac9541ef8e6f1003cc18d0214db706f107a6879e" or // Joomla_3.7.3/installation/form/field/prefix.php + hash.sha1(0, filesize) == "748a432dde9ee644e77ab4a480b08b1a9971a3c0" or // Joomla_3.7.3/installation/model/setup.php + hash.sha1(0, filesize) == "059cc671fcdd244e7b35056bcd5647b6c1f2e65d" or // Joomla_3.7.3/layouts/joomla/form/field/color/advanced.php + hash.sha1(0, filesize) == "2adf7d545eb255341e7655bad481e9747c9c5949" or // Joomla_3.7.3/libraries/cms/html/grid.php + hash.sha1(0, filesize) == "74a9cab3e31d6d0dd1238e20c69c9dd9631febd8" or // Joomla_3.7.3/libraries/cms/html/jgrid.php + hash.sha1(0, filesize) == "9c67dca4443f4abcbf97610d2b1f95cab9809af5" or // Joomla_3.7.3/libraries/cms/plugin/helper.php + hash.sha1(0, filesize) == "8b156565316e4a50beef1d4c8666be7d45a15f4f" or // Joomla_3.7.3/libraries/joomla/application/daemon.php + hash.sha1(0, filesize) == 
"47f29710348e4d4dc451be406f1822250750e825" or // Joomla_3.7.3/libraries/joomla/cache/storage/cachelite.php + hash.sha1(0, filesize) == "24887afa2f062da42d13cdab1f3f3db76a11fbb0" or // Joomla_3.7.3/libraries/joomla/database/driver/postgresql.php + hash.sha1(0, filesize) == "ecd1d7f72caacfe45aec15e92318f3fef4eee532" or // Joomla_3.7.3/libraries/joomla/form/fields/checkbox.php + hash.sha1(0, filesize) == "0d913f9b01151286aef6bc4774a1d8ccef54d6b7" or // Joomla_3.7.3/libraries/joomla/http/transport/curl.php + hash.sha1(0, filesize) == "2abd8f737b7e1aea828754a2bd82be095a4b87d3" or // Joomla_3.7.3/libraries/vendor/paragonie/random_compat/lib/random.php + hash.sha1(0, filesize) == "7a7462d81392470ab4425313af5c74ef58489402" or // Joomla_3.7.3/libraries/vendor/phpmailer/phpmailer/class.phpmailer.php + hash.sha1(0, filesize) == "68fa81a4726fdbe6b419e32fd95b24da46a2ff3a" or // Joomla_3.7.3/media/editors/tinymce/tinymce.min.js + hash.sha1(0, filesize) == "8e88fe3083af90e4ba9c7841da6824f572318a71" or // Joomla_3.7.3/plugins/content/pagebreak/pagebreak.php + hash.sha1(0, filesize) == "b9498231599e7034d020410a9bb275015d9ee785" or // Joomla_3.7.3/plugins/system/debug/debug.php + hash.sha1(0, filesize) == "c38f06b61e40cb988095d5b3caf8fdb8f8621dc6" or // Joomla_3.7.3/plugins/user/profile/profile.php false } From 05ad063ec1df3900eaf2aa8232c053e8bf7f2259 Mon Sep 17 00:00:00 2001 From: HansPHP Date: Fri, 10 Apr 2020 18:30:17 -0500 Subject: [PATCH 10/36] Yara rule Joomla 3.7.4 --- php-malware-finder/whitelists/joomla.yar | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/php-malware-finder/whitelists/joomla.yar b/php-malware-finder/whitelists/joomla.yar index 50ab200..4354490 100644 --- a/php-malware-finder/whitelists/joomla.yar +++ b/php-malware-finder/whitelists/joomla.yar 
@@ -310,5 +310,9 @@ private rule Joomla : CMS hash.sha1(0, filesize) == "8e88fe3083af90e4ba9c7841da6824f572318a71" or // Joomla_3.7.3/plugins/content/pagebreak/pagebreak.php hash.sha1(0, filesize) == "b9498231599e7034d020410a9bb275015d9ee785" or // Joomla_3.7.3/plugins/system/debug/debug.php hash.sha1(0, filesize) == "c38f06b61e40cb988095d5b3caf8fdb8f8621dc6" or // Joomla_3.7.3/plugins/user/profile/profile.php + + /* Joomla 3.7.4 */ + hash.sha1(0, filesize) == "959dd60ee767df7068036347b0a91def2d27f230" or // Joomla_3-7.4/administrator/components/com_admin/models/sysinfo.php + hash.sha1(0, filesize) == "1147ca5720a887553b624a484e6215a43ff97e8e" or // Joomla_3-7.4/libraries/cms/plugin/helper.php false } From d3005bb4dc7f02a11933d3a4b5ab03031174efd7 Mon Sep 17 00:00:00 2001 From: HansPHP Date: Fri, 10 Apr 2020 18:32:21 -0500 Subject: [PATCH 11/36] Yara rule Joomla 3.8.0 --- php-malware-finder/whitelists/joomla.yar | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/php-malware-finder/whitelists/joomla.yar b/php-malware-finder/whitelists/joomla.yar index 4354490..6f819d2 100644 --- a/php-malware-finder/whitelists/joomla.yar +++ b/php-malware-finder/whitelists/joomla.yar 
@@ -314,5 +314,27 @@ private rule Joomla : CMS /* Joomla 3.7.4 */ hash.sha1(0, filesize) == "959dd60ee767df7068036347b0a91def2d27f230" or // Joomla_3-7.4/administrator/components/com_admin/models/sysinfo.php hash.sha1(0, filesize) == "1147ca5720a887553b624a484e6215a43ff97e8e" or // Joomla_3-7.4/libraries/cms/plugin/helper.php + + /* Joomla 3.8.0 */ + hash.sha1(0, filesize) == "c923706a156054ab273cd4cc89722557e8336819" or // joomla_3-8-0/administrator/components/com_admin/models/sysinfo.php + hash.sha1(0, filesize) == "10b4da7aec31d41d5f27272fa5f0c147be658604" or // joomla_3-8-0/administrator/components/com_joomlaupdate/restore.php + hash.sha1(0, filesize) == "ecc49c3c6524698a0576886fa28fa6010ec71a2f" or // joomla_3-8-0/administrator/components/com_menus/models/item.php + hash.sha1(0, filesize) == "130ed65541e376c3a1371c958ece12af9ba20e6c" or // joomla_3-8-0/administrator/components/com_menus/views/items/view.html.php + hash.sha1(0, filesize) == "e723d1d5b3260e35043cd8af7b3530bc89728f42" or // joomla_3-8-0/administrator/templates/isis/login.php + hash.sha1(0, filesize) == "02db8dbc3d4cd05152f149c08d35b1fbd0f6e749" or // joomla_3-8-0/installation/controller/removefolder.php + hash.sha1(0, filesize) == "2b0a526626cd62f807a3db2c19397005a4e27458" or // joomla_3-8-0/libraries/fof/view/view.php + hash.sha1(0, filesize) == "f58980dc3a4d924ec18561e679d6317a0ca1db43" or // joomla_3-8-0/libraries/idna_convert/idna_convert.class.php + hash.sha1(0, filesize) == "543a295e96bf9366da829e00edcf488f13a236d1" or // joomla_3-8-0/libraries/joomla/database/driver/postgresql.php + hash.sha1(0, filesize) == "2695fc4b9809c6f5b815ef8629f0eb2ea8fea15f" or // joomla_3-8-0/libraries/joomla/grid/grid.php + hash.sha1(0, filesize) == "34cfc3a292f24bc42a34b5ba6c1ee711e0b91f7e" or // joomla_3-8-0/libraries/src/Application/DaemonApplication.php + hash.sha1(0, filesize) == "7a47aa67b8841c9f05840de74b0bcb9fb94b0fa0" or // joomla_3-8-0/libraries/src/Cache/Storage/CacheliteStorage.php + hash.sha1(0, 
filesize) == "1eeab3314841270974c65cb6d66669852630c1a3" or // joomla_3-8-0/libraries/src/Http/Transport/CurlTransport.php + hash.sha1(0, filesize) == "5c7507125c6c9471dd9622ecabd0eaea391648f4" or // joomla_3-8-0/libraries/src/Language/Language.php + hash.sha1(0, filesize) == "c091eec176703748c874bd718428722e3d5c8a27" or // joomla_3-8-0/libraries/src/Plugin/PluginHelper.php + hash.sha1(0, filesize) == "67012a376527db230c4da2651b6947cb7c8e3d98" or // joomla_3-8-0/libraries/vendor/joomla/application/src/AbstractDaemonApplication.php + hash.sha1(0, filesize) == "906a7ab184d05a65f9c317b090ae46074278a5b7" or // joomla_3-8-0/libraries/vendor/joomla/filesystem/src/Folder.php + hash.sha1(0, filesize) == "9ee98ae557f9b5e5c34c5ebbc38553ebbe44145f" or // joomla_3-8-0/libraries/vendor/phpmailer/phpmailer/class.phpmailer.php + hash.sha1(0, filesize) == "88bd720b0c6012479cfeb2c709cf4164fab30ce8" or // joomla_3-8-0/media/editors/codemirror/mode/scheme/scheme.js + hash.sha1(0, filesize) == "15677430d50203d1e3c55ab49ab0633cc9b30791" or // joomla_3-8-0/plugins/system/debug/debug.php false } From 8799c347942992a43e06af309068168a8160092d Mon Sep 17 00:00:00 2001 From: HansPHP Date: Fri, 10 Apr 2020 18:33:49 -0500 Subject: [PATCH 12/36] Yara rule Joomla 3.8.1 --- php-malware-finder/whitelists/joomla.yar | 3 +++ 1 file changed, 3 insertions(+) diff --git a/php-malware-finder/whitelists/joomla.yar b/php-malware-finder/whitelists/joomla.yar index 6f819d2..6b37fef 100644 --- a/php-malware-finder/whitelists/joomla.yar +++ b/php-malware-finder/whitelists/joomla.yar 
@@ -336,5 +336,8 @@ private rule Joomla : CMS hash.sha1(0, filesize) == "9ee98ae557f9b5e5c34c5ebbc38553ebbe44145f" or // joomla_3-8-0/libraries/vendor/phpmailer/phpmailer/class.phpmailer.php hash.sha1(0, filesize) == "88bd720b0c6012479cfeb2c709cf4164fab30ce8" or // joomla_3-8-0/media/editors/codemirror/mode/scheme/scheme.js hash.sha1(0, filesize) == "15677430d50203d1e3c55ab49ab0633cc9b30791" or // joomla_3-8-0/plugins/system/debug/debug.php + + /* Joomla 3.8.1 */ + hash.sha1(0, filesize) == "b90c10aee24b048087eb14b5ff764467ad7e39c7" or // joomla_3-8-1/libraries/cms/html/jgrid.php false } From 2282ae9b3b10beb22019ae6f97a013aa36a620ee Mon Sep 17 00:00:00 2001 From: HansPHP Date: Fri, 10 Apr 2020 18:35:17 -0500 Subject: [PATCH 13/36] Yara rule Joomla 3.8.2 --- php-malware-finder/whitelists/joomla.yar | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/php-malware-finder/whitelists/joomla.yar b/php-malware-finder/whitelists/joomla.yar index 6b37fef..474b5b2 100644 --- a/php-malware-finder/whitelists/joomla.yar +++ b/php-malware-finder/whitelists/joomla.yar 
@@ -339,5 +339,14 @@ private rule Joomla : CMS /* Joomla 3.8.1 */ hash.sha1(0, filesize) == "b90c10aee24b048087eb14b5ff764467ad7e39c7" or // joomla_3-8-1/libraries/cms/html/jgrid.php + + /* Joomla 3.8.2 */ + hash.sha1(0, filesize) == "dc8b7b6e1de48b89268e2af07cc60069ff4d71d3" or // Joomla_3-8-2/administrator/components/com_admin/models/sysinfo.php + hash.sha1(0, filesize) == "eb56efb687bde29b49b11afc342e57a5696af334" or // Joomla_3-8-2/administrator/templates/isis/login.php + hash.sha1(0, filesize) == "a609a87b188ae6340a22fd8b64b61a5879a88803" or // Joomla_3-8-2/installation/model/setup.php + hash.sha1(0, filesize) == "60a01b83a6c860d86faa52187476b15ad45f39fb" or // Joomla_3-8-2/layouts/joomla/form/field/color/advanced.php + hash.sha1(0, filesize) == "54b84e56d9b41ceddd41eb52460e85bd3212f489" or // Joomla_3-8-2/libraries/joomla/form/fields/checkbox.php + hash.sha1(0, filesize) == "fae041ae14c36156a0a130fd21a6aed22a030f53" or // Joomla_3-8-2/plugins/user/profile/profile.php + hash.sha1(0, filesize) == "a1b2c5a1f4afb182b95fb01a3d73f622bcd85124" or // Joomla_3-8-2/templates/protostar/html/pagination.php false } From 2d35481af38aac922fb70696d352f4df16e11a7a Mon Sep 17 00:00:00 2001 From: HansPHP Date: Fri, 10 Apr 2020 18:36:38 -0500 Subject: [PATCH 14/36] Yara rule Joomla 3.8.3 --- php-malware-finder/whitelists/joomla.yar | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/php-malware-finder/whitelists/joomla.yar b/php-malware-finder/whitelists/joomla.yar index 474b5b2..eede4c2 100644 --- a/php-malware-finder/whitelists/joomla.yar +++ b/php-malware-finder/whitelists/joomla.yar 
@@ -348,5 +348,14 @@ private rule Joomla : CMS hash.sha1(0, filesize) == "54b84e56d9b41ceddd41eb52460e85bd3212f489" or // Joomla_3-8-2/libraries/joomla/form/fields/checkbox.php hash.sha1(0, filesize) == "fae041ae14c36156a0a130fd21a6aed22a030f53" or // Joomla_3-8-2/plugins/user/profile/profile.php hash.sha1(0, filesize) == "a1b2c5a1f4afb182b95fb01a3d73f622bcd85124" or // Joomla_3-8-2/templates/protostar/html/pagination.php + + /* Joomla 3.8.3 */ + hash.sha1(0, filesize) == "656a237f75345850bd3917e181526fc7b6923847" or // Joomla_3-8-3/administrator/components/com_menus/models/item.php + hash.sha1(0, filesize) == "6e2db96e40456dd15ca453c94f1fff39f8360993" or // Joomla_3-8-3/administrator/components/com_menus/views/items/view.html.php + hash.sha1(0, filesize) == "660bf34ddb850819889cc381d86da662e6dd227f" or // Joomla_3-8-3/libraries/joomla/database/driver/postgresql.php + hash.sha1(0, filesize) == "db7bbc0c07a2b4ee381f46b853ae00abe7aa966b" or // Joomla_3-8-3/libraries/joomla/form/fields/checkbox.php + hash.sha1(0, filesize) == "00e762a75caf2cf44472f4356ff0424837d75e5e" or // Joomla_3-8-3/libraries/vendor/joomla/di/src/Container.php + hash.sha1(0, filesize) == "cf23048e92285b6d9a9c1e49739583aaab4d9a1c" or // Joomla_3-8-3/libraries/vendor/phpmailer/phpmailer/class.phpmailer.php + hash.sha1(0, filesize) == "b03ad3e18766c291aae6780ff3e663699f8cdfb0" or // Joomla_3-8-3/media/editors/tinymce/tinymce.min.js false } From c9e629184df7624286f057d6e1c81f90fd833e30 Mon Sep 17 00:00:00 2001 From: HansPHP Date: Fri, 10 Apr 2020 18:37:43 -0500 Subject: [PATCH 15/36] Yara rule Joomla 3.8.4 --- php-malware-finder/whitelists/joomla.yar | 30 ++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/php-malware-finder/whitelists/joomla.yar b/php-malware-finder/whitelists/joomla.yar index eede4c2..56af6a9 100644 --- a/php-malware-finder/whitelists/joomla.yar +++ b/php-malware-finder/whitelists/joomla.yar 
@@ -357,5 +357,35 @@ private rule Joomla : CMS hash.sha1(0, filesize) == "00e762a75caf2cf44472f4356ff0424837d75e5e" or // Joomla_3-8-3/libraries/vendor/joomla/di/src/Container.php hash.sha1(0, filesize) == "cf23048e92285b6d9a9c1e49739583aaab4d9a1c" or // Joomla_3-8-3/libraries/vendor/phpmailer/phpmailer/class.phpmailer.php hash.sha1(0, filesize) == "b03ad3e18766c291aae6780ff3e663699f8cdfb0" or // Joomla_3-8-3/media/editors/tinymce/tinymce.min.js + + /* Joomla 3.8.4 */ + hash.sha1(0, filesize) == "b2bff85f89eb2cbaba134e809cde9db8719d6561" or // Joomla_3-8-4/administrator/components/com_admin/models/sysinfo.php + hash.sha1(0, filesize) == "1534c1bb8351cf0f372afb9e177a49036fef90d0" or // Joomla_3-8-4/administrator/components/com_menus/models/item.php + hash.sha1(0, filesize) == "c9aa6bdfeb645f7b2cb8a71c15697f05623bcf10" or // Joomla_3-8-4/administrator/components/com_menus/views/items/view.html.php + hash.sha1(0, filesize) == "b436df3d8df012d7e4eb32187f7de1936ff5f436" or // Joomla_3-8-4/administrator/templates/isis/login.php + hash.sha1(0, filesize) == "d43e00923e033c194497d8695c76c82038b3333c" or // Joomla_3-8-4/administrator/templates/isis/html/pagination.php + hash.sha1(0, filesize) == "eeb4143c1372c07dab19309cfe42bbb8b83c7e4f" or // Joomla_3-8-4/components/com_contact/views/contact/view.vcf.php + hash.sha1(0, filesize) == "d6185393236043ddb78bb2b4550433c52049226f" or // Joomla_3-8-4/installation/controller/removefolder.php + hash.sha1(0, filesize) == "09c3c76673c3c33613b94917622c58bb1a825c89" or // Joomla_3-8-4/installation/form/field/prefix.php + hash.sha1(0, filesize) == "f40a37b782c8502f99877e5e2da470acc8a1c384" or // Joomla_3-8-4/installation/model/configuration.php + hash.sha1(0, filesize) == "08807a8fedc6e41ed12d1443e6949b00d440c9b5" or // Joomla_3-8-4/installation/model/setup.php + hash.sha1(0, filesize) == "d192f78b378f408255121244acda25cf465ba005" or // Joomla_3-8-4/layouts/joomla/form/field/color/advanced.php + hash.sha1(0, filesize) == 
"da54f3fc71f5bea1e70851328a11f740f0bce16c" or // Joomla_3-8-4/layouts/joomla/html/sortablelist.php + hash.sha1(0, filesize) == "edef04d887ada4613e65ce65b4428389446ef097" or // Joomla_3-8-4/libraries/cms/html/grid.php + hash.sha1(0, filesize) == "5206188696acf613fde23f428f4bbe162cd283d6" or // Joomla_3-8-4/libraries/cms/html/jgrid.php + hash.sha1(0, filesize) == "3207fae0f5d75af936cf7816b99aae950212f711" or // Joomla_3-8-4/libraries/joomla/database/driver/postgresql.php + hash.sha1(0, filesize) == "0241d9bef8182b168a5efe77e22cbeb23c962393" or // Joomla_3-8-4/libraries/joomla/filesystem/folder.php + hash.sha1(0, filesize) == "bd8fdf3e3d96176c950f459336930befa5f364db" or // Joomla_3-8-4/libraries/joomla/form/fields/checkbox.php + hash.sha1(0, filesize) == "dd09f2322103f262c3785a8a639663b3482825e7" or // Joomla_3-8-4/libraries/joomla/grid/grid.php + hash.sha1(0, filesize) == "ee1404b7ad984bcdda2df48322eb50d95fc00e25" or // Joomla_3-8-4/libraries/joomla/openstreetmap/gps.php + hash.sha1(0, filesize) == "4271ee2940aa67f9e1e25e7636fb37f697b97254" or // Joomla_3-8-4/libraries/src/Application/DaemonApplication.php + hash.sha1(0, filesize) == "a12fddc92ecfc855955bb97a532d84aae1757e5f" or // Joomla_3-8-4/libraries/src/Cache/Storage/CacheliteStorage.php + hash.sha1(0, filesize) == "85584db8c83de5fb85c0d5f18e7f938bd2b5f74d" or // Joomla_3-8-4/libraries/src/Http/Transport/CurlTransport.php + hash.sha1(0, filesize) == "ebc2db5f0174977304cc6106fa6123443a527970" or // Joomla_3-8-4/libraries/src/Language/Language.php + hash.sha1(0, filesize) == "70b4255d6ff8973f0b7cf99a2142ec79c76c6b46" or // Joomla_3-8-4/libraries/src/Plugin/PluginHelper.php + hash.sha1(0, filesize) == "bb37d2b468c4183f331e4eb48593480b534d5ddb" or // Joomla_3-8-4/plugins/content/pagebreak/pagebreak.php + hash.sha1(0, filesize) == "61091d674d279043775613240134a9c421e2fdce" or // Joomla_3-8-4/plugins/system/debug/debug.php + hash.sha1(0, filesize) == "6d387622a7aeb9efb3fd027e477eb39ead05ee5f" or // 
Joomla_3-8-4/plugins/user/profile/profile.php + hash.sha1(0, filesize) == "1c92af22c95550ceee1a8222cf50ed9c106be482" or // Joomla_3-8-4/templates/protostar/html/pagination.php false } From 202652c8fe5898ff22700e6dc87100f26a6337f3 Mon Sep 17 00:00:00 2001 From: HansPHP Date: Fri, 10 Apr 2020 18:39:21 -0500 Subject: [PATCH 16/36] Yara rule Joomla 3.8.6 --- php-malware-finder/whitelists/joomla.yar | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/php-malware-finder/whitelists/joomla.yar b/php-malware-finder/whitelists/joomla.yar index 56af6a9..210fb5e 100644 --- a/php-malware-finder/whitelists/joomla.yar +++ b/php-malware-finder/whitelists/joomla.yar @@ -387,5 +387,10 @@ private rule Joomla : CMS hash.sha1(0, filesize) == "61091d674d279043775613240134a9c421e2fdce" or // Joomla_3-8-4/plugins/system/debug/debug.php hash.sha1(0, filesize) == "6d387622a7aeb9efb3fd027e477eb39ead05ee5f" or // Joomla_3-8-4/plugins/user/profile/profile.php hash.sha1(0, filesize) == "1c92af22c95550ceee1a8222cf50ed9c106be482" or // Joomla_3-8-4/templates/protostar/html/pagination.php + + /* Joomla 3.8.6 */ + hash.sha1(0, filesize) == "45ac1b721dfefeab7af09fb839d06b8149db6f96" or // Joomla_3-8-6/administrator/components/com_admin/models/sysinfo.php + hash.sha1(0, filesize) == "62373361fca079083e10e98b904938557f2c53e3" or // Joomla_3-8-6/installation/model/setup.php + hash.sha1(0, filesize) == "421f086bb1b6a40e744ccbd8a8717a92bf4def4a" or // Joomla_3-8-6/plugins/user/profile/profile.php false } From 955a69ef34e3ed06e68ecf3a7a2dd36649c77386 Mon Sep 17 00:00:00 2001 From: HansPHP Date: Fri, 10 Apr 2020 18:40:13 -0500 Subject: [PATCH 17/36] Yara rule Joomla 3.8.7 --- php-malware-finder/whitelists/joomla.yar | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/php-malware-finder/whitelists/joomla.yar b/php-malware-finder/whitelists/joomla.yar index 210fb5e..1e08193 100644 --- a/php-malware-finder/whitelists/joomla.yar +++ b/php-malware-finder/whitelists/joomla.yar 
@@ -392,5 +392,12 @@ private rule Joomla : CMS
 hash.sha1(0, filesize) == "45ac1b721dfefeab7af09fb839d06b8149db6f96" or // Joomla_3-8-6/administrator/components/com_admin/models/sysinfo.php
 hash.sha1(0, filesize) == "62373361fca079083e10e98b904938557f2c53e3" or // Joomla_3-8-6/installation/model/setup.php
 hash.sha1(0, filesize) == "421f086bb1b6a40e744ccbd8a8717a92bf4def4a" or // Joomla_3-8-6/plugins/user/profile/profile.php
+
+ /* Joomla 3.8.7 */
+ hash.sha1(0, filesize) == "4d8be88eccfbb1e8f3988d5a5000048e0ae2cda5" or // Joomla_3-8-7/administrator/components/com_menus/models/item.php
+ hash.sha1(0, filesize) == "8ca3cd0766ba978e9ec3011be6a4e160ebb9c17a" or // Joomla_3-8-7/administrator/components/com_redirect/models/links.php
+ hash.sha1(0, filesize) == "030b98abb800a43c022afbaa0caa0417014d5f7e" or // Joomla_3-8-7/installation/controller/removefolder.php
+ hash.sha1(0, filesize) == "b56eeafccb7f8dcc5450d1b72393dfeba9c5ddbb" or // Joomla_3-8-7/libraries/src/Language/Language.php
+ hash.sha1(0, filesize) == "fa0f345febbe94bbffbfd3534db1bd3ac64fe302" or // Joomla_3-8-7/plugins/user/profile/profile.php
 false
 }
From c2cc1d88d0f1bee92bec80d68e6e654771581726 Mon Sep 17 00:00:00 2001
From: HansPHP
Date: Wed, 15 Apr 2020 14:16:38 -0500
Subject: [PATCH 18/36] Yara rule Joomla 3.8.8
---
 php-malware-finder/whitelists/joomla.yar | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/php-malware-finder/whitelists/joomla.yar b/php-malware-finder/whitelists/joomla.yar
index 1e08193..2efb50b 100644
--- a/php-malware-finder/whitelists/joomla.yar
+++ b/php-malware-finder/whitelists/joomla.yar
@@ -399,5 +399,16 @@ private rule Joomla : CMS
 hash.sha1(0, filesize) == "030b98abb800a43c022afbaa0caa0417014d5f7e" or // Joomla_3-8-7/installation/controller/removefolder.php
 hash.sha1(0, filesize) == "b56eeafccb7f8dcc5450d1b72393dfeba9c5ddbb" or // Joomla_3-8-7/libraries/src/Language/Language.php
 hash.sha1(0, filesize) == "fa0f345febbe94bbffbfd3534db1bd3ac64fe302" or // Joomla_3-8-7/plugins/user/profile/profile.php
+
+ /* Joomla 3.8.8 */
+ hash.sha1(0, filesize) == "dd056d0de68232dbe20db89ed4750ccdbce56a80" or // Joomla_3-8-8/installation/controller/removefolder.php
+ hash.sha1(0, filesize) == "94df872fd597ff5ce7eff007eff13dc566cfac8c" or // Joomla_3-8-8/installation/model/configuration.php
+ hash.sha1(0, filesize) == "df3f81c3321a8a57cd985fe66134483e1b537b27" or // Joomla_3-8-8/installation/model/setup.php
+ hash.sha1(0, filesize) == "5e9ac6876002aca0b30ff09bb1b671b20e270776" or // Joomla_3-8-8/libraries/joomla/filesystem/folder.php
+ hash.sha1(0, filesize) == "b5b9c12558f2a019d28ec200c399ef6fbca2bc3b" or // Joomla_3-8-8/libraries/src/Language/Language.php
+ hash.sha1(0, filesize) == "480d37d986a9e8cf98904fc4767c8abb4cb23778" or // Joomla_3-8-8/libraries/src/Plugin/PluginHelper.php
+ hash.sha1(0, filesize) == "75e68d435b179f6dea0540fc1a58301933041fb9" or // Joomla_3-8-8/libraries/vendor/joomla/application/src/AbstractDaemonApplication.php
+ hash.sha1(0, filesize) == "cd02b717aa2008dcf864d6ff7c0662867e588e6a" or // Joomla_3-8-8/plugins/system/debug/debug.php
+
 false
 }
From 1079e7c9137ce6e8f8237fb304eabe01e6e62f54 Mon Sep 17 00:00:00 2001
From: HansPHP
Date: Wed, 15 Apr 2020 14:25:14 -0500
Subject: [PATCH 19/36] Yara rule Joomla 3.8.9
---
 php-malware-finder/whitelists/joomla.yar | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/php-malware-finder/whitelists/joomla.yar b/php-malware-finder/whitelists/joomla.yar
index 2efb50b..ee31fdd 100644
--- a/php-malware-finder/whitelists/joomla.yar
+++ b/php-malware-finder/whitelists/joomla.yar
@@ -410,5 +410,12 @@ private rule Joomla : CMS
 hash.sha1(0, filesize) == "75e68d435b179f6dea0540fc1a58301933041fb9" or // Joomla_3-8-8/libraries/vendor/joomla/application/src/AbstractDaemonApplication.php
 hash.sha1(0, filesize) == "cd02b717aa2008dcf864d6ff7c0662867e588e6a" or // Joomla_3-8-8/plugins/system/debug/debug.php
+ /* Joomla 3.8.9 */
+ hash.sha1(0, filesize) == "06458f823d4d55da18d99b51d399bf4d212dcfb8" or // Joomla_3-8-9/administrator/components/com_menus/models/item.php
+ hash.sha1(0, filesize) == "c6aec6c1249e1b504a8d7e4d26cf6cf1de2f6dcf" or // Joomla_3-8-9/libraries/vendor/joomla/di/src/Container.php
+ hash.sha1(0, filesize) == "1c31963b439c5e3892445bc9874690838afba72e" or // Joomla_3-8-9/libraries/vendor/paragonie/random_compat/lib/random.php
+ hash.sha1(0, filesize) == "2d20f6b7d640e50ace4e1dc6dada81e1bcfc6cf2" or // Joomla_3-8-9/plugins/system/debug/debug.php
+ hash.sha1(0, filesize) == "6708ae7a3b81a28b950c30640fed1c02b64d891e" or // Joomla_3-8-9/plugins/user/profile/profile.php
+
 false
 }
From 505cb001ff365fe86ea7eb76539ef39c70b7e1b9 Mon Sep 17 00:00:00 2001
From: HansPHP
Date: Wed, 15 Apr 2020 14:28:32 -0500
Subject: [PATCH 20/36] Yara rule Joomla 3.8.11
---
 php-malware-finder/whitelists/joomla.yar | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/php-malware-finder/whitelists/joomla.yar b/php-malware-finder/whitelists/joomla.yar
index ee31fdd..9b02c4a 100644
--- a/php-malware-finder/whitelists/joomla.yar
+++ b/php-malware-finder/whitelists/joomla.yar
@@ -417,5 +417,8 @@ private rule Joomla : CMS
 hash.sha1(0, filesize) == "2d20f6b7d640e50ace4e1dc6dada81e1bcfc6cf2" or // Joomla_3-8-9/plugins/system/debug/debug.php
 hash.sha1(0, filesize) == "6708ae7a3b81a28b950c30640fed1c02b64d891e" or // Joomla_3-8-9/plugins/user/profile/profile.php
- false
+ /* Joomla 3.8.11 */
+ hash.sha1(0, filesize) == "abac6a3e3e2b3da9982358d0a083067078a089a9" or // Joomla_3-8-11/libraries/src/Plugin/PluginHelper.php
+
+ false
 }
From 2ebb12b3d903dc3cf6e7b87aa4f31077db87224f Mon Sep 17 00:00:00 2001
From: HansPHP
Date: Wed, 15 Apr 2020 14:31:00 -0500
Subject: [PATCH 21/36] Yara rule Joomla 3.8.12
---
 php-malware-finder/whitelists/joomla.yar | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/php-malware-finder/whitelists/joomla.yar b/php-malware-finder/whitelists/joomla.yar
index 9b02c4a..1556659 100644
--- a/php-malware-finder/whitelists/joomla.yar
+++ b/php-malware-finder/whitelists/joomla.yar
@@ -420,5 +420,9 @@ private rule Joomla : CMS
 /* Joomla 3.8.11 */
 hash.sha1(0, filesize) == "abac6a3e3e2b3da9982358d0a083067078a089a9" or // Joomla_3-8-11/libraries/src/Plugin/PluginHelper.php
+ /* Joomla 3.8.12 */
+ hash.sha1(0, filesize) == "0ee03e3fda80de9abfbe53c22dfd6943c73f5fc1" or // Joomla_3-8-12/installation/model/setup.php
+ hash.sha1(0, filesize) == "5f252bd259c7cd48b3181037787e0fcaad29da10" or // Joomla_3-8-12/libraries/joomla/database/driver/postgresql.php
+
 false
 }
From c8e5275c3bed790b9e51af7532099c9e6978a98e Mon Sep 17 00:00:00 2001
From: HansPHP
Date: Wed, 15 Apr 2020 14:33:44 -0500
Subject: [PATCH 22/36] Yara rule Joomla 3.9.0
---
 php-malware-finder/whitelists/joomla.yar | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/php-malware-finder/whitelists/joomla.yar b/php-malware-finder/whitelists/joomla.yar
index 1556659..2da581b 100644
--- a/php-malware-finder/whitelists/joomla.yar
+++ b/php-malware-finder/whitelists/joomla.yar
@@ -424,5 +424,23 @@ private rule Joomla : CMS
 hash.sha1(0, filesize) == "0ee03e3fda80de9abfbe53c22dfd6943c73f5fc1" or // Joomla_3-8-12/installation/model/setup.php
 hash.sha1(0, filesize) == "5f252bd259c7cd48b3181037787e0fcaad29da10" or // Joomla_3-8-12/libraries/joomla/database/driver/postgresql.php
+ /* Joomla 3.9.0 */
+ hash.sha1(0, filesize) == "a55a3d5840c1ced9f7760635138ea08bdc8adbdd" or // joomla_3-9-0/administrator/components/com_admin/models/sysinfo.php
+ hash.sha1(0, filesize) == "7378eb6d1021f781f52df74632880e2935c9b696" or // joomla_3-9-0/administrator/components/com_menus/models/item.php
+ hash.sha1(0, filesize) == "6f39a2ced7b58c6e7218f117e6fe706bf0e78437" or // joomla_3-9-0/installation/controller/removefolder.php
+ hash.sha1(0, filesize) == "db2a713754302a12a8f56a8117bb17830e4f08d9" or // joomla_3-9-0/installation/model/configuration.php
+ hash.sha1(0, filesize) == "98dfdeff482c226dff40971e51dbfbbbe902970f" or // joomla_3-9-0/libraries/cms/html/grid.php
+ hash.sha1(0, filesize) == "66d332347b886d2076435a9373630e6d17df6a8d" or // joomla_3-9-0/libraries/joomla/database/driver/postgresql.php
+ hash.sha1(0, filesize) == "243393d3d274d556b47cb4f142caa086e519948e" or // joomla_3-9-0/libraries/joomla/openstreetmap/gps.php
+ hash.sha1(0, filesize) == "7aa17c15823a4ef0ca63c0b0cd7bcbf941a532f4" or // joomla_3-9-0/libraries/joomla/form/fields/checkbox.php
+ hash.sha1(0, filesize) == "be580388fe44a12b2f2e9910e00662f05de5e3ef" or // joomla_3-9-0/libraries/joomla/grid/grid.php
+ hash.sha1(0, filesize) == "c3452582fc7bb5b82e6af30fd209832b06672e15" or // joomla_3-9-0/libraries/vendor/joomla/filesystem/src/Folder.php
+ hash.sha1(0, filesize) == "00ad81b3d5dc24a4ba0d6ae1bffd6bcad7209370" or // joomla_3-9-0/libraries/src/Cache/Storage/CacheliteStorage.php
+ hash.sha1(0, filesize) == "fbc71954759571e001e5848f301fbd418cbc592a" or // joomla_3-9-0/libraries/src/Language/LanguageHelper.php
+ hash.sha1(0, filesize) == "448ae8e775f92ea51fa207623fc8b9d400a3a546" or // 
joomla_3-9-0/libraries/src/Filesystem/Folder.php
+ hash.sha1(0, filesize) == "b249b3f3c75ffd2a5aaa762f9e0607ec2240e909" or // joomla_3-9-0/libraries/src/Http/Transport/CurlTransport.php
+ hash.sha1(0, filesize) == "ee5bc3b061f5a4ba6720c9857993b8662d404f6d" or // joomla_3-9-0/libraries/src/Application/DaemonApplication.php
+ hash.sha1(0, filesize) == "736557ef0644cca3bd57cc5f4846b19da222cbff" or // joomla_3-9-0/media/editors/codemirror/mode/scheme/scheme.js
+
 false
 }
From 3b2ebb1d083c868724d5f7c2c60a778426eb1045 Mon Sep 17 00:00:00 2001
From: HansPHP
Date: Wed, 15 Apr 2020 14:35:52 -0500
Subject: [PATCH 23/36] Yara rule Joomla 3.9.1
---
 php-malware-finder/whitelists/joomla.yar | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/php-malware-finder/whitelists/joomla.yar b/php-malware-finder/whitelists/joomla.yar
index 2da581b..ca3837e 100644
--- a/php-malware-finder/whitelists/joomla.yar
+++ b/php-malware-finder/whitelists/joomla.yar
@@ -442,5 +442,9 @@ private rule Joomla : CMS
 hash.sha1(0, filesize) == "ee5bc3b061f5a4ba6720c9857993b8662d404f6d" or // joomla_3-9-0/libraries/src/Application/DaemonApplication.php
 hash.sha1(0, filesize) == "736557ef0644cca3bd57cc5f4846b19da222cbff" or // joomla_3-9-0/media/editors/codemirror/mode/scheme/scheme.js
+ /* Joomla 3.9.1 */
+ hash.sha1(0, filesize) == "266920e7b14ac4d7e7bc9625f9b87859abfdac8b" or // joomla_3-9-1/media/editors/tinymce/tinymce.min.js
+ hash.sha1(0, filesize) == "6264a72c974ab45182be01be6bb9a097e7a105b9" or // joomla_3-9-1/plugins/system/debug/debug.php
+
 false
 }
From 6f227e0f8c69ff3066fcbce7cd77fbd13322e437 Mon Sep 17 00:00:00 2001
From: HansPHP
Date: Wed, 15 Apr 2020 14:37:49 -0500
Subject: [PATCH 24/36] Yara rule Joomla 3.9.2
---
 php-malware-finder/whitelists/joomla.yar | 30 ++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/php-malware-finder/whitelists/joomla.yar b/php-malware-finder/whitelists/joomla.yar
index ca3837e..b7f3605 100644
--- a/php-malware-finder/whitelists/joomla.yar
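Review bot: The path labels in the 3.9.0 block use a lowercase `joomla_3-9-0/...` prefix, and the 3.9.1 hunk that ends on this same line does the same with `joomla_3-9-1/...`, whereas the 3.8.x blocks before and the 3.9.2 block that follows write `Joomla_3-8-4/...`; the comment text has no effect on matching, but a case-sensitive search by version prefix will silently miss these two blocks. Normalising them, e.g. `// Joomla_3-9-0/administrator/components/com_admin/models/sysinfo.php` and `// Joomla_3-9-1/media/editors/tinymce/tinymce.min.js`, keeps the list greppable. Separately, both blocks whitelist JavaScript files (`scheme.js`, `tinymce.min.js`); that is harmless, but it only has an effect if the scanner feeds non-PHP files to these rules, which cannot be told from this diff.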
+++ b/php-malware-finder/whitelists/joomla.yar 
@@ -446,5 +446,35 @@ private rule Joomla : CMS
 hash.sha1(0, filesize) == "266920e7b14ac4d7e7bc9625f9b87859abfdac8b" or // joomla_3-9-1/media/editors/tinymce/tinymce.min.js
 hash.sha1(0, filesize) == "6264a72c974ab45182be01be6bb9a097e7a105b9" or // joomla_3-9-1/plugins/system/debug/debug.php
+ /* Joomla 3.9.2 */
+ hash.sha1(0, filesize) == "c96c0d20eff0dbaa2db8c02c152d9a74b02406d2" or // Joomla_3-9-2/administrator/components/com_redirect/models/links.php
+ hash.sha1(0, filesize) == "158cc06dc66ea1fc9d64cbe6638b3c50ead02f06" or // Joomla_3-9-2/administrator/components/com_admin/models/sysinfo.php
+ hash.sha1(0, filesize) == "ab2454be11d3328cb713fa89d1b45940be385db1" or // Joomla_3-9-2/administrator/components/com_joomlaupdate/restore.php
+ hash.sha1(0, filesize) == "945a4598fbdddc22a7ce556bf7e0a945e0e6582c" or // Joomla_3-9-2/administrator/components/com_menus/models/item.php
+ hash.sha1(0, filesize) == "16441b921a35d4352bf494d327c76bd8c3b92878" or // Joomla_3-9-2/administrator/components/com_menus/views/items/view.html.php
+ hash.sha1(0, filesize) == "f7d8c7b04022c30a60f9b0aed8de33b361ea2b9c" or // Joomla_3-9-2/administrator/templates/isis/login.php
+ hash.sha1(0, filesize) == "8e94af2c0007bb1d866bd3a678ced888f0eb021e" or // Joomla_3-9-2/administrator/templates/isis/html/pagination.php
+ hash.sha1(0, filesize) == "a8e44c4bcdf6f97d525cb91d935ce33c311e18a4" or // Joomla_3-9-2/components/com_contact/views/contact/view.vcf.php
+ hash.sha1(0, filesize) == "72c993d7a16a4f353fb9414d235f43c78d5fa4dc" or // Joomla_3-9-2/installation/form/field/prefix.php
+ hash.sha1(0, filesize) == "5de93608a9f5576d1cfd3bdff3ccdc29e6d3b165" or // Joomla_3-9-2/installation/controller/removefolder.php
+ hash.sha1(0, filesize) == "7cc374b4fbb4d27fcb251b3ab6bc8448b49981a3" or // Joomla_3-9-2/installation/model/configuration.php
+ hash.sha1(0, filesize) == "494b8761600791c61d88280fd7848e178e80f6dc" or // Joomla_3-9-2/installation/model/setup.php
+ hash.sha1(0, filesize) == 
"eaba90b36caafadb9cdfcda7ac2f8377aa40a490" or // Joomla_3-9-2/layouts/joomla/html/sortablelist.php + hash.sha1(0, filesize) == "dab4617ff6fba55b4c3760e8214547dc4fab1a13" or // Joomla_3-9-2/libraries/cms/html/grid.php + hash.sha1(0, filesize) == "be3f89dfca1267a6c86af335ad411097a9656d33" or // Joomla_3-9-2/libraries/cms/html/jgrid.php + hash.sha1(0, filesize) == "85cac05835a7908bbc7ee3221a74e05062e39955" or // Joomla_3-9-2/libraries/joomla/database/driver/postgresql.php + hash.sha1(0, filesize) == "74f81f7f238d3c2b2af1717ee67a984903e0d4dc" or // Joomla_3-9-2/libraries/joomla/openstreetmap/gps.php + hash.sha1(0, filesize) == "c22294d3752dfef65a7d2b655e3216811ad1dce7" or // Joomla_3-9-2/libraries/joomla/form/fields/checkbox.php + hash.sha1(0, filesize) == "4fe67fba806dd55ff658d8d19390d56b6ab44776" or // Joomla_3-9-2/libraries/joomla/grid/grid.php + hash.sha1(0, filesize) == "1a000e44ae3a71829a7ac8678a503338600d61d9" or // Joomla_3-9-2/libraries/src/Cache/Storage/CacheliteStorage.php + hash.sha1(0, filesize) == "2be0f21c0a36cf7126764b5c2de7117cc5895fc6" or // Joomla_3-9-2/libraries/src/Plugin/PluginHelper.php + hash.sha1(0, filesize) == "e394c4d5f2da97cce9efb494e91782ace0c047a8" or // Joomla_3-9-2/libraries/src/Language/LanguageHelper.php + hash.sha1(0, filesize) == "9294de5137cc255ecfb37290e6a3cd7df22564a6" or // Joomla_3-9-2/libraries/src/Filesystem/Folder.php + hash.sha1(0, filesize) == "fa5e9609bad33b884be57fec6b2e07f92e44138c" or // Joomla_3-9-2/libraries/src/Http/Transport/CurlTransport.php + hash.sha1(0, filesize) == "503df10564b0f553066ae616397bf2e94a796966" or // Joomla_3-9-2/libraries/src/Application/DaemonApplication.php + hash.sha1(0, filesize) == "7a30261332d41a1dd7814b1fdd4d0a4f3f13cd97" or // Joomla_3-9-2/plugins/user/profile/profile.php + hash.sha1(0, filesize) == "20a07f1352e2b0cadc22afb815c31edf514ab494" or // Joomla_3-9-2/plugins/system/debug/debug.php + hash.sha1(0, filesize) == "24c6604d00b0cc878ed82d7f5e0ca5b5810ba55f" or // 
Joomla_3-9-2/templates/protostar/html/pagination.php
+
 false
 }
From 1dda6ef4908508b37b8f3b1318e07c4472dcb4f9 Mon Sep 17 00:00:00 2001
From: HansPHP
Date: Wed, 15 Apr 2020 14:39:10 -0500
Subject: [PATCH 25/36] Yara rule Joomla 3.9.3
---
 php-malware-finder/whitelists/joomla.yar | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/php-malware-finder/whitelists/joomla.yar b/php-malware-finder/whitelists/joomla.yar
index b7f3605..6cde503 100644
--- a/php-malware-finder/whitelists/joomla.yar
+++ b/php-malware-finder/whitelists/joomla.yar
@@ -476,5 +476,8 @@ private rule Joomla : CMS
 hash.sha1(0, filesize) == "20a07f1352e2b0cadc22afb815c31edf514ab494" or // Joomla_3-9-2/plugins/system/debug/debug.php
 hash.sha1(0, filesize) == "24c6604d00b0cc878ed82d7f5e0ca5b5810ba55f" or // Joomla_3-9-2/templates/protostar/html/pagination.php
+ /* Joomla 3.9.3 */
+ hash.sha1(0, filesize) == "732c2b34123a56e41c91d38a0502b72c303e4870" or // Joomla_3-9-3/libraries/fof/view/view.php
+
 false
 }
From 0b0a69078b9d01db8fd64f25d35792357e074c44 Mon Sep 17 00:00:00 2001
From: HansPHP
Date: Wed, 15 Apr 2020 14:41:15 -0500
Subject: [PATCH 26/36] Yara rule Joomla 3.9.6
---
 php-malware-finder/whitelists/joomla.yar | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/php-malware-finder/whitelists/joomla.yar b/php-malware-finder/whitelists/joomla.yar
index 6cde503..ffbe0ca 100644
--- a/php-malware-finder/whitelists/joomla.yar
+++ b/php-malware-finder/whitelists/joomla.yar
@@ -479,5 +479,13 @@ private rule Joomla : CMS
 /* Joomla 3.9.3 */
 hash.sha1(0, filesize) == "732c2b34123a56e41c91d38a0502b72c303e4870" or // Joomla_3-9-3/libraries/fof/view/view.php
+ /* Joomla 3.9.6 */
+ hash.sha1(0, filesize) == "5ee868afac21f646c1657220e37b92cffe64adc9" or // Joomla_3-9-6/libraries/vendor/joomla/filesystem/src/Folder.php
+ hash.sha1(0, filesize) == "f83b64fc5d2aff946a8fdc6ff492953d6a491df5" or // Joomla_3-9-6/libraries/vendor/joomla/application/src/AbstractDaemonApplication.php
+ hash.sha1(0, filesize) == "4bcc26380d454429d18b8cfc83861fc88bcb9d19" or // Joomla_3-9-6/libraries/vendor/phpmailer/phpmailer/class.phpmailer.php
+ hash.sha1(0, filesize) == "af54a7e589895b9c45b793cfa249e1d838465719" or // Joomla_3-9-6/libraries/src/Application/DaemonApplication.php
+ hash.sha1(0, filesize) == "f67b6addc078e05c802cd007c0d54cb2bfe1f81a" or // Joomla_3-9-6/libraries/src/Language/LanguageHelper.php
+ hash.sha1(0, filesize) == "1cef23d3091f1d9233abd6bcdaeda73c27b39adb" or // Joomla_3-9-6/libraries/src/Http/Transport/CurlTransport.php
+
 false
 }
From 9434e291a6f0a63c6d956338cb5418c36e4c4ee3 Mon Sep 17 00:00:00 2001
From: HansPHP
Date: Wed, 15 Apr 2020 14:42:40 -0500
Subject: [PATCH 27/36] Yara rule Joomla 3.9.7
---
 php-malware-finder/whitelists/joomla.yar | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/php-malware-finder/whitelists/joomla.yar b/php-malware-finder/whitelists/joomla.yar
index ffbe0ca..32473a9 100644
--- a/php-malware-finder/whitelists/joomla.yar
+++ b/php-malware-finder/whitelists/joomla.yar
@@ -487,5 +487,9 @@ private rule Joomla : CMS
 hash.sha1(0, filesize) == "f67b6addc078e05c802cd007c0d54cb2bfe1f81a" or // Joomla_3-9-6/libraries/src/Language/LanguageHelper.php
 hash.sha1(0, filesize) == "1cef23d3091f1d9233abd6bcdaeda73c27b39adb" or // Joomla_3-9-6/libraries/src/Http/Transport/CurlTransport.php
+ /* Joomla 3.9.7 */
+ hash.sha1(0, filesize) == "dba3cf7b173302747b3d5edda94de0929f8ea649" or // Joomla_3-9-7/libraries/joomla/database/driver/postgresql.php
+ hash.sha1(0, filesize) == "fd2784087105d7a451bd0a477558a97b338fd8dd" or // Joomla_3-9-7/media/editors/tinymce/tinymce.min.js
+
 false
 }
From 3fca5cd912c380dfd3dc7ac8fc9e4c24c0b03c49 Mon Sep 17 00:00:00 2001
From: HansPHP
Date: Wed, 15 Apr 2020 14:45:09 -0500
Subject: [PATCH 28/36] Yara rule Joomla 3.9.9
---
 php-malware-finder/whitelists/joomla.yar | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/php-malware-finder/whitelists/joomla.yar b/php-malware-finder/whitelists/joomla.yar
index 32473a9..00e09cc 100644
--- a/php-malware-finder/whitelists/joomla.yar
+++ b/php-malware-finder/whitelists/joomla.yar
@@ -491,5 +491,9 @@ private rule Joomla : CMS
 hash.sha1(0, filesize) == "dba3cf7b173302747b3d5edda94de0929f8ea649" or // Joomla_3-9-7/libraries/joomla/database/driver/postgresql.php
 hash.sha1(0, filesize) == "fd2784087105d7a451bd0a477558a97b338fd8dd" or // Joomla_3-9-7/media/editors/tinymce/tinymce.min.js
+ /* Joomla 3.9.9 */
+ hash.sha1(0, filesize) == "9353304c415731815eaf520f2bb6a60320ac5af0" or // Joomla_3-9-9/administrator/components/com_admin/models/sysinfo.php
+ hash.sha1(0, filesize) == "c7f873c7a0f63260aed6e6e064df6240695f12cc" or // Joomla_3-9-9/administrator/components/com_menus/models/item.php
+
 false
 }
From 7732437543efa746bcf68b1760be473b05cd12a5 Mon Sep 17 00:00:00 2001
From: HansPHP
Date: Wed, 15 Apr 2020 14:46:57 -0500
Subject: [PATCH 29/36] Yara rule Joomla 3.9.11
---
 php-malware-finder/whitelists/joomla.yar | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/php-malware-finder/whitelists/joomla.yar b/php-malware-finder/whitelists/joomla.yar
index 00e09cc..b7cd647 100644
--- a/php-malware-finder/whitelists/joomla.yar
+++ b/php-malware-finder/whitelists/joomla.yar
@@ -495,5 +495,8 @@ private rule Joomla : CMS
 hash.sha1(0, filesize) == "9353304c415731815eaf520f2bb6a60320ac5af0" or // Joomla_3-9-9/administrator/components/com_admin/models/sysinfo.php
 hash.sha1(0, filesize) == "c7f873c7a0f63260aed6e6e064df6240695f12cc" or // Joomla_3-9-9/administrator/components/com_menus/models/item.php
+ /* Joomla_3-9-11 */
+ hash.sha1(0, filesize) == "f13782094e982ef78b6194ac49cea08ad4fb5fc5" or // Joomla_3-9-11/libraries/fof/render/joomla.php
+
 false
 }
From 7b75a2b9febf1ca86dc95ba983102f5261c074c5 Mon Sep 17 00:00:00 2001
From: HansPHP
Date: Wed, 15 Apr 2020 14:48:37 -0500
Subject: [PATCH 30/36] Yara rule Joomla 3.9.12
---
 php-malware-finder/whitelists/joomla.yar | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/php-malware-finder/whitelists/joomla.yar b/php-malware-finder/whitelists/joomla.yar
index b7cd647..7dc6fe6 100644
--- a/php-malware-finder/whitelists/joomla.yar
+++ b/php-malware-finder/whitelists/joomla.yar
@@ -495,8 +495,12 @@ private rule Joomla : CMS
 hash.sha1(0, filesize) == "9353304c415731815eaf520f2bb6a60320ac5af0" or // Joomla_3-9-9/administrator/components/com_admin/models/sysinfo.php
 hash.sha1(0, filesize) == "c7f873c7a0f63260aed6e6e064df6240695f12cc" or // Joomla_3-9-9/administrator/components/com_menus/models/item.php
- /* Joomla_3-9-11 */
+ /* Joomla 3.9.11 */
 hash.sha1(0, filesize) == "f13782094e982ef78b6194ac49cea08ad4fb5fc5" or // Joomla_3-9-11/libraries/fof/render/joomla.php
+ /* Joomla 3.9.12 */
+ hash.sha1(0, filesize) == "25537b70a8604014b8f338cbd3e231b1842afab2" or // Joomla_3-9-12/administrator/templates/isis/login.php
+ hash.sha1(0, filesize) == "4322aae7fef49c89ad669016d5be16706ce5d614" or // Joomla_3-9-12/libraries/joomla/database/driver/postgresql.php
+
 false
 }
From 414c3d6d0f0ac692b109e6f00a3ea8e1809ceb2f Mon Sep 17 00:00:00 2001
From: HansPHP
Date: Wed, 15 Apr 2020 14:50:11 -0500
Subject: [PATCH 31/36] Yara rule Joomla 3.9.13
---
 php-malware-finder/whitelists/joomla.yar | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/php-malware-finder/whitelists/joomla.yar b/php-malware-finder/whitelists/joomla.yar
index 7dc6fe6..f4c7eb7 100644
--- a/php-malware-finder/whitelists/joomla.yar
+++ b/php-malware-finder/whitelists/joomla.yar
@@ -502,5 +502,10 @@ private rule Joomla : CMS
 hash.sha1(0, filesize) == "25537b70a8604014b8f338cbd3e231b1842afab2" or // Joomla_3-9-12/administrator/templates/isis/login.php
 hash.sha1(0, filesize) == "4322aae7fef49c89ad669016d5be16706ce5d614" or // Joomla_3-9-12/libraries/joomla/database/driver/postgresql.php
+ /* Joomla 3.9.13 */
+ hash.sha1(0, filesize) == "fac60dea17fc6f45076060e0b64100e193816c2a" or // Joomla_3-9-13/administrator/components/com_joomlaupdate/restore.php
+ hash.sha1(0, filesize) == "ca64d3c1ba2a8de298fff8190959f60ae60f5062" or // Joomla_3-9-13/libraries/vendor/joomla/filesystem/src/Folder.php
+ hash.sha1(0, filesize) == "112fd31264d3e86ab42ea7884537c87d4deaf2f8" or // Joomla_3-9-13/libraries/idna_convert/idna_convert.class.php
+
 false
 }
From 02c51d5cb500641ee449b37888f32abd392bf62f Mon Sep 17 00:00:00 2001
From: HansPHP
Date: Wed, 15 Apr 2020 14:51:32 -0500
Subject: [PATCH 32/36] Yara rule Joomla 3.9.15
---
 php-malware-finder/whitelists/joomla.yar | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/php-malware-finder/whitelists/joomla.yar b/php-malware-finder/whitelists/joomla.yar
index f4c7eb7..459ecab 100644
--- a/php-malware-finder/whitelists/joomla.yar
+++ b/php-malware-finder/whitelists/joomla.yar
@@ -507,5 +507,8 @@ private rule Joomla : CMS
 hash.sha1(0, filesize) == "ca64d3c1ba2a8de298fff8190959f60ae60f5062" or // Joomla_3-9-13/libraries/vendor/joomla/filesystem/src/Folder.php
 hash.sha1(0, filesize) == "112fd31264d3e86ab42ea7884537c87d4deaf2f8" or // Joomla_3-9-13/libraries/idna_convert/idna_convert.class.php
+ /* Joomla 3.9.14 */
+ hash.sha1(0, filesize) == "feb0a5590d41ee968b7055aae069b4627e60a24c" or // Joomla_3-9-14/plugins/system/debug/debug.php
+
 false
 }
From 24d8d83ee4aef62a66a2ac197e5b37858240a89d Mon Sep 17 00:00:00 2001
From: HansPHP
Date: Wed, 15 Apr 2020 14:52:54 -0500
Subject: [PATCH 33/36] Yara rule Joomla 3.9.15
---
 php-malware-finder/whitelists/joomla.yar | 29 ++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/php-malware-finder/whitelists/joomla.yar b/php-malware-finder/whitelists/joomla.yar
index 459ecab..a5090b3 100644
--- a/php-malware-finder/whitelists/joomla.yar
+++ b/php-malware-finder/whitelists/joomla.yar
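Review bot: The block added in this hunk is labelled `/* Joomla 3.9.14 */` and its path label reads `Joomla_3-9-14/plugins/system/debug/debug.php`, but the commit subject says `Yara rule Joomla 3.9.15`, which is also the subject of the very next commit that actually adds the 3.9.15 block. The rule content itself looks consistent; it is the commit message that should be amended to `Yara rule Joomla 3.9.14` so that the history matches what the file says.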
@@ -510,5 +510,34 @@ private rule Joomla : CMS
 /* Joomla 3.9.14 */
 hash.sha1(0, filesize) == "feb0a5590d41ee968b7055aae069b4627e60a24c" or // Joomla_3-9-14/plugins/system/debug/debug.php
+ /* Joomla 3.9.15 */
+ hash.sha1(0, filesize) == "fcbb4fbe528ec51b8abc95fc04fda92e038ed3ab" or // Joomla_3-9-15/administrator/templates/isis/login.php
+ hash.sha1(0, filesize) == "3571efb938e1eca29bc47f24c79bcf129f1004eb" or // Joomla_3-9-15/administrator/templates/isis/html/pagination.php
+ hash.sha1(0, filesize) == "7f2379239c07e2a43b842bcaac4bfac8030f6a65" or // Joomla_3-9-15/administrator/components/com_admin/models/sysinfo.php
+ hash.sha1(0, filesize) == "8d0ed0629037538154ac28f62d6a136e37fa1975" or // Joomla_3-9-15/administrator/components/com_menus/views/items/view.html.php
+ hash.sha1(0, filesize) == "c854615bc455eb30b349dd2f7fba5bfbeedd5478" or // Joomla_3-9-15/administrator/components/com_menus/models/item.php
+ hash.sha1(0, filesize) == "f8bb223a4c7966e7d12dc8445f7389bf9682b87e" or // Joomla_3-9-15/administrator/components/com_redirect/models/links.php
+ hash.sha1(0, filesize) == "261d2fb9d865ba598c0d0b24f811a8f94c19e2ba" or // Joomla_3-9-15/components/com_contact/views/contact/view.vcf.php
+ hash.sha1(0, filesize) == "e691aa1112493323873de5b7d128a0074dbb4a01" or // Joomla_3-9-15/installation/form/field/prefix.php
+ hash.sha1(0, filesize) == "c9ae354124fd0452d0b0c88a61d68bfe5d113593" or // Joomla_3-9-15/installation/controller/removefolder.php
+ hash.sha1(0, filesize) == "814c1f52525464bc7dd5d83b0dfcdeb214fa4c88" or // Joomla_3-9-15/installation/model/configuration.php
+ hash.sha1(0, filesize) == "7054a79c6a7a3cdce301be32bfad08b6fce5bfc6" or // Joomla_3-9-15/installation/model/setup.php
+ hash.sha1(0, filesize) == "509e039e6621d781df43ba61a704da9097865797" or // Joomla_3-9-15/layouts/joomla/html/sortablelist.php
+ hash.sha1(0, filesize) == "92ea26cce29ffc04abbb17129128005716c39eee" or // Joomla_3-9-15/libraries/joomla/form/fields/checkbox.php
+ hash.sha1(0, filesize) == 
"9039febe6751a38d9a5124306c66e61a69ba7610" or // Joomla_3-9-15/libraries/joomla/grid/grid.php + hash.sha1(0, filesize) == "754d5edaba5ac3fc8a01d7b720d45c9f7b1c22e4" or // Joomla_3-9-15/libraries/joomla/openstreetmap/gps.php + hash.sha1(0, filesize) == "7c6fff2179ebdda16cc3d28d6f0edc44e938f532" or // Joomla_3-9-15/libraries/joomla/database/driver/postgresql.php + hash.sha1(0, filesize) == "c9be784e0d5c96d82da289e486930aecd99fcd62" or // Joomla_3-9-15/libraries/cms/html/jgrid.php + hash.sha1(0, filesize) == "53f796d75768c6e5fd455d3142f3a3c2ff20142f" or // Joomla_3-9-15/libraries/cms/html/grid.php + hash.sha1(0, filesize) == "530f18eac6c8e3f51b7c8c60580ba7532a722a69" or // Joomla_3-9-15/libraries/src/Application/DaemonApplication.php + hash.sha1(0, filesize) == "815f626d8f445353b062a452b36603aae3beab8a" or // Joomla_3-9-15/libraries/src/Cache/Storage/CacheliteStorage.php + hash.sha1(0, filesize) == "5bd770c59f8eb99f84a03c4184d476f7fc59d2e1" or // Joomla_3-9-15/libraries/src/Language/LanguageHelper.php + hash.sha1(0, filesize) == "04b9dbd3b9a517d6b1b21ca424d64ff9c69b8db6" or // Joomla_3-9-15/libraries/src/Http/Transport/CurlTransport.php + hash.sha1(0, filesize) == "36eefe7245d9764768c267cfba678d5982977400" or // Joomla_3-9-15/libraries/src/Plugin/PluginHelper.php + hash.sha1(0, filesize) == "1dacdac0fae0d942542f536c35ac257d64c844b4" or // Joomla_3-9-15/libraries/src/Filesystem/Folder.php + hash.sha1(0, filesize) == "54fb22b2495612225a51c88385aef73046812b58" or // Joomla_3-9-15/plugins/user/profile/profile.php + hash.sha1(0, filesize) == "8e5bb2af188c265e068b618829a9fa3f5f33ed81" or // Joomla_3-9-15/plugins/system/debug/debug.php + hash.sha1(0, filesize) == "94eb7a17ad9910559d65d68b3252f8d2e0484154" or // Joomla_3-9-15/templates/protostar/html/pagination.php + false } From ea8ce5b4e2aa8c9f19dbf4a600016ba118af2e97 Mon Sep 17 00:00:00 2001 
From: HansPHP
Date: Thu, 30 Apr 2020 13:06:17 -0500
Subject: [PATCH 34/36] StringBitwise
---
 php-malware-finder/php.yar | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index de5b1f7..c8b316b 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -372,3 +372,11 @@ rule Websites
 (any of them) and not IsWhitelisted
 }
+rule StringBitwise
+{
+ strings:
+ $ = /(\'|\")\s*(\^|\||\&)\s*(\'|\")/ nocase
+
+ condition:
+ (any of them) and not IsWhitelisted
+}
\ No newline at end of file
From b1c20b3f815733a17dc8d5ff11b71b7147a23de7 Mon Sep 17 00:00:00 2001
From: HansPHP
Date: Thu, 30 Apr 2020 13:14:03 -0500
Subject: [PATCH 35/36] StringBitwise
---
 php-malware-finder/php.yar | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index c8b316b..3dc6393 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -375,7 +375,10 @@ rule Websites
 rule StringBitwise
 {
 strings:
- $ = /(\'|\")\s*(\^|\||\&)\s*(\'|\")/ nocase
+ $ = "\"^'" nocase
+ $ = "'^'" nocase
+ $ = "\"^\"" nocase
+ $ = "'^\"" nocase
 condition:
 (any of them) and not IsWhitelisted
From f746fd91e108bafd9ec2329fdd140894edbd9e05 Mon Sep 17 00:00:00 2001
From: HansPHP
Date: Thu, 30 Apr 2020 13:32:26 -0500
Subject: [PATCH 36/36] Update php.yar
---
 php-malware-finder/php.yar | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index 3dc6393..46b4f3f 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -372,13 +372,10 @@ rule Websites
 (any of them) and not IsWhitelisted
 }
-rule StringBitwise
+rule SpecialPattern
 {
 strings:
- $ = "\"^'" nocase
- $ = "'^'" nocase
- $ = "\"^\"" nocase
- $ = "'^\"" nocase
+ $ = "#/\\*\\*(.*)\\*\\*/#s" nocase
 condition:
 (any of them) and not IsWhitelisted
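Review bot: In the final `rule SpecialPattern` hunk, neither the rule name nor the single string `"#/\\*\\*(.*)\\*\\*/#s"` tells a reader what is being detected; after YARA unescaping the string is the literal `#/\*\*(.*)\*\*/#s`, which reads as a PHP preg pattern capturing everything between `/**` and `**/` markers, so the rule is presumably aimed at code that pulls a payload out of a doc-comment. A `meta:` entry such as `description = "Literal PCRE pattern that extracts content between /** and **/ comment markers"` plus a descriptive rule name (for example `DocCommentPayloadExtract`) would record that intent, and the rename is the only code change involved. Two smaller points: `nocase` only affects the trailing `s`, since every other byte is punctuation, and matching one exact literal is brittle compared with a regex string like the one the first `StringBitwise` revision used, because any change of delimiter, quantifier or whitespace defeats it; if the narrower form was chosen to avoid false positives, that reason belongs in `meta:` too.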