|
8 | 8 | * License: GNU/GPLv2 |
9 | 9 | * @see LICENSE.txt |
10 | 10 | * |
11 | | - * This file: Optional security extras module (last modified: 2025.08.24). |
| 11 | + * This file: Optional security extras module (last modified: 2025.08.29). |
12 | 12 | * |
13 | 13 | * False positive risk (an approximate, rough estimate only): « [ ]Low [x]Medium [ ]High » |
14 | 14 | */ |
|
129 | 129 | 't(?:62|aptap-null|enda\.sh.*tenda\.sh|emplates/beez/index|hemes/(?:finley/min|pridmag/db|universal-news/www)|ermps|homs|hreefox(?:_exploit/index)?|inymce/(?:langs/about|plugins/compat3x/css/index)|k_dencode_\d+|mp/vuln|opxoh/(?:drsx|wdr))|' . |
130 | 130 | 'u(?:bh/up|nisibfu|pfile(?:_\\(\d\\))?|pgrade-temp-backup/wp-login|ploader_by_cloud7_agath|tchiha(?:_uploader)?)|' . |
131 | 131 | 'v(?:endor/bin/loader|zlateam)|' . |
132 | | - 'w(?:[0o]rm\d+|0rdpr3ssnew|alker-nva|ebshell-[a-z\d]+|idgets-nva|idwsisw|loymzuk|orksec)|' . |
| 132 | + 'w(?:[0o]rm\d+|0rdpr3ssnew|alker-nva|ebshell-[a-z\d]+|idgets-nva|idwsisw|loymzuk|orksec|p_wrong_datlib|(?:p-w)?s[aou](?:yanz)?[\d.]*(?:[\da-z]{4,})?|wdv)|' . |
133 | 133 | 'wp[-_](?:2019|22|(?:admin(?:/images)?|content|css(?:/colors)?|includes(?:/ixr|/customize|/pomo)?|js(?:/widgets)?|network)/(?:[^?]*wp-login|0|aaa|cof|css/(?:about|acces|bgfbmo|colors/blue/file|dist/niil|gecko|ok)|dropdown|fgertreyersd|id3/about|(?:images|widgets)/include|includes/lint-branch|install|js/(?:codemirror/\d+|jcrop/jcrop|privacy-tools\.min)|mah|maint/(?:aaa|fie|fw|lint-branch|lmfi2)|(?:random_compat/|requests/)?class(?:_api|-wp-page-[\da-z]{5,})|repeater|rk2|simple|text/(?:about|diff/renderer/last)|themes/hello-element/footer|uploads/(?:admin|error_log)|vuln)|conflg|content/plugins/(?:about|backup-backup/includes/hro|cache/dropdown|contact-form-7/.+styles-rtl|contus-hd-flv-player/uploadvideo|(?:core-plugin/|wordpresscore/)?include|dzs-zoomsounds/savepng|fix/up|(?:view-more/)?ioxi|wp-automatic/inc/csv|wp-file-manager/lib/php/connector\.minimal|wp-content/uploads/.+)|filemanager|setups|sigunq|sts|p)|' . |
134 | 134 | 'wp-(?:aa|beckup|configs|(?:content/uploads|includes/(?:customize|js))/(?:autoload_classmap|wp-stream)|l0gins?|mail\.php/wp-includes(?:/id3/[\da-z]+)?|mna|red|zett)|' . |
135 | | - 'ws[ou](?:yanz)?(?:[\d.]*|[\da-z]{4,})|wwdv|' . |
136 | 135 | 'x(?:iaom|ichang/x|m(?:lrpcs|lrpz|rlpc)|s?hell|w|x{2,}|x*l(?:\d+|eet(?:mailer|-shell)?x?))|' . |
137 | 136 | 'ya?nz|yyobang/mar|' . |
138 | 137 | 'zone_hackbar(?:_beutify_other)?|' . |
|
141 | 140 | ')\.php[578]?(?:$|[/?])|' . |
142 | 141 | 'funs\.php[578]?(?:$|[/?])~', |
143 | 142 | $LCNrURI |
144 | | - ), 'Probing for webshells/backdoors') || // 2023.08.18 mod 2025.08.24 |
| 143 | + ), 'Probing for webshells/backdoors') || // 2023.08.18 mod 2025.08.29 |
145 | 144 | $Trigger(preg_match('~(?:^|[/?])(?:brutalshell|css/dmtixucz/golden-access|fierzashell\.html?|perl.alfa|search/label/php-shells|wp-ksv1i\.ph)(?:$|[/?])~', $LCNrURI), 'Probing for webshells/backdoors') || // 2025.05.12 mod 2025.08.07 |
146 | 145 | $Trigger(preg_match('~(?:^|[/?])(?:moon\.php|ss\.php)\?(?:f_c|p)=~', $LCNrURI), 'Probing for webshells/backdoors') // 2025.08.07 |
147 | 146 | ) { |
|
189 | 188 | $CIDRAM['Reporter']->report([15, 16, 21], ['Caught probing for ' . $Exploit . ' vulnerability.'], $CIDRAM['BlockInfo']['IPAddr']); |
190 | 189 | } |
191 | 190 |
|
| 191 | + /** Probing for common vulnerabilities and exploits. */ |
| 192 | + if ( |
| 193 | + $Trigger(preg_match('~[?&](?=.*m=admin(?:$|[^a-z]))(?=.*c=index(?:$|[^a-z]))(?=.*pc_hash(?:$|[^a-z]))~', $LCNrURI), $Exploit = 'CVE-2018-14399') // 2025.08.29 |
| 194 | + ) { |
| 195 | + $CIDRAM['Reporter']->report([15, 20, 21], ['Caught probing for ' . $Exploit . ' vulnerability.'], $CIDRAM['BlockInfo']['IPAddr']); |
| 196 | + } |
| 197 | + |
192 | 198 | /** Probing for compromised WordPress installations. */ |
193 | 199 | if ($Trigger(preg_match( |
194 | | - '~(?:^|[/?])wp-content/plugins/(?:aryabot|cakil|cekidot|dummyyummy|helloapx|ioptimization|masterx|owfsmac|prenota|pwnd|seoo(?:yanz)?|ubh|upspy|uwogh-segs|vwcleanerplugin|wp(?:-d(?:[ao]ftx?|b-ajax-made|iambar)|-freeform|-hps|eazvp)|xichang|xt|yyobang|zaen)(?:-\d+)?/~', |
| 200 | + '~(?:^|[/?])wp-(?:content/plugins/(?:aryabot|cakil|cekidot|dummyyummy|helloapx|ioptimization|ioxi|masterx|owfsmac|prenota|pwnd|rxr|seoo(?:yanz)?|ubh|upspy|uwogh-segs|vwcleanerplugin|wp(?:-d(?:[ao]ftx?|b-ajax-made|iambar)|-freeform|-hps|eazvp)|xichang|xt|yanierin|yyobang|zaen)|ws[aou])(?:-\d+)?(?:/|$)~', |
195 | 201 | $LCNrURI |
196 | 202 | ), 'Probing for compromised WordPress installations')) { |
197 | 203 | $CIDRAM['Reporter']->report([15, 21], ['Caught probing for compromised WordPress installations.'], $CIDRAM['BlockInfo']['IPAddr']); |
198 | | - } // 2025.07.28 mod 2025.08.07 |
| 204 | + } // 2025.07.28 mod 2025.08.29 |
199 | 205 |
|
200 | 206 | /** Probing for exposed Git data. */ |
201 | 207 | if ($Trigger(preg_match('~\.git(?:config)?(?:$|\W)~', $LCNrURI), 'Probing for exposed Git data')) { |
|
438 | 444 | if ($Trigger(preg_match('~(?:^|[/?])setup\.py(?:$|[/?])~', $LCNrURI), 'Probing for exposed Python application setup file')) { |
439 | 445 | $CIDRAM['Reporter']->report([15, 21], ['Caught probing for exposed Python application setup file.'], $CIDRAM['BlockInfo']['IPAddr']); |
440 | 446 | } // 2025.08.24 |
| 447 | + |
| 448 | + /** Probing for exposed Bitcoin wallets. */ |
| 449 | + if ($Trigger(preg_match('~(?:^|[/?])wallet\.dat(?:$|[/?])~', $LCNrURI), 'Probing for exposed Bitcoin wallets')) { |
| 450 | + $CIDRAM['Reporter']->report([15], ['Caught probing for exposed Bitcoin wallets.'], $CIDRAM['BlockInfo']['IPAddr']); |
| 451 | + } // 2025.08.29 |
441 | 452 | } |
442 | 453 |
|
443 | 454 | /** |
|