|
8 | 8 | * License: GNU/GPLv2 |
9 | 9 | * @see LICENSE.txt |
10 | 10 | * |
11 | | - * This file: Optional security extras module (last modified: 2025.08.21). |
| 11 | + * This file: Optional security extras module (last modified: 2025.08.24). |
12 | 12 | * |
13 | 13 | * False positive risk (an approximate, rough estimate only): « [ ]Low [x]Medium [ ]High » |
14 | 14 | */ |
|
93 | 93 |
|
94 | 94 | /** Probing for unsecured WordPress configuration files. */ |
95 | 95 | if ($Trigger(preg_match( |
96 | | - '~(?:^|[/?.]|\._)wp-config\.php(?:\.(?:bak\d*|bkp|conf|dist|du?mp|inc|new|old|orig|sw.|tar|te?mp|txt|[\d\~#_]+)|[-.]backup)?(?:$|[/?])~', |
| 96 | + '~(?:^|[/?.]|\._)wp-config(?:\.(?:\d+|new|php)|_backup)(?:\.(?:bak\d*|bkp|conf|dist|du?mp|inc|new|old|orig|sw.|tar|te?mp|txt)|\.?[\d\~#_]+|[-.]backup)?(?:$|[/?])~', |
97 | 97 | $LCNrURI |
98 | 98 | ), 'Probing for unsecured WordPress configuration files not allowed')) { |
99 | | - $CIDRAM['Reporter']->report([15, 20, 21], ['Caught probing for unsecured WordPress configuration files.'], $CIDRAM['BlockInfo']['IPAddr']); |
100 | | - } // 2023.09.02 mod 2025.07.11 |
| 99 | + $CIDRAM['Reporter']->report([15, 21], ['Caught probing for unsecured WordPress configuration files.'], $CIDRAM['BlockInfo']['IPAddr']); |
| 100 | + } // 2023.09.02 mod 2025.08.24 |
101 | 101 |
|
102 | 102 | /** Probing for webshells/backdoors. */ |
103 | 103 | if ( |
|
114 | 114 | 'd(?:7|eadcode\d*|elpaths|epotcv|isagraep|kiz|oiconvs|ummyyummy/wp-signup)|' . |
115 | 115 | 'e(?:ctoplasm/str_shuffcle|e|pinyins|rin\d+)|' . |
116 | 116 | 'f(?:ddqradz|ilefun)|' . |
117 | | - 'g(?:awean|dftps|el4y|etid3-core|h[0o]st|lab-rare|zismexv)|' . |
| 117 | + 'g(?:awean|dftps|eju|el4y|etid3-core|h[0o]st|lab-rare|odsend|zismexv)|' . |
118 | 118 | 'h(?:[4a]x+[0o]r|6ss|anna1337|ehehe|sfpdcd|tmlawedtest)|' . |
119 | 119 | 'i(?:\d{3,}[a-z]{2,}|cesword|d3/class-config|mages/sym|ndoxploit|optimize|oxi\d*|r7szrsouep|itsec|xr/(?:allez|wp-login))|' . |
120 | 120 | 'k(?:i1k|vkjguw)|' . |
|
125 | 125 | 'p(?:erl\.alfa|hp(?:1|_niu_\d+)|huploader|lugins/(?:backup_index|vwcleanerplugin/bump|zedd/\d+)|oison|rayer_intentions|riv8|wnd|zaiihfi)|' . |
126 | 126 | 'qxuho|' . |
127 | 127 | 'r(?:andkeyword|endixd)|' . |
128 | | - 's(?:_n?e|eoplugins/mar|ession91|h[3e]ll[sx]?\d*|hrift|idwso|ilic|kipper(?:shell)?|llolx|onarxleetxd|pammervip|rc/util/php/(?:eval(?:-stdin)?|kill)|ystem_log)|' . |
| 128 | + 's(?:_n?e|eoplugins/mar|ession91|h[3e]ll[sxz]?\d*|hrift|idwso|ilic|kipper(?:shell)?|llolx|onarxleetxd|pammervip|rc/util/php/(?:eval(?:-stdin)?|kill)|ystem_log)|' . |
129 | 129 | 't(?:62|aptap-null|enda\.sh.*tenda\.sh|emplates/beez/index|hemes/(?:finley/min|pridmag/db|universal-news/www)|ermps|homs|hreefox(?:_exploit/index)?|inymce/(?:langs/about|plugins/compat3x/css/index)|k_dencode_\d+|mp/vuln|opxoh/(?:drsx|wdr))|' . |
130 | 130 | 'u(?:bh/up|nisibfu|pfile(?:_\\(\d\\))?|pgrade-temp-backup/wp-login|ploader_by_cloud7_agath|tchiha(?:_uploader)?)|' . |
131 | 131 | 'v(?:endor/bin/loader|zlateam)|' . |
132 | 132 | 'w(?:[0o]rm\d+|0rdpr3ssnew|alker-nva|ebshell-[a-z\d]+|idgets-nva|idwsisw|loymzuk|orksec)|' . |
133 | 133 | 'wp[-_](?:2019|22|(?:admin(?:/images)?|content|css(?:/colors)?|includes(?:/ixr|/customize|/pomo)?|js(?:/widgets)?|network)/(?:[^?]*wp-login|0|aaa|cof|css/(?:about|acces|bgfbmo|colors/blue/file|dist/niil|gecko|ok)|dropdown|fgertreyersd|id3/about|(?:images|widgets)/include|includes/lint-branch|install|js/(?:codemirror/\d+|jcrop/jcrop|privacy-tools\.min)|mah|maint/(?:aaa|fie|fw|lint-branch|lmfi2)|(?:random_compat/|requests/)?class(?:_api|-wp-page-[\da-z]{5,})|repeater|rk2|simple|text/(?:about|diff/renderer/last)|themes/hello-element/footer|uploads/(?:admin|error_log)|vuln)|conflg|content/plugins/(?:about|backup-backup/includes/hro|cache/dropdown|contact-form-7/.+styles-rtl|contus-hd-flv-player/uploadvideo|(?:core-plugin/|wordpresscore/)?include|dzs-zoomsounds/savepng|fix/up|(?:view-more/)?ioxi|wp-automatic/inc/csv|wp-file-manager/lib/php/connector\.minimal|wp-content/uploads/.+)|filemanager|setups|sigunq|sts|p)|' . |
134 | | - 'wp-(?:aa|beckup|configs|(?:content/uploads|includes/(?:customize|js))/(?:autoload_classmap|wp-stream)|l0gins?|mail\.php/wp-includes(?:/id3/[\da-z]+)?|mna|red)|' . |
| 134 | + 'wp-(?:aa|beckup|configs|(?:content/uploads|includes/(?:customize|js))/(?:autoload_classmap|wp-stream)|l0gins?|mail\.php/wp-includes(?:/id3/[\da-z]+)?|mna|red|zett)|' . |
135 | 135 | 'ws[ou](?:yanz)?(?:[\d.]*|[\da-z]{4,})|wwdv|' . |
136 | 136 | 'x(?:iaom|ichang/x|m(?:lrpcs|lrpz|rlpc)|s?hell|w|x{2,}|x*l(?:\d+|eet(?:mailer|-shell)?x?))|' . |
137 | 137 | 'ya?nz|yyobang/mar|' . |
|
141 | 141 | ')\.php[578]?(?:$|[/?])|' . |
142 | 142 | 'funs\.php[578]?(?:$|[/?])~', |
143 | 143 | $LCNrURI |
144 | | - ), 'Probing for webshells/backdoors') || // 2023.08.18 mod 2025.08.11 |
| 144 | + ), 'Probing for webshells/backdoors') || // 2023.08.18 mod 2025.08.24 |
145 | 145 | $Trigger(preg_match('~(?:^|[/?])(?:brutalshell|css/dmtixucz/golden-access|fierzashell\.html?|perl.alfa|search/label/php-shells|wp-ksv1i\.ph)(?:$|[/?])~', $LCNrURI), 'Probing for webshells/backdoors') || // 2025.05.12 mod 2025.08.07 |
146 | 146 | $Trigger(preg_match('~(?:^|[/?])(?:moon\.php|ss\.php)\?(?:f_c|p)=~', $LCNrURI), 'Probing for webshells/backdoors') // 2025.08.07 |
147 | 147 | ) { |
|
218 | 218 | } // 2022.06.05 mod 2023.09.04 |
219 | 219 |
|
220 | 220 | /** Probing for exposed AWS credentials. */ |
221 | | - if ($Trigger(preg_match('~(?:^|[/?])(?:\.?aws_?/(?:config(?:uration)?|credentials?)(?:\.yml)?|\.?aws\.yml|config/aws\.json)(?:$|[/?])~', $LCNrURI), 'Probing for exposed AWS credentials')) { |
| 221 | + if ($Trigger(preg_match('~(?:^|[/?])(?:\.?aws_?/(?:config(?:uration)?|credentials?)(?:\.yml)?|\.?aws\.yml|aws[_-]secrets?\.ya?ml|config/aws\.json)(?:$|[/?])~', $LCNrURI), 'Probing for exposed AWS credentials')) { |
222 | 222 | $CIDRAM['Reporter']->report([15, 21], ['Caught probing for exposed AWS credentials.'], $CIDRAM['BlockInfo']['IPAddr']); |
223 | | - } // 2023.09.04 mod 2025.08.07 |
| 223 | + } // 2023.09.04 mod 2025.08.24 |
224 | 224 |
|
225 | 225 | /** Probing for exposed FTP credentials. */ |
226 | 226 | if ($Trigger(preg_match('~(?:^|[/?])\.?s?ftp-(?:config|sync)\.json(?:$|[/?])~', $LCNrURI), 'Probing for exposed FTP credentials')) { |
|
278 | 278 | } // 2025.08.02 |
279 | 279 |
|
280 | 280 | /** Probing for env file. */ |
281 | | - if ($Trigger(preg_match('~(?:^|[/?=])(?:config|secrets?)?\.env(?:\.[\da-z]+)?(?:$|[/?])~', $LCNrURI), 'Probing for env file')) { |
| 281 | + if ($Trigger(preg_match('~(?:^|[/?=])(?:config|secrets?)?\.env(?:\.[\da-z]+)*(?:$|[/?])~', $LCNrURI), 'Probing for env file')) { |
282 | 282 | $CIDRAM['Reporter']->report([15, 21], ['Caught probing for env file.'], $CIDRAM['BlockInfo']['IPAddr']); |
283 | | - } // 2025.03.18 mod 2025.08.02 |
| 283 | + } // 2025.03.18 mod 2025.08.24 |
284 | 284 |
|
285 | 285 | /** Probing for unsecured configuration file. */ |
286 | 286 | if ($Trigger(preg_match('~(?:^|[/?])\.?config.ya?ml(?:$|[/?])~', $LCNrURI), 'Probing for unsecured configuration file')) { |
|
403 | 403 | if ($Trigger(preg_match('~(?:^|[/?])(?:tmp/errors[._]log|php_error_log)(?:$|[/?])~', $LCNrURI), 'Probing for exposed error logs')) { |
404 | 404 | $CIDRAM['Reporter']->report([15, 21], ['Caught probing for exposed error logs.'], $CIDRAM['BlockInfo']['IPAddr']); |
405 | 405 | } // 2025.08.13 |
| 406 | + |
| 407 | + /** Probing for exposed shell/bash configuration/setup files. */ |
| 408 | + if ($Trigger(preg_match('~(?:^|[/?])config\.sh(?:$|[/?])~', $LCNrURI), 'Probing for exposed shell/bash configuration/setup files')) { |
| 409 | + $CIDRAM['Reporter']->report([15], ['Caught probing for exposed shell/bash configuration/setup files.'], $CIDRAM['BlockInfo']['IPAddr']); |
| 410 | + } // 2025.08.24 |
| 411 | + |
| 412 | + /** Probing for exposed Kubernetes secrets. */ |
| 413 | + if ($Trigger(preg_match('~(?:^|[/?])secrets\.sh(?:$|[/?])~', $LCNrURI), 'Probing for exposed Kubernetes secrets')) { |
| 414 | + $CIDRAM['Reporter']->report([15, 21], ['Caught probing for exposed Kubernetes secrets.'], $CIDRAM['BlockInfo']['IPAddr']); |
| 415 | + } // 2025.08.24 |
| 416 | + |
| 417 | + /** Probing for exposed SparkPost API keys. */ |
| 418 | + if ($Trigger(preg_match('~(?:^|[/?])sparkpost(?:_(?:config|keys)(?:\.env|-py)?|\.(?:env|py))(?:$|[/?])~', $LCNrURI), 'Probing for exposed SparkPost API keys')) { |
| 419 | + $CIDRAM['Reporter']->report([15, 21], ['Caught probing for exposed SparkPost API keys.'], $CIDRAM['BlockInfo']['IPAddr']); |
| 420 | + } // 2025.08.24 |
| 421 | + |
| 422 | + /** Probing for exposed PyPI logs. */ |
| 423 | + if ($Trigger(preg_match('~(?:^|[/?])pip/log\.txt(?:$|[/?])~', $LCNrURI), 'Probing for exposed PyPI logs')) { |
| 424 | + $CIDRAM['Reporter']->report([15, 21], ['Caught probing for exposed PyPI logs.'], $CIDRAM['BlockInfo']['IPAddr']); |
| 425 | + } // 2025.08.24 |
| 426 | + |
| 427 | + /** Probing for printenv.tmp file. */ |
| 428 | + if ($Trigger(preg_match('~(?:^|[/?])printenv\.tmp(?:$|[/?])~', $LCNrURI), 'Probing for exposed printenv.tmp file')) { |
| 429 | + $CIDRAM['Reporter']->report([15], ['Caught probing for exposed printenv.tmp file.'], $CIDRAM['BlockInfo']['IPAddr']); |
| 430 | + } // 2025.08.24 |
| 431 | + |
| 432 | + /** Probing for exposed Jenkins configuration file. */ |
| 433 | + if ($Trigger(preg_match('~(?:^|[/?])\.?jenkins\.sh|jenkinsfile(?:$|[/?])~', $LCNrURI), 'Probing for exposed Jenkins configuration file')) { |
| 434 | + $CIDRAM['Reporter']->report([15, 21], ['Caught probing for exposed Jenkins configuration file.'], $CIDRAM['BlockInfo']['IPAddr']); |
| 435 | + } // 2025.08.24 |
| 436 | + |
| 437 | + /** Probing for exposed Python application setup file. */ |
| 438 | + if ($Trigger(preg_match('~(?:^|[/?])setup\.py(?:$|[/?])~', $LCNrURI), 'Probing for exposed Python application setup file')) { |
| 439 | + $CIDRAM['Reporter']->report([15, 21], ['Caught probing for exposed Python application setup file.'], $CIDRAM['BlockInfo']['IPAddr']); |
| 440 | + } // 2025.08.24 |
406 | 441 | } |
407 | 442 |
|
408 | 443 | /** |
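Review bot: The Jenkins pattern added at new line 433 has an ungrouped alternation, so `(?:^|[/?])\.?jenkins\.sh` carries no end anchor and `jenkinsfile(?:$|[/?])` carries no start anchor; as written it also fires on paths such as `/jenkins.shtml` or `/myjenkinsfile`, whereas every other rule in these hunks anchors both ends of the filename. Grouping the two alternatives restores the intended boundaries: `'~(?:^|[/?])(?:\.?jenkins\.sh|jenkinsfile)(?:$|[/?])~'`. This presumably still catches the conventionally capitalised `Jenkinsfile`, since `$LCNrURI` looks like a lowercased URI (inferred from its name and the all-lowercase patterns in this file — worth confirming). The enclosing block these rules live in opens before the first hunk shown here.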
|