diff --git a/php-malware-finder/whitelist.yar b/php-malware-finder/whitelist.yar index 3cb42b4..013184c 100644 --- a/php-malware-finder/whitelist.yar +++ b/php-malware-finder/whitelist.yar @@ -11,6 +11,7 @@ include "whitelists/phpmyadmin.yar" include "whitelists/magento1ce.yar" include "whitelists/magento2.yar" include "whitelists/prestashop.yar" +include "whitelists/Spip.yar" include "whitelists/custom.yar" @@ -125,5 +126,6 @@ private rule IsWhitelisted Dotclear or Owncloud or Phpmyadmin or + Spip or Misc } diff --git a/php-malware-finder/whitelists/Spip.yar b/php-malware-finder/whitelists/Spip.yar new file mode 100644 index 0000000..2732f0c --- /dev/null +++ b/php-malware-finder/whitelists/Spip.yar 
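Review bot: `include "whitelists/Spip.yar"` is the only capitalised file name among the includes visible in this hunk (`phpmyadmin.yar`, `magento1ce.yar`, `magento2.yar`, `prestashop.yar`, `custom.yar`), and the same commit adds a capitalised `whitelists/Spip/` directory. On a case-sensitive filesystem an include written later in the lowercase house style would not resolve, and a missing include presumably stops the whole ruleset from compiling, leaving the scanner with no rules at all. I would use `include "whitelists/spip.yar"` and rename the new file and directory to match.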
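Review bot: The `Spip or` term added to `IsWhitelisted` brings in whole-file SHA-1 hashes whose provenance is not recorded anywhere in the visible change. The included set reaches back to 1.8.3b and the 1.9.x line, so a match only shows that a file is byte-identical to some upstream release file; it does not show that the release is still maintained. A header comment in `whitelists/Spip.yar` such as `// Hashes generated from upstream SPIP release archives by <generator command>; regenerate, do not hand-edit` would let a later reviewer reproduce and re-verify the entries. The body of `IsWhitelisted` starts outside this hunk, so how the detection rules consume it is not visible here.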
@@ -0,0 +1,259 @@ +include "Spip/spip-1.8.3b.yar" +include "Spip/spip-1.9.1i.yar" +include "Spip/spip-1.9.2f.yar" +include "Spip/spip-1.9.2g.yar" +include "Spip/spip-1.9.2h.yar" +include "Spip/spip-1.9.2i.yar" +include "Spip/spip-1.9.2j.yar" +include "Spip/spip-1.9.2k.yar" +include "Spip/spip-1.9.2m.yar" +include "Spip/spip-1.9.2n.yar" +include "Spip/spip-1.9.2o.yar" +include "Spip/spip-1.9.2p.yar" +include "Spip/spip-2-stable.yar" +include "Spip/spip-2.0.0.yar" +include "Spip/spip-2.0.1.yar" +include "Spip/spip-2.0.10.yar" +include "Spip/spip-2.0.11.yar" +include "Spip/spip-2.0.12.yar" +include "Spip/spip-2.0.13.yar" +include "Spip/spip-2.0.14.yar" +include "Spip/spip-2.0.15.yar" +include "Spip/spip-2.0.16.yar" +include "Spip/spip-2.0.17.yar" +include "Spip/spip-2.0.18.yar" +include "Spip/spip-2.0.19.yar" +include "Spip/spip-2.0.2.yar" +include "Spip/spip-2.0.20.yar" +include "Spip/spip-2.0.21.yar" +include "Spip/spip-2.0.22.yar" +include "Spip/spip-2.0.23.yar" +include "Spip/spip-2.0.24.yar" +include "Spip/spip-2.0.25.yar" +include "Spip/spip-2.0.26.yar" +include "Spip/spip-2.0.3.yar" +include "Spip/spip-2.0.5.yar" +include "Spip/spip-2.0.6.yar" +include "Spip/spip-2.0.7.yar" +include "Spip/spip-2.0.8.yar" +include "Spip/spip-2.0.9.yar" +include "Spip/spip-2.1.0.yar" +include "Spip/spip-2.1.1.yar" +include "Spip/spip-2.1.10.yar" +include "Spip/spip-2.1.11.yar" +include "Spip/spip-2.1.12.yar" +include "Spip/spip-2.1.13.yar" +include "Spip/spip-2.1.14.yar" +include "Spip/spip-2.1.15.yar" +include "Spip/spip-2.1.16.yar" +include "Spip/spip-2.1.17.yar" +include "Spip/spip-2.1.18.yar" +include "Spip/spip-2.1.19.yar" +include "Spip/spip-2.1.2.yar" +include "Spip/spip-2.1.20.yar" +include "Spip/spip-2.1.21.yar" +include "Spip/spip-2.1.22.yar" +include "Spip/spip-2.1.23.yar" +include "Spip/spip-2.1.24.yar" +include "Spip/spip-2.1.25.yar" +include "Spip/spip-2.1.26.yar" +include "Spip/spip-2.1.27.yar" +include "Spip/spip-2.1.28.yar" +include "Spip/spip-2.1.29.yar" 
+include "Spip/spip-2.1.3.yar" +include "Spip/spip-2.1.30.yar" +include "Spip/spip-2.1.4.yar" +include "Spip/spip-2.1.5.yar" +include "Spip/spip-2.1.6.yar" +include "Spip/spip-2.1.7.yar" +include "Spip/spip-2.1.8.yar" +include "Spip/spip-2.1.9.yar" +include "Spip/spip-3.0.0.yar" +include "Spip/spip-3.0.0-alpha1.yar" +include "Spip/spip-3.0.0-beta.yar" +include "Spip/spip-3.0.0-beta2.yar" +include "Spip/spip-3.0.0-rc.yar" +include "Spip/spip-3.0.1.yar" +include "Spip/spip-3.0.10.yar" +include "Spip/spip-3.0.11.yar" +include "Spip/spip-3.0.12.yar" +include "Spip/spip-3.0.13.yar" +include "Spip/spip-3.0.14.yar" +include "Spip/spip-3.0.15.yar" +include "Spip/spip-3.0.16.yar" +include "Spip/spip-3.0.17.yar" +include "Spip/spip-3.0.18.yar" +include "Spip/spip-3.0.19.yar" +include "Spip/spip-3.0.2.yar" +include "Spip/spip-3.0.20.yar" +include "Spip/spip-3.0.21.yar" +include "Spip/spip-3.0.22.yar" +include "Spip/spip-3.0.23.yar" +include "Spip/spip-3.0.24.yar" +include "Spip/spip-3.0.25.yar" +include "Spip/spip-3.0.26.yar" +include "Spip/spip-3.0.27.yar" +include "Spip/spip-3.0.28.yar" +include "Spip/spip-3.0.3.yar" +include "Spip/spip-3.0.4.yar" +include "Spip/spip-3.0.5.yar" +include "Spip/spip-3.0.6.yar" +include "Spip/spip-3.0.7.yar" +include "Spip/spip-3.0.8.yar" +include "Spip/spip-3.0.9.yar" +include "Spip/spip-3.1.0.yar" +include "Spip/spip-3.1.0-alpha.yar" +include "Spip/spip-3.1.0-beta.yar" +include "Spip/spip-3.1.0-rc.yar" +include "Spip/spip-3.1.0-rc2.yar" +include "Spip/spip-3.1.0-rc3.yar" +include "Spip/spip-3.1.1.yar" +include "Spip/spip-3.1.10.yar" +include "Spip/spip-3.1.2.yar" +include "Spip/spip-3.1.3.yar" +include "Spip/spip-3.1.4.yar" +include "Spip/spip-3.1.5.yar" +include "Spip/spip-3.1.6.yar" +include "Spip/spip-3.1.7.yar" +include "Spip/spip-3.1.8.yar" +include "Spip/spip-3.1.9.yar" +include "Spip/spip-3.2-alpha-1.yar" +include "Spip/spip-3.2.0.yar" +include "Spip/spip-3.2.0-beta.yar" +include "Spip/spip-3.2.0beta2.yar" +include 
"Spip/spip-3.2.0beta3.yar" +include "Spip/spip-3.2.1.yar" +include "Spip/spip-3.2.2.yar" +include "Spip/spip-3.2.3.yar" +include "Spip/spip-3.2.4.yar" +private rule Spip +{ condition: + Spip183b or + Spip191i or + Spip192f or + Spip192g or + Spip192h or + Spip192i or + Spip192j or + Spip192k or + Spip192m or + Spip192n or + Spip192o or + Spip192p or + Spip2stable or + Spip200 or + Spip201 or + Spip2010 or + Spip2011 or + Spip2012 or + Spip2013 or + Spip2014 or + Spip2015 or + Spip2016 or + Spip2017 or + Spip2018 or + Spip2019 or + Spip202 or + Spip2020 or + Spip2021 or + Spip2022 or + Spip2023 or + Spip2024 or + Spip2025 or + Spip2026 or + Spip203 or + Spip205 or + Spip206 or + Spip207 or + Spip208 or + Spip209 or + Spip210 or + Spip211 or + Spip2110 or + Spip2111 or + Spip2112 or + Spip2113 or + Spip2114 or + Spip2115 or + Spip2116 or + Spip2117 or + Spip2118 or + Spip2119 or + Spip212 or + Spip2120 or + Spip2121 or + Spip2122 or + Spip2123 or + Spip2124 or + Spip2125 or + Spip2126 or + Spip2127 or + Spip2128 or + Spip2129 or + Spip213 or + Spip2130 or + Spip214 or + Spip215 or + Spip216 or + Spip217 or + Spip218 or + Spip219 or + Spip300 or + Spip300alpha1 or + Spip300beta or + Spip300beta2 or + Spip300rc or + Spip301 or + Spip3010 or + Spip3011 or + Spip3012 or + Spip3013 or + Spip3014 or + Spip3015 or + Spip3016 or + Spip3017 or + Spip3018 or + Spip3019 or + Spip302 or + Spip3020 or + Spip3021 or + Spip3022 or + Spip3023 or + Spip3024 or + Spip3025 or + Spip3026 or + Spip3027 or + Spip3028 or + Spip303 or + Spip304 or + Spip305 or + Spip306 or + Spip307 or + Spip308 or + Spip309 or + Spip310 or + Spip310alpha or + Spip310beta or + Spip310rc or + Spip310rc2 or + Spip310rc3 or + Spip311 or + Spip3110 or + Spip312 or + Spip313 or + Spip314 or + Spip315 or + Spip316 or + Spip317 or + Spip318 or + Spip319 or + Spip32alpha1 or + Spip320 or + Spip320beta or + Spip320beta2 or + Spip320beta3 or + Spip321 or + Spip322 or + Spip323 or + Spip324 +} 
diff --git a/php-malware-finder/whitelists/Spip/spip-1.8.3b.yar b/php-malware-finder/whitelists/Spip/spip-1.8.3b.yar new file mode 100644 index 0000000..abf492d --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-1.8.3b.yar @@ -0,0 +1,12 @@ +import "hash" + +private rule Spip183b +{ + condition: + /* Spip183b */ + hash.sha1(0, filesize) == "2b2e67bb35d79592b73fdff33366c46b2de40820" or // spip/inc-calcul.php3 + hash.sha1(0, filesize) == "c6a1b628befb4fc9c841d6fd7680447006a4bc47" or // spip/extract_pdf.php + hash.sha1(0, filesize) == "522fc9ed063c74992fd5abacb94c348209e919a2" or // spip/ecrire/inc_db_mysql.php3 + hash.sha1(0, filesize) == "74631526e110d34f48802e208d2ac4a707d84601" or // spip/ecrire/inc_version.php3 + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-1.9.1i.yar b/php-malware-finder/whitelists/Spip/spip-1.9.1i.yar new file mode 100644 index 0000000..fe635f6 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-1.9.1i.yar 
@@ -0,0 +1,20 @@ +import "hash" + +private rule Spip191i +{ + condition: + /* Spip191i */ + hash.sha1(0, filesize) == "633868e16a747afc5acaeae5c94642a0c0a82d27" or // spip/ecrire/exec/import_all.php + hash.sha1(0, filesize) == "eac1bd5dd68993b772424586476bbbf30b7e072f" or // spip/ecrire/exec/export_all.php + hash.sha1(0, filesize) == "e56b48670e31218a7c856fad63f60a6e2fa342f3" or // spip/ecrire/extract/pdf.php + hash.sha1(0, filesize) == "b3599c0787d45c7f08a493cd61187571df5fc187" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "80676a96aac2bbd50d49cf5a665535aab15db944" or // spip/ecrire/public/parametrer.php + hash.sha1(0, filesize) == "5b34b23c23315a560c595f8a2c2b785d79a81daf" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "27f9b9e4490d6528242a2e230c7d420cf8555f76" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "34d8e486b589e40b10489862c1c0259a02fd4c1a" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "2b88f077de5203bdc0b02b66030e31ba4db732f6" or // spip/ecrire/inc/plugin.php + hash.sha1(0, filesize) == "bdd85ad5ca0d67a5de47bab08f03eae00f476fa8" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "993322d21803e6070116489685759653d9319113" or // spip/ecrire/inc/presentation.php + hash.sha1(0, filesize) == "9b333daec7009d70a8cba69bae1e21da69c33181" or // spip/ecrire/base/db_mysql.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-1.9.2f.yar b/php-malware-finder/whitelists/Spip/spip-1.9.2f.yar new file mode 100644 index 0000000..54d7a1a --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-1.9.2f.yar 
@@ -0,0 +1,26 @@ +import "hash" + +private rule Spip192f +{ + condition: + /* Spip192f */ + hash.sha1(0, filesize) == "8d3347f63b24995c503966985ca65988c9c82806" or // spip/ecrire/exec/import_all.php + hash.sha1(0, filesize) == "0c97bd668f16459bf784e0cd8531df5bd449f229" or // spip/ecrire/exec/recherche.php + hash.sha1(0, filesize) == "09724694d6eb8a67b7f096a680a30867a8309d17" or // spip/ecrire/extract/pdf.php + hash.sha1(0, filesize) == "d4b7d89aa843ed04c044073f2a8ce70494c70fea" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "fb0e9c8f42070642c269dc332451722e04b3562b" or // spip/ecrire/public/parametrer.php + hash.sha1(0, filesize) == "4ea473a1c1b2e96e2829c5b6c5ac861c5899efee" or // spip/ecrire/inc/vieilles_defs.php + hash.sha1(0, filesize) == "fdde185dc4a60a39ec7b8e667d33ae9bdc5b836e" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "208f79af9dcc6f5788b8d4af698d9284af26d22f" or // spip/ecrire/inc/export.php + hash.sha1(0, filesize) == "c216d23343a644690071883cbd02e0c42e577900" or // spip/ecrire/inc/compacte_js.php + hash.sha1(0, filesize) == "7223299b9c6be70481a329acf34011f5ca52e4ad" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "6728932884511317279303c6590be77d78f123bb" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "f9b5dc20c4542b2f9d565b5e250e89d874a91c69" or // spip/ecrire/inc/plugin.php + hash.sha1(0, filesize) == "8d10e71f3b5cbbdf2de92ccf51f6bdfa60a41a8f" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "42dbcc11d294054b4b513c7cc18563d898842e97" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "5226b24a0ec455f62050ed1e52e025150b75517e" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "a0b890c8162a92b41a518d68be46031e49226f6e" or // spip/ecrire/inc/minipres.php + hash.sha1(0, filesize) == "184fea12a6422b5ade617af31b1258d6bb278e80" or // spip/ecrire/inc/presentation.php + hash.sha1(0, filesize) == "a4a9c3f7d639f9f88891bc1d2629c8259aa15903" or // 
spip/ecrire/base/db_mysql.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-1.9.2g.yar b/php-malware-finder/whitelists/Spip/spip-1.9.2g.yar new file mode 100644 index 0000000..1b3f94a --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-1.9.2g.yar 
@@ -0,0 +1,26 @@ +import "hash" + +private rule Spip192g +{ + condition: + /* Spip192g */ + hash.sha1(0, filesize) == "8d3347f63b24995c503966985ca65988c9c82806" or // spip/ecrire/exec/import_all.php + hash.sha1(0, filesize) == "0c97bd668f16459bf784e0cd8531df5bd449f229" or // spip/ecrire/exec/recherche.php + hash.sha1(0, filesize) == "09724694d6eb8a67b7f096a680a30867a8309d17" or // spip/ecrire/extract/pdf.php + hash.sha1(0, filesize) == "d4b7d89aa843ed04c044073f2a8ce70494c70fea" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "fb0e9c8f42070642c269dc332451722e04b3562b" or // spip/ecrire/public/parametrer.php + hash.sha1(0, filesize) == "4ea473a1c1b2e96e2829c5b6c5ac861c5899efee" or // spip/ecrire/inc/vieilles_defs.php + hash.sha1(0, filesize) == "fdde185dc4a60a39ec7b8e667d33ae9bdc5b836e" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "208f79af9dcc6f5788b8d4af698d9284af26d22f" or // spip/ecrire/inc/export.php + hash.sha1(0, filesize) == "c216d23343a644690071883cbd02e0c42e577900" or // spip/ecrire/inc/compacte_js.php + hash.sha1(0, filesize) == "7223299b9c6be70481a329acf34011f5ca52e4ad" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "6728932884511317279303c6590be77d78f123bb" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "f9b5dc20c4542b2f9d565b5e250e89d874a91c69" or // spip/ecrire/inc/plugin.php + hash.sha1(0, filesize) == "8d10e71f3b5cbbdf2de92ccf51f6bdfa60a41a8f" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "42dbcc11d294054b4b513c7cc18563d898842e97" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "5226b24a0ec455f62050ed1e52e025150b75517e" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "a0b890c8162a92b41a518d68be46031e49226f6e" or // spip/ecrire/inc/minipres.php + hash.sha1(0, filesize) == "184fea12a6422b5ade617af31b1258d6bb278e80" or // spip/ecrire/inc/presentation.php + hash.sha1(0, filesize) == "a4a9c3f7d639f9f88891bc1d2629c8259aa15903" or // 
spip/ecrire/base/db_mysql.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-1.9.2h.yar b/php-malware-finder/whitelists/Spip/spip-1.9.2h.yar new file mode 100644 index 0000000..6b774b6 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-1.9.2h.yar 
@@ -0,0 +1,26 @@ +import "hash" + +private rule Spip192h +{ + condition: + /* Spip192h */ + hash.sha1(0, filesize) == "8d3347f63b24995c503966985ca65988c9c82806" or // spip/ecrire/exec/import_all.php + hash.sha1(0, filesize) == "0c97bd668f16459bf784e0cd8531df5bd449f229" or // spip/ecrire/exec/recherche.php + hash.sha1(0, filesize) == "09724694d6eb8a67b7f096a680a30867a8309d17" or // spip/ecrire/extract/pdf.php + hash.sha1(0, filesize) == "d4b7d89aa843ed04c044073f2a8ce70494c70fea" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "fb0e9c8f42070642c269dc332451722e04b3562b" or // spip/ecrire/public/parametrer.php + hash.sha1(0, filesize) == "4ea473a1c1b2e96e2829c5b6c5ac861c5899efee" or // spip/ecrire/inc/vieilles_defs.php + hash.sha1(0, filesize) == "fdde185dc4a60a39ec7b8e667d33ae9bdc5b836e" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "208f79af9dcc6f5788b8d4af698d9284af26d22f" or // spip/ecrire/inc/export.php + hash.sha1(0, filesize) == "c216d23343a644690071883cbd02e0c42e577900" or // spip/ecrire/inc/compacte_js.php + hash.sha1(0, filesize) == "e3d3d397a9cafdd02ce40414de57b4818e3a9615" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "6728932884511317279303c6590be77d78f123bb" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "f9b5dc20c4542b2f9d565b5e250e89d874a91c69" or // spip/ecrire/inc/plugin.php + hash.sha1(0, filesize) == "14862c9a93675eac69b1ceee64bfe953f33f8e86" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "42dbcc11d294054b4b513c7cc18563d898842e97" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "5226b24a0ec455f62050ed1e52e025150b75517e" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "a0b890c8162a92b41a518d68be46031e49226f6e" or // spip/ecrire/inc/minipres.php + hash.sha1(0, filesize) == "184fea12a6422b5ade617af31b1258d6bb278e80" or // spip/ecrire/inc/presentation.php + hash.sha1(0, filesize) == "a4a9c3f7d639f9f88891bc1d2629c8259aa15903" or // 
spip/ecrire/base/db_mysql.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-1.9.2i.yar b/php-malware-finder/whitelists/Spip/spip-1.9.2i.yar new file mode 100644 index 0000000..f94390f --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-1.9.2i.yar 
@@ -0,0 +1,26 @@ +import "hash" + +private rule Spip192i +{ + condition: + /* Spip192i */ + hash.sha1(0, filesize) == "8d3347f63b24995c503966985ca65988c9c82806" or // spip/ecrire/exec/import_all.php + hash.sha1(0, filesize) == "0c97bd668f16459bf784e0cd8531df5bd449f229" or // spip/ecrire/exec/recherche.php + hash.sha1(0, filesize) == "09724694d6eb8a67b7f096a680a30867a8309d17" or // spip/ecrire/extract/pdf.php + hash.sha1(0, filesize) == "d4b7d89aa843ed04c044073f2a8ce70494c70fea" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "fb0e9c8f42070642c269dc332451722e04b3562b" or // spip/ecrire/public/parametrer.php + hash.sha1(0, filesize) == "4ea473a1c1b2e96e2829c5b6c5ac861c5899efee" or // spip/ecrire/inc/vieilles_defs.php + hash.sha1(0, filesize) == "fdde185dc4a60a39ec7b8e667d33ae9bdc5b836e" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "208f79af9dcc6f5788b8d4af698d9284af26d22f" or // spip/ecrire/inc/export.php + hash.sha1(0, filesize) == "c216d23343a644690071883cbd02e0c42e577900" or // spip/ecrire/inc/compacte_js.php + hash.sha1(0, filesize) == "e3d3d397a9cafdd02ce40414de57b4818e3a9615" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "6728932884511317279303c6590be77d78f123bb" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "f9b5dc20c4542b2f9d565b5e250e89d874a91c69" or // spip/ecrire/inc/plugin.php + hash.sha1(0, filesize) == "14862c9a93675eac69b1ceee64bfe953f33f8e86" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "42dbcc11d294054b4b513c7cc18563d898842e97" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "5226b24a0ec455f62050ed1e52e025150b75517e" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "a0b890c8162a92b41a518d68be46031e49226f6e" or // spip/ecrire/inc/minipres.php + hash.sha1(0, filesize) == "184fea12a6422b5ade617af31b1258d6bb278e80" or // spip/ecrire/inc/presentation.php + hash.sha1(0, filesize) == "a4a9c3f7d639f9f88891bc1d2629c8259aa15903" or // 
spip/ecrire/base/db_mysql.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-1.9.2j.yar b/php-malware-finder/whitelists/Spip/spip-1.9.2j.yar new file mode 100644 index 0000000..2f743de --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-1.9.2j.yar 
@@ -0,0 +1,26 @@ +import "hash" + +private rule Spip192j +{ + condition: + /* Spip192j */ + hash.sha1(0, filesize) == "399b5ad7e505ba9801413291d80f92e4ca3c478a" or // spip/ecrire/exec/import_all.php + hash.sha1(0, filesize) == "82f5fa5a1d302db5d4159141887eae6c587f78a8" or // spip/ecrire/exec/recherche.php + hash.sha1(0, filesize) == "09724694d6eb8a67b7f096a680a30867a8309d17" or // spip/ecrire/extract/pdf.php + hash.sha1(0, filesize) == "3a49a70d83718d5fb932dd3183877a6ceebda865" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "fb0e9c8f42070642c269dc332451722e04b3562b" or // spip/ecrire/public/parametrer.php + hash.sha1(0, filesize) == "4ea473a1c1b2e96e2829c5b6c5ac861c5899efee" or // spip/ecrire/inc/vieilles_defs.php + hash.sha1(0, filesize) == "fdde185dc4a60a39ec7b8e667d33ae9bdc5b836e" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "208f79af9dcc6f5788b8d4af698d9284af26d22f" or // spip/ecrire/inc/export.php + hash.sha1(0, filesize) == "c216d23343a644690071883cbd02e0c42e577900" or // spip/ecrire/inc/compacte_js.php + hash.sha1(0, filesize) == "0c13096da7b7afbe76a77a1c9aeedfbf45314010" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "5501109a6d6cccb0b33cb63026daf2b8e393e807" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "f9b5dc20c4542b2f9d565b5e250e89d874a91c69" or // spip/ecrire/inc/plugin.php + hash.sha1(0, filesize) == "dc099c990baeaa5f06c97a03b4d8aff1507f48c4" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "5226b24a0ec455f62050ed1e52e025150b75517e" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "aa692b83692a53e84372fed7d655b042779beded" or // spip/ecrire/inc/minipres.php + hash.sha1(0, filesize) == "184fea12a6422b5ade617af31b1258d6bb278e80" or // spip/ecrire/inc/presentation.php + hash.sha1(0, filesize) == "a4a9c3f7d639f9f88891bc1d2629c8259aa15903" or // 
spip/ecrire/base/db_mysql.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-1.9.2k.yar b/php-malware-finder/whitelists/Spip/spip-1.9.2k.yar new file mode 100644 index 0000000..ca9137f --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-1.9.2k.yar 
@@ -0,0 +1,26 @@ +import "hash" + +private rule Spip192k +{ + condition: + /* Spip192k */ + hash.sha1(0, filesize) == "399b5ad7e505ba9801413291d80f92e4ca3c478a" or // spip/ecrire/exec/import_all.php + hash.sha1(0, filesize) == "82f5fa5a1d302db5d4159141887eae6c587f78a8" or // spip/ecrire/exec/recherche.php + hash.sha1(0, filesize) == "09724694d6eb8a67b7f096a680a30867a8309d17" or // spip/ecrire/extract/pdf.php + hash.sha1(0, filesize) == "3a49a70d83718d5fb932dd3183877a6ceebda865" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "fb0e9c8f42070642c269dc332451722e04b3562b" or // spip/ecrire/public/parametrer.php + hash.sha1(0, filesize) == "4ea473a1c1b2e96e2829c5b6c5ac861c5899efee" or // spip/ecrire/inc/vieilles_defs.php + hash.sha1(0, filesize) == "fdde185dc4a60a39ec7b8e667d33ae9bdc5b836e" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "208f79af9dcc6f5788b8d4af698d9284af26d22f" or // spip/ecrire/inc/export.php + hash.sha1(0, filesize) == "c216d23343a644690071883cbd02e0c42e577900" or // spip/ecrire/inc/compacte_js.php + hash.sha1(0, filesize) == "0c13096da7b7afbe76a77a1c9aeedfbf45314010" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "5501109a6d6cccb0b33cb63026daf2b8e393e807" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "f9b5dc20c4542b2f9d565b5e250e89d874a91c69" or // spip/ecrire/inc/plugin.php + hash.sha1(0, filesize) == "dc099c990baeaa5f06c97a03b4d8aff1507f48c4" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "5226b24a0ec455f62050ed1e52e025150b75517e" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "aa692b83692a53e84372fed7d655b042779beded" or // spip/ecrire/inc/minipres.php + hash.sha1(0, filesize) == "184fea12a6422b5ade617af31b1258d6bb278e80" or // spip/ecrire/inc/presentation.php + hash.sha1(0, filesize) == "a4a9c3f7d639f9f88891bc1d2629c8259aa15903" or // 
spip/ecrire/base/db_mysql.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-1.9.2m.yar b/php-malware-finder/whitelists/Spip/spip-1.9.2m.yar new file mode 100644 index 0000000..3d50a60 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-1.9.2m.yar 
@@ -0,0 +1,26 @@ +import "hash" + +private rule Spip192m +{ + condition: + /* Spip192m */ + hash.sha1(0, filesize) == "399b5ad7e505ba9801413291d80f92e4ca3c478a" or // spip/ecrire/exec/import_all.php + hash.sha1(0, filesize) == "82f5fa5a1d302db5d4159141887eae6c587f78a8" or // spip/ecrire/exec/recherche.php + hash.sha1(0, filesize) == "09724694d6eb8a67b7f096a680a30867a8309d17" or // spip/ecrire/extract/pdf.php + hash.sha1(0, filesize) == "3a49a70d83718d5fb932dd3183877a6ceebda865" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "fb0e9c8f42070642c269dc332451722e04b3562b" or // spip/ecrire/public/parametrer.php + hash.sha1(0, filesize) == "4ea473a1c1b2e96e2829c5b6c5ac861c5899efee" or // spip/ecrire/inc/vieilles_defs.php + hash.sha1(0, filesize) == "fdde185dc4a60a39ec7b8e667d33ae9bdc5b836e" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "208f79af9dcc6f5788b8d4af698d9284af26d22f" or // spip/ecrire/inc/export.php + hash.sha1(0, filesize) == "c216d23343a644690071883cbd02e0c42e577900" or // spip/ecrire/inc/compacte_js.php + hash.sha1(0, filesize) == "0c13096da7b7afbe76a77a1c9aeedfbf45314010" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "5501109a6d6cccb0b33cb63026daf2b8e393e807" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "f9b5dc20c4542b2f9d565b5e250e89d874a91c69" or // spip/ecrire/inc/plugin.php + hash.sha1(0, filesize) == "dc099c990baeaa5f06c97a03b4d8aff1507f48c4" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "5226b24a0ec455f62050ed1e52e025150b75517e" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "aa692b83692a53e84372fed7d655b042779beded" or // spip/ecrire/inc/minipres.php + hash.sha1(0, filesize) == "184fea12a6422b5ade617af31b1258d6bb278e80" or // spip/ecrire/inc/presentation.php + hash.sha1(0, filesize) == "a4a9c3f7d639f9f88891bc1d2629c8259aa15903" or // 
spip/ecrire/base/db_mysql.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-1.9.2n.yar b/php-malware-finder/whitelists/Spip/spip-1.9.2n.yar new file mode 100644 index 0000000..91631d1 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-1.9.2n.yar 
@@ -0,0 +1,26 @@ +import "hash" + +private rule Spip192n +{ + condition: + /* Spip192n */ + hash.sha1(0, filesize) == "399b5ad7e505ba9801413291d80f92e4ca3c478a" or // spip/ecrire/exec/import_all.php + hash.sha1(0, filesize) == "82f5fa5a1d302db5d4159141887eae6c587f78a8" or // spip/ecrire/exec/recherche.php + hash.sha1(0, filesize) == "09724694d6eb8a67b7f096a680a30867a8309d17" or // spip/ecrire/extract/pdf.php + hash.sha1(0, filesize) == "3a49a70d83718d5fb932dd3183877a6ceebda865" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "fb0e9c8f42070642c269dc332451722e04b3562b" or // spip/ecrire/public/parametrer.php + hash.sha1(0, filesize) == "4ea473a1c1b2e96e2829c5b6c5ac861c5899efee" or // spip/ecrire/inc/vieilles_defs.php + hash.sha1(0, filesize) == "fdde185dc4a60a39ec7b8e667d33ae9bdc5b836e" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "208f79af9dcc6f5788b8d4af698d9284af26d22f" or // spip/ecrire/inc/export.php + hash.sha1(0, filesize) == "c216d23343a644690071883cbd02e0c42e577900" or // spip/ecrire/inc/compacte_js.php + hash.sha1(0, filesize) == "0c13096da7b7afbe76a77a1c9aeedfbf45314010" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "5501109a6d6cccb0b33cb63026daf2b8e393e807" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "f9b5dc20c4542b2f9d565b5e250e89d874a91c69" or // spip/ecrire/inc/plugin.php + hash.sha1(0, filesize) == "dc099c990baeaa5f06c97a03b4d8aff1507f48c4" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "5226b24a0ec455f62050ed1e52e025150b75517e" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "aa692b83692a53e84372fed7d655b042779beded" or // spip/ecrire/inc/minipres.php + hash.sha1(0, filesize) == "184fea12a6422b5ade617af31b1258d6bb278e80" or // spip/ecrire/inc/presentation.php + hash.sha1(0, filesize) == "a4a9c3f7d639f9f88891bc1d2629c8259aa15903" or // 
spip/ecrire/base/db_mysql.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-1.9.2o.yar b/php-malware-finder/whitelists/Spip/spip-1.9.2o.yar new file mode 100644 index 0000000..8e16709 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-1.9.2o.yar 
@@ -0,0 +1,26 @@ +import "hash" + +private rule Spip192o +{ + condition: + /* Spip192o */ + hash.sha1(0, filesize) == "fd223aff783c0e678bfc7754003dd8b13d4e06b3" or // spip/ecrire/exec/import_all.php + hash.sha1(0, filesize) == "ad68155a25108cfe7b29814273bcca2acd112005" or // spip/ecrire/exec/recherche.php + hash.sha1(0, filesize) == "09724694d6eb8a67b7f096a680a30867a8309d17" or // spip/ecrire/extract/pdf.php + hash.sha1(0, filesize) == "10fcb71d04f186d658e051b2375c4526271a3661" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "c72f183b714b5d0c7a79a9e6ec3c1e85313e8b0a" or // spip/ecrire/public/parametrer.php + hash.sha1(0, filesize) == "309fe160929e3a05fee09bd974de35680b41496c" or // spip/ecrire/inc/vieilles_defs.php + hash.sha1(0, filesize) == "3fc624aa0c36156f2ed7c6ea037356a6158cb95b" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "7c0e62f3f612fef9e5c166bc206a6934efdb3d54" or // spip/ecrire/inc/export.php + hash.sha1(0, filesize) == "c216d23343a644690071883cbd02e0c42e577900" or // spip/ecrire/inc/compacte_js.php + hash.sha1(0, filesize) == "4a31cd2165e9461b4995a7cbb2077c32f8d1fc61" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "a233692a59fea619fc2974370be92ac8628b1840" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "74a3616d18ef3462d9c1ccae3d011c8537cfc013" or // spip/ecrire/inc/plugin.php + hash.sha1(0, filesize) == "a7e9b483ba20305d983850e08afb27f898221f2e" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "a276fecc499aff103e74ee80e8cf8a63fd40a490" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "2a2c4c188c117881d001e9f536b356865fb88b71" or // spip/ecrire/inc/minipres.php + hash.sha1(0, filesize) == "e58d8383ad92493afb08cc312631ccfb8fa6999a" or // spip/ecrire/inc/presentation.php + hash.sha1(0, filesize) == "987a49d3633408219c6fb258ac7fa633eba6c13b" or // 
spip/ecrire/base/db_mysql.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-1.9.2p.yar b/php-malware-finder/whitelists/Spip/spip-1.9.2p.yar new file mode 100644 index 0000000..b0cc358 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-1.9.2p.yar 
@@ -0,0 +1,26 @@ +import "hash" + +private rule Spip192p +{ + condition: + /* Spip192p */ + hash.sha1(0, filesize) == "fd223aff783c0e678bfc7754003dd8b13d4e06b3" or // spip/ecrire/exec/import_all.php + hash.sha1(0, filesize) == "ad68155a25108cfe7b29814273bcca2acd112005" or // spip/ecrire/exec/recherche.php + hash.sha1(0, filesize) == "09724694d6eb8a67b7f096a680a30867a8309d17" or // spip/ecrire/extract/pdf.php + hash.sha1(0, filesize) == "10fcb71d04f186d658e051b2375c4526271a3661" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "c72f183b714b5d0c7a79a9e6ec3c1e85313e8b0a" or // spip/ecrire/public/parametrer.php + hash.sha1(0, filesize) == "309fe160929e3a05fee09bd974de35680b41496c" or // spip/ecrire/inc/vieilles_defs.php + hash.sha1(0, filesize) == "3fc624aa0c36156f2ed7c6ea037356a6158cb95b" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "7c0e62f3f612fef9e5c166bc206a6934efdb3d54" or // spip/ecrire/inc/export.php + hash.sha1(0, filesize) == "c216d23343a644690071883cbd02e0c42e577900" or // spip/ecrire/inc/compacte_js.php + hash.sha1(0, filesize) == "4a31cd2165e9461b4995a7cbb2077c32f8d1fc61" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "a233692a59fea619fc2974370be92ac8628b1840" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "74a3616d18ef3462d9c1ccae3d011c8537cfc013" or // spip/ecrire/inc/plugin.php + hash.sha1(0, filesize) == "a7e9b483ba20305d983850e08afb27f898221f2e" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "a276fecc499aff103e74ee80e8cf8a63fd40a490" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "2a2c4c188c117881d001e9f536b356865fb88b71" or // spip/ecrire/inc/minipres.php + hash.sha1(0, filesize) == "e58d8383ad92493afb08cc312631ccfb8fa6999a" or // spip/ecrire/inc/presentation.php + hash.sha1(0, filesize) == "987a49d3633408219c6fb258ac7fa633eba6c13b" or // 
spip/ecrire/base/db_mysql.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2-stable.yar b/php-malware-finder/whitelists/Spip/spip-2-stable.yar new file mode 100644 index 0000000..ecf8eb4 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2-stable.yar @@ -0,0 +1,19 @@ +import "hash" + +private rule Spip2stable +{ + condition: + /* Spip2stable */ + hash.sha1(0, filesize) == "a2271edd39913835a7dc7e5dc5f05c1823992a6d" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "d072b32ae106bfad54b2074bc079766f89db62dc" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "232d924fb11850a4e64fc51d38f3e1eaaa7e192f" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "1bd3853493963c4bb0b113046e2eff900a055f37" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "ff86d34f64f749d5f238b580a6b3def162848da4" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "ec896b1e9f8535a3bdffe7502ebc0bc2e354ab7e" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "89de7a5f16651a8f6a4e9e4f4b5217f0200c939c" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "7000d4c2e2d2c0e13392cef74f7ff6f948e36151" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "a456416c5c7d144bbd83c4ca35c470d695b1558e" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.0.0.yar b/php-malware-finder/whitelists/Spip/spip-2.0.0.yar new file mode 100644 index 0000000..266556a --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.0.0.yar 
@@ -0,0 +1,23 @@ +import "hash" + +private rule Spip200 +{ + condition: + /* Spip200 */ + hash.sha1(0, filesize) == "25405420a5b883d74b80d5b4a84eb7ae584c51b5" or // spip/ecrire/exec/export_all.php + hash.sha1(0, filesize) == "6d501c308191c96f4a68ad953a31cb1b77687a07" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "b7c2e20296171777eb59af6864afd5403a34aed1" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "c6fdeac58b629ec7c652fb452c87055fd8fc033b" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "eff141c73fef07633a775f275e26b5ac29b08728" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "955f38836621f720912d6aba44221c5efbf8253f" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "382727c0df422be4ad5583f012056f6df7bc9d4f" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "291615644cc2a38e7a5fc3225bff25347281c08f" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "9ee4455d0c32c2549e076ebf4db03f532291187a" or // spip/ecrire/inc/plugin.php + hash.sha1(0, filesize) == "c346d6aa9bede19e3a19f2dbb9e4def229e6a18f" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "4da59835139e8c8dcf6926b4fbd188752c554eab" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "37b5ff79b14009b069e792a2e4335a644cd089aa" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "b9d6b2e8ded92310975751711df9b1ffdfa94c3e" or // spip/ecrire/base/import_all.php + hash.sha1(0, filesize) == "8a3ffb6e1cc1f9c75d46430aa0b7c53db0c31c48" or // spip/ecrire/req/mysql.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.0.1.yar b/php-malware-finder/whitelists/Spip/spip-2.0.1.yar new file mode 100644 index 0000000..275b362 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.0.1.yar 
@@ -0,0 +1,23 @@ +import "hash" + +private rule Spip201 +{ + condition: + /* Spip201 */ + hash.sha1(0, filesize) == "25405420a5b883d74b80d5b4a84eb7ae584c51b5" or // spip/ecrire/exec/export_all.php + hash.sha1(0, filesize) == "6d501c308191c96f4a68ad953a31cb1b77687a07" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "8e0b5153ab9c1126e3d147092ad4f8321337b194" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "c6fdeac58b629ec7c652fb452c87055fd8fc033b" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "eff141c73fef07633a775f275e26b5ac29b08728" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "955f38836621f720912d6aba44221c5efbf8253f" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "0d9a5a6963f59f79ef65e0bc5d1c60bd1c5e381c" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "291615644cc2a38e7a5fc3225bff25347281c08f" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "9ee4455d0c32c2549e076ebf4db03f532291187a" or // spip/ecrire/inc/plugin.php + hash.sha1(0, filesize) == "c346d6aa9bede19e3a19f2dbb9e4def229e6a18f" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "4da59835139e8c8dcf6926b4fbd188752c554eab" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "37b5ff79b14009b069e792a2e4335a644cd089aa" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "b9d6b2e8ded92310975751711df9b1ffdfa94c3e" or // spip/ecrire/base/import_all.php + hash.sha1(0, filesize) == "8a3ffb6e1cc1f9c75d46430aa0b7c53db0c31c48" or // spip/ecrire/req/mysql.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.0.10.yar b/php-malware-finder/whitelists/Spip/spip-2.0.10.yar new file mode 100644 index 0000000..1b2bfdc --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.0.10.yar 
@@ -0,0 +1,21 @@ +import "hash" + +private rule Spip2010 +{ + condition: + /* Spip2010 */ + hash.sha1(0, filesize) == "4b1a3ab16e5fb507f475f3fb114789694bb1ab35" or // spip/ecrire/exec/export_all.php + hash.sha1(0, filesize) == "043171a629df7acbab2efe725e652f2c32458cb5" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "08fa36a92712fd4e5eb739cda6e47e49048b2d92" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "f96b68ac7314ef20af74a734c0184c4091ab0eed" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "954554efd716288f7d6ac0b7aceca72c95879021" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "c3d355ee31fabb0e908b32cea5d50090ba1557f7" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "4cce07037061a343867b0fec3f0af98260e07d47" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "ae5db7abbda4fcabdce95ae74826f82cd8f30158" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "64936a1e43c42462a68b28f72164cb465d339a94" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "4da59835139e8c8dcf6926b4fbd188752c554eab" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "af11b7a27a24cf422ad6b6f7955a580404389be8" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "06b34506497af8307a2b86424f850ad8173eb4fc" or // spip/ecrire/base/import_all.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.0.11.yar b/php-malware-finder/whitelists/Spip/spip-2.0.11.yar new file mode 100644 index 0000000..b014b8e --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.0.11.yar 
@@ -0,0 +1,22 @@ +import "hash" + +private rule Spip2011 +{ + condition: + /* Spip2011 */ + hash.sha1(0, filesize) == "626f275c73265550980acb72eb465b2343f6b959" or // spip/CHANGELOG.txt + hash.sha1(0, filesize) == "10921e6c8e4c1802610397b27e6b5c3c4f76203a" or // spip/ecrire/exec/export_all.php + hash.sha1(0, filesize) == "0a3ae0f120fad66df780d07a32c23a9839ef5b4e" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "116fbb11ea4f67ee24f60f3cecc67e7f7bdd5d0a" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "0fec51090a5fb13b9a6ab2e0a92d365f45916eed" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "1608aa1d6e6c079339f2b4204ef728e8376d6875" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "730911dcb124464c20fb8c63afcfa69340b4c00b" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "4f449e22b6284a1e587e8944bf5d55253a9c1678" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "6260fc4efda8f0f60ad3790ce0497d2bc32fbf27" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "76743f1dd031684ab335bd8fb14e58b8410fae02" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "6594e63630b6c2b8dc4d042ae5dd90739ae5844c" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "bb79a7f17178ec8fcfc67b27dd4c22c378443656" or // spip/ecrire/base/import_all.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.0.12.yar b/php-malware-finder/whitelists/Spip/spip-2.0.12.yar new file mode 100644 index 0000000..194b2c1 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.0.12.yar 
@@ -0,0 +1,22 @@ +import "hash" + +private rule Spip2012 +{ + condition: + /* Spip2012 */ + hash.sha1(0, filesize) == "ac41947cf2efb700000370a259737246fbde864e" or // spip/CHANGELOG.txt + hash.sha1(0, filesize) == "10921e6c8e4c1802610397b27e6b5c3c4f76203a" or // spip/ecrire/exec/export_all.php + hash.sha1(0, filesize) == "0a3ae0f120fad66df780d07a32c23a9839ef5b4e" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "498d25d095e92291556ba7bb1314edb5b939b256" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "0fec51090a5fb13b9a6ab2e0a92d365f45916eed" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "1608aa1d6e6c079339f2b4204ef728e8376d6875" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "730911dcb124464c20fb8c63afcfa69340b4c00b" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "ae539f1a251e1b38d6d35f8f8e4b26b6f59d009a" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "6260fc4efda8f0f60ad3790ce0497d2bc32fbf27" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "76743f1dd031684ab335bd8fb14e58b8410fae02" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "6594e63630b6c2b8dc4d042ae5dd90739ae5844c" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "bb79a7f17178ec8fcfc67b27dd4c22c378443656" or // spip/ecrire/base/import_all.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.0.13.yar b/php-malware-finder/whitelists/Spip/spip-2.0.13.yar new file mode 100644 index 0000000..faa13e5 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.0.13.yar 
@@ -0,0 +1,22 @@ +import "hash" + +private rule Spip2013 +{ + condition: + /* Spip2013 */ + hash.sha1(0, filesize) == "ac41947cf2efb700000370a259737246fbde864e" or // spip/CHANGELOG.txt + hash.sha1(0, filesize) == "10921e6c8e4c1802610397b27e6b5c3c4f76203a" or // spip/ecrire/exec/export_all.php + hash.sha1(0, filesize) == "0a3ae0f120fad66df780d07a32c23a9839ef5b4e" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "498d25d095e92291556ba7bb1314edb5b939b256" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "0fec51090a5fb13b9a6ab2e0a92d365f45916eed" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "1608aa1d6e6c079339f2b4204ef728e8376d6875" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "730911dcb124464c20fb8c63afcfa69340b4c00b" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "597726d450833e471ab46731c0511045442562bf" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "6260fc4efda8f0f60ad3790ce0497d2bc32fbf27" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "76743f1dd031684ab335bd8fb14e58b8410fae02" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "6594e63630b6c2b8dc4d042ae5dd90739ae5844c" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "bb79a7f17178ec8fcfc67b27dd4c22c378443656" or // spip/ecrire/base/import_all.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.0.14.yar b/php-malware-finder/whitelists/Spip/spip-2.0.14.yar new file mode 100644 index 0000000..c84991b --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.0.14.yar 
@@ -0,0 +1,22 @@ +import "hash" + +private rule Spip2014 +{ + condition: + /* Spip2014 */ + hash.sha1(0, filesize) == "d2143c1de515bc7c110a7503aa64388abaef8537" or // spip/CHANGELOG.txt + hash.sha1(0, filesize) == "10921e6c8e4c1802610397b27e6b5c3c4f76203a" or // spip/ecrire/exec/export_all.php + hash.sha1(0, filesize) == "0a3ae0f120fad66df780d07a32c23a9839ef5b4e" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "498d25d095e92291556ba7bb1314edb5b939b256" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "0fec51090a5fb13b9a6ab2e0a92d365f45916eed" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "1608aa1d6e6c079339f2b4204ef728e8376d6875" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "730911dcb124464c20fb8c63afcfa69340b4c00b" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "597726d450833e471ab46731c0511045442562bf" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "6260fc4efda8f0f60ad3790ce0497d2bc32fbf27" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "76743f1dd031684ab335bd8fb14e58b8410fae02" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "6594e63630b6c2b8dc4d042ae5dd90739ae5844c" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "bb79a7f17178ec8fcfc67b27dd4c22c378443656" or // spip/ecrire/base/import_all.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.0.15.yar b/php-malware-finder/whitelists/Spip/spip-2.0.15.yar new file mode 100644 index 0000000..07321e9 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.0.15.yar 
@@ -0,0 +1,22 @@ +import "hash" + +private rule Spip2015 +{ + condition: + /* Spip2015 */ + hash.sha1(0, filesize) == "ec5018b21d68d45913a76770e0d7eaf8499cccdc" or // spip/CHANGELOG.txt + hash.sha1(0, filesize) == "10921e6c8e4c1802610397b27e6b5c3c4f76203a" or // spip/ecrire/exec/export_all.php + hash.sha1(0, filesize) == "0a3ae0f120fad66df780d07a32c23a9839ef5b4e" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "498d25d095e92291556ba7bb1314edb5b939b256" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "0fec51090a5fb13b9a6ab2e0a92d365f45916eed" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "1608aa1d6e6c079339f2b4204ef728e8376d6875" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "730911dcb124464c20fb8c63afcfa69340b4c00b" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "597726d450833e471ab46731c0511045442562bf" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "6260fc4efda8f0f60ad3790ce0497d2bc32fbf27" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "76743f1dd031684ab335bd8fb14e58b8410fae02" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "6594e63630b6c2b8dc4d042ae5dd90739ae5844c" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "bb79a7f17178ec8fcfc67b27dd4c22c378443656" or // spip/ecrire/base/import_all.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.0.16.yar b/php-malware-finder/whitelists/Spip/spip-2.0.16.yar new file mode 100644 index 0000000..4152be1 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.0.16.yar 
@@ -0,0 +1,22 @@ +import "hash" + +private rule Spip2016 +{ + condition: + /* Spip2016 */ + hash.sha1(0, filesize) == "ec5018b21d68d45913a76770e0d7eaf8499cccdc" or // spip/CHANGELOG.txt + hash.sha1(0, filesize) == "10921e6c8e4c1802610397b27e6b5c3c4f76203a" or // spip/ecrire/exec/export_all.php + hash.sha1(0, filesize) == "0a3ae0f120fad66df780d07a32c23a9839ef5b4e" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "498d25d095e92291556ba7bb1314edb5b939b256" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "0fec51090a5fb13b9a6ab2e0a92d365f45916eed" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "1608aa1d6e6c079339f2b4204ef728e8376d6875" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "730911dcb124464c20fb8c63afcfa69340b4c00b" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "597726d450833e471ab46731c0511045442562bf" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "6260fc4efda8f0f60ad3790ce0497d2bc32fbf27" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "76743f1dd031684ab335bd8fb14e58b8410fae02" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "6594e63630b6c2b8dc4d042ae5dd90739ae5844c" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "bb79a7f17178ec8fcfc67b27dd4c22c378443656" or // spip/ecrire/base/import_all.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.0.17.yar b/php-malware-finder/whitelists/Spip/spip-2.0.17.yar new file mode 100644 index 0000000..ef9e1ad --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.0.17.yar 
@@ -0,0 +1,22 @@ +import "hash" + +private rule Spip2017 +{ + condition: + /* Spip2017 */ + hash.sha1(0, filesize) == "3375a62f3dc53273c8cae81ebbb627012163e6cf" or // spip/CHANGELOG.txt + hash.sha1(0, filesize) == "10921e6c8e4c1802610397b27e6b5c3c4f76203a" or // spip/ecrire/exec/export_all.php + hash.sha1(0, filesize) == "0a3ae0f120fad66df780d07a32c23a9839ef5b4e" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "498d25d095e92291556ba7bb1314edb5b939b256" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "0fec51090a5fb13b9a6ab2e0a92d365f45916eed" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "1608aa1d6e6c079339f2b4204ef728e8376d6875" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "730911dcb124464c20fb8c63afcfa69340b4c00b" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "597726d450833e471ab46731c0511045442562bf" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "6260fc4efda8f0f60ad3790ce0497d2bc32fbf27" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "76743f1dd031684ab335bd8fb14e58b8410fae02" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "6594e63630b6c2b8dc4d042ae5dd90739ae5844c" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "bb79a7f17178ec8fcfc67b27dd4c22c378443656" or // spip/ecrire/base/import_all.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.0.18.yar b/php-malware-finder/whitelists/Spip/spip-2.0.18.yar new file mode 100644 index 0000000..0f39863 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.0.18.yar 
@@ -0,0 +1,22 @@ +import "hash" + +private rule Spip2018 +{ + condition: + /* Spip2018 */ + hash.sha1(0, filesize) == "3375a62f3dc53273c8cae81ebbb627012163e6cf" or // spip/CHANGELOG.txt + hash.sha1(0, filesize) == "482a99e69784763c27242676bd1f2546d1ff23ba" or // spip/ecrire/exec/export_all.php + hash.sha1(0, filesize) == "e544016d3a061a6ddfd20320af2efbf979b1c159" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "0bc415fac7c598c6e465a2c1e23b653b4b8d9ea2" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "5c17c07a8216c60242a70997fc8cb4f510b8110e" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "d55a7f5d60bd636e92402f24e628f1eb75b1f5c4" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "89c47a33e91e85938de86ca00c9007a6d1be5605" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "b3a8d630dab45d41dc3fe4ef468eef63f595a17f" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "bdf0e22f523ae48a2888af44c43e346f78c66ede" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "ebcdcd0a17313a4579c85ca75893ef18547e32eb" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "46bf85bd990d48f9769bc04ef27db1f2080f0f1b" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "8b17f193d4c43fb9f3f5e73e92e924a459cf8928" or // spip/ecrire/base/import_all.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.0.19.yar b/php-malware-finder/whitelists/Spip/spip-2.0.19.yar new file mode 100644 index 0000000..0d95331 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.0.19.yar 
@@ -0,0 +1,22 @@ +import "hash" + +private rule Spip2019 +{ + condition: + /* Spip2019 */ + hash.sha1(0, filesize) == "3375a62f3dc53273c8cae81ebbb627012163e6cf" or // spip/CHANGELOG.txt + hash.sha1(0, filesize) == "482a99e69784763c27242676bd1f2546d1ff23ba" or // spip/ecrire/exec/export_all.php + hash.sha1(0, filesize) == "e544016d3a061a6ddfd20320af2efbf979b1c159" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "0bc415fac7c598c6e465a2c1e23b653b4b8d9ea2" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "5c17c07a8216c60242a70997fc8cb4f510b8110e" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "d55a7f5d60bd636e92402f24e628f1eb75b1f5c4" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "89c47a33e91e85938de86ca00c9007a6d1be5605" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "b3a8d630dab45d41dc3fe4ef468eef63f595a17f" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "bdf0e22f523ae48a2888af44c43e346f78c66ede" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "ebcdcd0a17313a4579c85ca75893ef18547e32eb" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "46bf85bd990d48f9769bc04ef27db1f2080f0f1b" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "8b17f193d4c43fb9f3f5e73e92e924a459cf8928" or // spip/ecrire/base/import_all.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.0.2.yar b/php-malware-finder/whitelists/Spip/spip-2.0.2.yar new file mode 100644 index 0000000..74409ca --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.0.2.yar 
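Review bot: The condition of `Spip2019` is the same fourteen-hash list as `Spip2018` in the previous file, and the `Spip2020` to `Spip2023` hunks that follow repeat it unchanged; `Spip2015` and `Spip2016` are also identical to each other. Withdrawing a single exemption later therefore means editing every copy, and a missed copy silently keeps the file whitelisted. Because the include order in Spip.yar puts spip-2.0.18.yar first, the repeated rules could reduce to `condition: Spip2018`. If these files come from a generator, it could instead emit each distinct hash only once.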
@@ -0,0 +1,23 @@ +import "hash" + +private rule Spip202 +{ + condition: + /* Spip202 */ + hash.sha1(0, filesize) == "787f3206235ff5fbf2e01ddf5a47677d7bf181bd" or // spip/ecrire/exec/export_all.php + hash.sha1(0, filesize) == "4f76e0551ed1ff449cd4b0c81145a0a8cd85aa28" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "f8f3f444f1c0dc94ddcf5f9ed3c5dd888fbce7e2" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "9dd40e01eb64f61b35afa04fa46409f83965dac8" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "a9c778e71fde7476e6382d5e5f2d6afaddfd2680" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "89989049350f7f535b3f4c9ca2948f4f8a428602" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "f2544771e9a86abad5c8f40182dd276f0c057233" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "9c402880b319b60e9cc6920ac3a6aa143b278aba" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "b64d02d628b2ce421e17729361aa308f6594313e" or // spip/ecrire/inc/plugin.php + hash.sha1(0, filesize) == "c5e9f3f4f4e0d6ed5e09d4d34271dc3aa0c97302" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "4da59835139e8c8dcf6926b4fbd188752c554eab" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "d25c773155b38b362792c4e4a2c0ae08ce9efdfd" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "06b34506497af8307a2b86424f850ad8173eb4fc" or // spip/ecrire/base/import_all.php + hash.sha1(0, filesize) == "51ed45057e16e422deeb66dfbd1d473c86df31c7" or // spip/ecrire/req/mysql.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.0.20.yar b/php-malware-finder/whitelists/Spip/spip-2.0.20.yar new file mode 100644 index 0000000..75311ab --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.0.20.yar 
@@ -0,0 +1,22 @@ +import "hash" + +private rule Spip2020 +{ + condition: + /* Spip2020 */ + hash.sha1(0, filesize) == "3375a62f3dc53273c8cae81ebbb627012163e6cf" or // spip/CHANGELOG.txt + hash.sha1(0, filesize) == "482a99e69784763c27242676bd1f2546d1ff23ba" or // spip/ecrire/exec/export_all.php + hash.sha1(0, filesize) == "e544016d3a061a6ddfd20320af2efbf979b1c159" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "0bc415fac7c598c6e465a2c1e23b653b4b8d9ea2" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "5c17c07a8216c60242a70997fc8cb4f510b8110e" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "d55a7f5d60bd636e92402f24e628f1eb75b1f5c4" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "89c47a33e91e85938de86ca00c9007a6d1be5605" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "b3a8d630dab45d41dc3fe4ef468eef63f595a17f" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "bdf0e22f523ae48a2888af44c43e346f78c66ede" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "ebcdcd0a17313a4579c85ca75893ef18547e32eb" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "46bf85bd990d48f9769bc04ef27db1f2080f0f1b" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "8b17f193d4c43fb9f3f5e73e92e924a459cf8928" or // spip/ecrire/base/import_all.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.0.21.yar b/php-malware-finder/whitelists/Spip/spip-2.0.21.yar new file mode 100644 index 0000000..1723466 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.0.21.yar 
@@ -0,0 +1,22 @@ +import "hash" + +private rule Spip2021 +{ + condition: + /* Spip2021 */ + hash.sha1(0, filesize) == "3375a62f3dc53273c8cae81ebbb627012163e6cf" or // spip/CHANGELOG.txt + hash.sha1(0, filesize) == "482a99e69784763c27242676bd1f2546d1ff23ba" or // spip/ecrire/exec/export_all.php + hash.sha1(0, filesize) == "e544016d3a061a6ddfd20320af2efbf979b1c159" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "0bc415fac7c598c6e465a2c1e23b653b4b8d9ea2" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "5c17c07a8216c60242a70997fc8cb4f510b8110e" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "d55a7f5d60bd636e92402f24e628f1eb75b1f5c4" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "89c47a33e91e85938de86ca00c9007a6d1be5605" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "b3a8d630dab45d41dc3fe4ef468eef63f595a17f" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "bdf0e22f523ae48a2888af44c43e346f78c66ede" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "ebcdcd0a17313a4579c85ca75893ef18547e32eb" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "46bf85bd990d48f9769bc04ef27db1f2080f0f1b" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "8b17f193d4c43fb9f3f5e73e92e924a459cf8928" or // spip/ecrire/base/import_all.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.0.22.yar b/php-malware-finder/whitelists/Spip/spip-2.0.22.yar new file mode 100644 index 0000000..32e1bef --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.0.22.yar 
@@ -0,0 +1,22 @@ +import "hash" + +private rule Spip2022 +{ + condition: + /* Spip2022 */ + hash.sha1(0, filesize) == "3375a62f3dc53273c8cae81ebbb627012163e6cf" or // spip/CHANGELOG.txt + hash.sha1(0, filesize) == "482a99e69784763c27242676bd1f2546d1ff23ba" or // spip/ecrire/exec/export_all.php + hash.sha1(0, filesize) == "e544016d3a061a6ddfd20320af2efbf979b1c159" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "0bc415fac7c598c6e465a2c1e23b653b4b8d9ea2" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "5c17c07a8216c60242a70997fc8cb4f510b8110e" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "d55a7f5d60bd636e92402f24e628f1eb75b1f5c4" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "89c47a33e91e85938de86ca00c9007a6d1be5605" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "b3a8d630dab45d41dc3fe4ef468eef63f595a17f" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "bdf0e22f523ae48a2888af44c43e346f78c66ede" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "ebcdcd0a17313a4579c85ca75893ef18547e32eb" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "46bf85bd990d48f9769bc04ef27db1f2080f0f1b" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "8b17f193d4c43fb9f3f5e73e92e924a459cf8928" or // spip/ecrire/base/import_all.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.0.23.yar b/php-malware-finder/whitelists/Spip/spip-2.0.23.yar new file mode 100644 index 0000000..759482c --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.0.23.yar 
@@ -0,0 +1,22 @@ +import "hash" + +private rule Spip2023 +{ + condition: + /* Spip2023 */ + hash.sha1(0, filesize) == "3375a62f3dc53273c8cae81ebbb627012163e6cf" or // spip/CHANGELOG.txt + hash.sha1(0, filesize) == "482a99e69784763c27242676bd1f2546d1ff23ba" or // spip/ecrire/exec/export_all.php + hash.sha1(0, filesize) == "e544016d3a061a6ddfd20320af2efbf979b1c159" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "0bc415fac7c598c6e465a2c1e23b653b4b8d9ea2" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "5c17c07a8216c60242a70997fc8cb4f510b8110e" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "d55a7f5d60bd636e92402f24e628f1eb75b1f5c4" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "89c47a33e91e85938de86ca00c9007a6d1be5605" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "b3a8d630dab45d41dc3fe4ef468eef63f595a17f" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "bdf0e22f523ae48a2888af44c43e346f78c66ede" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "ebcdcd0a17313a4579c85ca75893ef18547e32eb" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "46bf85bd990d48f9769bc04ef27db1f2080f0f1b" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "8b17f193d4c43fb9f3f5e73e92e924a459cf8928" or // spip/ecrire/base/import_all.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.0.24.yar b/php-malware-finder/whitelists/Spip/spip-2.0.24.yar new file mode 100644 index 0000000..d2a9d16 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.0.24.yar 
@@ -0,0 +1,22 @@ +import "hash" + +private rule Spip2024 +{ + condition: + /* Spip2024 */ + hash.sha1(0, filesize) == "3375a62f3dc53273c8cae81ebbb627012163e6cf" or // spip/CHANGELOG.txt + hash.sha1(0, filesize) == "8b9d3444001fcb6139686627ce01ece992f2a634" or // spip/ecrire/exec/export_all.php + hash.sha1(0, filesize) == "52725b54bf80563ca169824197426465dbec14c0" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "7854b6d8564b34f706fe1d099cfba71fbebbd485" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "57f87d7fcd74ad4feeac8375b4271a968c45e5ef" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "ef03eedd4a3b1e6a8324705d1dedff8381449ba9" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "65fdab4f4cf311366862c581f76cb49bfb4d14bd" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "3e66ebf49bc283513107415ea1cd6d4a03e8876d" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "ffb958155f7bd019f1d2e4a440fdce3597ab1ccf" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "a95c3f091fefcbad74256b01f03347c30f3f7fc1" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "6d888df1a659915e4922a2789577f451ec683868" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "3c0d8276d3c358354f54987b857cc488698daede" or // spip/ecrire/base/import_all.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.0.25.yar b/php-malware-finder/whitelists/Spip/spip-2.0.25.yar new file mode 100644 index 0000000..9332788 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.0.25.yar 
@@ -0,0 +1,22 @@ +import "hash" + +private rule Spip2025 +{ + condition: + /* Spip2025 */ + hash.sha1(0, filesize) == "3375a62f3dc53273c8cae81ebbb627012163e6cf" or // spip/CHANGELOG.txt + hash.sha1(0, filesize) == "8b9d3444001fcb6139686627ce01ece992f2a634" or // spip/ecrire/exec/export_all.php + hash.sha1(0, filesize) == "52725b54bf80563ca169824197426465dbec14c0" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "7854b6d8564b34f706fe1d099cfba71fbebbd485" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "57f87d7fcd74ad4feeac8375b4271a968c45e5ef" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "ef03eedd4a3b1e6a8324705d1dedff8381449ba9" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "65fdab4f4cf311366862c581f76cb49bfb4d14bd" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "579c73a56f8f48cf92d98d78112d1f83dd54b06e" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "ffb958155f7bd019f1d2e4a440fdce3597ab1ccf" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "a95c3f091fefcbad74256b01f03347c30f3f7fc1" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "6d888df1a659915e4922a2789577f451ec683868" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "3c0d8276d3c358354f54987b857cc488698daede" or // spip/ecrire/base/import_all.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.0.26.yar b/php-malware-finder/whitelists/Spip/spip-2.0.26.yar new file mode 100644 index 0000000..bc8069d --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.0.26.yar 
@@ -0,0 +1,22 @@ +import "hash" + +private rule Spip2026 +{ + condition: + /* Spip2026 */ + hash.sha1(0, filesize) == "6833296d87255015a95bc164b8c948727164167b" or // spip/CHANGELOG.txt + hash.sha1(0, filesize) == "8b9d3444001fcb6139686627ce01ece992f2a634" or // spip/ecrire/exec/export_all.php + hash.sha1(0, filesize) == "52725b54bf80563ca169824197426465dbec14c0" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "7854b6d8564b34f706fe1d099cfba71fbebbd485" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "57f87d7fcd74ad4feeac8375b4271a968c45e5ef" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "ef03eedd4a3b1e6a8324705d1dedff8381449ba9" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "65fdab4f4cf311366862c581f76cb49bfb4d14bd" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "579c73a56f8f48cf92d98d78112d1f83dd54b06e" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "ffb958155f7bd019f1d2e4a440fdce3597ab1ccf" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "8550c889fe2c663e5f2f3c972d368c8f1767b433" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "6d888df1a659915e4922a2789577f451ec683868" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "3c0d8276d3c358354f54987b857cc488698daede" or // spip/ecrire/base/import_all.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.0.3.yar b/php-malware-finder/whitelists/Spip/spip-2.0.3.yar new file mode 100644 index 0000000..a7598dd --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.0.3.yar 
@@ -0,0 +1,23 @@ +import "hash" + +private rule Spip203 +{ + condition: + /* Spip203 */ + hash.sha1(0, filesize) == "787f3206235ff5fbf2e01ddf5a47677d7bf181bd" or // spip/ecrire/exec/export_all.php + hash.sha1(0, filesize) == "4f76e0551ed1ff449cd4b0c81145a0a8cd85aa28" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "e6faee4f64f2de58fe1d4a29dfa51233a19c969c" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "9dd40e01eb64f61b35afa04fa46409f83965dac8" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "a9c778e71fde7476e6382d5e5f2d6afaddfd2680" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "89989049350f7f535b3f4c9ca2948f4f8a428602" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "6b33a20a01be080989aea6df8c869274057f451a" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "9c402880b319b60e9cc6920ac3a6aa143b278aba" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "b64d02d628b2ce421e17729361aa308f6594313e" or // spip/ecrire/inc/plugin.php + hash.sha1(0, filesize) == "c5e9f3f4f4e0d6ed5e09d4d34271dc3aa0c97302" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "4da59835139e8c8dcf6926b4fbd188752c554eab" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "d25c773155b38b362792c4e4a2c0ae08ce9efdfd" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "06b34506497af8307a2b86424f850ad8173eb4fc" or // spip/ecrire/base/import_all.php + hash.sha1(0, filesize) == "51ed45057e16e422deeb66dfbd1d473c86df31c7" or // spip/ecrire/req/mysql.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.0.5.yar b/php-malware-finder/whitelists/Spip/spip-2.0.5.yar new file mode 100644 index 0000000..8efb1d1 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.0.5.yar 
@@ -0,0 +1,22 @@ +import "hash" + +private rule Spip205 +{ + condition: + /* Spip205 */ + hash.sha1(0, filesize) == "787f3206235ff5fbf2e01ddf5a47677d7bf181bd" or // spip/ecrire/exec/export_all.php + hash.sha1(0, filesize) == "9b84605696990b904a22b54ff9ba5f2e8f48025a" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "16e1a4001a5a9fb8d05aad7d27f5d31abeac6a95" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "115d591dabf2e1c72653072b9efaf4c2c1b949fb" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "77754b181cf538a41c1232918ffb8865efde5d00" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "89989049350f7f535b3f4c9ca2948f4f8a428602" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "5c5204c5d002934f1d0d9dc5ecbaf3f69137d26d" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "978e561d5e3605762c6ef657df3ee189fabc16f5" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "c5e9f3f4f4e0d6ed5e09d4d34271dc3aa0c97302" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "4da59835139e8c8dcf6926b4fbd188752c554eab" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "d25c773155b38b362792c4e4a2c0ae08ce9efdfd" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "06b34506497af8307a2b86424f850ad8173eb4fc" or // spip/ecrire/base/import_all.php + hash.sha1(0, filesize) == "51ed45057e16e422deeb66dfbd1d473c86df31c7" or // spip/ecrire/req/mysql.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.0.6.yar b/php-malware-finder/whitelists/Spip/spip-2.0.6.yar new file mode 100644 index 0000000..9823613 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.0.6.yar 
@@ -0,0 +1,22 @@ +import "hash" + +private rule Spip206 +{ + condition: + /* Spip206 */ + hash.sha1(0, filesize) == "787f3206235ff5fbf2e01ddf5a47677d7bf181bd" or // spip/ecrire/exec/export_all.php + hash.sha1(0, filesize) == "9b84605696990b904a22b54ff9ba5f2e8f48025a" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "ae6182b42c8df38db20b3b42fc786b1c6fc53b18" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "115d591dabf2e1c72653072b9efaf4c2c1b949fb" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "77754b181cf538a41c1232918ffb8865efde5d00" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "89989049350f7f535b3f4c9ca2948f4f8a428602" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "7e72768e7268a1146319c9405afd4a21fe9a1aa7" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "978e561d5e3605762c6ef657df3ee189fabc16f5" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "c5e9f3f4f4e0d6ed5e09d4d34271dc3aa0c97302" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "4da59835139e8c8dcf6926b4fbd188752c554eab" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "d25c773155b38b362792c4e4a2c0ae08ce9efdfd" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "06b34506497af8307a2b86424f850ad8173eb4fc" or // spip/ecrire/base/import_all.php + hash.sha1(0, filesize) == "51ed45057e16e422deeb66dfbd1d473c86df31c7" or // spip/ecrire/req/mysql.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.0.7.yar b/php-malware-finder/whitelists/Spip/spip-2.0.7.yar new file mode 100644 index 0000000..7eef2a4 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.0.7.yar 
@@ -0,0 +1,22 @@ +import "hash" + +private rule Spip207 +{ + condition: + /* Spip207 */ + hash.sha1(0, filesize) == "787f3206235ff5fbf2e01ddf5a47677d7bf181bd" or // spip/ecrire/exec/export_all.php + hash.sha1(0, filesize) == "9b84605696990b904a22b54ff9ba5f2e8f48025a" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "a4282d28c5e65c25994697ddac07bf20d163efbb" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "115d591dabf2e1c72653072b9efaf4c2c1b949fb" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "77754b181cf538a41c1232918ffb8865efde5d00" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "89989049350f7f535b3f4c9ca2948f4f8a428602" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "6938d6318688bc3bcbfee2604a87a6ad4d59d09d" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "978e561d5e3605762c6ef657df3ee189fabc16f5" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "50c103d3c7da00c50c6ac6c55235170577339e08" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "4da59835139e8c8dcf6926b4fbd188752c554eab" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "d25c773155b38b362792c4e4a2c0ae08ce9efdfd" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "06b34506497af8307a2b86424f850ad8173eb4fc" or // spip/ecrire/base/import_all.php + hash.sha1(0, filesize) == "51ed45057e16e422deeb66dfbd1d473c86df31c7" or // spip/ecrire/req/mysql.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.0.8.yar b/php-malware-finder/whitelists/Spip/spip-2.0.8.yar new file mode 100644 index 0000000..8fcaa8f --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.0.8.yar 
@@ -0,0 +1,22 @@ +import "hash" + +private rule Spip208 +{ + condition: + /* Spip208 */ + hash.sha1(0, filesize) == "787f3206235ff5fbf2e01ddf5a47677d7bf181bd" or // spip/ecrire/exec/export_all.php + hash.sha1(0, filesize) == "9b84605696990b904a22b54ff9ba5f2e8f48025a" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "f5dc604866a3b2409f2b67ef41734446d8f4993f" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "115d591dabf2e1c72653072b9efaf4c2c1b949fb" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "77754b181cf538a41c1232918ffb8865efde5d00" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "e01d8db08fe44943bebf339fea1d93a452d53d35" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "6938d6318688bc3bcbfee2604a87a6ad4d59d09d" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "978e561d5e3605762c6ef657df3ee189fabc16f5" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "50c103d3c7da00c50c6ac6c55235170577339e08" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "4da59835139e8c8dcf6926b4fbd188752c554eab" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "af11b7a27a24cf422ad6b6f7955a580404389be8" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "06b34506497af8307a2b86424f850ad8173eb4fc" or // spip/ecrire/base/import_all.php + hash.sha1(0, filesize) == "51ed45057e16e422deeb66dfbd1d473c86df31c7" or // spip/ecrire/req/mysql.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.0.9.yar b/php-malware-finder/whitelists/Spip/spip-2.0.9.yar new file mode 100644 index 0000000..a55aca0 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.0.9.yar 
@@ -0,0 +1,21 @@ +import "hash" + +private rule Spip209 +{ + condition: + /* Spip209 */ + hash.sha1(0, filesize) == "4b1a3ab16e5fb507f475f3fb114789694bb1ab35" or // spip/ecrire/exec/export_all.php + hash.sha1(0, filesize) == "043171a629df7acbab2efe725e652f2c32458cb5" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "22bb4f10f27b2a8a9db814d0cc06fd4b3ed8ed0e" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "f96b68ac7314ef20af74a734c0184c4091ab0eed" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "954554efd716288f7d6ac0b7aceca72c95879021" or // spip/ecrire/inc/import.php + hash.sha1(0, filesize) == "a477b95106e87b7a06e724e2921c5c3c65e5c1ab" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "9533304ed66c0d7beea00cc9d286b6586cefc047" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "ae5db7abbda4fcabdce95ae74826f82cd8f30158" or // spip/ecrire/inc/filtres_images.php + hash.sha1(0, filesize) == "50c103d3c7da00c50c6ac6c55235170577339e08" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "4da59835139e8c8dcf6926b4fbd188752c554eab" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "af11b7a27a24cf422ad6b6f7955a580404389be8" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "06b34506497af8307a2b86424f850ad8173eb4fc" or // spip/ecrire/base/import_all.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.1.0.yar b/php-malware-finder/whitelists/Spip/spip-2.1.0.yar new file mode 100644 index 0000000..bbd6c13 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.1.0.yar 
@@ -0,0 +1,19 @@ +import "hash" + +private rule Spip210 +{ + condition: + /* Spip210 */ + hash.sha1(0, filesize) == "3c4943ac0df58038005583904ec261fa3cdfdb77" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "e25e39f00e239cb7d7e44e5580d724554054f046" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "0f8c204dd35523e795454d068aedbb2fef0100b0" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "c700b1f40ae570f0dad7f6015219015bc746092e" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "91bdd09f34b2dcbb77d5b6f1d3b727495f1e24ab" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "38719fe1e984c4f5d96dee91eb16f23414a4bb5b" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "bb5fd31743abaffa96eaddd87ce85b18321d10ff" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "6594e63630b6c2b8dc4d042ae5dd90739ae5844c" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "e5143f8b9aac7e551e9f274044ecd7dacaf7422e" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.1.1.yar b/php-malware-finder/whitelists/Spip/spip-2.1.1.yar new file mode 100644 index 0000000..2239926 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.1.1.yar 
@@ -0,0 +1,21 @@ +import "hash" + +private rule Spip211 +{ + condition: + /* Spip211 */ + hash.sha1(0, filesize) == "630c2427057d967a6f882fd43f972c60c8db39f7" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "0de7d4c7966b3af98fbd73bc4d98674fda14ff36" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "1cf52970054a608460f9aaaa921f18a2b456a0c9" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "5a427def0d094d23c4ce835e2841c948491ea4a1" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "4b01b5830608f8bafeea1fc0b409afb9e8983bc8" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "9614c47a86a296e0d672a71b27c478e1dc44f226" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "91bdd09f34b2dcbb77d5b6f1d3b727495f1e24ab" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "750eaa980b933109bbc2dcf85d15e1c339209130" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "bb5fd31743abaffa96eaddd87ce85b18321d10ff" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "6594e63630b6c2b8dc4d042ae5dd90739ae5844c" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "e5143f8b9aac7e551e9f274044ecd7dacaf7422e" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.1.10.yar b/php-malware-finder/whitelists/Spip/spip-2.1.10.yar new file mode 100644 index 0000000..a0e0c78 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.1.10.yar 
@@ -0,0 +1,21 @@ +import "hash" + +private rule Spip2110 +{ + condition: + /* Spip2110 */ + hash.sha1(0, filesize) == "630c2427057d967a6f882fd43f972c60c8db39f7" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "9ea46c1bf4cf060dd4142b63cc2f6e9fe59ad9e9" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "5226ac2e151244c7345dbe5304a0c53067f8bee0" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "d072b32ae106bfad54b2074bc079766f89db62dc" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "25851685e286f6566970fb46df78caaabaf2440c" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "1bd3853493963c4bb0b113046e2eff900a055f37" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "ff86d34f64f749d5f238b580a6b3def162848da4" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "6debf02d7dc8eb087559313ecf6626928d35c6e9" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "89de7a5f16651a8f6a4e9e4f4b5217f0200c939c" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "7000d4c2e2d2c0e13392cef74f7ff6f948e36151" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "a456416c5c7d144bbd83c4ca35c470d695b1558e" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.1.11.yar b/php-malware-finder/whitelists/Spip/spip-2.1.11.yar new file mode 100644 index 0000000..aee8af4 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.1.11.yar 
@@ -0,0 +1,21 @@ +import "hash" + +private rule Spip2111 +{ + condition: + /* Spip2111 */ + hash.sha1(0, filesize) == "630c2427057d967a6f882fd43f972c60c8db39f7" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "4ede151396c343e5f26b57fa56f4e3818b352502" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "a2271edd39913835a7dc7e5dc5f05c1823992a6d" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "d072b32ae106bfad54b2074bc079766f89db62dc" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "232d924fb11850a4e64fc51d38f3e1eaaa7e192f" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "1bd3853493963c4bb0b113046e2eff900a055f37" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "ff86d34f64f749d5f238b580a6b3def162848da4" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "ec896b1e9f8535a3bdffe7502ebc0bc2e354ab7e" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "89de7a5f16651a8f6a4e9e4f4b5217f0200c939c" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "7000d4c2e2d2c0e13392cef74f7ff6f948e36151" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "a456416c5c7d144bbd83c4ca35c470d695b1558e" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.1.12.yar b/php-malware-finder/whitelists/Spip/spip-2.1.12.yar new file mode 100644 index 0000000..28bd421 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.1.12.yar 
@@ -0,0 +1,21 @@ +import "hash" + +private rule Spip2112 +{ + condition: + /* Spip2112 */ + hash.sha1(0, filesize) == "18c0e9241a7718ed4dd47bb23b23b718b2218104" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "86788fe2243fc7513c0226ffa24f7ecb0a71851c" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "db1e3e1a343b84de1064f46fd57c7f3ffec21a37" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "d072b32ae106bfad54b2074bc079766f89db62dc" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "232d924fb11850a4e64fc51d38f3e1eaaa7e192f" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "1bd3853493963c4bb0b113046e2eff900a055f37" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "06585af679ee1765a301d87ab1aad762931bb31f" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "ec896b1e9f8535a3bdffe7502ebc0bc2e354ab7e" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "89de7a5f16651a8f6a4e9e4f4b5217f0200c939c" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "7000d4c2e2d2c0e13392cef74f7ff6f948e36151" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "a456416c5c7d144bbd83c4ca35c470d695b1558e" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.1.13.yar b/php-malware-finder/whitelists/Spip/spip-2.1.13.yar new file mode 100644 index 0000000..e76fda1 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.1.13.yar 
@@ -0,0 +1,21 @@ +import "hash" + +private rule Spip2113 +{ + condition: + /* Spip2113 */ + hash.sha1(0, filesize) == "18c0e9241a7718ed4dd47bb23b23b718b2218104" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "86788fe2243fc7513c0226ffa24f7ecb0a71851c" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "c003ac9641924fdef979b4e1d2b7abd41318fd7d" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "86982244306a7d32e1dca538b0665f4888350a2b" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "af75e12bd267675dad0f7b0b4242fbc9ed0e40d6" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "a7a7852437fb818949add62ff89ac53daef85a1e" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "b73b7677b1e8a6a2e6cd1607e5ee38cf24c2f4df" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "1d603d6045ef221e53fc38511dc30baba5072e58" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "ae784b2a688a723ea158261fabd400fc11c435b8" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "876664d400c9fc510642d1fab84180a0c150586b" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "fb1dd74bf8c2beb0a086546ef58c5a7aa7253ff9" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.1.14.yar b/php-malware-finder/whitelists/Spip/spip-2.1.14.yar new file mode 100644 index 0000000..913ff7f --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.1.14.yar 
@@ -0,0 +1,21 @@ +import "hash" + +private rule Spip2114 +{ + condition: + /* Spip2114 */ + hash.sha1(0, filesize) == "18c0e9241a7718ed4dd47bb23b23b718b2218104" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "86788fe2243fc7513c0226ffa24f7ecb0a71851c" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "89e2982f930fc0665b6f57b9c5955ac5af9f8c00" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "86982244306a7d32e1dca538b0665f4888350a2b" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "af75e12bd267675dad0f7b0b4242fbc9ed0e40d6" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "a7a7852437fb818949add62ff89ac53daef85a1e" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "b73b7677b1e8a6a2e6cd1607e5ee38cf24c2f4df" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "1d603d6045ef221e53fc38511dc30baba5072e58" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "ae784b2a688a723ea158261fabd400fc11c435b8" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "876664d400c9fc510642d1fab84180a0c150586b" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "fb1dd74bf8c2beb0a086546ef58c5a7aa7253ff9" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.1.15.yar b/php-malware-finder/whitelists/Spip/spip-2.1.15.yar new file mode 100644 index 0000000..f83b62b --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.1.15.yar 
@@ -0,0 +1,19 @@ +import "hash" + +private rule Spip2115 +{ + condition: + /* Spip2115 */ + hash.sha1(0, filesize) == "89e2982f930fc0665b6f57b9c5955ac5af9f8c00" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "86982244306a7d32e1dca538b0665f4888350a2b" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "af75e12bd267675dad0f7b0b4242fbc9ed0e40d6" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "a7a7852437fb818949add62ff89ac53daef85a1e" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "b73b7677b1e8a6a2e6cd1607e5ee38cf24c2f4df" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "1d603d6045ef221e53fc38511dc30baba5072e58" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "ae784b2a688a723ea158261fabd400fc11c435b8" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "876664d400c9fc510642d1fab84180a0c150586b" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "fb1dd74bf8c2beb0a086546ef58c5a7aa7253ff9" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.1.16.yar b/php-malware-finder/whitelists/Spip/spip-2.1.16.yar new file mode 100644 index 0000000..6108cd5 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.1.16.yar 
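Review bot: Spip2115 omits the two `spip/plugins-dist/filtres_images/filtres/` entries (`images_lib.php`, `images_transforme.php`) that Spip2114 and Spip2116 both list with identical hashes, while the other eleven hashes match those neighbours exactly. That pattern suggests the 2.1.15 tree was incomplete or differently laid out when it was hashed, so the source archive for this version should be checked and the file regenerated. If the per-version rules are OR-ed together, as the `Spip or` line in `IsWhitelisted` implies (the aggregating rule is not visible here), the neighbours already cover the missing hashes. The gap then affects the trustworthiness of the generated input rather than detection.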
@@ -0,0 +1,21 @@ +import "hash" + +private rule Spip2116 +{ + condition: + /* Spip2116 */ + hash.sha1(0, filesize) == "18c0e9241a7718ed4dd47bb23b23b718b2218104" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "86788fe2243fc7513c0226ffa24f7ecb0a71851c" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "89e2982f930fc0665b6f57b9c5955ac5af9f8c00" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "86982244306a7d32e1dca538b0665f4888350a2b" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "af75e12bd267675dad0f7b0b4242fbc9ed0e40d6" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "a7a7852437fb818949add62ff89ac53daef85a1e" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "b73b7677b1e8a6a2e6cd1607e5ee38cf24c2f4df" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "1d603d6045ef221e53fc38511dc30baba5072e58" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "ae784b2a688a723ea158261fabd400fc11c435b8" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "876664d400c9fc510642d1fab84180a0c150586b" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "fb1dd74bf8c2beb0a086546ef58c5a7aa7253ff9" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.1.17.yar b/php-malware-finder/whitelists/Spip/spip-2.1.17.yar new file mode 100644 index 0000000..3b1814d --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.1.17.yar 
@@ -0,0 +1,21 @@ +import "hash" + +private rule Spip2117 +{ + condition: + /* Spip2117 */ + hash.sha1(0, filesize) == "18c0e9241a7718ed4dd47bb23b23b718b2218104" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "86788fe2243fc7513c0226ffa24f7ecb0a71851c" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "89e2982f930fc0665b6f57b9c5955ac5af9f8c00" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "86982244306a7d32e1dca538b0665f4888350a2b" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "af75e12bd267675dad0f7b0b4242fbc9ed0e40d6" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "a7a7852437fb818949add62ff89ac53daef85a1e" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "b73b7677b1e8a6a2e6cd1607e5ee38cf24c2f4df" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "1d603d6045ef221e53fc38511dc30baba5072e58" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "ae784b2a688a723ea158261fabd400fc11c435b8" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "876664d400c9fc510642d1fab84180a0c150586b" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "fb1dd74bf8c2beb0a086546ef58c5a7aa7253ff9" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.1.18.yar b/php-malware-finder/whitelists/Spip/spip-2.1.18.yar new file mode 100644 index 0000000..d83a50c --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.1.18.yar 
@@ -0,0 +1,21 @@ +import "hash" + +private rule Spip2118 +{ + condition: + /* Spip2118 */ + hash.sha1(0, filesize) == "18c0e9241a7718ed4dd47bb23b23b718b2218104" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "86788fe2243fc7513c0226ffa24f7ecb0a71851c" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "89e2982f930fc0665b6f57b9c5955ac5af9f8c00" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "86982244306a7d32e1dca538b0665f4888350a2b" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "af75e12bd267675dad0f7b0b4242fbc9ed0e40d6" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "a7a7852437fb818949add62ff89ac53daef85a1e" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "2826bfd18fa0fb6ff88837ea7820e874c278455c" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "1d603d6045ef221e53fc38511dc30baba5072e58" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "ae784b2a688a723ea158261fabd400fc11c435b8" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "876664d400c9fc510642d1fab84180a0c150586b" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "fb1dd74bf8c2beb0a086546ef58c5a7aa7253ff9" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.1.19.yar b/php-malware-finder/whitelists/Spip/spip-2.1.19.yar new file mode 100644 index 0000000..9759a0d --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.1.19.yar 
@@ -0,0 +1,21 @@ +import "hash" + +private rule Spip2119 +{ + condition: + /* Spip2119 */ + hash.sha1(0, filesize) == "18c0e9241a7718ed4dd47bb23b23b718b2218104" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "86788fe2243fc7513c0226ffa24f7ecb0a71851c" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "89e2982f930fc0665b6f57b9c5955ac5af9f8c00" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "86982244306a7d32e1dca538b0665f4888350a2b" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "af75e12bd267675dad0f7b0b4242fbc9ed0e40d6" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "a7a7852437fb818949add62ff89ac53daef85a1e" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "2826bfd18fa0fb6ff88837ea7820e874c278455c" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "1d603d6045ef221e53fc38511dc30baba5072e58" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "ae784b2a688a723ea158261fabd400fc11c435b8" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "876664d400c9fc510642d1fab84180a0c150586b" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "fb1dd74bf8c2beb0a086546ef58c5a7aa7253ff9" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.1.2.yar b/php-malware-finder/whitelists/Spip/spip-2.1.2.yar new file mode 100644 index 0000000..b493368 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.1.2.yar 
@@ -0,0 +1,20 @@ +import "hash" + +private rule Spip212 +{ + condition: + /* Spip212 */ + hash.sha1(0, filesize) == "2b03b8b4bc2a19e81a4101160abb927b7a5adcce" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "07682d799b2d36fd09d35bce74e7c0e9e6cf763c" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "4b01b5830608f8bafeea1fc0b409afb9e8983bc8" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "6c56847d5807c7fe41f0ca5f31812c09c63ebcae" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "91bdd09f34b2dcbb77d5b6f1d3b727495f1e24ab" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "3e72415a3a10c8f236d8ff3ca32bee37a2db182b" or // spip/ecrire/inc/texte.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "3cf8c485fa57f49b807673e504d4779b42f58fb9" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "5da60b6622a43677d0a42b8b7cf37d0d7d41aac3" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "6594e63630b6c2b8dc4d042ae5dd90739ae5844c" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "e5143f8b9aac7e551e9f274044ecd7dacaf7422e" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.1.20.yar b/php-malware-finder/whitelists/Spip/spip-2.1.20.yar new file mode 100644 index 0000000..fd116e1 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.1.20.yar 
@@ -0,0 +1,21 @@ +import "hash" + +private rule Spip2120 +{ + condition: + /* Spip2120 */ + hash.sha1(0, filesize) == "18c0e9241a7718ed4dd47bb23b23b718b2218104" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "86788fe2243fc7513c0226ffa24f7ecb0a71851c" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "380e5158053cd99f1244e580858e040f5302b752" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "459f59f5062d372f3d55b9528b143c7240d9f83a" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "b4c41747819dc030536702c3e30cafacf2c4ab50" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "7853a8863a9f2f5e6b263f7d6df3ecee0d39f07c" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "59044f264917d6dcc0b0902faaf3d04850a97abd" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "ea9576105ce1411f41e49923269bc7a112d97103" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "a191e5df94564c0a3de3ca7e229c133b46c7f6e9" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "6a584e64625d7fd5d81c8507552e37994c71616f" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "e28ff7e8d0ccc6ad7fc1d6e58a63f6452d884cfb" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.1.21.yar b/php-malware-finder/whitelists/Spip/spip-2.1.21.yar new file mode 100644 index 0000000..d0e7033 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.1.21.yar 
@@ -0,0 +1,21 @@ +import "hash" + +private rule Spip2121 +{ + condition: + /* Spip2121 */ + hash.sha1(0, filesize) == "18c0e9241a7718ed4dd47bb23b23b718b2218104" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "86788fe2243fc7513c0226ffa24f7ecb0a71851c" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "380e5158053cd99f1244e580858e040f5302b752" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "459f59f5062d372f3d55b9528b143c7240d9f83a" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "b4c41747819dc030536702c3e30cafacf2c4ab50" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "7853a8863a9f2f5e6b263f7d6df3ecee0d39f07c" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "59044f264917d6dcc0b0902faaf3d04850a97abd" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "ea9576105ce1411f41e49923269bc7a112d97103" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "a191e5df94564c0a3de3ca7e229c133b46c7f6e9" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "6a584e64625d7fd5d81c8507552e37994c71616f" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "e28ff7e8d0ccc6ad7fc1d6e58a63f6452d884cfb" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.1.22.yar b/php-malware-finder/whitelists/Spip/spip-2.1.22.yar new file mode 100644 index 0000000..d86d673 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.1.22.yar 
@@ -0,0 +1,21 @@ +import "hash" + +private rule Spip2122 +{ + condition: + /* Spip2122 */ + hash.sha1(0, filesize) == "18c0e9241a7718ed4dd47bb23b23b718b2218104" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "86788fe2243fc7513c0226ffa24f7ecb0a71851c" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "72d9aef4a1f5f6638492914cca6456443cf44387" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "459f59f5062d372f3d55b9528b143c7240d9f83a" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "b4c41747819dc030536702c3e30cafacf2c4ab50" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "7853a8863a9f2f5e6b263f7d6df3ecee0d39f07c" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "59044f264917d6dcc0b0902faaf3d04850a97abd" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "ea9576105ce1411f41e49923269bc7a112d97103" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "a191e5df94564c0a3de3ca7e229c133b46c7f6e9" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "6a584e64625d7fd5d81c8507552e37994c71616f" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "e28ff7e8d0ccc6ad7fc1d6e58a63f6452d884cfb" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.1.23.yar b/php-malware-finder/whitelists/Spip/spip-2.1.23.yar new file mode 100644 index 0000000..9067162 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.1.23.yar 
@@ -0,0 +1,21 @@ +import "hash" + +private rule Spip2123 +{ + condition: + /* Spip2123 */ + hash.sha1(0, filesize) == "18c0e9241a7718ed4dd47bb23b23b718b2218104" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "86788fe2243fc7513c0226ffa24f7ecb0a71851c" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "72d9aef4a1f5f6638492914cca6456443cf44387" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "459f59f5062d372f3d55b9528b143c7240d9f83a" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "b4c41747819dc030536702c3e30cafacf2c4ab50" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "7853a8863a9f2f5e6b263f7d6df3ecee0d39f07c" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "59044f264917d6dcc0b0902faaf3d04850a97abd" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "ea9576105ce1411f41e49923269bc7a112d97103" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "a191e5df94564c0a3de3ca7e229c133b46c7f6e9" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "6a584e64625d7fd5d81c8507552e37994c71616f" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "e28ff7e8d0ccc6ad7fc1d6e58a63f6452d884cfb" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.1.24.yar b/php-malware-finder/whitelists/Spip/spip-2.1.24.yar new file mode 100644 index 0000000..48f1798 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.1.24.yar 
@@ -0,0 +1,21 @@ +import "hash" + +private rule Spip2124 +{ + condition: + /* Spip2124 */ + hash.sha1(0, filesize) == "18c0e9241a7718ed4dd47bb23b23b718b2218104" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "86788fe2243fc7513c0226ffa24f7ecb0a71851c" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "e69b3b97ca66e39ed743208c1a6e09d00f22d9ae" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "fa9bb2513a6a06a7662dfc20624b9bed3d7785e0" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "070ac6dd13610245023599114cf2b35027a37042" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "7853a8863a9f2f5e6b263f7d6df3ecee0d39f07c" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "59044f264917d6dcc0b0902faaf3d04850a97abd" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "dd778f2fb4b06c14b1eab4001cdf8704ac5bfe95" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "931f85bc3f48791820331c5f77308795c9a7ae6f" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "6a584e64625d7fd5d81c8507552e37994c71616f" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "e28ff7e8d0ccc6ad7fc1d6e58a63f6452d884cfb" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.1.25.yar b/php-malware-finder/whitelists/Spip/spip-2.1.25.yar new file mode 100644 index 0000000..e750823 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.1.25.yar 
@@ -0,0 +1,21 @@ +import "hash" + +private rule Spip2125 +{ + condition: + /* Spip2125 */ + hash.sha1(0, filesize) == "3b26aeedf64615fee8841935b8d8811a18aa7efd" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "bf8092c9f3704fa0701c9fb66d57657e7a7ac703" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "ca8a8cfdb3a02ec106286b8d6d834caea35fb20f" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "1b2338c7d8e369f9eab19d19f2087cfa722f4151" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "388a385bca6370a41238eb7318904ed74b46dc76" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "431eab8c1d1860e3f1da249e261f27b824ce2e06" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "a0aa780ec08c8e1217ba7b111f9caee7da8d9071" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "cbfbac6d7a64171a0ffb7d6a127ea1f058f35289" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "7f8679c275aafce115364c4d8be1142bfa4d22a2" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "07668f2350714481d6ed2886831aff715f5061f4" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "a507467968f31236562cc816181c7d29833b2e46" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.1.26.yar b/php-malware-finder/whitelists/Spip/spip-2.1.26.yar new file mode 100644 index 0000000..084b1d1 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.1.26.yar 
@@ -0,0 +1,21 @@ +import "hash" + +private rule Spip2126 +{ + condition: + /* Spip2126 */ + hash.sha1(0, filesize) == "3b26aeedf64615fee8841935b8d8811a18aa7efd" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "bf8092c9f3704fa0701c9fb66d57657e7a7ac703" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "ca8a8cfdb3a02ec106286b8d6d834caea35fb20f" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "1b2338c7d8e369f9eab19d19f2087cfa722f4151" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "388a385bca6370a41238eb7318904ed74b46dc76" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "431eab8c1d1860e3f1da249e261f27b824ce2e06" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "a0aa780ec08c8e1217ba7b111f9caee7da8d9071" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "cbfbac6d7a64171a0ffb7d6a127ea1f058f35289" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "7f8679c275aafce115364c4d8be1142bfa4d22a2" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "07668f2350714481d6ed2886831aff715f5061f4" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "a507467968f31236562cc816181c7d29833b2e46" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.1.27.yar b/php-malware-finder/whitelists/Spip/spip-2.1.27.yar new file mode 100644 index 0000000..abb06a9 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.1.27.yar 
@@ -0,0 +1,21 @@ +import "hash" + +private rule Spip2127 +{ + condition: + /* Spip2127 */ + hash.sha1(0, filesize) == "c7042d7ade361ca2e914a7e9c430332898abea16" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "432128e06fdf854925657995c13e88b5269f25f9" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "796ece21cbed92a4c549ac43f4b30e6d25ad6123" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "00cb6194f6473aa82264a5588f0125bfdc135cff" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "388a385bca6370a41238eb7318904ed74b46dc76" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "431eab8c1d1860e3f1da249e261f27b824ce2e06" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "6a1be35a3ef78a5474de9ae45c9374b6c0655540" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "ac97759be82f0835a164bd40bc5cc6e339416e71" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "7f8679c275aafce115364c4d8be1142bfa4d22a2" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "07668f2350714481d6ed2886831aff715f5061f4" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "a507467968f31236562cc816181c7d29833b2e46" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.1.28.yar b/php-malware-finder/whitelists/Spip/spip-2.1.28.yar new file mode 100644 index 0000000..e2a76a0 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.1.28.yar 
@@ -0,0 +1,22 @@ +import "hash" + +private rule Spip2128 +{ + condition: + /* Spip2128 */ + hash.sha1(0, filesize) == "6f2355a249e801532b24e7ba468d4ca61db82b29" or // spip/CHANGELOG.txt + hash.sha1(0, filesize) == "c7042d7ade361ca2e914a7e9c430332898abea16" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "432128e06fdf854925657995c13e88b5269f25f9" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "796ece21cbed92a4c549ac43f4b30e6d25ad6123" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "00cb6194f6473aa82264a5588f0125bfdc135cff" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "388a385bca6370a41238eb7318904ed74b46dc76" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "431eab8c1d1860e3f1da249e261f27b824ce2e06" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "6a1be35a3ef78a5474de9ae45c9374b6c0655540" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "ac97759be82f0835a164bd40bc5cc6e339416e71" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "b46f96fbe2be9b01a0613142cfa75bafa74cf7e9" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "07668f2350714481d6ed2886831aff715f5061f4" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "a507467968f31236562cc816181c7d29833b2e46" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.1.29.yar b/php-malware-finder/whitelists/Spip/spip-2.1.29.yar new file mode 100644 index 0000000..add4e0b --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.1.29.yar 
@@ -0,0 +1,21 @@ +import "hash" + +private rule Spip2129 +{ + condition: + /* Spip2129 */ + hash.sha1(0, filesize) == "06db802a5b24be0a5ab550c46425ce4fb75f2844" or // spip/CHANGELOG.txt + hash.sha1(0, filesize) == "d4125a49a51d5081c729b5167a4963e2da788ed5" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "2f619fe089eebd6eb4f47908d7dd1ce415640220" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "deca8d575f46b467a1e9eca959a15e9f94f044b5" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "c4f43179ccf885ab6df3a606b2704c2c681d8200" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "9d8015ea3b6289e4c3b9c6a14c17b98871aa3f28" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "e045a401b625d485d1d412fa478778f307b1a5de" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "d71afea1645dfd43ea61c1b240ef3abd1e97b813" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "f8b476f66cdbabde60edaf55d56224c1f02f7ef2" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "2f28e6f5b63a597fb7fe435ff82bf87c24449421" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "481af0b2217f67d91048864c8e73e48775d850fd" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.1.3.yar b/php-malware-finder/whitelists/Spip/spip-2.1.3.yar new file mode 100644 index 0000000..d3c2267 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.1.3.yar 
@@ -0,0 +1,21 @@ +import "hash" + +private rule Spip213 +{ + condition: + /* Spip213 */ + hash.sha1(0, filesize) == "630c2427057d967a6f882fd43f972c60c8db39f7" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "9ea46c1bf4cf060dd4142b63cc2f6e9fe59ad9e9" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "9dc76e638ec53f967da68df1aeca380b24422caf" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "d3373f28f086a559b7d998a5a301cea4dd6b4943" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "879076f1532ee72c1126eaf407afc19c08a9f371" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "ca1e4ce656fcd3815752ccbdecbabf45af6343b6" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "7341766b428e1c601c1fc05f9933716c87c31ee0" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "73a33af955f196f6e539c2a6d4ae88359b7b8b92" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "6239e830975e2b723af8d647097693f8e88c5f08" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "6594e63630b6c2b8dc4d042ae5dd90739ae5844c" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "e5143f8b9aac7e551e9f274044ecd7dacaf7422e" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.1.30.yar b/php-malware-finder/whitelists/Spip/spip-2.1.30.yar new file mode 100644 index 0000000..921a12c --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.1.30.yar 
@@ -0,0 +1,21 @@ +import "hash" + +private rule Spip2130 +{ + condition: + /* Spip2130 */ + hash.sha1(0, filesize) == "d4b08df2c0b84b8220f6203c0c0caa35f2572ad7" or // spip/CHANGELOG.txt + hash.sha1(0, filesize) == "d4125a49a51d5081c729b5167a4963e2da788ed5" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "2f619fe089eebd6eb4f47908d7dd1ce415640220" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "58b5b1e8537b7c68ff5afe024d204295ce5a5c84" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "c4f43179ccf885ab6df3a606b2704c2c681d8200" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "9d8015ea3b6289e4c3b9c6a14c17b98871aa3f28" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "e045a401b625d485d1d412fa478778f307b1a5de" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "64ec16d9406084c2bf393ea4decf09bb902704dc" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "a931bfdfa9457eaca2a0d1328e728ec1a063a601" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "90fe7e0ccaf51ef8941ffbea8a74131138a97b71" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "481af0b2217f67d91048864c8e73e48775d850fd" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.1.4.yar b/php-malware-finder/whitelists/Spip/spip-2.1.4.yar new file mode 100644 index 0000000..16e7ad6 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.1.4.yar 
@@ -0,0 +1,21 @@ +import "hash" + +private rule Spip214 +{ + condition: + /* Spip214 */ + hash.sha1(0, filesize) == "630c2427057d967a6f882fd43f972c60c8db39f7" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "9ea46c1bf4cf060dd4142b63cc2f6e9fe59ad9e9" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "4a645ac5f3562b34104ebb7581748551ac0602f4" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "030c3df3d3eeaf79301a551d51f56df1dbcf59e7" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "25851685e286f6566970fb46df78caaabaf2440c" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "1bd3853493963c4bb0b113046e2eff900a055f37" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "ff86d34f64f749d5f238b580a6b3def162848da4" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "3b6714b2f59199ac427226d87052ed596eab7125" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "89de7a5f16651a8f6a4e9e4f4b5217f0200c939c" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "7000d4c2e2d2c0e13392cef74f7ff6f948e36151" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "a456416c5c7d144bbd83c4ca35c470d695b1558e" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.1.5.yar b/php-malware-finder/whitelists/Spip/spip-2.1.5.yar new file mode 100644 index 0000000..41ba758 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.1.5.yar 
@@ -0,0 +1,21 @@ +import "hash" + +private rule Spip215 +{ + condition: + /* Spip215 */ + hash.sha1(0, filesize) == "630c2427057d967a6f882fd43f972c60c8db39f7" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "9ea46c1bf4cf060dd4142b63cc2f6e9fe59ad9e9" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "4a645ac5f3562b34104ebb7581748551ac0602f4" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "030c3df3d3eeaf79301a551d51f56df1dbcf59e7" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "25851685e286f6566970fb46df78caaabaf2440c" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "1bd3853493963c4bb0b113046e2eff900a055f37" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "ff86d34f64f749d5f238b580a6b3def162848da4" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "3b6714b2f59199ac427226d87052ed596eab7125" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "89de7a5f16651a8f6a4e9e4f4b5217f0200c939c" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "7000d4c2e2d2c0e13392cef74f7ff6f948e36151" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "a456416c5c7d144bbd83c4ca35c470d695b1558e" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.1.6.yar b/php-malware-finder/whitelists/Spip/spip-2.1.6.yar new file mode 100644 index 0000000..6514570 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.1.6.yar 
@@ -0,0 +1,21 @@ +import "hash" + +private rule Spip216 +{ + condition: + /* Spip216 */ + hash.sha1(0, filesize) == "630c2427057d967a6f882fd43f972c60c8db39f7" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "9ea46c1bf4cf060dd4142b63cc2f6e9fe59ad9e9" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "5226ac2e151244c7345dbe5304a0c53067f8bee0" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "030c3df3d3eeaf79301a551d51f56df1dbcf59e7" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "25851685e286f6566970fb46df78caaabaf2440c" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "1bd3853493963c4bb0b113046e2eff900a055f37" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "ff86d34f64f749d5f238b580a6b3def162848da4" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "3b6714b2f59199ac427226d87052ed596eab7125" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "89de7a5f16651a8f6a4e9e4f4b5217f0200c939c" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "7000d4c2e2d2c0e13392cef74f7ff6f948e36151" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "a456416c5c7d144bbd83c4ca35c470d695b1558e" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.1.7.yar b/php-malware-finder/whitelists/Spip/spip-2.1.7.yar new file mode 100644 index 0000000..660cc7d --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.1.7.yar 
@@ -0,0 +1,21 @@ +import "hash" + +private rule Spip217 +{ + condition: + /* Spip217 */ + hash.sha1(0, filesize) == "630c2427057d967a6f882fd43f972c60c8db39f7" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "9ea46c1bf4cf060dd4142b63cc2f6e9fe59ad9e9" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "5226ac2e151244c7345dbe5304a0c53067f8bee0" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "d072b32ae106bfad54b2074bc079766f89db62dc" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "25851685e286f6566970fb46df78caaabaf2440c" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "1bd3853493963c4bb0b113046e2eff900a055f37" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "ff86d34f64f749d5f238b580a6b3def162848da4" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "1a1c22c761216d8ecaf416353b7219fe7e45b166" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "89de7a5f16651a8f6a4e9e4f4b5217f0200c939c" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "7000d4c2e2d2c0e13392cef74f7ff6f948e36151" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "a456416c5c7d144bbd83c4ca35c470d695b1558e" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.1.8.yar b/php-malware-finder/whitelists/Spip/spip-2.1.8.yar new file mode 100644 index 0000000..bae0fc4 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.1.8.yar 
@@ -0,0 +1,21 @@ +import "hash" + +private rule Spip218 +{ + condition: + /* Spip218 */ + hash.sha1(0, filesize) == "630c2427057d967a6f882fd43f972c60c8db39f7" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "9ea46c1bf4cf060dd4142b63cc2f6e9fe59ad9e9" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "5226ac2e151244c7345dbe5304a0c53067f8bee0" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "d072b32ae106bfad54b2074bc079766f89db62dc" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "25851685e286f6566970fb46df78caaabaf2440c" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "1bd3853493963c4bb0b113046e2eff900a055f37" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "ff86d34f64f749d5f238b580a6b3def162848da4" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "1a1c22c761216d8ecaf416353b7219fe7e45b166" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "89de7a5f16651a8f6a4e9e4f4b5217f0200c939c" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "7000d4c2e2d2c0e13392cef74f7ff6f948e36151" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "a456416c5c7d144bbd83c4ca35c470d695b1558e" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-2.1.9.yar b/php-malware-finder/whitelists/Spip/spip-2.1.9.yar new file mode 100644 index 0000000..6fef68d --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-2.1.9.yar 
@@ -0,0 +1,21 @@ +import "hash" + +private rule Spip219 +{ + condition: + /* Spip219 */ + hash.sha1(0, filesize) == "630c2427057d967a6f882fd43f972c60c8db39f7" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "9ea46c1bf4cf060dd4142b63cc2f6e9fe59ad9e9" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "5226ac2e151244c7345dbe5304a0c53067f8bee0" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "d072b32ae106bfad54b2074bc079766f89db62dc" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "25851685e286f6566970fb46df78caaabaf2440c" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "1bd3853493963c4bb0b113046e2eff900a055f37" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "ff86d34f64f749d5f238b580a6b3def162848da4" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "6debf02d7dc8eb087559313ecf6626928d35c6e9" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "89de7a5f16651a8f6a4e9e4f4b5217f0200c939c" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "7000d4c2e2d2c0e13392cef74f7ff6f948e36151" or // spip/ecrire/inc/import_insere.php + hash.sha1(0, filesize) == "a456416c5c7d144bbd83c4ca35c470d695b1558e" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.0.0-alpha1.yar b/php-malware-finder/whitelists/Spip/spip-3.0.0-alpha1.yar new file mode 100644 index 0000000..0dc618b --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.0.0-alpha1.yar 
@@ -0,0 +1,20 @@ +import "hash" + +private rule Spip300alpha1 +{ + condition: + /* Spip300alpha1 */ + hash.sha1(0, filesize) == "8615ad457bef12e074c6b6cbd996aa97e127dfc9" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "b63b0e9571a1b2ef0bf6437cc0bd8386d26138f2" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "aada28b5731bc868bcfa234fdcbdaac96ed1ed4a" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "e5f23ce2a017786ce96c9ad19dec7e799b9be7b5" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "570ab7e04ea9e0118c66a8ce544febfa971b8e84" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4f49e37786c597e4033f17049ff35bbc19f0308f" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "a6ac64667efc28fd5228349d07d4747a17d1dd89" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "8e27e3027353b5a2ab85d6eeab8893d655b6a429" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "bfe7ea306b51c824398a1be736c5f0cbfc2f3e8c" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "03a70265e9ffac88c95df9218459acee5ea60b2f" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.0.0-beta.yar b/php-malware-finder/whitelists/Spip/spip-3.0.0-beta.yar new file mode 100644 index 0000000..f4a9167 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.0.0-beta.yar 
@@ -0,0 +1,20 @@ +import "hash" + +private rule Spip300beta +{ + condition: + /* Spip300beta */ + hash.sha1(0, filesize) == "8615ad457bef12e074c6b6cbd996aa97e127dfc9" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "53c701e783c439aa2e8456e824ef0b4ad3a6a124" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "10fdfd44283995b0f381fdf8ef85df98eb5974f2" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "f207b9f736809a84f9967f130fb6ced3ade32d41" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "570ab7e04ea9e0118c66a8ce544febfa971b8e84" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "50c0f20bb4aec3ea747f3185ae4b3b87eac60b09" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "4c94349ba8619f61120d498c1524c62e20437a7c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "15f789427801fbf813f832ea1150de9dc5b6521e" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "8e27e3027353b5a2ab85d6eeab8893d655b6a429" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "cd912d00971cf0d1f0f2c334da32543c4043d471" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "03a70265e9ffac88c95df9218459acee5ea60b2f" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.0.0-beta2.yar b/php-malware-finder/whitelists/Spip/spip-3.0.0-beta2.yar new file mode 100644 index 0000000..8202aec --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.0.0-beta2.yar 
@@ -0,0 +1,22 @@ +import "hash" + +private rule Spip300beta2 +{ + condition: + /* Spip300beta2 */ + hash.sha1(0, filesize) == "f1e03ce61691d8a233a0bff08649289e10f2cdb0" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "3e46a581bb63c4f657fc03f6f84f11edf3310f18" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "4f299c397dfdb111689388062000fc6a8b16e31b" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "f26c88320e6c39087bd914bc95402f3709d6e436" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "71cd5aeae36ef87c3b2459554b6f6c22663ffd4d" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "f207b9f736809a84f9967f130fb6ced3ade32d41" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "165cd77dfb569c0942a0979d173e33820c6f1b2c" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "7e78bd653ad6357e158cb4c204586f388094b226" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "a89b840fe1a48dd24243e0cc0ffb2d921e5aa4ed" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "03ac04a71d9bcb3c1297a4226ebf40392d31d88c" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "5a34afc8e9af01bb36eaf5d8653841caf5e35c40" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "e8fac0e098e4b2e4fdb285ac55a446e725927dd4" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.0.0-rc.yar b/php-malware-finder/whitelists/Spip/spip-3.0.0-rc.yar new file mode 100644 index 0000000..05b6951 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.0.0-rc.yar 
@@ -0,0 +1,24 @@ +import "hash" + +private rule Spip300rc +{ + condition: + /* Spip300rc */ + hash.sha1(0, filesize) == "e607baf42606d4bfaf5c092f34d2bad84d017380" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "feadb6f60a64cd48e22696f0242fa2dde09add67" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "109ebd9bab42445fcafe0bf7e49859591837c8dc" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "09080b6dd1b382e08dfeee7086e3905bbbdb9d1a" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "146a1af99ef816a80ff04bb22246842f68011baa" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "3b481d11474f915a6ce5ee66dd4a97afb858a9dc" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "7e318f6c7c8e150e1b8286b2aa9f0e2034a02fe6" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "f152cde7405a28d5e9c1cd5865b89113ee0d6bbc" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "3ffd35448c53489c2c1b6b56af87b8ae51991086" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "0b9653750988dfb9d16c0137342a5489aca3bb4b" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "881067a72842eef1bf475adb7e4b941ac514e0e8" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "e664db419be56240f3257b1104811671be5960f3" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "20dee93616592eb17741a5bb8f1aefed52565a38" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "86c6913271382071bafaea5a4e91e52391645a33" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.0.0.yar b/php-malware-finder/whitelists/Spip/spip-3.0.0.yar new file mode 100644 index 0000000..b1e4a68 --- /dev/null 
+++ b/php-malware-finder/whitelists/Spip/spip-3.0.0.yar 
@@ -0,0 +1,30 @@ +import "hash" + +private rule Spip300 +{ + condition: + /* Spip300 */ + hash.sha1(0, filesize) == "b97a86d5d85a92578c7c34fbcf2a4b7c3a27274d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "607093329a017416344109bcc64a528758385003" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "0eb920cf614df8b7a793d2637149167af8027d5d" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "b0b5cf7030e47a9b526e458b1a72f21d3790a111" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "23f515173ba5c5a77e69cf760753f25527bd32b6" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "e607baf42606d4bfaf5c092f34d2bad84d017380" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "9b34de4140cf72dbd4409b29928e52ece0259478" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "dbee64e9d0df49b2f74eec6540db5fbd1b838f2a" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "258eede3be72eb57ee6e0932b8ff9239b753ae4d" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "09080b6dd1b382e08dfeee7086e3905bbbdb9d1a" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "9109667e201449b564d0645580b2f8f41e05d448" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "1d19772d5d9ada288f1d27b07c271cecae54cb23" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "2bf7f1e04c82478a25e238fe9d552b3f7dd04cbb" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "f152cde7405a28d5e9c1cd5865b89113ee0d6bbc" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "b23e87708c90fdf0c35d96301ad4045bade9602f" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "0b9653750988dfb9d16c0137342a5489aca3bb4b" or // 
spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "5c8bc255192c51fb0a45f9ef1edf02343a82f72e" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "e664db419be56240f3257b1104811671be5960f3" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "20dee93616592eb17741a5bb8f1aefed52565a38" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "eeb09f7145218687e786837b400678999c38eb95" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.0.1.yar b/php-malware-finder/whitelists/Spip/spip-3.0.1.yar new file mode 100644 index 0000000..c65d6ec --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.0.1.yar 
@@ -0,0 +1,30 @@ +import "hash" + +private rule Spip301 +{ + condition: + /* Spip301 */ + hash.sha1(0, filesize) == "b97a86d5d85a92578c7c34fbcf2a4b7c3a27274d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "607093329a017416344109bcc64a528758385003" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "0eb920cf614df8b7a793d2637149167af8027d5d" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "b0b5cf7030e47a9b526e458b1a72f21d3790a111" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "23f515173ba5c5a77e69cf760753f25527bd32b6" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "e607baf42606d4bfaf5c092f34d2bad84d017380" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "9b34de4140cf72dbd4409b29928e52ece0259478" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "dbee64e9d0df49b2f74eec6540db5fbd1b838f2a" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "258eede3be72eb57ee6e0932b8ff9239b753ae4d" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "09080b6dd1b382e08dfeee7086e3905bbbdb9d1a" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "9109667e201449b564d0645580b2f8f41e05d448" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "1d19772d5d9ada288f1d27b07c271cecae54cb23" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "2bf7f1e04c82478a25e238fe9d552b3f7dd04cbb" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "f152cde7405a28d5e9c1cd5865b89113ee0d6bbc" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "b23e87708c90fdf0c35d96301ad4045bade9602f" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "0b9653750988dfb9d16c0137342a5489aca3bb4b" or // 
spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "5c8bc255192c51fb0a45f9ef1edf02343a82f72e" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "e664db419be56240f3257b1104811671be5960f3" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "3d29757d99c1ef5d02bbbf62756f5f1b444b535f" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "eeb09f7145218687e786837b400678999c38eb95" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.0.10.yar b/php-malware-finder/whitelists/Spip/spip-3.0.10.yar new file mode 100644 index 0000000..8cdd455 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.0.10.yar 
@@ -0,0 +1,30 @@ +import "hash" + +private rule Spip3010 +{ + condition: + /* Spip3010 */ + hash.sha1(0, filesize) == "b97a86d5d85a92578c7c34fbcf2a4b7c3a27274d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "e1b6f79baaf43dd7d6a2f2acf327a157e8163f95" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "2d77e688fd31886433dfa16ffac374c22fcc6ac0" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "0ee3140e1abe2cf37d819ebe6f263fb6579d8738" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "8caac0a4db7b8269cfb5a657ea09e399edcb8fb9" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "c57215834fc0afaaf5e34e9a9440f301f410dc86" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "d2dbf9703c8f34dbbef60165569ee7966e800806" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "ce05e0f09e4a51fdaed5bf9122425f53e370306e" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "dd1312131b8237abc32304170281f8c3eda36551" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "3c9ac90903ae53b29799b4d9fd4f0adf176a88a2" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "a3252d541f84e4182f7fc13c970adeb1ccd7831d" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "f030da7196bcf4b676d825cf564a8657f25aaa11" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "2cda2c72934b278c6a302a425e25214b07a98d7a" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "171e45c7be1f0ee494591e7858b218b07bf86407" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "f07af5950fedb6fbbd243214984478d4297ae659" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "0430d73488c8e2eaac64ab634806b83b8039e72d" or // 
spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b37107cac000b27a1b1962eb47756b76b3bbaaaa" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "68ecd1cf59f37bc757193cb8f52bd57419209811" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "91695cc83b4cecf4240db7dcfd7f191dde1593f2" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "3a1fbc77d20e4e58de7ef133ed4d8e7c51d3c172" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "9477557439ce248a85cc48cd3e0ce4a77197804c" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.0.11.yar b/php-malware-finder/whitelists/Spip/spip-3.0.11.yar new file mode 100644 index 0000000..7b9ca4e --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.0.11.yar 
@@ -0,0 +1,31 @@ +import "hash" + +private rule Spip3011 +{ + condition: + /* Spip3011 */ + hash.sha1(0, filesize) == "b97a86d5d85a92578c7c34fbcf2a4b7c3a27274d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "e1b6f79baaf43dd7d6a2f2acf327a157e8163f95" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "2d77e688fd31886433dfa16ffac374c22fcc6ac0" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "0ee3140e1abe2cf37d819ebe6f263fb6579d8738" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "8caac0a4db7b8269cfb5a657ea09e399edcb8fb9" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "8a8f3ed96b7a725f604760c4253786f14c8f132d" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "24101a9a8c137a8ed6e8a57a39ae471d5e5a326a" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "6d4c2e88f971055195b1722178cb895616bbab89" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "dd1312131b8237abc32304170281f8c3eda36551" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "3c9ac90903ae53b29799b4d9fd4f0adf176a88a2" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "a3252d541f84e4182f7fc13c970adeb1ccd7831d" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "f030da7196bcf4b676d825cf564a8657f25aaa11" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "d768483b2c23dfd65c19e3a55ae064ab2ae68544" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "449c5c8a8b1f637b5443ae9195a0e11efb0698e1" or // spip/ecrire/inc/traduire.php + hash.sha1(0, filesize) == "b79986ffbb8163c0a3a1f5bf063e7cd35c4208c3" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "375e7aceec562377fae790fcb8e5918c25cc739e" or 
// spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "0430d73488c8e2eaac64ab634806b83b8039e72d" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b37107cac000b27a1b1962eb47756b76b3bbaaaa" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "78f65e3f772bc3ca7715b52b885a254181dd48af" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "91695cc83b4cecf4240db7dcfd7f191dde1593f2" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "14fb47f6f39e03f046a1664e6050c64e2b226edd" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "9477557439ce248a85cc48cd3e0ce4a77197804c" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.0.12.yar b/php-malware-finder/whitelists/Spip/spip-3.0.12.yar new file mode 100644 index 0000000..af4aaeb --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.0.12.yar 
@@ -0,0 +1,32 @@ +import "hash" + +private rule Spip3012 +{ + condition: + /* Spip3012 */ + hash.sha1(0, filesize) == "b97a86d5d85a92578c7c34fbcf2a4b7c3a27274d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "e29b675eec3ef0ca1bb68a27835fabeca7a54378" or // spip/plugins-dist/svp/lang/paquet-svp_nl.php + hash.sha1(0, filesize) == "e1b6f79baaf43dd7d6a2f2acf327a157e8163f95" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "2d77e688fd31886433dfa16ffac374c22fcc6ac0" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "0ee3140e1abe2cf37d819ebe6f263fb6579d8738" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "8caac0a4db7b8269cfb5a657ea09e399edcb8fb9" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "29ea63b4ef66119da88fcf05c065217480df0e6f" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "55c5952146e8b4df2d9407aa5d08f9e6afb531d0" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "c0f02ace0cea5b74a810b5dcad5fdce045ed100f" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "dd1312131b8237abc32304170281f8c3eda36551" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "3c9ac90903ae53b29799b4d9fd4f0adf176a88a2" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "a3252d541f84e4182f7fc13c970adeb1ccd7831d" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "f030da7196bcf4b676d825cf564a8657f25aaa11" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "d768483b2c23dfd65c19e3a55ae064ab2ae68544" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "449c5c8a8b1f637b5443ae9195a0e11efb0698e1" or // spip/ecrire/inc/traduire.php + hash.sha1(0, filesize) == "b79986ffbb8163c0a3a1f5bf063e7cd35c4208c3" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" 
or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "9e626b1ec2d3f5ae7660ffc7e18a2c30233f9ffc" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "fd4257d5d839625533cac96251df5b405827356b" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b37107cac000b27a1b1962eb47756b76b3bbaaaa" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "d98e941bf0f420106ccb0c86b39b130d7a734080" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "91695cc83b4cecf4240db7dcfd7f191dde1593f2" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "14fb47f6f39e03f046a1664e6050c64e2b226edd" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "9477557439ce248a85cc48cd3e0ce4a77197804c" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.0.13.yar b/php-malware-finder/whitelists/Spip/spip-3.0.13.yar new file mode 100644 index 0000000..6c4cf94 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.0.13.yar 
@@ -0,0 +1,32 @@ +import "hash" + +private rule Spip3013 +{ + condition: + /* Spip3013 */ + hash.sha1(0, filesize) == "b97a86d5d85a92578c7c34fbcf2a4b7c3a27274d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "e29b675eec3ef0ca1bb68a27835fabeca7a54378" or // spip/plugins-dist/svp/lang/paquet-svp_nl.php + hash.sha1(0, filesize) == "e1b6f79baaf43dd7d6a2f2acf327a157e8163f95" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "2d77e688fd31886433dfa16ffac374c22fcc6ac0" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "0ee3140e1abe2cf37d819ebe6f263fb6579d8738" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "8caac0a4db7b8269cfb5a657ea09e399edcb8fb9" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "29ea63b4ef66119da88fcf05c065217480df0e6f" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "55c5952146e8b4df2d9407aa5d08f9e6afb531d0" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "c0f02ace0cea5b74a810b5dcad5fdce045ed100f" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "dd1312131b8237abc32304170281f8c3eda36551" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "3c9ac90903ae53b29799b4d9fd4f0adf176a88a2" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "a3252d541f84e4182f7fc13c970adeb1ccd7831d" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "f030da7196bcf4b676d825cf564a8657f25aaa11" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "d768483b2c23dfd65c19e3a55ae064ab2ae68544" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "449c5c8a8b1f637b5443ae9195a0e11efb0698e1" or // spip/ecrire/inc/traduire.php + hash.sha1(0, filesize) == "b79986ffbb8163c0a3a1f5bf063e7cd35c4208c3" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" 
or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "9e626b1ec2d3f5ae7660ffc7e18a2c30233f9ffc" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "fd4257d5d839625533cac96251df5b405827356b" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b37107cac000b27a1b1962eb47756b76b3bbaaaa" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "d98e941bf0f420106ccb0c86b39b130d7a734080" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "91695cc83b4cecf4240db7dcfd7f191dde1593f2" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "14fb47f6f39e03f046a1664e6050c64e2b226edd" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "9477557439ce248a85cc48cd3e0ce4a77197804c" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.0.14.yar b/php-malware-finder/whitelists/Spip/spip-3.0.14.yar new file mode 100644 index 0000000..0b1fd0c --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.0.14.yar 
@@ -0,0 +1,32 @@ +import "hash" + +private rule Spip3014 +{ + condition: + /* Spip3014 */ + hash.sha1(0, filesize) == "b97a86d5d85a92578c7c34fbcf2a4b7c3a27274d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "d5fe120e9a8f4641172557b23e906103e567e7ce" or // spip/plugins-dist/svp/lang/paquet-svp_nl.php + hash.sha1(0, filesize) == "e1b6f79baaf43dd7d6a2f2acf327a157e8163f95" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "fda6ef95a5e4e168b9551e5e565f1271e15f4bd7" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "c0623d4e022372ee990a163ffd54278bef6968a9" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "85be938100479774403f7f8de4955bd342fd124c" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "59cfcb0165909f12cebe21e1822273d378349918" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "a5e45389624fc2a4d17a1ead52cb616bb9082611" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "1abdaf75f0e9ce8e16ded743e4d7166fca49604d" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "99c5d523fdb5c14e1f66c22fc514a8dfaa805fdf" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "b81700acba1dd7b0aa7e8a974f51c4837a8bb39e" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "3b8f034e4baa8673fa8cd71e3bfede7ec5987497" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "5049225516fe0b8b4450e83c1ab176a6013e5cb3" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "2db00687b8a986131bb2f0704788f3d62f78040e" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "5dcf4baf7835d4d7575830e43429e215c92b118d" or // spip/ecrire/inc/traduire.php + hash.sha1(0, filesize) == "9854b6c9ad24bcf60afcea14f3a2765cc7b85642" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" 
or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "b142af13a765303f63d70abd39830bb07c307aec" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "3f0f8e2babdc93d95bf8c275a3755000ce7eab39" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b37107cac000b27a1b1962eb47756b76b3bbaaaa" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "a84afa9f7c5a2ebd5c5b59b471e10d18a1a08f8d" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "e57c373295a17c0e3835b61682308a45cff1c5af" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "03d5d593e1e27c3ffb183cd9a042f042b5c21bca" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "374a0cf5a8df9cad403b14bdf3ecea25154e4e83" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.0.15.yar b/php-malware-finder/whitelists/Spip/spip-3.0.15.yar new file mode 100644 index 0000000..0479761 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.0.15.yar 
@@ -0,0 +1,32 @@ +import "hash" + +private rule Spip3015 +{ + condition: + /* Spip3015 */ + hash.sha1(0, filesize) == "b97a86d5d85a92578c7c34fbcf2a4b7c3a27274d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "e29b675eec3ef0ca1bb68a27835fabeca7a54378" or // spip/plugins-dist/svp/lang/paquet-svp_nl.php + hash.sha1(0, filesize) == "e1b6f79baaf43dd7d6a2f2acf327a157e8163f95" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "fda6ef95a5e4e168b9551e5e565f1271e15f4bd7" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "3665e4d19c79f2805032b7d39624a342b0c120a4" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "c32c5a4cb4d32c957b293787e593ff89ade99d6a" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "29ea63b4ef66119da88fcf05c065217480df0e6f" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "55c5952146e8b4df2d9407aa5d08f9e6afb531d0" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "c0f02ace0cea5b74a810b5dcad5fdce045ed100f" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "99c5d523fdb5c14e1f66c22fc514a8dfaa805fdf" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "b81700acba1dd7b0aa7e8a974f51c4837a8bb39e" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "3b8f034e4baa8673fa8cd71e3bfede7ec5987497" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "5049225516fe0b8b4450e83c1ab176a6013e5cb3" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "2db00687b8a986131bb2f0704788f3d62f78040e" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "5dcf4baf7835d4d7575830e43429e215c92b118d" or // spip/ecrire/inc/traduire.php + hash.sha1(0, filesize) == "9854b6c9ad24bcf60afcea14f3a2765cc7b85642" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" 
or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "b142af13a765303f63d70abd39830bb07c307aec" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "3f0f8e2babdc93d95bf8c275a3755000ce7eab39" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b37107cac000b27a1b1962eb47756b76b3bbaaaa" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "d3f8cd8b029134b74dadb84db06570539f17a1cb" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "e57c373295a17c0e3835b61682308a45cff1c5af" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "03d5d593e1e27c3ffb183cd9a042f042b5c21bca" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "374a0cf5a8df9cad403b14bdf3ecea25154e4e83" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.0.16.yar b/php-malware-finder/whitelists/Spip/spip-3.0.16.yar new file mode 100644 index 0000000..faf10352 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.0.16.yar 
@@ -0,0 +1,32 @@ +import "hash" + +private rule Spip3016 +{ + condition: + /* Spip3016 */ + hash.sha1(0, filesize) == "b97a86d5d85a92578c7c34fbcf2a4b7c3a27274d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "e29b675eec3ef0ca1bb68a27835fabeca7a54378" or // spip/plugins-dist/svp/lang/paquet-svp_nl.php + hash.sha1(0, filesize) == "e1b6f79baaf43dd7d6a2f2acf327a157e8163f95" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "fda6ef95a5e4e168b9551e5e565f1271e15f4bd7" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "3665e4d19c79f2805032b7d39624a342b0c120a4" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "c32c5a4cb4d32c957b293787e593ff89ade99d6a" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "29ea63b4ef66119da88fcf05c065217480df0e6f" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "55c5952146e8b4df2d9407aa5d08f9e6afb531d0" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "c0f02ace0cea5b74a810b5dcad5fdce045ed100f" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "99c5d523fdb5c14e1f66c22fc514a8dfaa805fdf" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "b81700acba1dd7b0aa7e8a974f51c4837a8bb39e" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "3b8f034e4baa8673fa8cd71e3bfede7ec5987497" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "5049225516fe0b8b4450e83c1ab176a6013e5cb3" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "2db00687b8a986131bb2f0704788f3d62f78040e" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "5dcf4baf7835d4d7575830e43429e215c92b118d" or // spip/ecrire/inc/traduire.php + hash.sha1(0, filesize) == "9854b6c9ad24bcf60afcea14f3a2765cc7b85642" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" 
or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "b142af13a765303f63d70abd39830bb07c307aec" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "3f0f8e2babdc93d95bf8c275a3755000ce7eab39" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b37107cac000b27a1b1962eb47756b76b3bbaaaa" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "d3f8cd8b029134b74dadb84db06570539f17a1cb" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "e57c373295a17c0e3835b61682308a45cff1c5af" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "03d5d593e1e27c3ffb183cd9a042f042b5c21bca" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "374a0cf5a8df9cad403b14bdf3ecea25154e4e83" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.0.17.yar b/php-malware-finder/whitelists/Spip/spip-3.0.17.yar new file mode 100644 index 0000000..fb9dd54 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.0.17.yar 
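Review bot: The condition of Spip3016 lists exactly the same 24 SHA-1 values as Spip3015 in the previous hunk, so this rule adds no coverage. Many entries also recur in every Spip30xx rule shown here, for example `b97a86d5d85a92578c7c34fbcf2a4b7c3a27274d` for pcltrace.lib.php. Emitting each distinct hash once, or skipping a version whose hash set equals one already emitted, would make the whitelist smaller and easier to audit, because a reviewer then only reads the entries that are new in a release. The closing `false` that terminates each `or` chain looks like a generator convenience and could go at the same time.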
@@ -0,0 +1,33 @@ +import "hash" + +private rule Spip3017 +{ + condition: + /* Spip3017 */ + hash.sha1(0, filesize) == "8c7e2ecbea8a39d3c0fb93e807772e38c40057e7" or // spip/CHANGELOG.txt + hash.sha1(0, filesize) == "b97a86d5d85a92578c7c34fbcf2a4b7c3a27274d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "e29b675eec3ef0ca1bb68a27835fabeca7a54378" or // spip/plugins-dist/svp/lang/paquet-svp_nl.php + hash.sha1(0, filesize) == "e1b6f79baaf43dd7d6a2f2acf327a157e8163f95" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "fda6ef95a5e4e168b9551e5e565f1271e15f4bd7" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "3665e4d19c79f2805032b7d39624a342b0c120a4" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "c32c5a4cb4d32c957b293787e593ff89ade99d6a" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "29ea63b4ef66119da88fcf05c065217480df0e6f" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "55c5952146e8b4df2d9407aa5d08f9e6afb531d0" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "c0f02ace0cea5b74a810b5dcad5fdce045ed100f" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "1531c26b7b0456f3078402ee45e7aa57d8922a95" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "a6b2793de4194a28067ea3cb40b1d9bb3456e9c1" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "548908c76d77fbe0d0a73eded1ac96ea4c57198b" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "5049225516fe0b8b4450e83c1ab176a6013e5cb3" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "434634c773625c176898af0a380e13e7f12f5c38" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "20d000d71f063d44c7e406f958417a321a872169" or // spip/ecrire/inc/traduire.php + hash.sha1(0, filesize) == "9854b6c9ad24bcf60afcea14f3a2765cc7b85642" or // 
spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "edbd03aea2aa9782481b504ba296f15c546e08fe" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "3f0f8e2babdc93d95bf8c275a3755000ce7eab39" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "cbb61611cd82bf0be82729f18e9e71d7a8789965" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "5f0c9efcba72715f6d9d79753a6d85dc14911119" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "e57c373295a17c0e3835b61682308a45cff1c5af" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "356bc62f2d7c694c68f3d7c194404c7dae786ca1" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "374a0cf5a8df9cad403b14bdf3ecea25154e4e83" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.0.18.yar b/php-malware-finder/whitelists/Spip/spip-3.0.18.yar new file mode 100644 index 0000000..5d1d1c0 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.0.18.yar 
@@ -0,0 +1,33 @@ +import "hash" + +private rule Spip3018 +{ + condition: + /* Spip3018 */ + hash.sha1(0, filesize) == "f3517fda4f545666b6241fc8c2d95a277a22c455" or // spip/CHANGELOG.txt + hash.sha1(0, filesize) == "b97a86d5d85a92578c7c34fbcf2a4b7c3a27274d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "e29b675eec3ef0ca1bb68a27835fabeca7a54378" or // spip/plugins-dist/svp/lang/paquet-svp_nl.php + hash.sha1(0, filesize) == "e1b6f79baaf43dd7d6a2f2acf327a157e8163f95" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "fda6ef95a5e4e168b9551e5e565f1271e15f4bd7" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "a952b265f16bfe9a9c9374cf61c03ef05bd0bac3" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "c32c5a4cb4d32c957b293787e593ff89ade99d6a" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "29ea63b4ef66119da88fcf05c065217480df0e6f" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "55c5952146e8b4df2d9407aa5d08f9e6afb531d0" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "c0f02ace0cea5b74a810b5dcad5fdce045ed100f" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "1531c26b7b0456f3078402ee45e7aa57d8922a95" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "a6b2793de4194a28067ea3cb40b1d9bb3456e9c1" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "548908c76d77fbe0d0a73eded1ac96ea4c57198b" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "5049225516fe0b8b4450e83c1ab176a6013e5cb3" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "f6695e0d0c3ebe0c9c3f87fbdae21153fb6d75fd" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "20d000d71f063d44c7e406f958417a321a872169" or // spip/ecrire/inc/traduire.php + hash.sha1(0, filesize) == "9854b6c9ad24bcf60afcea14f3a2765cc7b85642" or // 
spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "b5a46d0ea2edbd4ff40192d81d5ad0a2baa156a7" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "3f0f8e2babdc93d95bf8c275a3755000ce7eab39" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "cbb61611cd82bf0be82729f18e9e71d7a8789965" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "77161c831baae6e55c3fec400cb3e03aab2e0300" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "1e530d54851737d6d5048fa71bef81a735b04581" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "df5e2db8d39f6b23f4e12335c0c070b05400f598" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "f853ba0b2b4082ea3b1b5a229f53548a749453ed" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.0.19.yar b/php-malware-finder/whitelists/Spip/spip-3.0.19.yar new file mode 100644 index 0000000..4885846 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.0.19.yar 
@@ -0,0 +1,33 @@ +import "hash" + +private rule Spip3019 +{ + condition: + /* Spip3019 */ + hash.sha1(0, filesize) == "1175766016ad2e9e318b79d2f4496c362f89911c" or // spip/CHANGELOG.txt + hash.sha1(0, filesize) == "b97a86d5d85a92578c7c34fbcf2a4b7c3a27274d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "e29b675eec3ef0ca1bb68a27835fabeca7a54378" or // spip/plugins-dist/svp/lang/paquet-svp_nl.php + hash.sha1(0, filesize) == "e1b6f79baaf43dd7d6a2f2acf327a157e8163f95" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "5361b42a54f7348aaafa3f8e5b526c54bcf97963" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "4ae6c788ad3c15a3d68665cf674071d02fdbce1c" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "e34913293d39349efdd47122ea2f4a364d24df55" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "29ea63b4ef66119da88fcf05c065217480df0e6f" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "55c5952146e8b4df2d9407aa5d08f9e6afb531d0" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "c0f02ace0cea5b74a810b5dcad5fdce045ed100f" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "1531c26b7b0456f3078402ee45e7aa57d8922a95" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "a6b2793de4194a28067ea3cb40b1d9bb3456e9c1" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "548908c76d77fbe0d0a73eded1ac96ea4c57198b" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "5049225516fe0b8b4450e83c1ab176a6013e5cb3" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "f6695e0d0c3ebe0c9c3f87fbdae21153fb6d75fd" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "bc9ccc2ca2c47d3eaca6a4cbe21d6d1219a0957c" or // spip/ecrire/inc/traduire.php + hash.sha1(0, filesize) == "9854b6c9ad24bcf60afcea14f3a2765cc7b85642" or // 
spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "b5a46d0ea2edbd4ff40192d81d5ad0a2baa156a7" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "3f0f8e2babdc93d95bf8c275a3755000ce7eab39" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "cbb61611cd82bf0be82729f18e9e71d7a8789965" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "77161c831baae6e55c3fec400cb3e03aab2e0300" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "1e530d54851737d6d5048fa71bef81a735b04581" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "df5e2db8d39f6b23f4e12335c0c070b05400f598" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "f853ba0b2b4082ea3b1b5a229f53548a749453ed" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.0.2.yar b/php-malware-finder/whitelists/Spip/spip-3.0.2.yar new file mode 100644 index 0000000..072e0a4 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.0.2.yar 
@@ -0,0 +1,30 @@ +import "hash" + +private rule Spip302 +{ + condition: + /* Spip302 */ + hash.sha1(0, filesize) == "b97a86d5d85a92578c7c34fbcf2a4b7c3a27274d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "607093329a017416344109bcc64a528758385003" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "0eb920cf614df8b7a793d2637149167af8027d5d" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "b0b5cf7030e47a9b526e458b1a72f21d3790a111" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "70950f19939353b7b717bee22edff0beaed28bea" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "ffb795ca3f022acaddc4616c43900e31d2d6d933" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "845abaea91a50d3a389c19d9a6b686f9da0d8bc1" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "5e661c3962697a1ff045fa2fd496b26614c51101" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "37a3643080d62702ff0df40e3685135d1aa8475b" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "09080b6dd1b382e08dfeee7086e3905bbbdb9d1a" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "fa54bf443e2d930436c72d14db8be0cd4412fbe6" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "f5db07ac0770a08116c4dc73d8b4ba10ef2c155d" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "47fafc33c04d31c441e21a385491472dbbc0dfc5" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "f152cde7405a28d5e9c1cd5865b89113ee0d6bbc" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "2033bc5bf421cde393b0c4b37f51614cdcc24573" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "b0187cde373c81679e15b3fea9e84ea9736a3b1b" or // 
spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "0fafec9328294148084a0168f3c5e5b20e92bfe9" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "e664db419be56240f3257b1104811671be5960f3" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "3d29757d99c1ef5d02bbbf62756f5f1b444b535f" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "eeb09f7145218687e786837b400678999c38eb95" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.0.20.yar b/php-malware-finder/whitelists/Spip/spip-3.0.20.yar new file mode 100644 index 0000000..2b96c5c --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.0.20.yar 
@@ -0,0 +1,33 @@ +import "hash" + +private rule Spip3020 +{ + condition: + /* Spip3020 */ + hash.sha1(0, filesize) == "a3d79fad68856b9a0657e9df0aedd66ac48cc4ef" or // spip/CHANGELOG.txt + hash.sha1(0, filesize) == "b97a86d5d85a92578c7c34fbcf2a4b7c3a27274d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "e29b675eec3ef0ca1bb68a27835fabeca7a54378" or // spip/plugins-dist/svp/lang/paquet-svp_nl.php + hash.sha1(0, filesize) == "e1b6f79baaf43dd7d6a2f2acf327a157e8163f95" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "5361b42a54f7348aaafa3f8e5b526c54bcf97963" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "4ae6c788ad3c15a3d68665cf674071d02fdbce1c" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "e34913293d39349efdd47122ea2f4a364d24df55" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "29ea63b4ef66119da88fcf05c065217480df0e6f" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "55c5952146e8b4df2d9407aa5d08f9e6afb531d0" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "c0f02ace0cea5b74a810b5dcad5fdce045ed100f" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "1531c26b7b0456f3078402ee45e7aa57d8922a95" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "a6b2793de4194a28067ea3cb40b1d9bb3456e9c1" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "548908c76d77fbe0d0a73eded1ac96ea4c57198b" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "5049225516fe0b8b4450e83c1ab176a6013e5cb3" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "f6695e0d0c3ebe0c9c3f87fbdae21153fb6d75fd" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "bc9ccc2ca2c47d3eaca6a4cbe21d6d1219a0957c" or // spip/ecrire/inc/traduire.php + hash.sha1(0, filesize) == "576b572ad29a08996fc155d7e6dbdb3470fca380" or // 
spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "a6ab1ac806c153a3618c53562b0e26e1738a97a0" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "f700efaeec4e6b53ae51cd86f298532e8a471f42" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "cbb61611cd82bf0be82729f18e9e71d7a8789965" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "77161c831baae6e55c3fec400cb3e03aab2e0300" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "1e530d54851737d6d5048fa71bef81a735b04581" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "df5e2db8d39f6b23f4e12335c0c070b05400f598" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "f853ba0b2b4082ea3b1b5a229f53548a749453ed" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.0.21.yar b/php-malware-finder/whitelists/Spip/spip-3.0.21.yar new file mode 100644 index 0000000..63dd59e --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.0.21.yar 
@@ -0,0 +1,33 @@ +import "hash" + +private rule Spip3021 +{ + condition: + /* Spip3021 */ + hash.sha1(0, filesize) == "f39bc92320ea59a4c9c06c153e0db1ab43a21726" or // spip/CHANGELOG.txt + hash.sha1(0, filesize) == "b97a86d5d85a92578c7c34fbcf2a4b7c3a27274d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "e29b675eec3ef0ca1bb68a27835fabeca7a54378" or // spip/plugins-dist/svp/lang/paquet-svp_nl.php + hash.sha1(0, filesize) == "e1b6f79baaf43dd7d6a2f2acf327a157e8163f95" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "5361b42a54f7348aaafa3f8e5b526c54bcf97963" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "4ae6c788ad3c15a3d68665cf674071d02fdbce1c" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "e34913293d39349efdd47122ea2f4a364d24df55" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "29ea63b4ef66119da88fcf05c065217480df0e6f" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "55c5952146e8b4df2d9407aa5d08f9e6afb531d0" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "c0f02ace0cea5b74a810b5dcad5fdce045ed100f" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "e2991c1d924e317091b0e3c700186b2d6618c0d7" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "ea38ca240eaea3724422cdd631ea131f93fba589" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "548908c76d77fbe0d0a73eded1ac96ea4c57198b" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "5049225516fe0b8b4450e83c1ab176a6013e5cb3" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "f6695e0d0c3ebe0c9c3f87fbdae21153fb6d75fd" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "bc9ccc2ca2c47d3eaca6a4cbe21d6d1219a0957c" or // spip/ecrire/inc/traduire.php + hash.sha1(0, filesize) == "576b572ad29a08996fc155d7e6dbdb3470fca380" or // 
spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "5b502aecbbe010616dfa7ee12ffdcf217e38a262" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "f700efaeec4e6b53ae51cd86f298532e8a471f42" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "cbb61611cd82bf0be82729f18e9e71d7a8789965" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "77161c831baae6e55c3fec400cb3e03aab2e0300" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "1e530d54851737d6d5048fa71bef81a735b04581" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "df5e2db8d39f6b23f4e12335c0c070b05400f598" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "f853ba0b2b4082ea3b1b5a229f53548a749453ed" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.0.22.yar b/php-malware-finder/whitelists/Spip/spip-3.0.22.yar new file mode 100644 index 0000000..7f8742e --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.0.22.yar 
@@ -0,0 +1,32 @@ +import "hash" + +private rule Spip3022 +{ + condition: + /* Spip3022 */ + hash.sha1(0, filesize) == "4815dab7e50d4cfeedd2f94a30b32b20369042cb" or // spip/CHANGELOG.txt + hash.sha1(0, filesize) == "b97a86d5d85a92578c7c34fbcf2a4b7c3a27274d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "e29b675eec3ef0ca1bb68a27835fabeca7a54378" or // spip/plugins-dist/svp/lang/paquet-svp_nl.php + hash.sha1(0, filesize) == "e1b6f79baaf43dd7d6a2f2acf327a157e8163f95" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "de78095a1069491f01bef807da8e32c2b3f67d03" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "33239a52f5854f28c6b8afe321352c8165749b87" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "f3c042358a1b5939b8f3ee668b8b5a3e14cb1722" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "29ea63b4ef66119da88fcf05c065217480df0e6f" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "55c5952146e8b4df2d9407aa5d08f9e6afb531d0" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "c0f02ace0cea5b74a810b5dcad5fdce045ed100f" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "08de219415f7dd9052c9838f3af4407bc8084e22" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "86f6806adbf777c958258caf405fc9fe2938966a" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "9f36f022e2bcbd4cc96667d6a0042400f1a64a55" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "ddcb0023ff006e326cb5ccbe09a42345f8eee523" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "fec6cee5980cefb8b8deb0019950ef93275089f4" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "4987637906f53263d2cc314a60a3fbe801697baf" or // spip/ecrire/inc/traduire.php + hash.sha1(0, filesize) == "f5a6bf2e7449879b9cf6820f8a605717b42299f1" or // 
spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "d667bb7a502789b1991736ef67860c4bca546e67" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "cbb61611cd82bf0be82729f18e9e71d7a8789965" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "07dcb2053986bd6bd64ddf2dfa1e89fd34f6860e" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "4a4c9b795eb19ad3f47152cdeecf2c024370aa75" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "00fa4e02f794022824a31d7284a152f568f866d2" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "426d5923bc71ac865ee8b54ff226be5437718687" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.0.23.yar b/php-malware-finder/whitelists/Spip/spip-3.0.23.yar new file mode 100644 index 0000000..8953c87 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.0.23.yar 
@@ -0,0 +1,32 @@ +import "hash" + +private rule Spip3023 +{ + condition: + /* Spip3023 */ + hash.sha1(0, filesize) == "dabd1dfbe331c52cfe8a73e461768a19f616525c" or // spip/CHANGELOG.txt + hash.sha1(0, filesize) == "b97a86d5d85a92578c7c34fbcf2a4b7c3a27274d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "e29b675eec3ef0ca1bb68a27835fabeca7a54378" or // spip/plugins-dist/svp/lang/paquet-svp_nl.php + hash.sha1(0, filesize) == "e1b6f79baaf43dd7d6a2f2acf327a157e8163f95" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "de78095a1069491f01bef807da8e32c2b3f67d03" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "33239a52f5854f28c6b8afe321352c8165749b87" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "f3c042358a1b5939b8f3ee668b8b5a3e14cb1722" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "29ea63b4ef66119da88fcf05c065217480df0e6f" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "55c5952146e8b4df2d9407aa5d08f9e6afb531d0" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "c0f02ace0cea5b74a810b5dcad5fdce045ed100f" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "08de219415f7dd9052c9838f3af4407bc8084e22" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "86f6806adbf777c958258caf405fc9fe2938966a" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "9f36f022e2bcbd4cc96667d6a0042400f1a64a55" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "ddcb0023ff006e326cb5ccbe09a42345f8eee523" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "3d6d7a4a7e4ebe473fe6b5c5b691ef9869ee4e35" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "cbf1e0672db28ed0546c269b301eaad2bcedba09" or // spip/ecrire/inc/traduire.php + hash.sha1(0, filesize) == "f5a6bf2e7449879b9cf6820f8a605717b42299f1" or // 
spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "cfed6291b35e018e0aab357d34a35ffa8f85b29b" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "cbb61611cd82bf0be82729f18e9e71d7a8789965" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "d9f5152ac245c19fe9f3eff43b70097c9b4efae1" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "4a4c9b795eb19ad3f47152cdeecf2c024370aa75" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "00fa4e02f794022824a31d7284a152f568f866d2" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "426d5923bc71ac865ee8b54ff226be5437718687" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.0.24.yar b/php-malware-finder/whitelists/Spip/spip-3.0.24.yar new file mode 100644 index 0000000..8a2d3eb --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.0.24.yar 
@@ -0,0 +1,32 @@ +import "hash" + +private rule Spip3024 +{ + condition: + /* Spip3024 */ + hash.sha1(0, filesize) == "99c6842db7d1414d613aa590e90e1566fe4ba2c4" or // spip/CHANGELOG.txt + hash.sha1(0, filesize) == "b97a86d5d85a92578c7c34fbcf2a4b7c3a27274d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "e29b675eec3ef0ca1bb68a27835fabeca7a54378" or // spip/plugins-dist/svp/lang/paquet-svp_nl.php + hash.sha1(0, filesize) == "e1b6f79baaf43dd7d6a2f2acf327a157e8163f95" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "de78095a1069491f01bef807da8e32c2b3f67d03" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "33239a52f5854f28c6b8afe321352c8165749b87" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "f3c042358a1b5939b8f3ee668b8b5a3e14cb1722" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "29ea63b4ef66119da88fcf05c065217480df0e6f" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "55c5952146e8b4df2d9407aa5d08f9e6afb531d0" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "c0f02ace0cea5b74a810b5dcad5fdce045ed100f" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "08de219415f7dd9052c9838f3af4407bc8084e22" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "86f6806adbf777c958258caf405fc9fe2938966a" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "9f36f022e2bcbd4cc96667d6a0042400f1a64a55" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "ddcb0023ff006e326cb5ccbe09a42345f8eee523" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "3d6d7a4a7e4ebe473fe6b5c5b691ef9869ee4e35" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "cbf1e0672db28ed0546c269b301eaad2bcedba09" or // spip/ecrire/inc/traduire.php + hash.sha1(0, filesize) == "f5a6bf2e7449879b9cf6820f8a605717b42299f1" or // 
spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "f032b85db3aea41848557453bfd05e5305477d51" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "cbb61611cd82bf0be82729f18e9e71d7a8789965" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "d9f5152ac245c19fe9f3eff43b70097c9b4efae1" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "4a4c9b795eb19ad3f47152cdeecf2c024370aa75" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "00fa4e02f794022824a31d7284a152f568f866d2" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "426d5923bc71ac865ee8b54ff226be5437718687" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.0.25.yar b/php-malware-finder/whitelists/Spip/spip-3.0.25.yar new file mode 100644 index 0000000..f2aa826 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.0.25.yar 
@@ -0,0 +1,33 @@ +import "hash" + +private rule Spip3025 +{ + condition: + /* Spip3025 */ + hash.sha1(0, filesize) == "98e470e2d4161873e6a9c595b8ce339e28dc58fa" or // spip/CHANGELOG.txt + hash.sha1(0, filesize) == "b97a86d5d85a92578c7c34fbcf2a4b7c3a27274d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "e29b675eec3ef0ca1bb68a27835fabeca7a54378" or // spip/plugins-dist/svp/lang/paquet-svp_nl.php + hash.sha1(0, filesize) == "e1b6f79baaf43dd7d6a2f2acf327a157e8163f95" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "de78095a1069491f01bef807da8e32c2b3f67d03" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "33239a52f5854f28c6b8afe321352c8165749b87" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "f3c042358a1b5939b8f3ee668b8b5a3e14cb1722" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "29ea63b4ef66119da88fcf05c065217480df0e6f" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "55c5952146e8b4df2d9407aa5d08f9e6afb531d0" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "c0f02ace0cea5b74a810b5dcad5fdce045ed100f" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "08de219415f7dd9052c9838f3af4407bc8084e22" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "86f6806adbf777c958258caf405fc9fe2938966a" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "9f36f022e2bcbd4cc96667d6a0042400f1a64a55" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "ddcb0023ff006e326cb5ccbe09a42345f8eee523" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "76f9a3f8373dc1a2808f024595b7fda9d4e5219b" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "319a2625eeef5d83492e6a2f30c2c21012edccc4" or // spip/ecrire/inc/idna_convert.class.php + hash.sha1(0, filesize) == "cbf1e0672db28ed0546c269b301eaad2bcedba09" or 
// spip/ecrire/inc/traduire.php + hash.sha1(0, filesize) == "f5a6bf2e7449879b9cf6820f8a605717b42299f1" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "36a84842fc53006ac9d7756f4bb2aca84870643a" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "cbb61611cd82bf0be82729f18e9e71d7a8789965" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "293d99b493de134f4df22c1063bf88529541d6ca" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "4a4c9b795eb19ad3f47152cdeecf2c024370aa75" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "00fa4e02f794022824a31d7284a152f568f866d2" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "426d5923bc71ac865ee8b54ff226be5437718687" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.0.26.yar b/php-malware-finder/whitelists/Spip/spip-3.0.26.yar new file mode 100644 index 0000000..e016b5e --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.0.26.yar 
@@ -0,0 +1,33 @@ +import "hash" + +private rule Spip3026 +{ + condition: + /* Spip3026 */ + hash.sha1(0, filesize) == "c00a1ad6175aaf5dce6949bdc4dd3cb53317056f" or // spip/CHANGELOG.txt + hash.sha1(0, filesize) == "b97a86d5d85a92578c7c34fbcf2a4b7c3a27274d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "856d5ac799f06aa8ab527d1df6b50a3c11b124c7" or // spip/plugins-dist/svp/lang/paquet-svp_nl.php + hash.sha1(0, filesize) == "e1b6f79baaf43dd7d6a2f2acf327a157e8163f95" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "d5bfc149671b8135ca01091f02f49b4de791336c" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "6f1d67a727f2befebc880fe0e94d118c1b109a5c" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "cab53ffe498fb41b9cb1d4fffe595382642f1e5c" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "29ea63b4ef66119da88fcf05c065217480df0e6f" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "55c5952146e8b4df2d9407aa5d08f9e6afb531d0" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "c0f02ace0cea5b74a810b5dcad5fdce045ed100f" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "08de219415f7dd9052c9838f3af4407bc8084e22" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "86f6806adbf777c958258caf405fc9fe2938966a" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "9f36f022e2bcbd4cc96667d6a0042400f1a64a55" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "ddcb0023ff006e326cb5ccbe09a42345f8eee523" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "76f9a3f8373dc1a2808f024595b7fda9d4e5219b" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "319a2625eeef5d83492e6a2f30c2c21012edccc4" or // spip/ecrire/inc/idna_convert.class.php + hash.sha1(0, filesize) == "cbf1e0672db28ed0546c269b301eaad2bcedba09" or 
// spip/ecrire/inc/traduire.php + hash.sha1(0, filesize) == "f5a6bf2e7449879b9cf6820f8a605717b42299f1" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "b16189a6a7d62c09ee58f81aaaafbab48f99f671" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "cbb61611cd82bf0be82729f18e9e71d7a8789965" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "293d99b493de134f4df22c1063bf88529541d6ca" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "4a4c9b795eb19ad3f47152cdeecf2c024370aa75" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "00fa4e02f794022824a31d7284a152f568f866d2" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "426d5923bc71ac865ee8b54ff226be5437718687" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.0.27.yar b/php-malware-finder/whitelists/Spip/spip-3.0.27.yar new file mode 100644 index 0000000..09e446d --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.0.27.yar 
@@ -0,0 +1,33 @@ +import "hash" + +private rule Spip3027 +{ + condition: + /* Spip3027 */ + hash.sha1(0, filesize) == "31309833d8bcfa4ff47bf625b664b263fefcefb3" or // spip/CHANGELOG.txt + hash.sha1(0, filesize) == "b97a86d5d85a92578c7c34fbcf2a4b7c3a27274d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "856d5ac799f06aa8ab527d1df6b50a3c11b124c7" or // spip/plugins-dist/svp/lang/paquet-svp_nl.php + hash.sha1(0, filesize) == "e1b6f79baaf43dd7d6a2f2acf327a157e8163f95" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "d5bfc149671b8135ca01091f02f49b4de791336c" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "6f1d67a727f2befebc880fe0e94d118c1b109a5c" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "bcdff27d03c438c8d64ea3564706a46c9d8505ca" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "29ea63b4ef66119da88fcf05c065217480df0e6f" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "55c5952146e8b4df2d9407aa5d08f9e6afb531d0" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "c0f02ace0cea5b74a810b5dcad5fdce045ed100f" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "d9d89e491d16e42439918943d39a253bccb64b1a" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "86f6806adbf777c958258caf405fc9fe2938966a" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "9f36f022e2bcbd4cc96667d6a0042400f1a64a55" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "ddcb0023ff006e326cb5ccbe09a42345f8eee523" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "76f9a3f8373dc1a2808f024595b7fda9d4e5219b" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "319a2625eeef5d83492e6a2f30c2c21012edccc4" or // spip/ecrire/inc/idna_convert.class.php + hash.sha1(0, filesize) == "cbf1e0672db28ed0546c269b301eaad2bcedba09" or 
// spip/ecrire/inc/traduire.php + hash.sha1(0, filesize) == "f5a6bf2e7449879b9cf6820f8a605717b42299f1" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "c8168e2b514fa6b04c92b12ec3e2244784e59c59" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "cbb61611cd82bf0be82729f18e9e71d7a8789965" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "293d99b493de134f4df22c1063bf88529541d6ca" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "4a4c9b795eb19ad3f47152cdeecf2c024370aa75" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "00fa4e02f794022824a31d7284a152f568f866d2" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "426d5923bc71ac865ee8b54ff226be5437718687" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.0.28.yar b/php-malware-finder/whitelists/Spip/spip-3.0.28.yar new file mode 100644 index 0000000..ed5140a --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.0.28.yar 
@@ -0,0 +1,33 @@ +import "hash" + +private rule Spip3028 +{ + condition: + /* Spip3028 */ + hash.sha1(0, filesize) == "ec15dbd3a39ea60b341ead7162a9ac8e8eab1c20" or // spip/CHANGELOG.txt + hash.sha1(0, filesize) == "b97a86d5d85a92578c7c34fbcf2a4b7c3a27274d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "856d5ac799f06aa8ab527d1df6b50a3c11b124c7" or // spip/plugins-dist/svp/lang/paquet-svp_nl.php + hash.sha1(0, filesize) == "e1b6f79baaf43dd7d6a2f2acf327a157e8163f95" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "9dd8204da4c1572569f3cc0cf20e9b046a9da500" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "ba9fd540d3e9f019de802fef2993bf7f55046d58" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "fad748ece1f7ae3bc9b1091bc89d4e738b5b1609" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "29ea63b4ef66119da88fcf05c065217480df0e6f" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "55c5952146e8b4df2d9407aa5d08f9e6afb531d0" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "c0f02ace0cea5b74a810b5dcad5fdce045ed100f" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "d9d89e491d16e42439918943d39a253bccb64b1a" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "86f6806adbf777c958258caf405fc9fe2938966a" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "9f36f022e2bcbd4cc96667d6a0042400f1a64a55" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "ddcb0023ff006e326cb5ccbe09a42345f8eee523" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "dc25d5c8d50ed57b319ab0e64ee7e8bb26ee6109" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "319a2625eeef5d83492e6a2f30c2c21012edccc4" or // spip/ecrire/inc/idna_convert.class.php + hash.sha1(0, filesize) == "cbf1e0672db28ed0546c269b301eaad2bcedba09" or 
// spip/ecrire/inc/traduire.php + hash.sha1(0, filesize) == "f5a6bf2e7449879b9cf6820f8a605717b42299f1" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "c8168e2b514fa6b04c92b12ec3e2244784e59c59" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "cbb61611cd82bf0be82729f18e9e71d7a8789965" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "293d99b493de134f4df22c1063bf88529541d6ca" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "4a4c9b795eb19ad3f47152cdeecf2c024370aa75" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "00fa4e02f794022824a31d7284a152f568f866d2" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "426d5923bc71ac865ee8b54ff226be5437718687" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.0.3.yar b/php-malware-finder/whitelists/Spip/spip-3.0.3.yar new file mode 100644 index 0000000..47a4d96 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.0.3.yar 
@@ -0,0 +1,30 @@ +import "hash" + +private rule Spip303 +{ + condition: + /* Spip303 */ + hash.sha1(0, filesize) == "b97a86d5d85a92578c7c34fbcf2a4b7c3a27274d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "a61845290d2df8a268da889baadd10687abf645f" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "0eb920cf614df8b7a793d2637149167af8027d5d" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "b0b5cf7030e47a9b526e458b1a72f21d3790a111" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "70950f19939353b7b717bee22edff0beaed28bea" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "ffb795ca3f022acaddc4616c43900e31d2d6d933" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "845abaea91a50d3a389c19d9a6b686f9da0d8bc1" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "5e661c3962697a1ff045fa2fd496b26614c51101" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "6c3dd2514154bdbb00220d0cf7ac90c0596917b4" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "09080b6dd1b382e08dfeee7086e3905bbbdb9d1a" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "fa54bf443e2d930436c72d14db8be0cd4412fbe6" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "f5db07ac0770a08116c4dc73d8b4ba10ef2c155d" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "e714623a51a6ae4b2dcf98db496bfed480add808" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "f152cde7405a28d5e9c1cd5865b89113ee0d6bbc" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "df3f20eba85982a10a3b5c868dca1ce49707d4a0" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "c1e651af962833e929124f0f3d63d6880cf2e004" or // 
spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "0fafec9328294148084a0168f3c5e5b20e92bfe9" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "0474e0a59bbff1deefa3adf8663f4ef97468e139" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "3d29757d99c1ef5d02bbbf62756f5f1b444b535f" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "eeb09f7145218687e786837b400678999c38eb95" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.0.4.yar b/php-malware-finder/whitelists/Spip/spip-3.0.4.yar new file mode 100644 index 0000000..10df245 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.0.4.yar 
@@ -0,0 +1,30 @@ +import "hash" + +private rule Spip304 +{ + condition: + /* Spip304 */ + hash.sha1(0, filesize) == "b97a86d5d85a92578c7c34fbcf2a4b7c3a27274d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "1c56604d0513a4791740b914f09b62e922f3696f" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "0eb920cf614df8b7a793d2637149167af8027d5d" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "e5400b6906a9c166dd3386c6061a3e27027e4567" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "70950f19939353b7b717bee22edff0beaed28bea" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "51ad49f30c63d0df79d8b580149f93dc23254928" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "d18bb1832508f46b0993b4600323a5441a850cc6" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "6738ed19e644234ecf70b9013e8072d861297707" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "6c3dd2514154bdbb00220d0cf7ac90c0596917b4" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "bc8dbe1d771a5bb21315759c56ae350625a3c3ac" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "817b09cf23dc9de8fafd05cc088406b1329996d6" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "8d94ebc2658816a518fa909e2948889bbab8ba12" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "99ab279b212a8d58f10b04f7200ec742695d0bcc" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "a7ac4e5a05b638b162795f5b82ae0ecc0ee2aa2d" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "50715d1635ae656e80ab3edde7ea505e02966fde" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "c1e651af962833e929124f0f3d63d6880cf2e004" or // 
spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "bcad8049be8c91106183922fbdd95d13ae6289c1" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "8eae80cb0761eb030d86b8d26075cd164d475fd5" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "ce03ca264b7b4ade3047e159292469f4f424bff5" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "9477557439ce248a85cc48cd3e0ce4a77197804c" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.0.5.yar b/php-malware-finder/whitelists/Spip/spip-3.0.5.yar new file mode 100644 index 0000000..14313f1 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.0.5.yar 
@@ -0,0 +1,30 @@ +import "hash" + +private rule Spip305 +{ + condition: + /* Spip305 */ + hash.sha1(0, filesize) == "b97a86d5d85a92578c7c34fbcf2a4b7c3a27274d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "e1b6f79baaf43dd7d6a2f2acf327a157e8163f95" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "0eb920cf614df8b7a793d2637149167af8027d5d" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "e5400b6906a9c166dd3386c6061a3e27027e4567" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "70950f19939353b7b717bee22edff0beaed28bea" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "51ad49f30c63d0df79d8b580149f93dc23254928" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "d18bb1832508f46b0993b4600323a5441a850cc6" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "6738ed19e644234ecf70b9013e8072d861297707" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "ee00bd66d5f01988ba9352c4e8721e6f6df6288e" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "bc8dbe1d771a5bb21315759c56ae350625a3c3ac" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "817b09cf23dc9de8fafd05cc088406b1329996d6" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "8d94ebc2658816a518fa909e2948889bbab8ba12" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "99ab279b212a8d58f10b04f7200ec742695d0bcc" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "a7ac4e5a05b638b162795f5b82ae0ecc0ee2aa2d" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "50715d1635ae656e80ab3edde7ea505e02966fde" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "c1e651af962833e929124f0f3d63d6880cf2e004" or // 
spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b972b917c54807e91562083c822dace29878f82f" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "a506365605c8c75e011775f4d30b155cb8d2eed7" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "8eae80cb0761eb030d86b8d26075cd164d475fd5" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "ce03ca264b7b4ade3047e159292469f4f424bff5" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "9477557439ce248a85cc48cd3e0ce4a77197804c" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.0.6.yar b/php-malware-finder/whitelists/Spip/spip-3.0.6.yar new file mode 100644 index 0000000..1243a49 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.0.6.yar 
@@ -0,0 +1,30 @@ +import "hash" + +private rule Spip306 +{ + condition: + /* Spip306 */ + hash.sha1(0, filesize) == "b97a86d5d85a92578c7c34fbcf2a4b7c3a27274d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "e1b6f79baaf43dd7d6a2f2acf327a157e8163f95" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "2d77e688fd31886433dfa16ffac374c22fcc6ac0" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "0ee3140e1abe2cf37d819ebe6f263fb6579d8738" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "8caac0a4db7b8269cfb5a657ea09e399edcb8fb9" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "62ce03df9e2f659a1964f0485b7fb327ddb9d003" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "4f90ecb7d880fff12bb513532472a3f102048f6b" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "a10ea309baf551c8028f7b4e920644f94b1246be" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "dd1312131b8237abc32304170281f8c3eda36551" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "e148d20704423c4cf70ddc6a066de6b10d405c2e" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "5c244f3b30bec90efc8f8891f916c800cef0df25" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "f030da7196bcf4b676d825cf564a8657f25aaa11" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "2cda2c72934b278c6a302a425e25214b07a98d7a" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "171e45c7be1f0ee494591e7858b218b07bf86407" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "7ff7dc067d43299dd8df81cdb660aa4b459a67d5" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "42a9b5a99a33186b5d0c0665209efa7093c1b118" or // 
spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b37107cac000b27a1b1962eb47756b76b3bbaaaa" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "0113ee0fc0d736bae7abca5c3836f7c691edb1ac" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "91695cc83b4cecf4240db7dcfd7f191dde1593f2" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "3a1fbc77d20e4e58de7ef133ed4d8e7c51d3c172" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "9477557439ce248a85cc48cd3e0ce4a77197804c" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.0.7.yar b/php-malware-finder/whitelists/Spip/spip-3.0.7.yar new file mode 100644 index 0000000..f3dd05e --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.0.7.yar 
@@ -0,0 +1,30 @@ +import "hash" + +private rule Spip307 +{ + condition: + /* Spip307 */ + hash.sha1(0, filesize) == "b97a86d5d85a92578c7c34fbcf2a4b7c3a27274d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "e1b6f79baaf43dd7d6a2f2acf327a157e8163f95" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "2d77e688fd31886433dfa16ffac374c22fcc6ac0" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "0ee3140e1abe2cf37d819ebe6f263fb6579d8738" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "8caac0a4db7b8269cfb5a657ea09e399edcb8fb9" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "62ce03df9e2f659a1964f0485b7fb327ddb9d003" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "4f90ecb7d880fff12bb513532472a3f102048f6b" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "a10ea309baf551c8028f7b4e920644f94b1246be" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "dd1312131b8237abc32304170281f8c3eda36551" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "3c9ac90903ae53b29799b4d9fd4f0adf176a88a2" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "5c244f3b30bec90efc8f8891f916c800cef0df25" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "f030da7196bcf4b676d825cf564a8657f25aaa11" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "2cda2c72934b278c6a302a425e25214b07a98d7a" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "171e45c7be1f0ee494591e7858b218b07bf86407" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "7ff7dc067d43299dd8df81cdb660aa4b459a67d5" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "42a9b5a99a33186b5d0c0665209efa7093c1b118" or // 
spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b37107cac000b27a1b1962eb47756b76b3bbaaaa" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "0113ee0fc0d736bae7abca5c3836f7c691edb1ac" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "91695cc83b4cecf4240db7dcfd7f191dde1593f2" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "3a1fbc77d20e4e58de7ef133ed4d8e7c51d3c172" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "9477557439ce248a85cc48cd3e0ce4a77197804c" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.0.8.yar b/php-malware-finder/whitelists/Spip/spip-3.0.8.yar new file mode 100644 index 0000000..df13fc3 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.0.8.yar 
@@ -0,0 +1,30 @@ +import "hash" + +private rule Spip308 +{ + condition: + /* Spip308 */ + hash.sha1(0, filesize) == "b97a86d5d85a92578c7c34fbcf2a4b7c3a27274d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "e1b6f79baaf43dd7d6a2f2acf327a157e8163f95" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "2d77e688fd31886433dfa16ffac374c22fcc6ac0" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "0ee3140e1abe2cf37d819ebe6f263fb6579d8738" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "8caac0a4db7b8269cfb5a657ea09e399edcb8fb9" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "62ce03df9e2f659a1964f0485b7fb327ddb9d003" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "4f90ecb7d880fff12bb513532472a3f102048f6b" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "a10ea309baf551c8028f7b4e920644f94b1246be" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "dd1312131b8237abc32304170281f8c3eda36551" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "3c9ac90903ae53b29799b4d9fd4f0adf176a88a2" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "0f2a1554a4b912da3d5830de6ff0db033304b065" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "f030da7196bcf4b676d825cf564a8657f25aaa11" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "2cda2c72934b278c6a302a425e25214b07a98d7a" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "171e45c7be1f0ee494591e7858b218b07bf86407" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "1c59d13047f26718b9d853db0b21d2c44ee7b81b" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "42a9b5a99a33186b5d0c0665209efa7093c1b118" or // 
spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b37107cac000b27a1b1962eb47756b76b3bbaaaa" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "6d59aed40a752e57ac080635bfc773632713c60d" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "91695cc83b4cecf4240db7dcfd7f191dde1593f2" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "3a1fbc77d20e4e58de7ef133ed4d8e7c51d3c172" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "9477557439ce248a85cc48cd3e0ce4a77197804c" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.0.9.yar b/php-malware-finder/whitelists/Spip/spip-3.0.9.yar new file mode 100644 index 0000000..fdf8f20 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.0.9.yar 
@@ -0,0 +1,30 @@ +import "hash" + +private rule Spip309 +{ + condition: + /* Spip309 */ + hash.sha1(0, filesize) == "b97a86d5d85a92578c7c34fbcf2a4b7c3a27274d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "e1b6f79baaf43dd7d6a2f2acf327a157e8163f95" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "2d77e688fd31886433dfa16ffac374c22fcc6ac0" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "0ee3140e1abe2cf37d819ebe6f263fb6579d8738" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "8caac0a4db7b8269cfb5a657ea09e399edcb8fb9" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "c57215834fc0afaaf5e34e9a9440f301f410dc86" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "d2dbf9703c8f34dbbef60165569ee7966e800806" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "ce05e0f09e4a51fdaed5bf9122425f53e370306e" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "dd1312131b8237abc32304170281f8c3eda36551" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "3c9ac90903ae53b29799b4d9fd4f0adf176a88a2" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "a3252d541f84e4182f7fc13c970adeb1ccd7831d" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "f030da7196bcf4b676d825cf564a8657f25aaa11" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "2cda2c72934b278c6a302a425e25214b07a98d7a" or // spip/ecrire/inc/distant.php + hash.sha1(0, filesize) == "171e45c7be1f0ee494591e7858b218b07bf86407" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "37c9c9febe9fc4c8b02a648ae3847952e9dc1480" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "f07af5950fedb6fbbd243214984478d4297ae659" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "42a9b5a99a33186b5d0c0665209efa7093c1b118" or // 
spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b37107cac000b27a1b1962eb47756b76b3bbaaaa" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "143356e5b45bc2fe5b1b4eab9b3776001820db0e" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "91695cc83b4cecf4240db7dcfd7f191dde1593f2" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "3a1fbc77d20e4e58de7ef133ed4d8e7c51d3c172" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "9477557439ce248a85cc48cd3e0ce4a77197804c" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.1.0-alpha.yar b/php-malware-finder/whitelists/Spip/spip-3.1.0-alpha.yar new file mode 100644 index 0000000..5688bdd --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.1.0-alpha.yar 
@@ -0,0 +1,25 @@ +import "hash" + +private rule Spip310alpha +{ + condition: + /* Spip310alpha */ + hash.sha1(0, filesize) == "bd675b1f5493c4c6510264122c24af830f0f6782" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "e8a8fd8bdcba0b6740d1e89881091258239821fb" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "c7df8a89d93f896def7d79139d6a39946b869859" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "1531c26b7b0456f3078402ee45e7aa57d8922a95" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "995d52dfeb1a92c5433c87433c350d57bcc0707b" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "bd40bf31b5917c9a44b9b6834d65e8dc5bc1f8d6" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "236e48e800694fcdd642bf63163518143970b320" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "8ff242070c0bacb0e48f7218302fb257de498717" or // spip/ecrire/inc/traduire.php + hash.sha1(0, filesize) == "6a84146728f6ea48d952920f1e91c2a5a5178554" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "3242362366607667bdd09e773cb2055513d3141c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "d75d69ba8e4d51fe769bf199e946625c68704215" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "34dd3ca5ac98aec5fcc477b912294f441ce2fc52" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b5fc129a10c0ebdcf4feff903c20e7e6e7d6c581" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "67569f73b3ef8da6c4e5dfe3b383e7403e908878" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "6eedab3bbf70878b61cb4e56e509904470820b50" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "ee0173b426c4d711652b8ae70db59f45f39cd127" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "0119c99bbbf11a4e694a08291581b90781bbd98b" or // spip/ecrire/base/dump.php + false +} 
diff --git a/php-malware-finder/whitelists/Spip/spip-3.1.0-beta.yar b/php-malware-finder/whitelists/Spip/spip-3.1.0-beta.yar new file mode 100644 index 0000000..bc3e364 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.1.0-beta.yar 
@@ -0,0 +1,25 @@ +import "hash" + +private rule Spip310beta +{ + condition: + /* Spip310beta */ + hash.sha1(0, filesize) == "7b1f637cc568b72543cd86389e1fb5d06e694a86" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "5402a79606c1d3168b83c5f708ef3c7a00e3cbd3" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "e0934d4a65a81de3e8f63d0df44c18d49e7f6051" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "31ba09b685cde6171301962675d9485764c222ab" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "c180d338326db29bc1a748d62a659aac0d7d0337" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "5982da905c5e7ecea4c15286ec2f3f05f1843b46" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "73096306f831ba82aed0dda301a4f27ff9d5afd9" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "5734787dc8716c65e4ff48a41d75eed747bebd4e" or // spip/ecrire/inc/traduire.php + hash.sha1(0, filesize) == "c89e378fb6d9c1ff22861453a61d9950f30e5029" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "175b096e1469d247205fa332e02fdf48f3f0e49c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "df224c85d6dba079b0e8603e24d5fe97c3c26291" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "530ca8b45431e15a25dc49eddf0dbb872c0daba7" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "b5fc129a10c0ebdcf4feff903c20e7e6e7d6c581" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "0b2e630c12052711c6f755902278e581f68cfc0d" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "a9bcb2489d0e2ae0385fbcdefdb364421f51807a" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "0031a28cd8a26310bba0670b13a8c0e7761a2ef2" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "40e70f97b420cc32ecca97b8c16202a7e2b8190b" or // spip/ecrire/base/dump.php + false +} 
diff --git a/php-malware-finder/whitelists/Spip/spip-3.1.0-rc.yar b/php-malware-finder/whitelists/Spip/spip-3.1.0-rc.yar new file mode 100644 index 0000000..5778b7b --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.1.0-rc.yar 
@@ -0,0 +1,25 @@ +import "hash" + +private rule Spip310rc +{ + condition: + /* Spip310rc */ + hash.sha1(0, filesize) == "ca2c953455e19bff677124b42eeff8080d65cab5" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "c16f4ac1d8c24fb890d843062e4b43b199286859" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "e75ab8984dd379c3ccb647d2bc0d6ca9291b1128" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "f20f1a3d4724a23e424da5317eba6b4bc70f9873" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "0fe17979b96c0f64e15f2c39fb5fcd00ac25af11" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "1429fe919308164cdbdb75f5154dba6063f29212" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "a1878d94e8144f97c78a601ca93262c2ed28b8ad" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "7a40f7a3cf49b5403b01fc28ecbd7c6c07778c47" or // spip/ecrire/inc/traduire.php + hash.sha1(0, filesize) == "0076db4bad924c7a140f35264fef336eca595e71" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "175b096e1469d247205fa332e02fdf48f3f0e49c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "7544dfcd439a7add4584f0098db80090a18a2f0e" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "530ca8b45431e15a25dc49eddf0dbb872c0daba7" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "9aa86c5a9b4ba1011a13681a8815c0968c8f13c7" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "051ec52a4257c9316088d2bd933a1eef5434b40b" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "a9bcb2489d0e2ae0385fbcdefdb364421f51807a" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "4fbfcf3a279bc2e36e53f81eca6f3180fb53cd7c" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "40e70f97b420cc32ecca97b8c16202a7e2b8190b" or // spip/ecrire/base/dump.php + false +} 
diff --git a/php-malware-finder/whitelists/Spip/spip-3.1.0-rc2.yar b/php-malware-finder/whitelists/Spip/spip-3.1.0-rc2.yar new file mode 100644 index 0000000..19b0fd5 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.1.0-rc2.yar 
@@ -0,0 +1,27 @@ +import "hash" + +private rule Spip310rc2 +{ + condition: + /* Spip310rc2 */ + hash.sha1(0, filesize) == "ca2c953455e19bff677124b42eeff8080d65cab5" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "4c27a7f398b577ecfabf23aeac9b524b1dcce3ba" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "59ab1835e8dc17b7080988ae1e709bfdb66502da" or // spip/ecrire/lang/ecrire_uk.php + hash.sha1(0, filesize) == "e75ab8984dd379c3ccb647d2bc0d6ca9291b1128" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "77f5f4da639266221309fd852d7fea4d6d2b50f5" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "29ae86bcb09d2ffeb100e20730713497c4ac4924" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "131d247bbb12c42a214e746c4e3f3aab51e1f273" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "a1915c9c1ca1195f6109d48c0a90acc6931948d8" or // spip/ecrire/inc/autoriser.php + hash.sha1(0, filesize) == "b1c3b991c540ed7bdc2e9c3a4fbdd52d10421f55" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "ce66d2ac4f0c6afae8a15cd1d8f56dacf55af844" or // spip/ecrire/inc/traduire.php + hash.sha1(0, filesize) == "52b979a85717cbb1a49ae128b64a4401a98bf13a" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "175b096e1469d247205fa332e02fdf48f3f0e49c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "eb22162453ed32052557583d2b7130d3ad96afea" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "24308223f3c9e794ad50e86262355ea971681520" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "a5a150166335a41c0f80f5f4023a3f398683a0da" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "e3e5d1e05db604db4cdd509090b7c945d2c4bd7f" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "9d3be1fe4253a7a959e253e3666baae45e1efd4d" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "7c3af9f2036b9e5f82c9d2331e26a334136e546e" or // 
spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "2390ab44a56d3e74bd518d5418bebc7ef734ba42" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.1.0-rc3.yar b/php-malware-finder/whitelists/Spip/spip-3.1.0-rc3.yar new file mode 100644 index 0000000..dfddc27 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.1.0-rc3.yar 
@@ -0,0 +1,27 @@ +import "hash" + +private rule Spip310rc3 +{ + condition: + /* Spip310rc3 */ + hash.sha1(0, filesize) == "ca2c953455e19bff677124b42eeff8080d65cab5" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "a1dbd1e1e3a18a3191faa92ef4458de0455245e1" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "59ab1835e8dc17b7080988ae1e709bfdb66502da" or // spip/ecrire/lang/ecrire_uk.php + hash.sha1(0, filesize) == "e75ab8984dd379c3ccb647d2bc0d6ca9291b1128" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "77f5f4da639266221309fd852d7fea4d6d2b50f5" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "29ae86bcb09d2ffeb100e20730713497c4ac4924" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "131d247bbb12c42a214e746c4e3f3aab51e1f273" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "99147ea1931094f7e37f41d322ab3349ad1c9f94" or // spip/ecrire/inc/autoriser.php + hash.sha1(0, filesize) == "b1c3b991c540ed7bdc2e9c3a4fbdd52d10421f55" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "57ebc09b83d355c72c6e34da6e0b25373128ceea" or // spip/ecrire/inc/traduire.php + hash.sha1(0, filesize) == "52b979a85717cbb1a49ae128b64a4401a98bf13a" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "175b096e1469d247205fa332e02fdf48f3f0e49c" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "75630a17ae812689518aa2c0308c9999a8bbf883" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "24308223f3c9e794ad50e86262355ea971681520" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "a5a150166335a41c0f80f5f4023a3f398683a0da" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "24d88129a7771a3c687db0ff173e5528c8df679a" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "9d3be1fe4253a7a959e253e3666baae45e1efd4d" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "7c3af9f2036b9e5f82c9d2331e26a334136e546e" or // 
spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "2390ab44a56d3e74bd518d5418bebc7ef734ba42" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.1.0.yar b/php-malware-finder/whitelists/Spip/spip-3.1.0.yar new file mode 100644 index 0000000..9618f52 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.1.0.yar 
@@ -0,0 +1,40 @@ +import "hash" + +private rule Spip310 +{ + condition: + /* Spip310 */ + hash.sha1(0, filesize) == "154a8a1896b92944252b4071500d099a22bae38d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "9476709e7dc5977fea433759a419c5a124096578" or // spip/plugins-dist/svp/lang/paquet-svp_nl.php + hash.sha1(0, filesize) == "4059a82a059ccc2daaddadec3be3098feb443a00" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "2c584e032daaf7d3b706a7bd47e12e0a499454ed" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "adae7d023784736c16543136a4d9e94a19403c36" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "a7f149153bcc9bbca4becde10d53b39b06468270" or // spip/plugins-dist/medias/lib/getid3/write.metaflac.php + hash.sha1(0, filesize) == "37e240b326a0e4b0c08f570d312cf3ec457140c6" or // spip/plugins-dist/medias/lib/getid3/getid3.lib.php + hash.sha1(0, filesize) == "875df058dcbca1870773f6b3322f211898f809f3" or // spip/plugins-dist/medias/lib/getid3/write.vorbiscomment.php + hash.sha1(0, filesize) == "33c86b79eaa831d525534c746d5da8b19fc27ff7" or // spip/plugins-dist/medias/lib/getid3/module.audio.shorten.php + hash.sha1(0, filesize) == "161b86f19a222a238f074a167ebeb114942f4945" or // spip/plugins-dist/medias/lib/getid3/module.audio-video.matroska.php + hash.sha1(0, filesize) == "b0b30fbf62fbc99c7fe885799d9cc14b16b58b37" or // spip/plugins-dist/medias/lib/getid3/getid3.php + hash.sha1(0, filesize) == "06e4843b726eb5fd6e5d99415688e6901a94bb18" or // spip/plugins-dist/medias/lib/getid3/module.tag.id3v2.php + hash.sha1(0, filesize) == "cd647da2716e1787b7fbef90f1fcbef0f772f606" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "6a2c34e4180ad76ff963c1ff4cf70ffdd1855798" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "dfbba571406418decb59dd53d69df7b0b8422993" or // 
spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "8b9d7b2b9340b2371e1a098beb9a7fb4158bf87b" or // spip/ecrire/lang/ecrire_uk.php + hash.sha1(0, filesize) == "9ae164cca0a70634626a94daf48ae95d7bb110d1" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "7658e8e69e978f6855c7f0d8d890bb5df7d6fecb" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "d4b3fec6efd1b25296bf59c9646cb95aeb5e27a8" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "f8c22f5da17b9632d2d9d2155ff6940b8ed1dc38" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "f0c25c68eb3f14c1008362d95dff6cd7fe6ac5e3" or // spip/ecrire/inc/autoriser.php + hash.sha1(0, filesize) == "7c847a8ef5be7f99114aaab2d83505f7cfbda1c3" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "a21374ac9bcd1c5adadcd42427c967f005e7126e" or // spip/ecrire/inc/traduire.php + hash.sha1(0, filesize) == "aa63ef0954cfc69800ab5ee1beed1fcf7a05bf5d" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "456cde6dc26bb9048e137527bc340be7d4f9f754" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "46186c964d8b3dff600a61f31d99d3b8ef9dc4ad" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "378ad57b8dc9747638b214db5a91567d66683bdf" or // spip/ecrire/inc/flock.php + hash.sha1(0, filesize) == "aff9936154ae4ee8a659606389ebba1158f3f4b7" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "d32b1bf5b4f410255ca73702bd05fc601880993b" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "fb8f37c7af7d620f940b002f8165b074de0899e0" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "4bccc6ad32dac88736279729d7f4a2f5fbe2d1ba" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "9809044f8c1ac4bc4dbc33d72620cca720a3ec88" or // spip/ecrire/base/dump.php + false +} 
diff --git a/php-malware-finder/whitelists/Spip/spip-3.1.1.yar b/php-malware-finder/whitelists/Spip/spip-3.1.1.yar new file mode 100644 index 0000000..f7baeda --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.1.1.yar 
@@ -0,0 +1,39 @@ +import "hash" + +private rule Spip311 +{ + condition: + /* Spip311 */ + hash.sha1(0, filesize) == "154a8a1896b92944252b4071500d099a22bae38d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "9476709e7dc5977fea433759a419c5a124096578" or // spip/plugins-dist/svp/lang/paquet-svp_nl.php + hash.sha1(0, filesize) == "4059a82a059ccc2daaddadec3be3098feb443a00" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "2c584e032daaf7d3b706a7bd47e12e0a499454ed" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "adae7d023784736c16543136a4d9e94a19403c36" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "a7f149153bcc9bbca4becde10d53b39b06468270" or // spip/plugins-dist/medias/lib/getid3/write.metaflac.php + hash.sha1(0, filesize) == "37e240b326a0e4b0c08f570d312cf3ec457140c6" or // spip/plugins-dist/medias/lib/getid3/getid3.lib.php + hash.sha1(0, filesize) == "875df058dcbca1870773f6b3322f211898f809f3" or // spip/plugins-dist/medias/lib/getid3/write.vorbiscomment.php + hash.sha1(0, filesize) == "33c86b79eaa831d525534c746d5da8b19fc27ff7" or // spip/plugins-dist/medias/lib/getid3/module.audio.shorten.php + hash.sha1(0, filesize) == "161b86f19a222a238f074a167ebeb114942f4945" or // spip/plugins-dist/medias/lib/getid3/module.audio-video.matroska.php + hash.sha1(0, filesize) == "b0b30fbf62fbc99c7fe885799d9cc14b16b58b37" or // spip/plugins-dist/medias/lib/getid3/getid3.php + hash.sha1(0, filesize) == "06e4843b726eb5fd6e5d99415688e6901a94bb18" or // spip/plugins-dist/medias/lib/getid3/module.tag.id3v2.php + hash.sha1(0, filesize) == "cd647da2716e1787b7fbef90f1fcbef0f772f606" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "6a2c34e4180ad76ff963c1ff4cf70ffdd1855798" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "dfbba571406418decb59dd53d69df7b0b8422993" or // 
spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "8b9d7b2b9340b2371e1a098beb9a7fb4158bf87b" or // spip/ecrire/lang/ecrire_uk.php + hash.sha1(0, filesize) == "9ae164cca0a70634626a94daf48ae95d7bb110d1" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "7658e8e69e978f6855c7f0d8d890bb5df7d6fecb" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "d4b3fec6efd1b25296bf59c9646cb95aeb5e27a8" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "f8c22f5da17b9632d2d9d2155ff6940b8ed1dc38" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "f0c25c68eb3f14c1008362d95dff6cd7fe6ac5e3" or // spip/ecrire/inc/autoriser.php + hash.sha1(0, filesize) == "448fdc0734cfc005940339a58bf54501cc2c8d40" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "a21374ac9bcd1c5adadcd42427c967f005e7126e" or // spip/ecrire/inc/traduire.php + hash.sha1(0, filesize) == "aa63ef0954cfc69800ab5ee1beed1fcf7a05bf5d" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "456cde6dc26bb9048e137527bc340be7d4f9f754" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "cd93cb2995ab2bbb31d73246d54e9871e156dd9c" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "aff9936154ae4ee8a659606389ebba1158f3f4b7" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "9f179308a8b07312a21f0df2c6ee91e3553bda8f" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "fb8f37c7af7d620f940b002f8165b074de0899e0" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "4bccc6ad32dac88736279729d7f4a2f5fbe2d1ba" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "9809044f8c1ac4bc4dbc33d72620cca720a3ec88" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.1.10.yar b/php-malware-finder/whitelists/Spip/spip-3.1.10.yar new file mode 100644 index 0000000..76b43df --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.1.10.yar 
@@ -0,0 +1,41 @@ +import "hash" + +private rule Spip3110 +{ + condition: + /* Spip3110 */ + hash.sha1(0, filesize) == "154a8a1896b92944252b4071500d099a22bae38d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "56b087a9fd140aedb233083f7755a5f3f0a47317" or // spip/plugins-dist/svp/lang/paquet-svp_nl.php + hash.sha1(0, filesize) == "4059a82a059ccc2daaddadec3be3098feb443a00" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "16c42b73f0e997b265856a1215e5dccb8042d19c" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "a9cb62e3cfcb70cd68a21b99315e87b7da314964" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "c05bbe90fbc39f1732d09929f1c7c9460bc9f69b" or // spip/plugins-dist/medias/lib/getid3/write.metaflac.php + hash.sha1(0, filesize) == "bb2e534f8b7c16b0337a323cccf2a0b5ae2bca14" or // spip/plugins-dist/medias/lib/getid3/getid3.lib.php + hash.sha1(0, filesize) == "c380ec312ba79f04aaa61795cfcef875d3a0561e" or // spip/plugins-dist/medias/lib/getid3/write.vorbiscomment.php + hash.sha1(0, filesize) == "0a7d70a0f67cf8e61de4c797b2c9bd9691485db7" or // spip/plugins-dist/medias/lib/getid3/module.audio.shorten.php + hash.sha1(0, filesize) == "4d809fb99d7e1e6f66b32b039e51c035587832ad" or // spip/plugins-dist/medias/lib/getid3/module.audio-video.matroska.php + hash.sha1(0, filesize) == "14e6185f6d8f98f0a059e41f3080f6c76db74e00" or // spip/plugins-dist/medias/lib/getid3/module.audio-video.quicktime.php + hash.sha1(0, filesize) == "1be1470a09bd44c4aca32bc632d2c52a5fe8ce0f" or // spip/plugins-dist/medias/lib/getid3/getid3.php + hash.sha1(0, filesize) == "80bca8bf4ca2e6cda2cae72d741d0a4439402424" or // spip/plugins-dist/medias/lib/getid3/module.tag.id3v2.php + hash.sha1(0, filesize) == "b8a83dcabe5c599a5f8ef5105bb21bd080c7f1b2" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == 
"6a2c34e4180ad76ff963c1ff4cf70ffdd1855798" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "dfbba571406418decb59dd53d69df7b0b8422993" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "8b9d7b2b9340b2371e1a098beb9a7fb4158bf87b" or // spip/ecrire/lang/ecrire_uk.php + hash.sha1(0, filesize) == "9ae164cca0a70634626a94daf48ae95d7bb110d1" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "a34ebe3a8c143c9c6a8b523c0f1370aa1e546b69" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "b2992d970a4e6f646a8b67bd1d306d0049da50f4" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "484fcdd42226de2d476ee6329f416085a6234a16" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "d420e31eb36f1c040adb09e2c7a227d8d60f2011" or // spip/ecrire/inc/autoriser.php + hash.sha1(0, filesize) == "6bca9b80b8918dea118ffc03dbdea547aba59cdb" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "319a2625eeef5d83492e6a2f30c2c21012edccc4" or // spip/ecrire/inc/idna_convert.class.php + hash.sha1(0, filesize) == "304dddafc4686e64bb9a2c94df352cfc418c3193" or // spip/ecrire/inc/traduire.php + hash.sha1(0, filesize) == "94a0e61cb58919bc253c05ef50881e4c911916a6" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "456cde6dc26bb9048e137527bc340be7d4f9f754" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "71e311443d2d3de984fde6a7bacec8be1f12ba13" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "d42215363d8c9fbddeb6469438822f5274dda71a" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "6013a077e30c12038c5f2464e9f484adc95ae160" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "073b99feb6ecc8989af78cba59587ad37e330879" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "6357944b6d45a48721c707b9ec1901baed1398e3" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "613dc6035615e682f061ac84314620eeda4de840" or // 
spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.1.2.yar b/php-malware-finder/whitelists/Spip/spip-3.1.2.yar new file mode 100644 index 0000000..3491f64 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.1.2.yar 
@@ -0,0 +1,39 @@ +import "hash" + +private rule Spip312 +{ + condition: + /* Spip312 */ + hash.sha1(0, filesize) == "154a8a1896b92944252b4071500d099a22bae38d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "9476709e7dc5977fea433759a419c5a124096578" or // spip/plugins-dist/svp/lang/paquet-svp_nl.php + hash.sha1(0, filesize) == "4059a82a059ccc2daaddadec3be3098feb443a00" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "2c584e032daaf7d3b706a7bd47e12e0a499454ed" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "adae7d023784736c16543136a4d9e94a19403c36" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "def6c258d9339b7f62a2d7179a59bd1496190c6f" or // spip/plugins-dist/medias/lib/getid3/write.metaflac.php + hash.sha1(0, filesize) == "6bad06056c0da047037151c493c0a5c18fabd472" or // spip/plugins-dist/medias/lib/getid3/getid3.lib.php + hash.sha1(0, filesize) == "516bad60f2c75ad890279da647506e62869c045b" or // spip/plugins-dist/medias/lib/getid3/write.vorbiscomment.php + hash.sha1(0, filesize) == "33c86b79eaa831d525534c746d5da8b19fc27ff7" or // spip/plugins-dist/medias/lib/getid3/module.audio.shorten.php + hash.sha1(0, filesize) == "4f80a865e58c882f332eec5fff817709e98ecb4e" or // spip/plugins-dist/medias/lib/getid3/module.audio-video.matroska.php + hash.sha1(0, filesize) == "9f7898c33a366527be61aaf6e545d09556ebe7cd" or // spip/plugins-dist/medias/lib/getid3/getid3.php + hash.sha1(0, filesize) == "a909484083aa169c1ac6d5dc72edff2e9513ca09" or // spip/plugins-dist/medias/lib/getid3/module.tag.id3v2.php + hash.sha1(0, filesize) == "cd647da2716e1787b7fbef90f1fcbef0f772f606" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "6a2c34e4180ad76ff963c1ff4cf70ffdd1855798" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "dfbba571406418decb59dd53d69df7b0b8422993" or // 
spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "8b9d7b2b9340b2371e1a098beb9a7fb4158bf87b" or // spip/ecrire/lang/ecrire_uk.php + hash.sha1(0, filesize) == "9ae164cca0a70634626a94daf48ae95d7bb110d1" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "7658e8e69e978f6855c7f0d8d890bb5df7d6fecb" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "d4b3fec6efd1b25296bf59c9646cb95aeb5e27a8" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "5670f69a9a25292ebb28331d7991ea9115c0cba9" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "70666022d9fa13b5b8d258b251fd0423f918e86b" or // spip/ecrire/inc/autoriser.php + hash.sha1(0, filesize) == "448fdc0734cfc005940339a58bf54501cc2c8d40" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "a21374ac9bcd1c5adadcd42427c967f005e7126e" or // spip/ecrire/inc/traduire.php + hash.sha1(0, filesize) == "aa63ef0954cfc69800ab5ee1beed1fcf7a05bf5d" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "456cde6dc26bb9048e137527bc340be7d4f9f754" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "565f37b6909d0ee76ad1e8baa27d35559f4d56b6" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "d42215363d8c9fbddeb6469438822f5274dda71a" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "e16696c7ea9277a2f19762070627d0a0efdfd411" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "fb8f37c7af7d620f940b002f8165b074de0899e0" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "4bccc6ad32dac88736279729d7f4a2f5fbe2d1ba" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "9809044f8c1ac4bc4dbc33d72620cca720a3ec88" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.1.3.yar b/php-malware-finder/whitelists/Spip/spip-3.1.3.yar new file mode 100644 index 0000000..c81320e --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.1.3.yar 
@@ -0,0 +1,39 @@ +import "hash" + +private rule Spip313 +{ + condition: + /* Spip313 */ + hash.sha1(0, filesize) == "154a8a1896b92944252b4071500d099a22bae38d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "9476709e7dc5977fea433759a419c5a124096578" or // spip/plugins-dist/svp/lang/paquet-svp_nl.php + hash.sha1(0, filesize) == "4059a82a059ccc2daaddadec3be3098feb443a00" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "2c584e032daaf7d3b706a7bd47e12e0a499454ed" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "adae7d023784736c16543136a4d9e94a19403c36" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "def6c258d9339b7f62a2d7179a59bd1496190c6f" or // spip/plugins-dist/medias/lib/getid3/write.metaflac.php + hash.sha1(0, filesize) == "6bad06056c0da047037151c493c0a5c18fabd472" or // spip/plugins-dist/medias/lib/getid3/getid3.lib.php + hash.sha1(0, filesize) == "516bad60f2c75ad890279da647506e62869c045b" or // spip/plugins-dist/medias/lib/getid3/write.vorbiscomment.php + hash.sha1(0, filesize) == "33c86b79eaa831d525534c746d5da8b19fc27ff7" or // spip/plugins-dist/medias/lib/getid3/module.audio.shorten.php + hash.sha1(0, filesize) == "4f80a865e58c882f332eec5fff817709e98ecb4e" or // spip/plugins-dist/medias/lib/getid3/module.audio-video.matroska.php + hash.sha1(0, filesize) == "9f7898c33a366527be61aaf6e545d09556ebe7cd" or // spip/plugins-dist/medias/lib/getid3/getid3.php + hash.sha1(0, filesize) == "a909484083aa169c1ac6d5dc72edff2e9513ca09" or // spip/plugins-dist/medias/lib/getid3/module.tag.id3v2.php + hash.sha1(0, filesize) == "cd647da2716e1787b7fbef90f1fcbef0f772f606" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "6a2c34e4180ad76ff963c1ff4cf70ffdd1855798" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "dfbba571406418decb59dd53d69df7b0b8422993" or // 
spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "8b9d7b2b9340b2371e1a098beb9a7fb4158bf87b" or // spip/ecrire/lang/ecrire_uk.php + hash.sha1(0, filesize) == "9ae164cca0a70634626a94daf48ae95d7bb110d1" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "7658e8e69e978f6855c7f0d8d890bb5df7d6fecb" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "d4b3fec6efd1b25296bf59c9646cb95aeb5e27a8" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "5670f69a9a25292ebb28331d7991ea9115c0cba9" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "70666022d9fa13b5b8d258b251fd0423f918e86b" or // spip/ecrire/inc/autoriser.php + hash.sha1(0, filesize) == "448fdc0734cfc005940339a58bf54501cc2c8d40" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "a21374ac9bcd1c5adadcd42427c967f005e7126e" or // spip/ecrire/inc/traduire.php + hash.sha1(0, filesize) == "aa63ef0954cfc69800ab5ee1beed1fcf7a05bf5d" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "456cde6dc26bb9048e137527bc340be7d4f9f754" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "f8401c6959441f525d9da279b1d123154583912b" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "d42215363d8c9fbddeb6469438822f5274dda71a" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "e16696c7ea9277a2f19762070627d0a0efdfd411" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "fb8f37c7af7d620f940b002f8165b074de0899e0" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "4bccc6ad32dac88736279729d7f4a2f5fbe2d1ba" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "9809044f8c1ac4bc4dbc33d72620cca720a3ec88" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.1.4.yar b/php-malware-finder/whitelists/Spip/spip-3.1.4.yar new file mode 100644 index 0000000..4938f9d --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.1.4.yar 
@@ -0,0 +1,40 @@ +import "hash" + +private rule Spip314 +{ + condition: + /* Spip314 */ + hash.sha1(0, filesize) == "154a8a1896b92944252b4071500d099a22bae38d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "9476709e7dc5977fea433759a419c5a124096578" or // spip/plugins-dist/svp/lang/paquet-svp_nl.php + hash.sha1(0, filesize) == "4059a82a059ccc2daaddadec3be3098feb443a00" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "2c584e032daaf7d3b706a7bd47e12e0a499454ed" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "488db5e77b5a7f549fce6d4429cf400c728985ab" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "def6c258d9339b7f62a2d7179a59bd1496190c6f" or // spip/plugins-dist/medias/lib/getid3/write.metaflac.php + hash.sha1(0, filesize) == "6bad06056c0da047037151c493c0a5c18fabd472" or // spip/plugins-dist/medias/lib/getid3/getid3.lib.php + hash.sha1(0, filesize) == "516bad60f2c75ad890279da647506e62869c045b" or // spip/plugins-dist/medias/lib/getid3/write.vorbiscomment.php + hash.sha1(0, filesize) == "33c86b79eaa831d525534c746d5da8b19fc27ff7" or // spip/plugins-dist/medias/lib/getid3/module.audio.shorten.php + hash.sha1(0, filesize) == "4f80a865e58c882f332eec5fff817709e98ecb4e" or // spip/plugins-dist/medias/lib/getid3/module.audio-video.matroska.php + hash.sha1(0, filesize) == "9f7898c33a366527be61aaf6e545d09556ebe7cd" or // spip/plugins-dist/medias/lib/getid3/getid3.php + hash.sha1(0, filesize) == "a909484083aa169c1ac6d5dc72edff2e9513ca09" or // spip/plugins-dist/medias/lib/getid3/module.tag.id3v2.php + hash.sha1(0, filesize) == "cd647da2716e1787b7fbef90f1fcbef0f772f606" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "6a2c34e4180ad76ff963c1ff4cf70ffdd1855798" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "dfbba571406418decb59dd53d69df7b0b8422993" or // 
spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "8b9d7b2b9340b2371e1a098beb9a7fb4158bf87b" or // spip/ecrire/lang/ecrire_uk.php + hash.sha1(0, filesize) == "9ae164cca0a70634626a94daf48ae95d7bb110d1" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "7658e8e69e978f6855c7f0d8d890bb5df7d6fecb" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "d4b3fec6efd1b25296bf59c9646cb95aeb5e27a8" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "5670f69a9a25292ebb28331d7991ea9115c0cba9" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "70666022d9fa13b5b8d258b251fd0423f918e86b" or // spip/ecrire/inc/autoriser.php + hash.sha1(0, filesize) == "448fdc0734cfc005940339a58bf54501cc2c8d40" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "319a2625eeef5d83492e6a2f30c2c21012edccc4" or // spip/ecrire/inc/idna_convert.class.php + hash.sha1(0, filesize) == "a21374ac9bcd1c5adadcd42427c967f005e7126e" or // spip/ecrire/inc/traduire.php + hash.sha1(0, filesize) == "aa63ef0954cfc69800ab5ee1beed1fcf7a05bf5d" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "456cde6dc26bb9048e137527bc340be7d4f9f754" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "514b20c506967ffc1f5206881fe5ca671ee6f09a" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "d42215363d8c9fbddeb6469438822f5274dda71a" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "799cc5dd7d4a775341d6cfd8306b5f960fd5df64" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "fb8f37c7af7d620f940b002f8165b074de0899e0" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "4bccc6ad32dac88736279729d7f4a2f5fbe2d1ba" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "9809044f8c1ac4bc4dbc33d72620cca720a3ec88" or // spip/ecrire/base/dump.php + false +} 
diff --git a/php-malware-finder/whitelists/Spip/spip-3.1.5.yar b/php-malware-finder/whitelists/Spip/spip-3.1.5.yar new file mode 100644 index 0000000..07b6f25 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.1.5.yar 
@@ -0,0 +1,40 @@ +import "hash" + +private rule Spip315 +{ + condition: + /* Spip315 */ + hash.sha1(0, filesize) == "154a8a1896b92944252b4071500d099a22bae38d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "56b087a9fd140aedb233083f7755a5f3f0a47317" or // spip/plugins-dist/svp/lang/paquet-svp_nl.php + hash.sha1(0, filesize) == "4059a82a059ccc2daaddadec3be3098feb443a00" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "b536e34e463a20132480567cf2464e88012f2224" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "8f3347b07542353407dcfb928aa9b62d79cbbf4a" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "def6c258d9339b7f62a2d7179a59bd1496190c6f" or // spip/plugins-dist/medias/lib/getid3/write.metaflac.php + hash.sha1(0, filesize) == "6bad06056c0da047037151c493c0a5c18fabd472" or // spip/plugins-dist/medias/lib/getid3/getid3.lib.php + hash.sha1(0, filesize) == "516bad60f2c75ad890279da647506e62869c045b" or // spip/plugins-dist/medias/lib/getid3/write.vorbiscomment.php + hash.sha1(0, filesize) == "33c86b79eaa831d525534c746d5da8b19fc27ff7" or // spip/plugins-dist/medias/lib/getid3/module.audio.shorten.php + hash.sha1(0, filesize) == "4f80a865e58c882f332eec5fff817709e98ecb4e" or // spip/plugins-dist/medias/lib/getid3/module.audio-video.matroska.php + hash.sha1(0, filesize) == "9f7898c33a366527be61aaf6e545d09556ebe7cd" or // spip/plugins-dist/medias/lib/getid3/getid3.php + hash.sha1(0, filesize) == "a909484083aa169c1ac6d5dc72edff2e9513ca09" or // spip/plugins-dist/medias/lib/getid3/module.tag.id3v2.php + hash.sha1(0, filesize) == "cd647da2716e1787b7fbef90f1fcbef0f772f606" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "6a2c34e4180ad76ff963c1ff4cf70ffdd1855798" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "dfbba571406418decb59dd53d69df7b0b8422993" or // 
spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "8b9d7b2b9340b2371e1a098beb9a7fb4158bf87b" or // spip/ecrire/lang/ecrire_uk.php + hash.sha1(0, filesize) == "9ae164cca0a70634626a94daf48ae95d7bb110d1" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "7658e8e69e978f6855c7f0d8d890bb5df7d6fecb" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "d4b3fec6efd1b25296bf59c9646cb95aeb5e27a8" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "5670f69a9a25292ebb28331d7991ea9115c0cba9" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "82c0f1dcf38acda1184b2f961c84ed90c71afaad" or // spip/ecrire/inc/autoriser.php + hash.sha1(0, filesize) == "448fdc0734cfc005940339a58bf54501cc2c8d40" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "319a2625eeef5d83492e6a2f30c2c21012edccc4" or // spip/ecrire/inc/idna_convert.class.php + hash.sha1(0, filesize) == "a21374ac9bcd1c5adadcd42427c967f005e7126e" or // spip/ecrire/inc/traduire.php + hash.sha1(0, filesize) == "aa63ef0954cfc69800ab5ee1beed1fcf7a05bf5d" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "456cde6dc26bb9048e137527bc340be7d4f9f754" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "7f9048a05cb46b675a91a967d5edc649397185f4" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "d42215363d8c9fbddeb6469438822f5274dda71a" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "55d73860029e3fabbdfdf0212bd6d2ab033734cb" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "fb8f37c7af7d620f940b002f8165b074de0899e0" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "4bccc6ad32dac88736279729d7f4a2f5fbe2d1ba" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "9809044f8c1ac4bc4dbc33d72620cca720a3ec88" or // spip/ecrire/base/dump.php + false +} 
diff --git a/php-malware-finder/whitelists/Spip/spip-3.1.6.yar b/php-malware-finder/whitelists/Spip/spip-3.1.6.yar new file mode 100644 index 0000000..f1ed39c --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.1.6.yar 
@@ -0,0 +1,40 @@ +import "hash" + +private rule Spip316 +{ + condition: + /* Spip316 */ + hash.sha1(0, filesize) == "154a8a1896b92944252b4071500d099a22bae38d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "56b087a9fd140aedb233083f7755a5f3f0a47317" or // spip/plugins-dist/svp/lang/paquet-svp_nl.php + hash.sha1(0, filesize) == "4059a82a059ccc2daaddadec3be3098feb443a00" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "b536e34e463a20132480567cf2464e88012f2224" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "8f3347b07542353407dcfb928aa9b62d79cbbf4a" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "def6c258d9339b7f62a2d7179a59bd1496190c6f" or // spip/plugins-dist/medias/lib/getid3/write.metaflac.php + hash.sha1(0, filesize) == "6bad06056c0da047037151c493c0a5c18fabd472" or // spip/plugins-dist/medias/lib/getid3/getid3.lib.php + hash.sha1(0, filesize) == "516bad60f2c75ad890279da647506e62869c045b" or // spip/plugins-dist/medias/lib/getid3/write.vorbiscomment.php + hash.sha1(0, filesize) == "33c86b79eaa831d525534c746d5da8b19fc27ff7" or // spip/plugins-dist/medias/lib/getid3/module.audio.shorten.php + hash.sha1(0, filesize) == "4f80a865e58c882f332eec5fff817709e98ecb4e" or // spip/plugins-dist/medias/lib/getid3/module.audio-video.matroska.php + hash.sha1(0, filesize) == "9f7898c33a366527be61aaf6e545d09556ebe7cd" or // spip/plugins-dist/medias/lib/getid3/getid3.php + hash.sha1(0, filesize) == "a909484083aa169c1ac6d5dc72edff2e9513ca09" or // spip/plugins-dist/medias/lib/getid3/module.tag.id3v2.php + hash.sha1(0, filesize) == "cd647da2716e1787b7fbef90f1fcbef0f772f606" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "6a2c34e4180ad76ff963c1ff4cf70ffdd1855798" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "dfbba571406418decb59dd53d69df7b0b8422993" or // 
spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "8b9d7b2b9340b2371e1a098beb9a7fb4158bf87b" or // spip/ecrire/lang/ecrire_uk.php + hash.sha1(0, filesize) == "9ae164cca0a70634626a94daf48ae95d7bb110d1" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "7658e8e69e978f6855c7f0d8d890bb5df7d6fecb" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "d4b3fec6efd1b25296bf59c9646cb95aeb5e27a8" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "8bb24800218aa13d50493b6eaa4faabe45d0a8e9" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "82c0f1dcf38acda1184b2f961c84ed90c71afaad" or // spip/ecrire/inc/autoriser.php + hash.sha1(0, filesize) == "448fdc0734cfc005940339a58bf54501cc2c8d40" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "319a2625eeef5d83492e6a2f30c2c21012edccc4" or // spip/ecrire/inc/idna_convert.class.php + hash.sha1(0, filesize) == "a21374ac9bcd1c5adadcd42427c967f005e7126e" or // spip/ecrire/inc/traduire.php + hash.sha1(0, filesize) == "aa63ef0954cfc69800ab5ee1beed1fcf7a05bf5d" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "456cde6dc26bb9048e137527bc340be7d4f9f754" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "7f9048a05cb46b675a91a967d5edc649397185f4" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "d42215363d8c9fbddeb6469438822f5274dda71a" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "c4ed1d619f5c1df41676aa0a181882c78dc330e6" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "fb8f37c7af7d620f940b002f8165b074de0899e0" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "4bccc6ad32dac88736279729d7f4a2f5fbe2d1ba" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "9809044f8c1ac4bc4dbc33d72620cca720a3ec88" or // spip/ecrire/base/dump.php + false +} 
diff --git a/php-malware-finder/whitelists/Spip/spip-3.1.7.yar b/php-malware-finder/whitelists/Spip/spip-3.1.7.yar new file mode 100644 index 0000000..128de11 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.1.7.yar 
@@ -0,0 +1,40 @@ +import "hash" + +private rule Spip317 +{ + condition: + /* Spip317 */ + hash.sha1(0, filesize) == "154a8a1896b92944252b4071500d099a22bae38d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "56b087a9fd140aedb233083f7755a5f3f0a47317" or // spip/plugins-dist/svp/lang/paquet-svp_nl.php + hash.sha1(0, filesize) == "4059a82a059ccc2daaddadec3be3098feb443a00" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "b536e34e463a20132480567cf2464e88012f2224" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "8f3347b07542353407dcfb928aa9b62d79cbbf4a" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "def6c258d9339b7f62a2d7179a59bd1496190c6f" or // spip/plugins-dist/medias/lib/getid3/write.metaflac.php + hash.sha1(0, filesize) == "6bad06056c0da047037151c493c0a5c18fabd472" or // spip/plugins-dist/medias/lib/getid3/getid3.lib.php + hash.sha1(0, filesize) == "516bad60f2c75ad890279da647506e62869c045b" or // spip/plugins-dist/medias/lib/getid3/write.vorbiscomment.php + hash.sha1(0, filesize) == "33c86b79eaa831d525534c746d5da8b19fc27ff7" or // spip/plugins-dist/medias/lib/getid3/module.audio.shorten.php + hash.sha1(0, filesize) == "4f80a865e58c882f332eec5fff817709e98ecb4e" or // spip/plugins-dist/medias/lib/getid3/module.audio-video.matroska.php + hash.sha1(0, filesize) == "9f7898c33a366527be61aaf6e545d09556ebe7cd" or // spip/plugins-dist/medias/lib/getid3/getid3.php + hash.sha1(0, filesize) == "a909484083aa169c1ac6d5dc72edff2e9513ca09" or // spip/plugins-dist/medias/lib/getid3/module.tag.id3v2.php + hash.sha1(0, filesize) == "9d7b4ac61fa55b8b12d5a3d1bc7b6344a78d9cec" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "6a2c34e4180ad76ff963c1ff4cf70ffdd1855798" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "dfbba571406418decb59dd53d69df7b0b8422993" or // 
spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "8b9d7b2b9340b2371e1a098beb9a7fb4158bf87b" or // spip/ecrire/lang/ecrire_uk.php + hash.sha1(0, filesize) == "9ae164cca0a70634626a94daf48ae95d7bb110d1" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "4f31c5bd74cb0234b70c74fc089b672dd19535cd" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "d4b3fec6efd1b25296bf59c9646cb95aeb5e27a8" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "2c87a6c24d800af24b9ddcfaa84ec912b0e24caa" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "82c0f1dcf38acda1184b2f961c84ed90c71afaad" or // spip/ecrire/inc/autoriser.php + hash.sha1(0, filesize) == "448fdc0734cfc005940339a58bf54501cc2c8d40" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "319a2625eeef5d83492e6a2f30c2c21012edccc4" or // spip/ecrire/inc/idna_convert.class.php + hash.sha1(0, filesize) == "a21374ac9bcd1c5adadcd42427c967f005e7126e" or // spip/ecrire/inc/traduire.php + hash.sha1(0, filesize) == "aa63ef0954cfc69800ab5ee1beed1fcf7a05bf5d" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "456cde6dc26bb9048e137527bc340be7d4f9f754" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "9a2dd4403e4c92de0604eba8de445d719da21adf" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "d42215363d8c9fbddeb6469438822f5274dda71a" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "2df034384ef60b9de0b5bf36e2bb7364118a1904" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "fb8f37c7af7d620f940b002f8165b074de0899e0" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "4bccc6ad32dac88736279729d7f4a2f5fbe2d1ba" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "9809044f8c1ac4bc4dbc33d72620cca720a3ec88" or // spip/ecrire/base/dump.php + false +} 
diff --git a/php-malware-finder/whitelists/Spip/spip-3.1.8.yar b/php-malware-finder/whitelists/Spip/spip-3.1.8.yar new file mode 100644 index 0000000..50c7b49 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.1.8.yar 
@@ -0,0 +1,40 @@ +import "hash" + +private rule Spip318 +{ + condition: + /* Spip318 */ + hash.sha1(0, filesize) == "154a8a1896b92944252b4071500d099a22bae38d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "56b087a9fd140aedb233083f7755a5f3f0a47317" or // spip/plugins-dist/svp/lang/paquet-svp_nl.php + hash.sha1(0, filesize) == "4059a82a059ccc2daaddadec3be3098feb443a00" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "b536e34e463a20132480567cf2464e88012f2224" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "8f3347b07542353407dcfb928aa9b62d79cbbf4a" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "def6c258d9339b7f62a2d7179a59bd1496190c6f" or // spip/plugins-dist/medias/lib/getid3/write.metaflac.php + hash.sha1(0, filesize) == "6bad06056c0da047037151c493c0a5c18fabd472" or // spip/plugins-dist/medias/lib/getid3/getid3.lib.php + hash.sha1(0, filesize) == "516bad60f2c75ad890279da647506e62869c045b" or // spip/plugins-dist/medias/lib/getid3/write.vorbiscomment.php + hash.sha1(0, filesize) == "33c86b79eaa831d525534c746d5da8b19fc27ff7" or // spip/plugins-dist/medias/lib/getid3/module.audio.shorten.php + hash.sha1(0, filesize) == "4f80a865e58c882f332eec5fff817709e98ecb4e" or // spip/plugins-dist/medias/lib/getid3/module.audio-video.matroska.php + hash.sha1(0, filesize) == "9f7898c33a366527be61aaf6e545d09556ebe7cd" or // spip/plugins-dist/medias/lib/getid3/getid3.php + hash.sha1(0, filesize) == "a909484083aa169c1ac6d5dc72edff2e9513ca09" or // spip/plugins-dist/medias/lib/getid3/module.tag.id3v2.php + hash.sha1(0, filesize) == "9d7b4ac61fa55b8b12d5a3d1bc7b6344a78d9cec" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "6a2c34e4180ad76ff963c1ff4cf70ffdd1855798" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "dfbba571406418decb59dd53d69df7b0b8422993" or // 
spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "8b9d7b2b9340b2371e1a098beb9a7fb4158bf87b" or // spip/ecrire/lang/ecrire_uk.php + hash.sha1(0, filesize) == "9ae164cca0a70634626a94daf48ae95d7bb110d1" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "4f31c5bd74cb0234b70c74fc089b672dd19535cd" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "d4b3fec6efd1b25296bf59c9646cb95aeb5e27a8" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "2c87a6c24d800af24b9ddcfaa84ec912b0e24caa" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "7b06e23dc34fd88fe4cde212a4b619221277dcd0" or // spip/ecrire/inc/autoriser.php + hash.sha1(0, filesize) == "448fdc0734cfc005940339a58bf54501cc2c8d40" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "319a2625eeef5d83492e6a2f30c2c21012edccc4" or // spip/ecrire/inc/idna_convert.class.php + hash.sha1(0, filesize) == "a21374ac9bcd1c5adadcd42427c967f005e7126e" or // spip/ecrire/inc/traduire.php + hash.sha1(0, filesize) == "aa63ef0954cfc69800ab5ee1beed1fcf7a05bf5d" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "456cde6dc26bb9048e137527bc340be7d4f9f754" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "d22219e7fd367ad9f435890cf87a4e43519ab439" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "d42215363d8c9fbddeb6469438822f5274dda71a" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "2df034384ef60b9de0b5bf36e2bb7364118a1904" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "fb8f37c7af7d620f940b002f8165b074de0899e0" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "4bccc6ad32dac88736279729d7f4a2f5fbe2d1ba" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "9809044f8c1ac4bc4dbc33d72620cca720a3ec88" or // spip/ecrire/base/dump.php + false +} 
diff --git a/php-malware-finder/whitelists/Spip/spip-3.1.9.yar b/php-malware-finder/whitelists/Spip/spip-3.1.9.yar new file mode 100644 index 0000000..9818b69 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.1.9.yar 
@@ -0,0 +1,40 @@ +import "hash" + +private rule Spip319 +{ + condition: + /* Spip319 */ + hash.sha1(0, filesize) == "154a8a1896b92944252b4071500d099a22bae38d" or // spip/plugins-dist/svp/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "56b087a9fd140aedb233083f7755a5f3f0a47317" or // spip/plugins-dist/svp/lang/paquet-svp_nl.php + hash.sha1(0, filesize) == "4059a82a059ccc2daaddadec3be3098feb443a00" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "b536e34e463a20132480567cf2464e88012f2224" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "8f3347b07542353407dcfb928aa9b62d79cbbf4a" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "def6c258d9339b7f62a2d7179a59bd1496190c6f" or // spip/plugins-dist/medias/lib/getid3/write.metaflac.php + hash.sha1(0, filesize) == "6bad06056c0da047037151c493c0a5c18fabd472" or // spip/plugins-dist/medias/lib/getid3/getid3.lib.php + hash.sha1(0, filesize) == "516bad60f2c75ad890279da647506e62869c045b" or // spip/plugins-dist/medias/lib/getid3/write.vorbiscomment.php + hash.sha1(0, filesize) == "33c86b79eaa831d525534c746d5da8b19fc27ff7" or // spip/plugins-dist/medias/lib/getid3/module.audio.shorten.php + hash.sha1(0, filesize) == "4f80a865e58c882f332eec5fff817709e98ecb4e" or // spip/plugins-dist/medias/lib/getid3/module.audio-video.matroska.php + hash.sha1(0, filesize) == "9f7898c33a366527be61aaf6e545d09556ebe7cd" or // spip/plugins-dist/medias/lib/getid3/getid3.php + hash.sha1(0, filesize) == "a909484083aa169c1ac6d5dc72edff2e9513ca09" or // spip/plugins-dist/medias/lib/getid3/module.tag.id3v2.php + hash.sha1(0, filesize) == "9d7b4ac61fa55b8b12d5a3d1bc7b6344a78d9cec" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "6a2c34e4180ad76ff963c1ff4cf70ffdd1855798" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "dfbba571406418decb59dd53d69df7b0b8422993" or // 
spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "8b9d7b2b9340b2371e1a098beb9a7fb4158bf87b" or // spip/ecrire/lang/ecrire_uk.php + hash.sha1(0, filesize) == "9ae164cca0a70634626a94daf48ae95d7bb110d1" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "a34ebe3a8c143c9c6a8b523c0f1370aa1e546b69" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "b2992d970a4e6f646a8b67bd1d306d0049da50f4" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "484fcdd42226de2d476ee6329f416085a6234a16" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "d420e31eb36f1c040adb09e2c7a227d8d60f2011" or // spip/ecrire/inc/autoriser.php + hash.sha1(0, filesize) == "6bca9b80b8918dea118ffc03dbdea547aba59cdb" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "319a2625eeef5d83492e6a2f30c2c21012edccc4" or // spip/ecrire/inc/idna_convert.class.php + hash.sha1(0, filesize) == "304dddafc4686e64bb9a2c94df352cfc418c3193" or // spip/ecrire/inc/traduire.php + hash.sha1(0, filesize) == "94a0e61cb58919bc253c05ef50881e4c911916a6" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "456cde6dc26bb9048e137527bc340be7d4f9f754" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "71e311443d2d3de984fde6a7bacec8be1f12ba13" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "d42215363d8c9fbddeb6469438822f5274dda71a" or // spip/ecrire/inc/pclzip.php + hash.sha1(0, filesize) == "6013a077e30c12038c5f2464e9f484adc95ae160" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "073b99feb6ecc8989af78cba59587ad37e330879" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "6357944b6d45a48721c707b9ec1901baed1398e3" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "613dc6035615e682f061ac84314620eeda4de840" or // spip/ecrire/base/dump.php + false +} 
diff --git a/php-malware-finder/whitelists/Spip/spip-3.2-alpha-1.yar b/php-malware-finder/whitelists/Spip/spip-3.2-alpha-1.yar new file mode 100644 index 0000000..f024538 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.2-alpha-1.yar 
@@ -0,0 +1,25 @@ +import "hash" + +private rule Spip32alpha1 +{ + condition: + /* Spip32alpha1 */ + hash.sha1(0, filesize) == "1c2e2606ff56ab495f7c05ef98621eba431af882" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "13b94e6514153cd4d2964a5cbd26f3cb92016bb7" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "52083c613447850af39bb29855a829a1207139ea" or // spip/ecrire/lang/ecrire_uk.php + hash.sha1(0, filesize) == "bf65f67644a4060449fb7c0f7434cb0960a11181" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "7658e8e69e978f6855c7f0d8d890bb5df7d6fecb" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "3ab60f2f114aa54abb9b177cbf54edfac4d7079b" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "d602c70bbe275c7b63ccfcc65846c1148be4472e" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "b58ce1465aed1c633e1ea7fd8884a878bbaf7583" or // spip/ecrire/inc/autoriser.php + hash.sha1(0, filesize) == "003ca93a7d814328dbd00c2d1be5821791403580" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "319a2625eeef5d83492e6a2f30c2c21012edccc4" or // spip/ecrire/inc/idna_convert.class.php + hash.sha1(0, filesize) == "aa63ef0954cfc69800ab5ee1beed1fcf7a05bf5d" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "456cde6dc26bb9048e137527bc340be7d4f9f754" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "f9ac3f8256e5cfb4663e0ed572c3cb2c46c48d2d" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "5f039df0e5652b59ea7dd3c754a7346bbcd562b4" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "fb8f37c7af7d620f940b002f8165b074de0899e0" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "4bccc6ad32dac88736279729d7f4a2f5fbe2d1ba" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "9809044f8c1ac4bc4dbc33d72620cca720a3ec88" or // spip/ecrire/base/dump.php + false +} 
diff --git a/php-malware-finder/whitelists/Spip/spip-3.2.0-beta.yar b/php-malware-finder/whitelists/Spip/spip-3.2.0-beta.yar new file mode 100644 index 0000000..4d85d43 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.2.0-beta.yar 
@@ -0,0 +1,25 @@ +import "hash" + +private rule Spip320beta +{ + condition: + /* Spip320beta */ + hash.sha1(0, filesize) == "1c2e2606ff56ab495f7c05ef98621eba431af882" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "13b94e6514153cd4d2964a5cbd26f3cb92016bb7" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "52083c613447850af39bb29855a829a1207139ea" or // spip/ecrire/lang/ecrire_uk.php + hash.sha1(0, filesize) == "bf65f67644a4060449fb7c0f7434cb0960a11181" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "0a1ba970dd06ea49405a7d1c01bd02351d79b413" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "3ab60f2f114aa54abb9b177cbf54edfac4d7079b" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "d602c70bbe275c7b63ccfcc65846c1148be4472e" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "dfaca67b5813eae80d10ebc128432f8329b659f2" or // spip/ecrire/inc/autoriser.php + hash.sha1(0, filesize) == "003ca93a7d814328dbd00c2d1be5821791403580" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "319a2625eeef5d83492e6a2f30c2c21012edccc4" or // spip/ecrire/inc/idna_convert.class.php + hash.sha1(0, filesize) == "aa63ef0954cfc69800ab5ee1beed1fcf7a05bf5d" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "456cde6dc26bb9048e137527bc340be7d4f9f754" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "0dd06184c5f3c590969bcd1ff9ee9e64035b178f" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "1d8aec287547de7463eb41957eeef2ccf51e7bba" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "fb8f37c7af7d620f940b002f8165b074de0899e0" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "4bccc6ad32dac88736279729d7f4a2f5fbe2d1ba" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "9809044f8c1ac4bc4dbc33d72620cca720a3ec88" or // spip/ecrire/base/dump.php + false +} 
diff --git a/php-malware-finder/whitelists/Spip/spip-3.2.0.yar b/php-malware-finder/whitelists/Spip/spip-3.2.0.yar new file mode 100644 index 0000000..6458c0b --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.2.0.yar 
@@ -0,0 +1,39 @@ +import "hash" + +private rule Spip320 +{ + condition: + /* Spip320 */ + hash.sha1(0, filesize) == "07eea9a423ec890ced408f19be1b0a5e84c80c7e" or // spip/plugins-dist/svp/lang/paquet-svp_nl.php + hash.sha1(0, filesize) == "2e62558953eaeaa964501094ca6fc01f94752765" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "b536e34e463a20132480567cf2464e88012f2224" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "8f3347b07542353407dcfb928aa9b62d79cbbf4a" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "154a8a1896b92944252b4071500d099a22bae38d" or // spip/plugins-dist/archiviste/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "dd3511cc75670ef3df96e9d854c44132148db761" or // spip/plugins-dist/archiviste/inc/pclzip.php + hash.sha1(0, filesize) == "def6c258d9339b7f62a2d7179a59bd1496190c6f" or // spip/plugins-dist/medias/lib/getid3/write.metaflac.php + hash.sha1(0, filesize) == "97d01f9470bc7fdb4d4f24df4346a016d04fa9d3" or // spip/plugins-dist/medias/lib/getid3/getid3.lib.php + hash.sha1(0, filesize) == "516bad60f2c75ad890279da647506e62869c045b" or // spip/plugins-dist/medias/lib/getid3/write.vorbiscomment.php + hash.sha1(0, filesize) == "1a4ec58132fd9ad3a2482acd1d6deba46ecbccf9" or // spip/plugins-dist/medias/lib/getid3/module.audio.shorten.php + hash.sha1(0, filesize) == "fad9e9caabe9d63abcfd3971f2b4ab4615309292" or // spip/plugins-dist/medias/lib/getid3/getid3.php + hash.sha1(0, filesize) == "b488fee123ca131bd0e6cd134c5d33fb26d4be51" or // spip/plugins-dist/medias/lib/getid3/module.tag.id3v2.php + hash.sha1(0, filesize) == "ee600c4349374096fd744b665e1573c54795fee0" or // spip/plugins-dist/medias/inc/documents.php + hash.sha1(0, filesize) == "9fddfdc887a251e9c9aa443a437c50f07634c021" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "9c0d98b411f218e399a12088a9f51c4398441384" or // spip/ecrire/lang/ecrire_ar.php + 
hash.sha1(0, filesize) == "6196504bff9f4110a65ffcac880c1212a7bc99fd" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "6f31bfbc8da6b34e5d90f997139e343282bc7b73" or // spip/ecrire/lang/ecrire_uk.php + hash.sha1(0, filesize) == "bf65f67644a4060449fb7c0f7434cb0960a11181" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "60b62f2caf0b39ddeead846ceb7eea28ca408adc" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "e4c528f05331a5eda8b558e2efe863d87500c215" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "26686804b7b7274acfdb3803c7aebcd5f7bc518b" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "4fd4390f9996cc1fd03a077c818d1ccfd2e97239" or // spip/ecrire/inc/autoriser.php + hash.sha1(0, filesize) == "0cd17cacb86c5a05907b0b8024c6127bab9df301" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "319a2625eeef5d83492e6a2f30c2c21012edccc4" or // spip/ecrire/inc/idna_convert.class.php + hash.sha1(0, filesize) == "1a5d425e354bc4fb177ad3598a0b85411b3de50c" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "456cde6dc26bb9048e137527bc340be7d4f9f754" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "ca089c46b99e2eff88c2658a30f5c000666996a9" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "f5de95ff3344ce7bce662117eb24487daf1c44b1" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "a780d850680a3d1e9139aaf94e5e8fc66b6f246a" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "6b1e6381a88e70c454faf648d13ac134dfa519e0" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "1d1f129a725be4d13314a62d266900b87dd17c59" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.2.0beta2.yar b/php-malware-finder/whitelists/Spip/spip-3.2.0beta2.yar new file mode 100644 index 0000000..cfb46a5 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.2.0beta2.yar 
@@ -0,0 +1,25 @@ +import "hash" + +private rule Spip320beta2 +{ + condition: + /* Spip320beta2 */ + hash.sha1(0, filesize) == "d1ff0e55ee01cce32addf08081f6c864950979b4" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "13b94e6514153cd4d2964a5cbd26f3cb92016bb7" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "52083c613447850af39bb29855a829a1207139ea" or // spip/ecrire/lang/ecrire_uk.php + hash.sha1(0, filesize) == "bf65f67644a4060449fb7c0f7434cb0960a11181" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "0a1ba970dd06ea49405a7d1c01bd02351d79b413" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "3ab60f2f114aa54abb9b177cbf54edfac4d7079b" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "d602c70bbe275c7b63ccfcc65846c1148be4472e" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "dfaca67b5813eae80d10ebc128432f8329b659f2" or // spip/ecrire/inc/autoriser.php + hash.sha1(0, filesize) == "003ca93a7d814328dbd00c2d1be5821791403580" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "319a2625eeef5d83492e6a2f30c2c21012edccc4" or // spip/ecrire/inc/idna_convert.class.php + hash.sha1(0, filesize) == "aa63ef0954cfc69800ab5ee1beed1fcf7a05bf5d" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "456cde6dc26bb9048e137527bc340be7d4f9f754" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "eba4892b87f330ec4667e2c04a6eadd319bac18f" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "8d0cdb19872ec26b0c1c6d45028b41e97b717ac3" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "fb8f37c7af7d620f940b002f8165b074de0899e0" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "4bccc6ad32dac88736279729d7f4a2f5fbe2d1ba" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "9809044f8c1ac4bc4dbc33d72620cca720a3ec88" or // spip/ecrire/base/dump.php + false +} 
diff --git a/php-malware-finder/whitelists/Spip/spip-3.2.0beta3.yar b/php-malware-finder/whitelists/Spip/spip-3.2.0beta3.yar new file mode 100644 index 0000000..6479e2b --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.2.0beta3.yar 
@@ -0,0 +1,25 @@ +import "hash" + +private rule Spip320beta3 +{ + condition: + /* Spip320beta3 */ + hash.sha1(0, filesize) == "d1ff0e55ee01cce32addf08081f6c864950979b4" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "13b94e6514153cd4d2964a5cbd26f3cb92016bb7" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "52083c613447850af39bb29855a829a1207139ea" or // spip/ecrire/lang/ecrire_uk.php + hash.sha1(0, filesize) == "bf65f67644a4060449fb7c0f7434cb0960a11181" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "0a1ba970dd06ea49405a7d1c01bd02351d79b413" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "3ab60f2f114aa54abb9b177cbf54edfac4d7079b" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "358d5ba151376f3464389a385e961ae9c008f4c3" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "dfaca67b5813eae80d10ebc128432f8329b659f2" or // spip/ecrire/inc/autoriser.php + hash.sha1(0, filesize) == "003ca93a7d814328dbd00c2d1be5821791403580" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "319a2625eeef5d83492e6a2f30c2c21012edccc4" or // spip/ecrire/inc/idna_convert.class.php + hash.sha1(0, filesize) == "aa63ef0954cfc69800ab5ee1beed1fcf7a05bf5d" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "456cde6dc26bb9048e137527bc340be7d4f9f754" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "eba4892b87f330ec4667e2c04a6eadd319bac18f" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "a52773a3e81a1e6bcd819a721fc727d11b0a157f" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "fb8f37c7af7d620f940b002f8165b074de0899e0" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "4bccc6ad32dac88736279729d7f4a2f5fbe2d1ba" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "9809044f8c1ac4bc4dbc33d72620cca720a3ec88" or // spip/ecrire/base/dump.php + false +} 
diff --git a/php-malware-finder/whitelists/Spip/spip-3.2.1.yar b/php-malware-finder/whitelists/Spip/spip-3.2.1.yar new file mode 100644 index 0000000..6d0c484 --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.2.1.yar 
@@ -0,0 +1,39 @@ +import "hash" + +private rule Spip321 +{ + condition: + /* Spip321 */ + hash.sha1(0, filesize) == "07eea9a423ec890ced408f19be1b0a5e84c80c7e" or // spip/plugins-dist/svp/lang/paquet-svp_nl.php + hash.sha1(0, filesize) == "2e62558953eaeaa964501094ca6fc01f94752765" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "b536e34e463a20132480567cf2464e88012f2224" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "8f3347b07542353407dcfb928aa9b62d79cbbf4a" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "154a8a1896b92944252b4071500d099a22bae38d" or // spip/plugins-dist/archiviste/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "dd3511cc75670ef3df96e9d854c44132148db761" or // spip/plugins-dist/archiviste/inc/pclzip.php + hash.sha1(0, filesize) == "def6c258d9339b7f62a2d7179a59bd1496190c6f" or // spip/plugins-dist/medias/lib/getid3/write.metaflac.php + hash.sha1(0, filesize) == "97d01f9470bc7fdb4d4f24df4346a016d04fa9d3" or // spip/plugins-dist/medias/lib/getid3/getid3.lib.php + hash.sha1(0, filesize) == "516bad60f2c75ad890279da647506e62869c045b" or // spip/plugins-dist/medias/lib/getid3/write.vorbiscomment.php + hash.sha1(0, filesize) == "1a4ec58132fd9ad3a2482acd1d6deba46ecbccf9" or // spip/plugins-dist/medias/lib/getid3/module.audio.shorten.php + hash.sha1(0, filesize) == "fad9e9caabe9d63abcfd3971f2b4ab4615309292" or // spip/plugins-dist/medias/lib/getid3/getid3.php + hash.sha1(0, filesize) == "b488fee123ca131bd0e6cd134c5d33fb26d4be51" or // spip/plugins-dist/medias/lib/getid3/module.tag.id3v2.php + hash.sha1(0, filesize) == "ee600c4349374096fd744b665e1573c54795fee0" or // spip/plugins-dist/medias/inc/documents.php + hash.sha1(0, filesize) == "09364b795e9aaf6a0fc2aaa52127587986b3dc76" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "9c0d98b411f218e399a12088a9f51c4398441384" or // spip/ecrire/lang/ecrire_ar.php + 
hash.sha1(0, filesize) == "6196504bff9f4110a65ffcac880c1212a7bc99fd" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "6f31bfbc8da6b34e5d90f997139e343282bc7b73" or // spip/ecrire/lang/ecrire_uk.php + hash.sha1(0, filesize) == "bf65f67644a4060449fb7c0f7434cb0960a11181" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "60b62f2caf0b39ddeead846ceb7eea28ca408adc" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "e4c528f05331a5eda8b558e2efe863d87500c215" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "4279591476c20f4405ee3dc78d942124e6c9944f" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "50f4b20facb57e59d7cb07f1f11dc0749e61a511" or // spip/ecrire/inc/autoriser.php + hash.sha1(0, filesize) == "0cd17cacb86c5a05907b0b8024c6127bab9df301" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "319a2625eeef5d83492e6a2f30c2c21012edccc4" or // spip/ecrire/inc/idna_convert.class.php + hash.sha1(0, filesize) == "1a5d425e354bc4fb177ad3598a0b85411b3de50c" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "456cde6dc26bb9048e137527bc340be7d4f9f754" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "5260b8f6cfafaafbf45c447dc91b2e4232601319" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "f5de95ff3344ce7bce662117eb24487daf1c44b1" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "a780d850680a3d1e9139aaf94e5e8fc66b6f246a" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "6b1e6381a88e70c454faf648d13ac134dfa519e0" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "1d1f129a725be4d13314a62d266900b87dd17c59" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.2.2.yar b/php-malware-finder/whitelists/Spip/spip-3.2.2.yar new file mode 100644 index 0000000..451feab --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.2.2.yar 
@@ -0,0 +1,39 @@ +import "hash" + +private rule Spip322 +{ + condition: + /* Spip322 */ + hash.sha1(0, filesize) == "07eea9a423ec890ced408f19be1b0a5e84c80c7e" or // spip/plugins-dist/svp/lang/paquet-svp_nl.php + hash.sha1(0, filesize) == "2e62558953eaeaa964501094ca6fc01f94752765" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "b536e34e463a20132480567cf2464e88012f2224" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "8f3347b07542353407dcfb928aa9b62d79cbbf4a" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "154a8a1896b92944252b4071500d099a22bae38d" or // spip/plugins-dist/archiviste/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "dd3511cc75670ef3df96e9d854c44132148db761" or // spip/plugins-dist/archiviste/inc/pclzip.php + hash.sha1(0, filesize) == "def6c258d9339b7f62a2d7179a59bd1496190c6f" or // spip/plugins-dist/medias/lib/getid3/write.metaflac.php + hash.sha1(0, filesize) == "97d01f9470bc7fdb4d4f24df4346a016d04fa9d3" or // spip/plugins-dist/medias/lib/getid3/getid3.lib.php + hash.sha1(0, filesize) == "516bad60f2c75ad890279da647506e62869c045b" or // spip/plugins-dist/medias/lib/getid3/write.vorbiscomment.php + hash.sha1(0, filesize) == "1a4ec58132fd9ad3a2482acd1d6deba46ecbccf9" or // spip/plugins-dist/medias/lib/getid3/module.audio.shorten.php + hash.sha1(0, filesize) == "fad9e9caabe9d63abcfd3971f2b4ab4615309292" or // spip/plugins-dist/medias/lib/getid3/getid3.php + hash.sha1(0, filesize) == "b488fee123ca131bd0e6cd134c5d33fb26d4be51" or // spip/plugins-dist/medias/lib/getid3/module.tag.id3v2.php + hash.sha1(0, filesize) == "ee600c4349374096fd744b665e1573c54795fee0" or // spip/plugins-dist/medias/inc/documents.php + hash.sha1(0, filesize) == "09364b795e9aaf6a0fc2aaa52127587986b3dc76" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "9c0d98b411f218e399a12088a9f51c4398441384" or // spip/ecrire/lang/ecrire_ar.php + 
hash.sha1(0, filesize) == "6196504bff9f4110a65ffcac880c1212a7bc99fd" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "6f31bfbc8da6b34e5d90f997139e343282bc7b73" or // spip/ecrire/lang/ecrire_uk.php + hash.sha1(0, filesize) == "bf65f67644a4060449fb7c0f7434cb0960a11181" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "81fd449bc6793e48939ec212d816f90598c32c18" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "f144b1800a1891e09db62cc5f2dce75ee7fcfed7" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "ee9cdf57c995ef43677e44b184f3cf70443b1ac7" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "bb7dfd926e9690a3dc3bf42b0d2b328766bcaa56" or // spip/ecrire/inc/autoriser.php + hash.sha1(0, filesize) == "8d6a94cce430fe9c5cee5baae98e1ab216c9a269" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "319a2625eeef5d83492e6a2f30c2c21012edccc4" or // spip/ecrire/inc/idna_convert.class.php + hash.sha1(0, filesize) == "94a0e61cb58919bc253c05ef50881e4c911916a6" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "456cde6dc26bb9048e137527bc340be7d4f9f754" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "3c19f16291d1669efaa5a9bdf587da4471055475" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "f8170fb9117253a34c228ea87ca717370ba6b992" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "073b99feb6ecc8989af78cba59587ad37e330879" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "6357944b6d45a48721c707b9ec1901baed1398e3" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == "a623f17ede67d68bae2a036d823cd994cb5d86df" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.2.3.yar b/php-malware-finder/whitelists/Spip/spip-3.2.3.yar new file mode 100644 index 0000000..e6b9c2b --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.2.3.yar 
@@ -0,0 +1,41 @@ +import "hash" + +private rule Spip323 +{ + condition: + /* Spip323 */ + hash.sha1(0, filesize) == "07eea9a423ec890ced408f19be1b0a5e84c80c7e" or // spip/plugins-dist/svp/lang/paquet-svp_nl.php + hash.sha1(0, filesize) == "2e62558953eaeaa964501094ca6fc01f94752765" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "16c42b73f0e997b265856a1215e5dccb8042d19c" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "a9cb62e3cfcb70cd68a21b99315e87b7da314964" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "154a8a1896b92944252b4071500d099a22bae38d" or // spip/plugins-dist/archiviste/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "dd3511cc75670ef3df96e9d854c44132148db761" or // spip/plugins-dist/archiviste/inc/pclzip.php + hash.sha1(0, filesize) == "c05bbe90fbc39f1732d09929f1c7c9460bc9f69b" or // spip/plugins-dist/medias/lib/getid3/write.metaflac.php + hash.sha1(0, filesize) == "bb2e534f8b7c16b0337a323cccf2a0b5ae2bca14" or // spip/plugins-dist/medias/lib/getid3/getid3.lib.php + hash.sha1(0, filesize) == "c380ec312ba79f04aaa61795cfcef875d3a0561e" or // spip/plugins-dist/medias/lib/getid3/write.vorbiscomment.php + hash.sha1(0, filesize) == "0a7d70a0f67cf8e61de4c797b2c9bd9691485db7" or // spip/plugins-dist/medias/lib/getid3/module.audio.shorten.php + hash.sha1(0, filesize) == "4d809fb99d7e1e6f66b32b039e51c035587832ad" or // spip/plugins-dist/medias/lib/getid3/module.audio-video.matroska.php + hash.sha1(0, filesize) == "14e6185f6d8f98f0a059e41f3080f6c76db74e00" or // spip/plugins-dist/medias/lib/getid3/module.audio-video.quicktime.php + hash.sha1(0, filesize) == "1be1470a09bd44c4aca32bc632d2c52a5fe8ce0f" or // spip/plugins-dist/medias/lib/getid3/getid3.php + hash.sha1(0, filesize) == "80bca8bf4ca2e6cda2cae72d741d0a4439402424" or // spip/plugins-dist/medias/lib/getid3/module.tag.id3v2.php + hash.sha1(0, filesize) == 
"c47edc3edeb6badc9a7cf8dd0844ffc7af9e932d" or // spip/plugins-dist/medias/inc/documents.php + hash.sha1(0, filesize) == "2ab0c8e305955053306d95ea5ee6f88e9d02afd8" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "9c0d98b411f218e399a12088a9f51c4398441384" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "6196504bff9f4110a65ffcac880c1212a7bc99fd" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "6f31bfbc8da6b34e5d90f997139e343282bc7b73" or // spip/ecrire/lang/ecrire_uk.php + hash.sha1(0, filesize) == "bf65f67644a4060449fb7c0f7434cb0960a11181" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "81fd449bc6793e48939ec212d816f90598c32c18" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "f144b1800a1891e09db62cc5f2dce75ee7fcfed7" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "ee9cdf57c995ef43677e44b184f3cf70443b1ac7" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "bb7dfd926e9690a3dc3bf42b0d2b328766bcaa56" or // spip/ecrire/inc/autoriser.php + hash.sha1(0, filesize) == "8d6a94cce430fe9c5cee5baae98e1ab216c9a269" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "319a2625eeef5d83492e6a2f30c2c21012edccc4" or // spip/ecrire/inc/idna_convert.class.php + hash.sha1(0, filesize) == "94a0e61cb58919bc253c05ef50881e4c911916a6" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "456cde6dc26bb9048e137527bc340be7d4f9f754" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "3c19f16291d1669efaa5a9bdf587da4471055475" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "f8170fb9117253a34c228ea87ca717370ba6b992" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "073b99feb6ecc8989af78cba59587ad37e330879" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "6357944b6d45a48721c707b9ec1901baed1398e3" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == 
"a623f17ede67d68bae2a036d823cd994cb5d86df" or // spip/ecrire/base/dump.php + false +} diff --git a/php-malware-finder/whitelists/Spip/spip-3.2.4.yar b/php-malware-finder/whitelists/Spip/spip-3.2.4.yar new file mode 100644 index 0000000..538d71f --- /dev/null +++ b/php-malware-finder/whitelists/Spip/spip-3.2.4.yar 
@@ -0,0 +1,41 @@ +import "hash" + +private rule Spip324 +{ + condition: + /* Spip324 */ + hash.sha1(0, filesize) == "07eea9a423ec890ced408f19be1b0a5e84c80c7e" or // spip/plugins-dist/svp/lang/paquet-svp_nl.php + hash.sha1(0, filesize) == "2e62558953eaeaa964501094ca6fc01f94752765" or // spip/plugins-dist/svp/inc/svp_phraser.php + hash.sha1(0, filesize) == "16c42b73f0e997b265856a1215e5dccb8042d19c" or // spip/plugins-dist/filtres_images/filtres/images_lib.php + hash.sha1(0, filesize) == "a9cb62e3cfcb70cd68a21b99315e87b7da314964" or // spip/plugins-dist/filtres_images/filtres/images_transforme.php + hash.sha1(0, filesize) == "154a8a1896b92944252b4071500d099a22bae38d" or // spip/plugins-dist/archiviste/lib/pcltar/pcltrace.lib.php + hash.sha1(0, filesize) == "dd3511cc75670ef3df96e9d854c44132148db761" or // spip/plugins-dist/archiviste/inc/pclzip.php + hash.sha1(0, filesize) == "c05bbe90fbc39f1732d09929f1c7c9460bc9f69b" or // spip/plugins-dist/medias/lib/getid3/write.metaflac.php + hash.sha1(0, filesize) == "bb2e534f8b7c16b0337a323cccf2a0b5ae2bca14" or // spip/plugins-dist/medias/lib/getid3/getid3.lib.php + hash.sha1(0, filesize) == "c380ec312ba79f04aaa61795cfcef875d3a0561e" or // spip/plugins-dist/medias/lib/getid3/write.vorbiscomment.php + hash.sha1(0, filesize) == "0a7d70a0f67cf8e61de4c797b2c9bd9691485db7" or // spip/plugins-dist/medias/lib/getid3/module.audio.shorten.php + hash.sha1(0, filesize) == "4d809fb99d7e1e6f66b32b039e51c035587832ad" or // spip/plugins-dist/medias/lib/getid3/module.audio-video.matroska.php + hash.sha1(0, filesize) == "14e6185f6d8f98f0a059e41f3080f6c76db74e00" or // spip/plugins-dist/medias/lib/getid3/module.audio-video.quicktime.php + hash.sha1(0, filesize) == "1be1470a09bd44c4aca32bc632d2c52a5fe8ce0f" or // spip/plugins-dist/medias/lib/getid3/getid3.php + hash.sha1(0, filesize) == "80bca8bf4ca2e6cda2cae72d741d0a4439402424" or // spip/plugins-dist/medias/lib/getid3/module.tag.id3v2.php + hash.sha1(0, filesize) == 
"c47edc3edeb6badc9a7cf8dd0844ffc7af9e932d" or // spip/plugins-dist/medias/inc/documents.php + hash.sha1(0, filesize) == "2ab0c8e305955053306d95ea5ee6f88e9d02afd8" or // spip/plugins-dist/textwheel/inc/texte.php + hash.sha1(0, filesize) == "9c0d98b411f218e399a12088a9f51c4398441384" or // spip/ecrire/lang/ecrire_ar.php + hash.sha1(0, filesize) == "6196504bff9f4110a65ffcac880c1212a7bc99fd" or // spip/ecrire/lang/ecrire_ru.php + hash.sha1(0, filesize) == "6f31bfbc8da6b34e5d90f997139e343282bc7b73" or // spip/ecrire/lang/ecrire_uk.php + hash.sha1(0, filesize) == "bf65f67644a4060449fb7c0f7434cb0960a11181" or // spip/ecrire/lang/ecrire_fa.php + hash.sha1(0, filesize) == "81fd449bc6793e48939ec212d816f90598c32c18" or // spip/ecrire/public/assembler.php + hash.sha1(0, filesize) == "f144b1800a1891e09db62cc5f2dce75ee7fcfed7" or // spip/ecrire/public/composer.php + hash.sha1(0, filesize) == "ee9cdf57c995ef43677e44b184f3cf70443b1ac7" or // spip/ecrire/public/criteres.php + hash.sha1(0, filesize) == "bb7dfd926e9690a3dc3bf42b0d2b328766bcaa56" or // spip/ecrire/inc/autoriser.php + hash.sha1(0, filesize) == "8d6a94cce430fe9c5cee5baae98e1ab216c9a269" or // spip/ecrire/inc/install.php + hash.sha1(0, filesize) == "319a2625eeef5d83492e6a2f30c2c21012edccc4" or // spip/ecrire/inc/idna_convert.class.php + hash.sha1(0, filesize) == "94a0e61cb58919bc253c05ef50881e4c911916a6" or // spip/ecrire/inc/puce_statut.php + hash.sha1(0, filesize) == "456cde6dc26bb9048e137527bc340be7d4f9f754" or // spip/ecrire/inc/charger_php_extension.php + hash.sha1(0, filesize) == "3c19f16291d1669efaa5a9bdf587da4471055475" or // spip/ecrire/inc/utils.php + hash.sha1(0, filesize) == "f8170fb9117253a34c228ea87ca717370ba6b992" or // spip/ecrire/inc/filtres.php + hash.sha1(0, filesize) == "073b99feb6ecc8989af78cba59587ad37e330879" or // spip/ecrire/inc/urls.php + hash.sha1(0, filesize) == "6357944b6d45a48721c707b9ec1901baed1398e3" or // spip/ecrire/inc/queue.php + hash.sha1(0, filesize) == 
"a623f17ede67d68bae2a036d823cd994cb5d86df" or // spip/ecrire/base/dump.php + false +}
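Review bot: Every digest in `Spip324` is identical to the corresponding entry in `Spip323` in the preceding hunk, so this rule whitelists nothing that the 3.2.3 rule does not already cover. That may simply mean none of the flagged files changed between the two releases, but it is also what a generator run against the wrong source tree would produce, so the 3.2.4 archive is worth re-hashing to confirm. If the lists really are the same, a one-line comment under `/* Spip324 */` such as `// same digests as Spip323: no flagged file changed in 3.2.4` would save the next reader the comparison.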