Wordfence Security – Firewall & Malware Scan - Version 3.2.5

Version Description

  • Moved all attack signatures out of the plugin to prevent Wordfence being detected as malicious in a false positive.
Download this release

Release Info

Developer mmaunder
Plugin Icon 128x128 Wordfence Security – Firewall & Malware Scan
Version 3.2.5
Comparing to
See all releases

Code changes from version 3.2.4 to 3.2.5

lib/wordfenceConstants.php CHANGED
@@ -1,5 +1,5 @@
1
<?php
2
- define('WORDFENCE_API_VERSION', '2.1');
3
define('WORDFENCE_API_URL_SEC', 'https://noc1.wordfence.com/');
4
define('WORDFENCE_API_URL_NONSEC', 'http://noc1.wordfence.com/');
5
define('WORDFENCE_MAX_SCAN_TIME', 600);
1
<?php
2
+ define('WORDFENCE_API_VERSION', '2.2');
3
define('WORDFENCE_API_URL_SEC', 'https://noc1.wordfence.com/');
4
define('WORDFENCE_API_URL_NONSEC', 'http://noc1.wordfence.com/');
5
define('WORDFENCE_MAX_SCAN_TIME', 600);
lib/wordfenceScanner.php CHANGED
@@ -3,8 +3,6 @@ require_once('wordfenceConstants.php');
3
require_once('wordfenceClass.php');
4
require_once('wordfenceURLHoover.php');
5
class wordfenceScanner {
6
- protected $sigs = array();
7
- protected $sigPattern = "";
8
//serialized:
9
protected $path = '';
10
protected $fileList = array();
@@ -15,15 +13,16 @@ class wordfenceScanner {
15
private $totalFilesScanned = 0;
16
private $startTime = false;
17
private $lastStatusTime = false;
18
public function __sleep(){
19
- return array('path', 'fileList', 'results', 'errorMsg', 'apiKey', 'wordpressVersion', 'urlHoover', 'totalFilesScanned', 'startTime', 'lastStatusTime');
20
}
21
public function __wakeup(){
22
- $this->setupSigs();
23
}
24
public function __construct($apiKey, $wordpressVersion, $fileList, $path){
25
$this->apiKey = $apiKey;
26
$this->wordpressVersion = $wordpressVersion;
27
$this->fileList = $fileList; //A long string of <2 byte network order short showing filename length><filename>
28
if($path[strlen($path) - 1] != '/'){
29
$path .= '/';
@@ -38,77 +37,12 @@ class wordfenceScanner {
38
$this->setupSigs();
39
}
40
private function setupSigs(){
41
- //Set up sigs
42
- $this->sigs = array(
43
- array('\$QBDB51E25BF9A7F3D2475072803D1C36D', "antichat.php, cgi.php and possibly others, this is the var they assign the code to"),
44
- array('\$login\s*=\s*"c99"|\$pass\s*=\s*"c99"|\$sess_cookie\s*=\s*"c9'.'9shvars"', "several lines of c99 decoded"),
45
- array('C9'.'9Shell v\.', "c99.php"),
46
- array('passthru\s*\(\s*getenv\s*\(\s*"HTTP_ACCEPT_LANGUAGE', "accept_language HTTP header backdoor"),
47
- array('runcommand\s*\([\'"]etcpasswdfile', "Ajax_PHP Command Shell"),
48
- array('exesysform', "AK-74 Security Team Web Shell"),
49
- array('\$password\s*=\s*[\'"]antichat', "Antichat shell"),
50
- array('if\s*\(\s*\$action\s*==\s*["\']phpeval', "Antichat shell"),
51
- array('Can\'t open file, permission denide', "Antichat spelling error"),
52
- array('tmp[\'"],\s*["\']phpshell', "Ayyildiz Tim -AYT- Shell v 2.1 Biz"),
53
- array('\$this_file\?op=phpinfo', "aZRaiLPhp v1.0"),
54
- array('\.\s*\$server_ip\s*=\s*gethostbyname\s*\(\$SERVER_NAME', "c0derz shell [csh] v. 0.1.1"),
55
- array('dosyayicek', "c99_locus7s and c99_PSych0"),
56
- array('c99_sess_put', "c99_locus7s, c99_PSych0, c99_w4cking, RedhatC99 "),
57
- array('PHP Safe\-Mode Bypass', "c99_w4cking"),
58
- array('fonksiyonlary_kapat', "CasuS"),
59
- array('Dim szCMD, szTempFile', "CmdAsp.asp"),
60
- array('Open base dir: \$hopenbasedir', "Crystal shell"),
61
- array('find config.inc.php files', "Many c99 variants including NFM, Perl, Predator, CTT, r57, Redhatc99"),
62
- array('find all .htpasswd files', "Many c99 variants including NFM, Perl, Predator, CTT, r57, Redhatc9"),
63
- array('function anonim_mail', "Cybershell"),
64
- array('\$_SESSION\[aupass\]=md5\(\$aupassword', "Cybershell"),
65
- array('echo\s+htmlspecialchars\(\s*crypt\(\s*fread', "dC3 Security Crew Shell PRiV"),
66
- array('proc_open\(\s*\$_REQUEST', "Dive Shell"),
67
- array('file_exists\([\'"]\/usr\/bin\/gcc', "DTool Pro"),
68
- array('find all \*\.php files with word [\'"]password', "Dx"),
69
- array('WebShell::Configuration', "Gamma Web Shell (perl)"),
70
- array('base64_decode\(\$prx', "GFS shell"),
71
- array('icq, command\-n\-conquer and shell nfm', "Various GFS variants"),
72
- array('open\(FILEHANDLE,\s*[\'"]cd\s+\$param\{dir\}', "go-shell (perl)"),
73
- array('document.PostActForm\#x27;, "GRP Webshell"),
74
- array('\$cmd 1> \/tmp\/cmdtemp 2>\&1\; cat', "h4ntu shell"),
75
- array('\$Düzenlecols, \$Düzenlerows', "iMHaBiRLiGi PHP FTP"),
76
- array('get_execution_method\s*\(', "ironshell and many others"),
77
- array('proc\s*=\s*runtime\.exec\(\s*cmd\s*\)', "JSP Web Shell"),
78
- array('eval>PHP Eval Code', "KAdot Universal Shell"),
79
- array('if\(\(\$_POST\[\'exe\'\]\) == "Execute"', "Lamashell"),
80
- array('cat \/etc\/passwd', "Liz0ziM and many other malicious apps"),
81
- array('exec\(\$com,\$arr\)', "Loaderz WEB Shell"),
82
- array('\$SFileName=\$PHP_SELF', "Macker's Private PHPShell"),
83
- array('if\s*\(isset\s*\(\$_POST\)\)\s*walkArray\(\s*\$_POST', "Macker's and some c99 variantes"),
84
- array('define\(\s*["\']PHPSHELL_VERSION[\'"]\s*,\s*[\'"]\d+', "Matamu and others"),
85
- array('If\s*\(\$file_name\)\s*\$header\s*\.=\s*"Content\-Transfer\-Encoding:\s*base64', "Moroccan Spamers Ma-EditioN By GhOsT"),
86
- array('\$MyShellVersion', "MyShell"),
87
- array('function viewSchema', "Mysql interface"),
88
- array('global \$HTTP_GET_VARS, \$HTTP_COOKIE_VARS, \$password', "mysql_tool"),
89
- array('\$file\s*=\s*[\'"]\/etc\/passwd[\'"];', "mysql.php"),
90
- array('move_uploaded_file\(\$_FILES\[\'probe\'\]\[\'tmp_name\'\]', "NCC-Shell"),
91
- array('["\']find all suid files[\'"]', "NetworkFileManager.php and variants"),
92
- array('["\']find all sgid files[\'"]', "NetworkFileManager.php and variants"),
93
- array('["\']find all config\.inc\.php files[\'"]', "NetworkFileManager.php and variants"),
94
- array('["\']find writeable directories and files[\'"]', "NetworkFileManager.php and variants"),
95
- array('xargs grep \-li password', "NetworkFileManager.php and variants"),
96
- array('\$filename\s*=\s*[\'"]\/etc\/passwd["\']', 'NFM 1.8, NIX Remote Web Shell and others'),
97
- array('function mvcp\(\$from', 'NGH, Webcommander'),
98
- array('find \/ \-type f \-name \.ht', 'NIX Remote Web Shell, nsTView and other variants'),
99
- array('passthru\(\$comd', 'NShell'),
100
- array('find \/ \-type f \-perm \-04000', 'nsTView and others'),
101
- array('bind\(S,sockaddr_in\(\$LISTEN_PORT,INADDR_ANY', 'Perl Web Shell by RST-GHC'),
102
- array('jmp_buf jmp;', 'PHANTASMA'),
103
- array('\b(?:system|exec|passthru|shell_exec|proc_open)[\r\n\s\t]*\([\r\n\s\t]*\$_(?:POST|GET|REQUEST|SERVER)', 'PHP Backdoor, many malicious apps and any badly written app')
104
-
105
-
106
- ); //End sigs
107
- $sigArr = array();
108
- foreach($this->sigs as $elem){
109
- $sigArr[] = $elem[0];
110
}
111
- $this->sigPattern = '/(' . implode('|', $sigArr) . ')/i';
112
}
113
public function scan($forkObj){
114
if(! $this->startTime){
@@ -195,7 +129,7 @@ array('\b(?:system|exec|passthru|shell_exec|proc_open)[\r\n\s\t]*\([\r\n\s\t]*\$
195
)
196
));
197
break;
198
- } else if(strpos($file, 'lib/wordfenceScanner.php') === false && preg_match($this->sigPattern, $data, $matches)){
199
$this->addResult(array(
200
'type' => 'file',
201
'severity' => 1,
@@ -214,7 +148,7 @@ array('\b(?:system|exec|passthru|shell_exec|proc_open)[\r\n\s\t]*\([\r\n\s\t]*\$
214
215
}
216
$longestNospace = wfUtils::longestNospace($data);
217
- if($longestNospace > 1000 && (strpos($data, 'eval') !== false || preg_match('/preg_replace\([^\(]+\/[a-z]*e/', $data)) ){
218
$this->addResult(array(
219
'type' => 'file',
220
'severity' => 1,
@@ -231,14 +165,14 @@ array('\b(?:system|exec|passthru|shell_exec|proc_open)[\r\n\s\t]*\([\r\n\s\t]*\$
231
));
232
break;
233
}
234
- if(preg_match('/eval.*base'.'64_decode/i', $data)){
235
$this->addResult(array(
236
'type' => 'file',
237
'severity' => 1,
238
'ignoreP' => $this->path . $file,
239
'ignoreC' => $fileSum,
240
'shortMsg' => "This file may contain malicious executable code",
241
- 'longMsg' => "This file is a PHP executable file and contains an evaluation function and base"."64 decoding function on the same line. This is a common technique used by hackers to hide and execute code. If you know about this file you can choose to ignore it to exclude it from future scans.",
242
'data' => array(
243
'file' => $file,
244
'canDiff' => false,
@@ -282,7 +216,7 @@ array('\b(?:system|exec|passthru|shell_exec|proc_open)[\r\n\s\t]*\([\r\n\s\t]*\$
282
'ignoreP' => $this->path . $file,
283
'ignoreC' => md5_file($this->path . $file),
284
'shortMsg' => "File contains suspected malware URL: " . $this->path . $file,
285
- 'longMsg' => "This file contains a suspected malware URL listed on Google's list of malware sites. Wordfence decodes base"."64 when scanning files so the URL may not be visible if you view this file. The URL is: " . $result['URL'] . " - More info available at <a href=\"http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=" . urlencode($result['URL']) . "&client=googlechrome&hl=en-US\" target=\"_blank\">Google Safe Browsing diagnostic page</a>.",
286
'data' => array(
287
'file' => $file,
288
'badURL' => $result['URL'],
@@ -337,7 +271,7 @@ array('\b(?:system|exec|passthru|shell_exec|proc_open)[\r\n\s\t]*\([\r\n\s\t]*\$
337
}
338
public static function containsCode($arr){
339
foreach($arr as $elem){
340
- if(preg_match('/(?:base'.'64_decode|base'.'64_encode|eval|if|exists|isset|close|file|implode|fopen|while|feof|fread|fclose|fsockopen|fwrite|explode|chr|gethostbyname|strstr|filemtime|time|count|trim|rand|stristr|dir|mkdir|urlencode|ord|substr|unpack|strpos|sprintf)[\r\n\s\t]*\(/i', $elem)){
341
return true;
342
}
343
}
3
require_once('wordfenceClass.php');
4
require_once('wordfenceURLHoover.php');
5
class wordfenceScanner {
6
//serialized:
7
protected $path = '';
8
protected $fileList = array();
13
private $totalFilesScanned = 0;
14
private $startTime = false;
15
private $lastStatusTime = false;
16
+ private $patterns = "";
17
public function __sleep(){
18
+ return array('path', 'fileList', 'results', 'errorMsg', 'apiKey', 'wordpressVersion', 'urlHoover', 'totalFilesScanned', 'startTime', 'lastStatusTime', 'patterns');
19
}
20
public function __wakeup(){
21
}
22
public function __construct($apiKey, $wordpressVersion, $fileList, $path){
23
$this->apiKey = $apiKey;
24
$this->wordpressVersion = $wordpressVersion;
25
+ $this->api = new wfAPI($this->apiKey, $this->wordpressVersion);
26
$this->fileList = $fileList; //A long string of <2 byte network order short showing filename length><filename>
27
if($path[strlen($path) - 1] != '/'){
28
$path .= '/';
37
$this->setupSigs();
38
}
39
private function setupSigs(){
40
+ $this->api = new wfAPI($this->apiKey, $this->wordpressVersion);
41
+ $sigData = $this->api->call('get_patterns', array(), array());
42
+ if(! (is_array($sigData) && isset($sigData['sigPattern'])) ){
43
+ throw new Exception("Wordfence could not get the attack signature patterns from the scanning server.");
44
}
45
+ $this->patterns = $sigData;
46
}
47
public function scan($forkObj){
48
if(! $this->startTime){
129
)
130
));
131
break;
132
+ } else if(strpos($file, 'lib/wordfenceScanner.php') === false && preg_match($this->patterns['sigPattern'], $data, $matches)){
133
$this->addResult(array(
134
'type' => 'file',
135
'severity' => 1,
148
149
}
150
$longestNospace = wfUtils::longestNospace($data);
151
+ if($longestNospace > 1000 && (strpos($data, $this->patterns['pat1']) !== false || preg_match('/preg_replace\([^\(]+\/[a-z]*e/', $data)) ){
152
$this->addResult(array(
153
'type' => 'file',
154
'severity' => 1,
165
));
166
break;
167
}
168
+ if(preg_match($this->patterns['pat2'], $data)){
169
$this->addResult(array(
170
'type' => 'file',
171
'severity' => 1,
172
'ignoreP' => $this->path . $file,
173
'ignoreC' => $fileSum,
174
'shortMsg' => "This file may contain malicious executable code",
175
+ 'longMsg' => "This file is a PHP executable file and contains an " . $this->patterns['word1'] . " function and " . $this->patterns['word2'] . " decoding function on the same line. This is a common technique used by hackers to hide and execute code. If you know about this file you can choose to ignore it to exclude it from future scans.",
176
'data' => array(
177
'file' => $file,
178
'canDiff' => false,
216
'ignoreP' => $this->path . $file,
217
'ignoreC' => md5_file($this->path . $file),
218
'shortMsg' => "File contains suspected malware URL: " . $this->path . $file,
219
+ 'longMsg' => "This file contains a suspected malware URL listed on Google's list of malware sites. Wordfence decodes " . $this->patterns['word3'] . " when scanning files so the URL may not be visible if you view this file. The URL is: " . $result['URL'] . " - More info available at <a href=\"http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=" . urlencode($result['URL']) . "&client=googlechrome&hl=en-US\" target=\"_blank\">Google Safe Browsing diagnostic page</a>.",
220
'data' => array(
221
'file' => $file,
222
'badURL' => $result['URL'],
271
}
272
public static function containsCode($arr){
273
foreach($arr as $elem){
274
+ if(preg_match($this->patterns['pat3'], $elem)){
275
return true;
276
}
277
}
readme.txt CHANGED
@@ -3,7 +3,7 @@ Contributors: mmaunder
3
Tags: wordpress, security, wordpress security, security plugin, secure, anti-virus, malware, firewall, antivirus, virus, google safe browsing, phishing, scrapers, hacking, wordfence, securty, secrity, secure
4
Requires at least: 3.3.1
5
Tested up to: 3.4.1
6
- Stable tag: 3.2.4
7
8
Wordfence Security is a free enterprise class security plugin that includes a firewall, virus scanning, real-time traffic with geolocation and more.
9
@@ -153,6 +153,9 @@ or a theme, because often these have been updated to fix a security hole.
153
5. If you're technically minded, this is the under-the-hood view of Wordfence options where you can fine-tune your security settings.
154
155
== Changelog ==
156
= 3.2.4 =
157
* Improved country blocking to make bulk adding/deleting of countries much easier.
158
* Fixed bug that caused Google feed fetcher and other Google UA bots to get blocked if blocking of unverified Googlebots was enabled.
3
Tags: wordpress, security, wordpress security, security plugin, secure, anti-virus, malware, firewall, antivirus, virus, google safe browsing, phishing, scrapers, hacking, wordfence, securty, secrity, secure
4
Requires at least: 3.3.1
5
Tested up to: 3.4.1
6
+ Stable tag: 3.2.5
7
8
Wordfence Security is a free enterprise class security plugin that includes a firewall, virus scanning, real-time traffic with geolocation and more.
9
153
5. If you're technically minded, this is the under-the-hood view of Wordfence options where you can fine-tune your security settings.
154
155
== Changelog ==
156
+ = 3.2.5 =
157
+ * Moved all attack signatures out of the plugin to prevent Wordfence being detected as malicious in a false positive.
158
+
159
= 3.2.4 =
160
* Improved country blocking to make bulk adding/deleting of countries much easier.
161
* Fixed bug that caused Google feed fetcher and other Google UA bots to get blocked if blocking of unverified Googlebots was enabled.
wordfence.php CHANGED
@@ -4,10 +4,10 @@ Plugin Name: Wordfence Security
4
Plugin URI: http://wordfence.com/
5
Description: Wordfence Security - Anti-virus and Firewall security plugin for WordPress
6
Author: Mark Maunder
7
- Version: 3.2.4
8
Author URI: http://wordfence.com/
9
*/
10
- define('WORDFENCE_VERSION', '3.2.4');
11
if(! defined('WORDFENCE_VERSIONONLY_MODE')){
12
if((int) @ini_get('memory_limit') < 64){
13
@ini_set('memory_limit', '64M'); //Some hosts have ini set at as little as 32 megs. 64 is the min sane amount of memory.
4
Plugin URI: http://wordfence.com/
5
Description: Wordfence Security - Anti-virus and Firewall security plugin for WordPress
6
Author: Mark Maunder
7
+ Version: 3.2.5
8
Author URI: http://wordfence.com/
9
*/
10
+ define('WORDFENCE_VERSION', '3.2.5');
11
if(! defined('WORDFENCE_VERSIONONLY_MODE')){
12
if((int) @ini_get('memory_limit') < 64){
13
@ini_set('memory_limit', '64M'); //Some hosts have ini set at as little as 32 megs. 64 is the min sane amount of memory.