Changeset 3380286

Timestamp:

10/17/2025 05:48:37 PM (4 months ago)

Author:

wpfixit

Message:

Added new infection patterns to find bad files

Location:

folder-auditor

Files:

• tags/4.4 (added)
• tags/4.4/assets (added)
• tags/4.4/assets/admin.js (added)
• tags/4.4/assets/brand-banner.webp (added)
• tags/4.4/assets/dark-icon.png (added)
• tags/4.4/assets/email.jpg (added)
• tags/4.4/assets/icon.png (added)
• tags/4.4/assets/style.css (added)
• tags/4.4/folder-auditor.php (added)
• tags/4.4/includes (added)
• tags/4.4/includes/bridge (added)
• tags/4.4/includes/bridge/class-wpfa-mainwp-bridge.php (added)
• tags/4.4/includes/bridge/unlock-relock.php (added)
• tags/4.4/includes/class-wp-folder-auditor.php (added)
• tags/4.4/includes/handlers (added)
• tags/4.4/includes/handlers/handler-actions.php (added)
• tags/4.4/includes/handlers/handler-content.php (added)
• tags/4.4/includes/handlers/handler-htaccess.php (added)
• tags/4.4/includes/handlers/handler-plugins.php (added)
• tags/4.4/includes/handlers/handler-root.php (added)
• tags/4.4/includes/handlers/handler-scanner.php (added)
• tags/4.4/includes/handlers/handler-settings.php (added)
• tags/4.4/includes/handlers/handler-themes.php (added)
• tags/4.4/includes/handlers/handler-uploads.php (added)
• tags/4.4/includes/helpers (added)
• tags/4.4/includes/helpers/admin.php (added)
• tags/4.4/includes/helpers/health-score (added)
• tags/4.4/includes/helpers/health-score/health-score-display.php (added)
• tags/4.4/includes/helpers/health-score/health-score-functions.php (added)
• tags/4.4/includes/helpers/html-export.php (added)
• tags/4.4/includes/helpers/lock-system (added)
• tags/4.4/includes/helpers/lock-system/folder-locker.php (added)
• tags/4.4/includes/helpers/lock-system/traits (added)
• tags/4.4/includes/helpers/lock-system/traits/WPFA_Folder_Locker_Trait_Actions.php (added)
• tags/4.4/includes/helpers/lock-system/traits/WPFA_Folder_Locker_Trait_Assets.php (added)
• tags/4.4/includes/helpers/lock-system/traits/WPFA_Folder_Locker_Trait_Cache.php (added)
• tags/4.4/includes/helpers/lock-system/traits/WPFA_Folder_Locker_Trait_FS.php (added)
• tags/4.4/includes/helpers/lock-system/traits/WPFA_Folder_Locker_Trait_FSModal.php (added)
• tags/4.4/includes/helpers/lock-system/traits/WPFA_Folder_Locker_Trait_NoticesBar.php (added)
• tags/4.4/includes/helpers/lock-system/traits/WPFA_Folder_Locker_Trait_Request.php (added)
• tags/4.4/includes/helpers/lock-system/traits/WPFA_Folder_Locker_Trait_Status.php (added)
• tags/4.4/includes/helpers/lock-system/traits/WPFA_Folder_Locker_Trait_Targets.php (added)
• tags/4.4/includes/helpers/reports (added)
• tags/4.4/includes/helpers/reports/Guard-Dog-Security-Report.html (added)
• tags/4.4/includes/helpers/reports/index.html (added)
• tags/4.4/includes/helpers/safe-paths.php (added)
• tags/4.4/includes/helpers/scanner (added)
• tags/4.4/includes/helpers/scanner/scanner.php (added)
• tags/4.4/includes/helpers/security-headers.php (added)
• tags/4.4/includes/helpers/user-security.php (added)
• tags/4.4/includes/summaries (added)
• tags/4.4/includes/summaries/summary-content.php (added)
• tags/4.4/includes/summaries/summary-htaccess.php (added)
• tags/4.4/includes/summaries/summary-plugins.php (added)
• tags/4.4/includes/summaries/summary-root.php (added)
• tags/4.4/includes/summaries/summary-themes.php (added)
• tags/4.4/includes/summaries/summary-totals.php (added)
• tags/4.4/includes/summaries/summary-uploads.php (added)
• tags/4.4/includes/views (added)
• tags/4.4/includes/views/view-audit.php (added)
• tags/4.4/includes/views/view-content.php (added)
• tags/4.4/includes/views/view-dashboard.php (added)
• tags/4.4/includes/views/view-header.php (added)
• tags/4.4/includes/views/view-htaccess-files.php (added)
• tags/4.4/includes/views/view-html-export.php (added)
• tags/4.4/includes/views/view-plugins.php (added)
• tags/4.4/includes/views/view-root.php (added)
• tags/4.4/includes/views/view-scanner.php (added)
• tags/4.4/includes/views/view-security.php (added)
• tags/4.4/includes/views/view-settings.php (added)
• tags/4.4/includes/views/view-themes.php (added)
• tags/4.4/includes/views/view-uploads.php (added)
• tags/4.4/readme.txt (added)
• trunk/folder-auditor.php (modified) (1 diff)
• trunk/includes/helpers/reports/Guard-Dog-Security-Report.html (modified) (5 diffs)
• trunk/includes/helpers/scanner/scanner.php (modified) (10 diffs)
• trunk/readme.txt (modified) (3 diffs)

folder-auditor/trunk/folder-auditor.php

@@ -3 +3 @@
  * Plugin Name: Guard Dog Security & Site Lock
  * Description: Helps WordPress administrators take full control of their site. It scans critical areas including the root directory, wp-content, plugins, themes, uploads, and .htaccess files to detect anything suspicious such as orphaned folders, leftover files, or hidden PHP in uploads. From the WordPress dashboard, you can safely review, download, or remove items that don’t belong, with built-in protection to ensure required resources remain untouched. In addition, Guard Dog Security lets you lock all files and folders as read-only, preventing unauthorized changes, additions, or deletions to your WordPress installation.
- * Version: 4.3
+ * Version: 4.4
  * Author: WP Fix It
  * Author URI: https://www.wpfixit.com

folder-auditor/trunk/includes/helpers/reports/Guard-Dog-Security-Report.html

@@ -1573 +1573 @@
         <div class="fa-export-header-details">
       <h1>WP Fix It Sandbox - Guard Dog Security Report</h1>
-      <div class="fa-export-meta">October 16, 2025 8:36 am</div>
+      <div class="fa-export-meta">October 17, 2025 7:03 am</div>
     </div>
   </div>
@@ -1664 +1664 @@
     </div>
     <div class="fa-desc">
-  28 installed • 3 active</div>
+  28 installed • 4 active</div>
   </div>
   <div class="fa-badges">
@@ -1731 +1731 @@
   <!-- Icon -->
   <div class="fa-sitelock-icon" aria-hidden="true">
-    <span class="dashicons dashicons-unlock"></span>
+    <span class="dashicons dashicons-lock"></span>
   </div>
   <!-- Title + status + desc -->
@@ -1737 +1737 @@
     <div class="fa-sitelock-titleline">
       <strong class="fa-sitelock-title">Site Lock Status - </strong>
-      <span class="fa-chip" style="background:#f54545;color:#fff;">
-        Unlocked      </span>
+      <span class="fa-chip" style="background:#1ab06f;color:#fff;">
+        Locked      </span>
     </div>
-    <p class="fa-sitelock-desc">Software updates, installs and removals are allowed. Turn on your Site Lock to harden file changes.</p>
+    <p class="fa-sitelock-desc">You have enabled Site Lock and below is the list of items that are locked and read only.</p>
   </div>
   <!-- CTA -->
   <div class="fa-sitelock-cta">
     <a href="https://test.wpfixithosting.com/wp-admin/admin.php?page=guard-dog-security&#038;tab=security#site-lock" class="wpfa-sexy-btn">
-      Enable Site Lock →
+      Open Site Lock Settings →
     </a>
   </div>
@@ -1751 +1751 @@
   <div class="fa-locked-section">
               <div class="fa-locked-row">
+          <h4 class="fa-locked-title">Folders Locked (12)</h4>
+          <div class="fa-pill-wrap">
+                          <span class="fa-pill fa-pill-success">
+                <span class="dashicons dashicons-lock" aria-hidden="true"></span>
+                <span class="fa-pill-label">error_log</span>
+              </span>
+                          <span class="fa-pill fa-pill-success">
+                <span class="dashicons dashicons-lock" aria-hidden="true"></span>
+                <span class="fa-pill-label">mu-plugins</span>
+              </span>
+                          <span class="fa-pill fa-pill-success">
+                <span class="dashicons dashicons-lock" aria-hidden="true"></span>
+                <span class="fa-pill-label">New directory</span>
+              </span>
+                          <span class="fa-pill fa-pill-success">
+                <span class="dashicons dashicons-lock" aria-hidden="true"></span>
+                <span class="fa-pill-label">plugins</span>
+              </span>
+                          <span class="fa-pill fa-pill-success">
+                <span class="dashicons dashicons-lock" aria-hidden="true"></span>
+                <span class="fa-pill-label">Some-Folder</span>
+              </span>
+                          <span class="fa-pill fa-pill-success">
+                <span class="dashicons dashicons-lock" aria-hidden="true"></span>
+                <span class="fa-pill-label">themes</span>
+              </span>
+                          <span class="fa-pill fa-pill-success">
+                <span class="dashicons dashicons-lock" aria-hidden="true"></span>
+                <span class="fa-pill-label">upgrade</span>
+              </span>
+                          <span class="fa-pill fa-pill-success">
+                <span class="dashicons dashicons-lock" aria-hidden="true"></span>
+                <span class="fa-pill-label">upgrade-temp-backup</span>
+              </span>
+                          <span class="fa-pill fa-pill-success">
+                <span class="dashicons dashicons-lock" aria-hidden="true"></span>
+                <span class="fa-pill-label">uploads</span>
+              </span>
+                          <span class="fa-pill fa-pill-success">
+                <span class="dashicons dashicons-lock" aria-hidden="true"></span>
+                <span class="fa-pill-label">wp-admin</span>
+              </span>
+                          <span class="fa-pill fa-pill-success">
+                <span class="dashicons dashicons-lock" aria-hidden="true"></span>
+                <span class="fa-pill-label">wp-content</span>
+              </span>
+                          <span class="fa-pill fa-pill-success">
+                <span class="dashicons dashicons-lock" aria-hidden="true"></span>
+                <span class="fa-pill-label">wp-includes</span>
+              </span>
+                      </div>
+        </div>
+                    <div class="fa-locked-row">
+          <h4 class="fa-locked-title">Files Locked (20)</h4>
+          <div class="fa-pill-wrap">
+                          <span class="fa-pill fa-pill-success">
+                <span class="dashicons dashicons-lock" aria-hidden="true"></span>
+                <span class="fa-pill-label">file-1.php</span>
+              </span>
+                          <span class="fa-pill fa-pill-success">
+                <span class="dashicons dashicons-lock" aria-hidden="true"></span>
+                <span class="fa-pill-label">file-2.php</span>
+              </span>
+                          <span class="fa-pill fa-pill-success">
+                <span class="dashicons dashicons-lock" aria-hidden="true"></span>
+                <span class="fa-pill-label">file-3.php</span>
+              </span>
+                          <span class="fa-pill fa-pill-success">
+                <span class="dashicons dashicons-lock" aria-hidden="true"></span>
+                <span class="fa-pill-label">index.php</span>
+              </span>
+                          <span class="fa-pill fa-pill-success">
+                <span class="dashicons dashicons-lock" aria-hidden="true"></span>
+                <span class="fa-pill-label">license.txt</span>
+              </span>
+                          <span class="fa-pill fa-pill-success">
+                <span class="dashicons dashicons-lock" aria-hidden="true"></span>
+                <span class="fa-pill-label">readme.html</span>
+              </span>
+                          <span class="fa-pill fa-pill-success">
+                <span class="dashicons dashicons-lock" aria-hidden="true"></span>
+                <span class="fa-pill-label">wp-activate.php</span>
+              </span>
+                          <span class="fa-pill fa-pill-success">
+                <span class="dashicons dashicons-lock" aria-hidden="true"></span>
+                <span class="fa-pill-label">wp-blog-header.php</span>
+              </span>
+                          <span class="fa-pill fa-pill-success">
+                <span class="dashicons dashicons-lock" aria-hidden="true"></span>
+                <span class="fa-pill-label">wp-comments-post.php</span>
+              </span>
+                          <span class="fa-pill fa-pill-success">
+                <span class="dashicons dashicons-lock" aria-hidden="true"></span>
+                <span class="fa-pill-label">wp-config-sample.php</span>
+              </span>
+                          <span class="fa-pill fa-pill-success">
+                <span class="dashicons dashicons-lock" aria-hidden="true"></span>
+                <span class="fa-pill-label">wp-config.php</span>
+              </span>
+                          <span class="fa-pill fa-pill-success">
+                <span class="dashicons dashicons-lock" aria-hidden="true"></span>
+                <span class="fa-pill-label">wp-cron.php</span>
+              </span>
+                          <span class="fa-pill fa-pill-success">
+                <span class="dashicons dashicons-lock" aria-hidden="true"></span>
+                <span class="fa-pill-label">wp-links-opml.php</span>
+              </span>
+                          <span class="fa-pill fa-pill-success">
+                <span class="dashicons dashicons-lock" aria-hidden="true"></span>
+                <span class="fa-pill-label">wp-load.php</span>
+              </span>
+                          <span class="fa-pill fa-pill-success">
+                <span class="dashicons dashicons-lock" aria-hidden="true"></span>
+                <span class="fa-pill-label">wp-login.php</span>
+              </span>
+                          <span class="fa-pill fa-pill-success">
+                <span class="dashicons dashicons-lock" aria-hidden="true"></span>
+                <span class="fa-pill-label">wp-mail.php</span>
+              </span>
+                          <span class="fa-pill fa-pill-success">
+                <span class="dashicons dashicons-lock" aria-hidden="true"></span>
+                <span class="fa-pill-label">wp-settings.php</span>
+              </span>
+                          <span class="fa-pill fa-pill-success">
+                <span class="dashicons dashicons-lock" aria-hidden="true"></span>
+                <span class="fa-pill-label">wp-signup.php</span>
+              </span>
+                          <span class="fa-pill fa-pill-success">
+                <span class="dashicons dashicons-lock" aria-hidden="true"></span>
+                <span class="fa-pill-label">wp-trackback.php</span>
+              </span>
+                          <span class="fa-pill fa-pill-success">
+                <span class="dashicons dashicons-lock" aria-hidden="true"></span>
+                <span class="fa-pill-label">xmlrpc.php</span>
+              </span>
+                      </div>
+        </div>
+        <div class="fa-locked-row">
         <h4 class="fa-locked-title">
       Folder Lock Exclusions (2)    </h4>

folder-auditor/trunk/includes/helpers/scanner/scanner.php

@@ -41 +41 @@
 
     protected function wpfa_list_files( string $directory, array $opts = [] ) : array {
-    $allowed_ext = '/(?:\.(?:php|html|txt|md|js|css|scss|less|json|xml|svg|htaccess|ini|user\.ini)$)/i';
+    //$allowed_ext = '/(?:\.(?:php|html|txt|md|js|css|scss|less|json|xml|svg|htaccess|ini|user\.ini)$)/i';
+    $allowed_ext = '/(?:\.(?:php|html|txt|md|js|css|scss|less|json|xml|svg|htaccess|ini|user\.ini)$|(?:\/[^\/\.]+$))/i';
 
         // Resolve common WP paths (same as in your scanner)
@@ -107 +108 @@
                         continue;
                     }
-                    $path = wp_normalize_path( $fileinfo->getPathname() );
-
-                    // Only allowed extensions / names / .well-known subtree
-                    if ( ! preg_match( $allowed_ext, $path ) ) {
-                        continue;
-                    }
-                    $files[] = $path;
+            $path = wp_normalize_path( $fileinfo->getPathname() );
+
+$bn = basename( $path );
+
+// If no extension, peek at first few bytes so we can still catch ELF/MZ/Mach-O
+if ( strpos( $bn, '.' ) === false ) {
+    $head = @file_get_contents( $path, false, null, 0, 4 );
+    if ( $head !== false ) {
+        // If header matches known binary magics, force it into the scan list
+        if ( $head === "\x7FELF" || $head === "MZ" || $head === "\xCF\xFA\xED" ) {
+            $files[] = $path;
+            continue;
+        }
+    }
+}
+
+            // --- HARD GUARDS to keep "Full" scans from choking on giant/no-ext files ---
+
+// 1) Skip symlinks (can loop or point out of tree)
+if ( $fileinfo->isLink() ) {
+    continue;
+}
+
+// 2) Skip very large files (logs, dumps, backups with no extension)
+$size = @filesize( $path );
+if ( $size !== false && $size > 20 * 1024 * 1024 ) { // 20MB cap; raise/lower if you want
+    continue;
+}
+
+// 3) If the filename has NO extension (allowed by your regex), quickly sniff for binary.
+//    Binary / blob files (often huge) will contain NUL bytes and should be skipped.
+$bn = basename( $path );
+if ( ! preg_match( '/\.[A-Za-z0-9]+$/', $bn ) ) {
+    $head = @file_get_contents( $path, false, null, 0, 512 );
+    if ( $head !== false && strpos( $head, "\0" ) !== false ) {
+        continue; // looks binary
+    }
+
+    // Also skip very common extensionless log names that get huge
+    if ( in_array( $bn, [ 'error_log', 'php_errors', 'php_errors.log', 'slow_query_log' ], true ) ) {
+        continue;
+    }
+}
+
+
+// 4) (Optional but recommended) skip known heavy dirs that never contain PHP you care about
+$path_lc = strtolower( $path );
+if (
+    strpos( $path_lc, '/wp-content/cache/' ) !== false ||
+    strpos( $path_lc, '/node_modules/' ) !== false ||
+    strpos( $path_lc, '/.git/' ) !== false ||
+    strpos( $path_lc, '/.svn/' ) !== false
+) {
+    continue;
+}
+            
+            // NEW: skip the scanner file itself so it never enters the queue
+            $scanner_file = wp_normalize_path( __FILE__ );
+            if ( realpath( $path ) === realpath( $scanner_file ) ) {
+                continue;
+            }
+            
+            // Only allowed extensions / names / .well-known subtree
+            if ( ! preg_match( $allowed_ext, $path ) ) {
+                continue;
+            }
+            $files[] = $path;
                 }
             } catch ( Throwable $e ) {
@@ -240 +301 @@
             }
     
-            $path = array_shift( $state['queue'] );
-            $state['done']++;
-    
-            $contents = @file_get_contents( $path );
+        $path = array_shift( $state['queue'] );
+        $state['done']++;
+        
+        // NEW: skip the scanner file itself
+        $scanner_file = wp_normalize_path( __FILE__ );
+        if ( realpath( $path ) === realpath( $scanner_file ) ) {
+            $processed_this_step++;
+            continue;
+        }
+        
+        $contents = @file_get_contents( $path );
+
             if ( $contents === false ) {
                 $processed_this_step++;
@@ -350 +419 @@
         // Build file body
         $lines   = [];
-        $lines[] = 'WP Folder Auditor — Scan Report';
+        $lines[] = 'Guard Dog Security — Scan Report';
         $lines[] = 'Generated: ' . gmdate( 'm-d-Y H:i:s' ) . '';
         $lines[] = 'Site: ' . ( isset( $_SERVER['HTTP_HOST'] ) ? esc_url_raw( wp_unslash( $_SERVER['HTTP_HOST'] ) ) : '' );
@@ -378 +447 @@
 
         $body     = implode( "\r\n", $lines ) . "\r\n";
-        $filename = 'Folder-Auditor-Scan-Report-' . gmdate( 'm-d-Y' ) . '.txt';
+        $filename = 'Guard-Dog-Security-Scan-Report-' . gmdate( 'm-d-Y' ) . '.txt';
 
         // Output download
@@ -408 +477 @@
         }
         if ( empty( $scopes ) ) {
-            $scopes = [ 'themes' ]; // safe default
+            $scopes = [ 'full' ]; // safe default
         }
         $opts = [ 'scopes' => array_values( array_unique( $scopes ) ) ];
@@ -451 +520 @@
     
         // Allowlist (same as wpfa_list_files)
-        $allowed_ext = '/(?:\.(?:php|phtml|php7|pht|phtm|phar|html|css|js|htaccess|env|json|xml|lock|txt|md|po|mo|pot|log|ini|sql|csv)$'
+        //$allowed_ext = '/(?:\.(?:php|phtml|php7|pht|phtm|phar|html|css|js|htaccess|env|json|xml|lock|txt|md|po|mo|pot|log|ini|sql|csv)$'
+            //. '|(?:composer\.json|composer\.lock|package\.json|package-lock\.json|yarn\.lock|\.user\.ini|\.gitignore|\.gitattributes|\.editorconfig)$'
+            //. '|\/\.well-known\/)/i';
+            $allowed_ext = '/(?:\.(?:php|phtml|php7|pht|phtm|phar|html|css|js|htaccess|env|json|xml|lock|txt|md|po|mo|pot|log|ini|sql|csv)$'
             . '|(?:composer\.json|composer\.lock|package\.json|package-lock\.json|yarn\.lock|\.user\.ini|\.gitignore|\.gitattributes|\.editorconfig)$'
             . '|\/\.well-known\/)/i';
@@ -510 +582 @@
                     }
     
-                    $path = wp_normalize_path( $fileinfo->getPathname() );
-    
-                    // Only allowed extensions / names / .well-known subtree
-                    if ( ! preg_match( $allowed_ext, $path ) ) {
-                        continue;
-                    }
-    
+            $path = wp_normalize_path( $fileinfo->getPathname() );
+            
+            // NEW: skip the scanner file itself
+            $scanner_file = wp_normalize_path( __FILE__ );
+            if ( realpath( $path ) === realpath( $scanner_file ) ) {
+                continue;
+            }
+            
+            // Only allowed extensions / names / .well-known subtree
+            if ( ! preg_match( $allowed_ext, $path ) ) {
+                continue;
+            }
                     // meta counts
                     $__files_seen++;
@@ -589 +666 @@
         $lc = $contents;
         $filename = basename( $path );
+        
+        // Quick binary header detection
+$head = @file_get_contents( $path, false, null, 0, 4 );
+if ( $head === "\x7FELF" || $head === "MZ" || $head === "\xCF\xFA\xED" ) {
+    return true; // flag immediately
+}
 
         // --- Whitelist common safe libs to cut false positives
@@ -772 +855 @@
         return [ $raw, $norm ];
     }
-    
-    protected function wpfa_get_raw_patterns() : array {
-        // comment-aware (used on $raw) — flags even if disabled in comments
-        
-    return [
-        '\beval\s*\(\s*base64_decode\s*\(',
-        '\bpreg_replace\s*\(\s*([\'"])\s*([^\w\s\\])(?:\\.|(?!\2).)*\2(?=[A-Za-z]*e[A-Za-z]*\1)',
-        '\b(?:include|require|include_once|require_once)\s*(?:\(\s*)?[\'"]https?:\/\/',
-        '\b(?:exec|shell_exec|system|passthru|proc_open|popen|pcntl_exec)\s*\([^)]*\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b',
-        'shell_exec\s*\([^)]*\$_REQUEST',
-        '\b(?:file_put_contents|fopen|fwrite|fputs)\s*\(\s*\$[A-Za-z_]\w*\s*,\s*base64_decode\s*\(',
-        '[\'"]\s*e\s*[\'"]\s*\.\s*[\'"]\s*val\s*[\'"]',
-        '[\'"]\s*base\s*[\'"]\s*\.\s*[\'"]\s*64\s*[\'"]\s*\.\s*[\'"]\s*decode\s*[\'"]',
-        '\$\w+\s*=\s*[\'"][a-z]{1,3}[\'"]\s*;\s*\$\w+\s*=\s*[\'"][a-z]{1,3}[\'"]\s*;\s*\$\w+\s*=\s*\$\w+\s*\.\s*\$\w+\s*\.\s*[\'"](tem|val|sert)[\'"]\s*;',
-        'ob_implicit_flush\s*\(\s*true\s*\)\s*;[\s\S]{0,160}\bob_end_flush\s*\(',
-        '(?s)(?:OPENSSL_RAW_DATA.*substr\s*\(\s*hash\s*\(\s*[\'"]sha256[\'"]|substr\s*\(\s*hash\s*\(\s*[\'"]sha256[\'"].*OPENSSL_RAW_DATA|[\'"]<\s*\/?\s*scr?\s*[\'"]\s*\.\s*[\'"]r?ipt\s*>[\'"])',
-        '(?s)\$[A-Za-z_]\w*\s*=\s*\$_(?:POST|REQUEST)\s*;.*?isset\s*\(\s*\$[A-Za-z_]\w*\s*\[[\'"][a-z0-9_]{3,}[\'"]\]\s*\).*?\$\w+\s*\(\s*\.\.\.\$\w+\s*\)',
-        '(?s)readfile\s*\(\s*base64_decode\s*\(\s*["\'][^"\']{8,}["\']\s*\)\s*\)\s*;.*?eval\s*\(\s*.*?ob_get_clean\s*\(\s*\)\s*\)\s*;',
-        'function\s*uPqmvR\s*\(',
-        'function\s*yh1\s*\(',
-        '\bUpVwwHRQ\s*\(',
-        'array_map\(\s*[\'"]md5[\'"]\s*,\s*\$_COOKIE',
-        '\$gi6\[\d+\]\s*\(\s*\$_(?:COOKIE|POST|REQUEST)',
-        'include\s*\(\s*base64_decode\s*\(\s*\$[A-Za-z_]\w*\s*\)\s*(?:\.\s*)?\)\s*;',
-        'call_user_func\s*\(\s*new\s+LiteSpeedMetaDataStore'
-    ];
-
-    }
-    
-    protected function wpfa_get_patterns() : array {
-        // normalized patterns (used on $norm)
-        return [
-            '\b(?:fopen|fwrite|fputs|file_put_contents|file_get_contents|fclose|chmod|unlink)\s*\([^)]*base64_decode\s*\(',
-            'basename\s*\(\s*__FILE__\s*,\s*base64_decode\s*\(',
-            '\b(?:exec|shell_exec|system|passthru|proc_open|popen|pcntl_exec)\s*\([^)]*base64_decode\s*\(',
-            '\b(?:exec|shell_exec|system|passthru|proc_open|popen|pcntl_exec)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b',
-            '>\s*\/dev\/null\s*2>\s*\/dev\/null\s*&',
-            '(?:base64_encode\s*\(\s*){2,}[^)]*\)',
-            '(?:base64_decode\s*\(\s*){2,}[^)]*\)',
-            'openssl_(?:en|de)crypt\s*\([^,]+,\s*[\'"]?\s*aes\s*[-_ ]?(?:128|192|256)\s*[-_ ]?cbc[\'"]?\s*,[^)]*hash\s*\(\s*[\'"]sha256[\'"]\s*,\s*[\'"][^\'"]{8,}[\'"]\s*,\s*true\s*\)[^)]*\)',
-            'substr\s*\(\s*hash\s*\(\s*[\'"]sha256[\'"]\s*,\s*[\'"][^\'"]{8,}[\'"]\s*,\s*true\s*\)\s*,\s*0\s*,\s*16\s*\)',
-            '\b(?:include|require|include_once|require_once)\s*\(\s*base64_decode\s*\(',
-            '\b(?:include|require|include_once|require_once|file_get_contents|fopen)\s*\([^)]*(?:php:\/\/input|php:\/\/filter|data:\/\/)',
-            'md5\s*\(\s*uniqid\s*\([^)]*\)\s*\)\s*\.\s*[\'"]\.(?:php|phtml)\b',
-            'curl_init\s*\([^)]*\)\s*;[^;]*CURLOPT_(?:HTTPHEADER|COOKIE)[^;]*(?:Authorization|Cookie)[^;]*token\s*=\s*',
-            'wp_remote_request\s*\([^)]*\bheaders\b[^)]*(?:Authorization|Cookie)[\'"]\s*=>\s*[\'"][^\'"]*token=',
-            '`[^`]{1,200}`',
-            '[\'"]<\s*sc[\'"]\s*\.\s*[\'"]ript\s*>[\'"]',
-            '[\'"]<\/\s*scr[\'"]\s*\.\s*[\'"]ipt\s*>[\'"]',
-            'array\s*\(\s*(?:\s*[\'"][a-z0-9][\'"]\s*,){3,}\s*[\'"][a-z0-9][\'"]\s*\)',
-            '\$[A-Za-z_]\w*\s*=\s*\$\w+\s*\.\s*\$\w+\s*\.\s*[\'"](tem|xec)[\'"]',
-            '(?s)readfile\s*\(\s*base64_decode\s*\(.*?\)\s*\).*?eval\s*\(\s*.*?ob_get_clean\s*\(\s*\).*?\)',
-            '\$[A-Za-z_]\w*\s*=\s*\$[A-Za-z_]\w*\s*\[[\'"][a-z0-9_]{3,}[\'"]\]\s*;.*\$\w+\s*\(\s*\.\.\.\$\w+\s*\)',
-        'function\s*uPqmvR\s*\(',
-        'function\s*yh1\s*\(',
-        '\bUpVwwHRQ\s*\(',
-        'array_map\(\s*[\'"]md5[\'"]\s*,\s*\$_COOKIE',
-        '\$gi6\[\d+\]\s*\(\s*\$_(?:COOKIE|POST|REQUEST)',
-        'include\s*\(\s*base64_decode\s*\(\s*\$[A-Za-z_]\w*\s*\)\s*(?:\.\s*)?\)\s*;',
-        'call_user_func\s*\(\s*new\s+LiteSpeedMetaDataStore'
-        ];
-    }
+protected function wpfa_get_raw_patterns() : array {
+    return [
+        '^\x7fELF',
+        '^MZ',
+        '^\xCF\xFA\xED',
+        '\b(?:require|require_once|include|include_once)\s*\(?\s*(?:@?\s*)?(?:base64_decode|str_rot13|gzinflate|gzuncompress)\s*\(',
+        'error_reporting\\s*\\(\\s*0\\s*\\)\\s*;\\s*\\$LlCam\\s*=\\s*array\\(\\s*\"\\\\x5f\\\\107\\\\x45\\\\x54\"\\s*\\)\\s*;',
+        '\\$\\{\\s*\\$LlCam\\s*\\[\\s*0\\s*\\]\\s*\\}',
+        '@?require_once\\s*[\'"](?:\\\\x7a\\\\x69\\\\x70)[^\'"]*[\'"]',
+        '\\\\x65\\\\x64\\\\x31\\\\x31\\\\x30\\\\x62\\\\x65\\\\x62\\\\x63\\\\x65\\\\x39\\\\x2e\\\\x74\\\\x6d\\\\x70',
+        'ycycsUnT3uBLqyUrzfdIDg23r',
+        '\beval\s*\(\s*base64_decode\s*\(',
+        '\bpreg_replace\s*\(\s*([\'"])\s*([^\w\s\\])(?:\\.|(?!\2).)*\2(?=[A-Za-z]*e[A-Za-z]*\1)',
+        '\b(?:include|require|include_once|require_once)\s*(?:\(\s*)?[\'"]https?:\/\/',
+        '\b(?:exec|shell_exec|system|passthru|proc_open|popen|pcntl_exec)\s*\([^)]*\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b',
+        'shell_exec\s*\([^)]*\$_REQUEST',
+        '\b(?:file_put_contents|fopen|fwrite|fputs)\s*\(\s*\$[A-Za-z_]\w*\s*,\s*base64_decode\s*\(',
+        '[\'"]\s*e\s*[\'"]\s*\.\s*[\'"]\s*val\s*[\'"]',
+        '[\'"]\s*base\s*[\'"]\s*\.\s*[\'"]\s*64\s*[\'"]\s*\.\s*[\'"]\s*decode\s*[\'"]',
+        '\$\w+\s*=\s*[\'"][a-z]{1,3}[\'"]\s*;\s*\$\w+\s*=\s*[\'"][a-z]{1,3}[\'"]\s*;\s*\$\w+\s*=\s*\$\w+\s*\.\s*\$\w+\s*\.\s*[\'"](tem|val|sert)[\'"]\s*;',
+        'ob_implicit_flush\s*\(\s*true\s*\)\s*;[\s\S]{0,160}\bob_end_flush\s*\(',
+        '(?s)(?:OPENSSL_RAW_DATA.*substr\s*\(\s*hash\s*\(\s*[\'"]sha256[\'"]|substr\s*\(\s*hash\s*\(\s*[\'"]sha256[\'"].*OPENSSL_RAW_DATA|[\'"]<\s*\/?\s*scr?\s*[\'"]\s*\.\s*[\'"]r?ipt\s*>[\'"])',
+        '(?s)\$[A-Za-z_]\w*\s*=\s*\$_(?:POST|REQUEST)\s*;.*?isset\s*\(\s*\$[A-Za-z_]\w*\s*\[[\'"][a-z0-9_]{3,}[\'"]\]\s*\).*?\$\w+\s*\(\s*\.\.\.\$\w+\s*\)',
+        '(?s)readfile\s*\(\s*base64_decode\s*\(\s*["\'][^"\']{8,}["\']\s*\)\s*\)\s*;.*?eval\s*\(\s*.*?ob_get_clean\s*\(\s*\)\s*\)\s*;',
+        'function\s*uPqmvR\s*\(',
+        'function\s*yh1\s*\(',
+        '\bUpVwwHRQ\s*\(',
+        'array_map\(\s*[\'"]md5[\'"]\s*,\s*\$_COOKIE',
+        '\$gi6\[\d+\]\s*\(\s*\$_(?:COOKIE|POST|REQUEST)',
+        'include\s*\(\s*base64_decode\s*\(\s*\$[A-Za-z_]\w*\s*\)\s*(?:\.\s*)?\)\s*;',
+        'call_user_func\s*\(\s*new\s+LiteSpeedMetaDataStore'
+    ];
 }
+
+protected function wpfa_get_patterns() : array {
+    return [
+        '^\x7fELF',
+        '^MZ',
+        '^\xCF\xFA\xED',
+        '\b(?:require|require_once|include|include_once)\s*\(?\s*(?:@?\s*)?(?:base64_decode|str_rot13|gzinflate|gzuncompress)\s*\(',
+        'error_reporting\\s*\\(\\s*0\\s*\\)\\s*;\\s*\\$LlCam\\s*=\\s*array\\s*\\(',
+        '\\$\\{\\s*\\$LlCam\\s*\\[\\s*0\\s*\\]\\s*\\}',
+        '@?require_once\\s*[\\\'\\"][^\\\'\\\"]{3,256}[\\\'\\"]',
+        'ed110bebce9\\.tmp',
+        'ycycsUnT3uBLqyUrzfdIDg23r',
+        '\b(?:fopen|fwrite|fputs|file_put_contents|file_get_contents|fclose|chmod|unlink)\s*\([^)]*base64_decode\s*\(',
+        'basename\s*\(\s*__FILE__\s*,\s*base64_decode\s*\(',
+        '\b(?:exec|shell_exec|system|passthru|proc_open|popen|pcntl_exec)\s*\([^)]*base64_decode\s*\(',
+        '\b(?:exec|shell_exec|system|passthru|proc_open|popen|pcntl_exec)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b',
+        '>\s*\/dev\/null\s*2>\s*\/dev\/null\s*&',
+        '(?:base64_encode\s*\(\s*){2,}[^)]*\)',
+        '(?:base64_decode\s*\(\s*){2,}[^)]*\)',
+        'openssl_(?:en|de)crypt\s*\([^,]+,\s*[\'"]?\s*aes\s*[-_ ]?(?:128|192|256)\s*[-_ ]?cbc[\'"]?\s*,[^)]*hash\s*\(\s*[\'"]sha256[\'"]\s*,\s*[\'"][^\'"]{8,}[\'"]\s*,\s*true\s*\)[^)]*\)',
+        'substr\s*\(\s*hash\s*\(\s*[\'"]sha256[\'"]\s*,\s*[\'"][^\'"]{8,}[\'"]\s*,\s*true\s*\)\s*,\s*0\s*,\s*16\s*\)',
+        '\b(?:include|require|include_once|require_once)\s*\(\s*base64_decode\s*\(',
+        '\b(?:include|require|include_once|require_once|file_get_contents|fopen)\s*\([^)]*(?:php:\/\/input|php:\/\/filter|data:\/\/)',
+        'md5\s*\(\s*uniqid\s*\([^)]*\)\s*\)\s*\.\s*[\'"]\.(?:php|phtml)\b',
+        'curl_init\s*\([^)]*\)\s*;[^;]*CURLOPT_(?:HTTPHEADER|COOKIE)[^;]*(?:Authorization|Cookie)[^;]*token\s*=\s*',
+        'wp_remote_request\s*\([^)]*\bheaders\b[^)]*(?:Authorization|Cookie)[\'"]\s*=>\s*[\'"][^\'"]*token=',
+        '`[^`]{1,200}`',
+        '[\'"]<\s*sc[\'"]\s*\.\s*[\'"]ript\s*>[\'"]',
+        '[\'"]<\/\s*scr[\'"]\s*\.\s*[\'"]ipt\s*>[\'"]',
+        'array\s*\(\s*(?:\s*[\'"][a-z0-9][\'"]\s*,){3,}\s*[\'"][a-z0-9][\'"]\s*\)',
+        '\$[A-Za-z_]\w*\s*=\s*\$\w+\s*\.\s*\$\w+\s*\.\s*[\'"](tem|xec)[\'"]',
+        '(?s)readfile\s*\(\s*base64_decode\s*\(.*?\)\s*\).*?eval\s*\(\s*.*?ob_get_clean\s*\(\s*\).*?\)',
+        '\$[A-Za-z_]\w*\s*=\s*\$[A-Za-z_]\w*\s*\[[\'"][a-z0-9_]{3,}[\'"]\]\s*;.*\$\w+\s*\(\s*\.\.\.\$\w+\s*\)',
+        'function\s*uPqmvR\s*\(',
+        'function\s*yh1\s*\(',
+        '\bUpVwwHRQ\s*\(',
+        'array_map\(\s*[\'"]md5[\'"]\s*,\s*\$_COOKIE',
+        '\$gi6\[\d+\]\s*\(\s*\$_(?:COOKIE|POST|REQUEST)',
+        'include\s*\(\s*base64_decode\s*\(\s*\$[A-Za-z_]\w*\s*\)\s*(?:\.\s*)?\)\s*;',
+        'call_user_func\s*\(\s*new\s+LiteSpeedMetaDataStore'
+    ];
+}
+}

folder-auditor/trunk/readme.txt

@@ -6 +6 @@
 Tested up to: 6.8
 Requires PHP: 7.4
-Stable tag: 4.3
+Stable tag: 4.4
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
@@ -93 +93 @@
 == Changelog ==
 
+= 4.4 =
+* Added new infection patterns to find bad files
+
 = 4.3 =
 * Setup MainWP bridge for unlock relock when running updates
@@ -195 +198 @@
 == Upgrade Notice ==
 
+= 4.4 =
+* Added new infection patterns to find bad files
+
 = 4.3 =
 * Setup MainWP bridge for unlock relock when running updates