Changeset 3488330

Timestamp:

03/22/2026 05:30:36 PM (7 days ago)

Author:

freelancebo

Message:

v2.3.0: Database spam detection, homepage HTML output scanning, improved hidden content detection, gambling/SEO spam signatures

Location:

freelancebo-sentra-control/trunk

Files:

• freelancebo-sentra-control.php (modified) (2 diffs)
• includes/modules/class-sentra-malware-scanner.php (modified) (2 diffs)
• readme.txt (modified) (3 diffs)

freelancebo-sentra-control/trunk/freelancebo-sentra-control.php

@@ -4 +4 @@
  * Plugin URI: https://freelancebo.it
  * Description: WordPress security agent - connects to FreelanceBo Sentra Control central console for WAF, malware scanning, brute force protection, and file integrity monitoring.
- * Version: 2.2.5
+ * Version: 2.3.0
  * Author: Freelancebo
  * License: GPL-2.0-or-later
@@ -12 +12 @@
 if (!defined('ABSPATH')) exit;
 
-define("SENTRA_VERSION", "2.2.5");
+define("SENTRA_VERSION", "2.3.0");
 define('SENTRA_PLUGIN_DIR', plugin_dir_path(__FILE__));
 define('SENTRA_PLUGIN_URL', plugin_dir_url(__FILE__));

freelancebo-sentra-control/trunk/includes/modules/class-sentra-malware-scanner.php

@@ -31 +31 @@
         'inet_pton.*cidr|cidr.*inet_pton' => ['name' => 'IP Range Check (Cloaking)', 'severity' => 'high'],
 
-        // === Hidden content injection ===
-        'position:\s*absolute[^"]*?left:\s*-[5-9]\d{3,}px' => ['name' => 'Hidden Content Injection (off-screen)', 'severity' => 'high'],
+        // === Hidden content injection (file-level) ===
+        'position:\s*(?:absolute|fixed)[^"]*?(?:left|top):\s*-[5-9]\d{3,}px' => ['name' => 'Hidden Content Injection (off-screen)', 'severity' => 'high'],
         'opacity:\s*0\.00[1-9].*?z-index:\s*-1' => ['name' => 'Hidden Content Injection (invisible)', 'severity' => 'high'],
+
+        // === Gambling / SEO spam link patterns in PHP files ===
+        'href.*(?:casino|slots\.org|betting|lottoland|justcasino|merkurslots|amazonslots)' => ['name' => 'Gambling/SEO Spam Link in PHP', 'severity' => 'critical'],
+        'display:\s*none[^"]*?(?:casino|slots|betting|gambling|roulette|poker)' => ['name' => 'Hidden Gambling Content in PHP', 'severity' => 'critical'],
 
         // === Admin post hiding (SEO spam) ===
@@ -202 +206 @@
         }
 
+        // Include database spam scan
+        $db_findings = $this->scan_database_spam();
+        $findings = array_merge($findings, $db_findings);
+
+        // Include homepage HTML output scan
+        $html_findings = $this->scan_homepage_output();
+        $findings = array_merge($findings, $html_findings);
+
         return $findings;
     }
+
+    /**
+     * Scan WordPress database for SEO spam injection.
+     * Checks wp_options and wp_posts for gambling/casino link patterns.
+     */
+    public function scan_database_spam() {
+        global $wpdb;
+        $findings = [];
+
+        $spam_patterns = [
+            'amazonslots', 'merkurslots', 'lottoland', 'justcasino',
+            'casino-online', 'betting-site', 'poker-room', 'slot-machine',
+        ];
+
+        // Check wp_options (widgets, theme settings, custom blocks)
+        foreach ($spam_patterns as $pattern) {
+            // phpcs:ignore WordPress.DB.DirectDatabaseQuery
+            $results = $wpdb->get_results($wpdb->prepare(
+                "SELECT option_name, LENGTH(option_value) as val_len FROM {$wpdb->options} WHERE option_value LIKE %s LIMIT 5",
+                '%' . $wpdb->esc_like($pattern) . '%'
+            ));
+            foreach ($results as $row) {
+                $findings[] = [
+                    'file'      => "database:wp_options:{$row->option_name}",
+                    'signature' => 'SEO Spam in Database (wp_options)',
+                    'severity'  => 'critical',
+                    'size'      => (int) $row->val_len,
+                    'modified'  => current_time('Y-m-d H:i:s'),
+                    'detail'    => "Pattern: {$pattern}",
+                ];
+            }
+        }
+
+        // Check wp_posts for spam links in content
+        $link_patterns = ['casino', 'slots.org', 'betting', 'lottoland', 'justcasino', 'amazonslots', 'merkurslots'];
+        foreach ($link_patterns as $pattern) {
+            // phpcs:ignore WordPress.DB.DirectDatabaseQuery
+            $posts = $wpdb->get_results($wpdb->prepare(
+                "SELECT ID, post_title, post_type FROM {$wpdb->posts} WHERE (post_content LIKE %s OR post_excerpt LIKE %s) AND post_status != %s LIMIT 5",
+                '%' . $wpdb->esc_like($pattern) . '%',
+                '%' . $wpdb->esc_like($pattern) . '%',
+                'trash'
+            ));
+            foreach ($posts as $post) {
+                $findings[] = [
+                    'file'      => "database:wp_posts:ID={$post->ID}",
+                    'signature' => 'SEO Spam in Post Content',
+                    'severity'  => 'critical',
+                    'size'      => 0,
+                    'modified'  => current_time('Y-m-d H:i:s'),
+                    'detail'    => "Post: {$post->post_title} (type: {$post->post_type}), pattern: {$pattern}",
+                ];
+            }
+        }
+
+        // Check wp_postmeta for spam in custom fields
+        $meta_patterns = ['casino', 'slots.org', 'betting', 'gambling'];
+        foreach ($meta_patterns as $pattern) {
+            // phpcs:ignore WordPress.DB.DirectDatabaseQuery
+            $metas = $wpdb->get_results($wpdb->prepare(
+                "SELECT post_id, meta_key FROM {$wpdb->postmeta} WHERE meta_value LIKE %s LIMIT 5",
+                '%' . $wpdb->esc_like($pattern) . '%'
+            ));
+            foreach ($metas as $meta) {
+                $findings[] = [
+                    'file'      => "database:wp_postmeta:post_id={$meta->post_id}",
+                    'signature' => 'SEO Spam in Post Meta',
+                    'severity'  => 'high',
+                    'size'      => 0,
+                    'modified'  => current_time('Y-m-d H:i:s'),
+                    'detail'    => "Meta key: {$meta->meta_key}, pattern: {$pattern}",
+                ];
+            }
+        }
+
+        return $findings;
+    }
+
+    /**
+     * Scan the site homepage HTML output for hidden spam injection.
+     * Detects spam that lives in the database or is injected via hooks,
+     * not visible in PHP source files.
+     */
+    public function scan_homepage_output() {
+        $findings = [];
+
+        $home_url = get_home_url();
+        $response = wp_remote_get($home_url, [
+            'timeout'    => 15,
+            'sslverify'  => false,
+            'user-agent' => 'Sentra Security Scanner',
+        ]);
+
+        if (is_wp_error($response)) {
+            return $findings;
+        }
+
+        $html = wp_remote_retrieve_body($response);
+        if (empty($html)) {
+            return $findings;
+        }
+
+        // 1. Check for hidden divs with off-screen positioning (common spam injection)
+        if (preg_match_all('/position:\s*(?:absolute|fixed)[^"\']*?(?:left|top):\s*-\d{4,}px/i', $html, $matches)) {
+            $findings[] = [
+                'file'      => 'homepage_html_output',
+                'signature' => 'Hidden Content Injection (off-screen div in HTML output)',
+                'severity'  => 'critical',
+                'size'      => strlen($html),
+                'modified'  => current_time('Y-m-d H:i:s'),
+                'detail'    => 'Detected ' . count($matches[0]) . ' hidden off-screen element(s) in homepage HTML',
+            ];
+        }
+
+        // 2. Check for gambling/casino spam links in rendered HTML
+        $spam_link_pattern = '/href\s*=\s*["\']https?:\/\/[^"\']*(?:casino|slots\.org|betting|gambling|lottoland|justcasino|merkurslots|amazonslots)[^"\']*["\']/i';
+        if (preg_match_all($spam_link_pattern, $html, $link_matches)) {
+            $unique_links = array_unique($link_matches[0]);
+            $findings[] = [
+                'file'      => 'homepage_html_output',
+                'signature' => 'Gambling/Casino Spam Links in HTML Output',
+                'severity'  => 'critical',
+                'size'      => strlen($html),
+                'modified'  => current_time('Y-m-d H:i:s'),
+                'detail'    => 'Found ' . count($unique_links) . ' gambling spam link(s): ' . implode(', ', array_slice($unique_links, 0, 5)),
+            ];
+        }
+
+        // 3. Generic spam keyword detection in hidden elements
+        if (preg_match('/<div[^>]*style=[^>]*(?:display:\s*none|visibility:\s*hidden|position:\s*(?:absolute|fixed)[^"\']*-\d{3,})[^>]*>.*?(?:casino|slots|betting|gambling|roulette|poker)/is', $html)) {
+            $findings[] = [
+                'file'      => 'homepage_html_output',
+                'signature' => 'SEO Spam in Hidden HTML Element',
+                'severity'  => 'critical',
+                'size'      => strlen($html),
+                'modified'  => current_time('Y-m-d H:i:s'),
+            ];
+        }
+
+        return $findings;
+    }
 }

freelancebo-sentra-control/trunk/readme.txt

@@ -5 +5 @@
 Tested up to: 6.9
 Requires PHP: 7.4
-Stable tag: 2.2.5
+Stable tag: 2.3.0
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
@@ -74 +74 @@
 
 == Changelog ==
+
+= 2.3.0 =
+* NEW: Database spam detection - scans wp_options, wp_posts, wp_postmeta for SEO spam injection
+* NEW: Homepage HTML output scanning - detects hidden gambling/casino link injection
+* Improved hidden content detection: now catches position:fixed off-screen elements (not just absolute)
+* Added gambling/SEO spam link signatures for PHP file scanning
+* Detects common spam patterns: amazonslots, merkurslots, lottoland, justcasino, etc.
 
 = 2.2.5 =
@@ -197 +204 @@
 == Upgrade Notice ==
 
+= 2.3.0 =
+Major malware scanner upgrade: detects SEO spam injected in database and hidden gambling links in HTML output. Recommended for all users.
+
 = 2.2.2 =
 New auto-patching system: automatically fix security vulnerabilities, quarantine malware, and patch abandoned plugins.