/**
 * Normalise and compact a list of regex signature bodies in place.
 *
 * Steps, in order: drop duplicates; append an empty named group "(?<X<id>>)" to every
 * signature (id = myCheckSum of the untagged body) so a hit can be traced back to it;
 * rewrite a few verbose sub-patterns into tighter equivalents (plain str_replace, then
 * preg_replace); set the signatures that contain an unbounded ".+"/".*" aside; sort the
 * rest case-insensitively and let optMergePrefixes() fold runs sharing a common prefix,
 * trying the longest prefix length first; finally re-join both parts.
 * optSigCheck() is invoked after the rewrites and again on the final list.
 *
 * @param array $sigs signature regex bodies; replaced with the optimised list
 */
function optSig(&$sigs)
{
    $sigs = array_unique($sigs);

    // Tag each signature with its id; the checksum is taken over the untagged body.
    $tagged = array();
    foreach ($sigs as $key => $sig) {
        $tagged[$key] = $sig . '(?<X' . myCheckSum($sig) . '>)';
    }
    $sigs = $tagged;

    // Literal rewrites of known verbose sub-patterns (applied in array order).
    $literalFixes = array(
        '([^\\?\\s])\\({0,1}\\.[\\+\\*]\\){0,1}\\2[a-z]*e' => '(?J)\\.[+*](?<=(?<d>[^\\?\\s])\\(..|(?<d>[^\\?\\s])..)\\)?\\g{d}[a-z]*e',
        'http://.+?/.+?\\.php\\?a' => 'http://[^?\\s]++(?<=\\.php)\\?a',
        '\\s*[\'"]{0,1}.+?[\'"]{0,1}\\s*' => '.+?',
        '[\'"]{0,1}.+?[\'"]{0,1}' => '.+?',
    );
    $sigs = str_replace(array_keys($literalFixes), array_values($literalFixes), $sigs);

    // Regex rewrites: fold a leading "\d+&@" and strip leading quote/space/@ wildcards.
    $regexFixes = array(
        '~^\\\\[d]\\+&@~' => '&@(?<=\\d..)',
        '~^((\\[\'"\\]|\\\\s|@)(\\{0,1\\}\\.?|[?*]))+~' => '',
    );
    $sigs = preg_replace(array_keys($regexFixes), array_values($regexFixes), $sigs);
    optSigCheck($sigs);

    // Signatures with an unbounded wildcard are excluded from the prefix merge.
    $wildcard = array();
    $mergeable = array();
    foreach ($sigs as $sig) {
        if (strpos($sig, '.+') !== false || strpos($sig, '.*') !== false) {
            $wildcard[] = $sig;
        } else {
            $mergeable[] = $sig;
        }
    }
    usort($mergeable, 'strcasecmp');

    // One signature per line; merge common prefixes from the longest minimum length down.
    $txt = implode("\n", $mergeable);
    foreach (array(24, 20, 16, 12, 8, 4, 3, 2, 1) as $minLen) {
        $txt = preg_replace_callback(
            '#^((?>(?:\\\\.|\\[.+?\\]|[^(\\n]|\\((?:\\\\.|[^)(\\n])++\\))(?:[*?+]\\+?|)){' . $minLen . ',}).*(?:\\n\\1(?![{?*+]).+)+#im',
            'optMergePrefixes',
            $txt
        );
    }

    $sigs = array_merge(explode("\n", $txt), $wildcard);
    optSigCheck($sigs);
}
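/**
 * Scan one file's content against the "critical" signature sets and heuristics.
 *
 * Order of checks: SMART_SCAN pre-filter (file-name fragments in $g_CriticalFiles, then the
 * $g_CriticalEntries regex); ".php." double-extension marker (recorded via AddResult, scan
 * continues); regex sets $g_FlexDBShe / $gXX_FlexDBShe / $gX_FlexDBShe (the latter two only at
 * AI_EXPERT > 1 / > 0), each hit filtered through CheckException(); plain-substring sets
 * $g_DBShe / $gX_DBShe on a lower-cased copy; the ");#" PHP-only marker; a PHP file starting
 * with a GIF89 header; a small upload/copy handler; finally more than ten base64_decode calls
 * (recorded via AddResult, no early return).
 *
 * @param string $l_FN      file path; used for name fragment checks and filesize()
 * @param mixed  $l_Index   scan-list index, appended to $g_Base64 when a base64-style finding is recorded
 * @param string $l_Content file content to scan
 * @param mixed  $l_Pos     out: offset of the matched fragment (0 when the whole file is the match);
 *                          left as the last strpos() result (false) when nothing matched
 * @param mixed  $l_SigId   out: myCheckSum() of the matched signature; NOT updated by the
 *                          GIF89 and uploader heuristics (they have no signature id)
 * @return bool true when a critical signature or heuristic matched
 */
function CriticalPHP($l_FN, $l_Index, $l_Content, &$l_Pos, &$l_SigId)
{
    global $g_ExceptFlex, $gXX_FlexDBShe, $gX_FlexDBShe, $g_FlexDBShe, $gX_DBShe, $g_DBShe, $g_Base64, $g_Base64Fragment, $g_CriticalFiles, $g_CriticalEntries;
    // H24LKHLKJHKLHJGJG4567869869GGHJ

    // With SMART_SCAN only files that look critical by name fragment get the full pass...
    $l_SkipCheck = SMART_SCAN;
    if ($l_SkipCheck) {
        foreach ($g_CriticalFiles as $l_Ext) {
            if (strpos($l_FN, $l_Ext) !== false) {
                $l_SkipCheck = false;
                break;
            }
        }
    }
    // ...or whose content matches the $g_CriticalEntries regex.
    if ($l_SkipCheck && preg_match('~' . $g_CriticalEntries . '~smiS', $l_Content, $l_Found)) {
        $l_SkipCheck = false;
    }

    // Double extension (".php.") is recorded as a finding, but scanning continues.
    if (strpos($l_FN, '.php.') !== false) {
        $g_Base64[] = $l_Index;
        $g_Base64Fragment[] = '".php."';
        $l_Pos = 0;
        if (DEBUG_MODE) {
            // No signature item is in play here; name the marker instead of an undefined variable.
            echo "CRIT 7: {$l_FN} matched [.php.] in {$l_Pos}\n";
        }
        AddResult($l_FN, $l_Index);
    }

    // Not critical under SMART_SCAN: skip the expensive signature passes.
    if ($l_SkipCheck && SMART_SCAN) {
        if (DEBUG_MODE) {
            echo "Skipped file, not critical.\n";
        }
        return false;
    }

    // Regex signature sets; the extended sets are gated by AI_EXPERT level.
    if (criticalMatchFlexSigs($g_FlexDBShe, $l_FN, $l_Content, 1, $l_Pos, $l_SigId)) {
        return true;
    }
    if (AI_EXPERT > 1 && criticalMatchFlexSigs($gXX_FlexDBShe, $l_FN, $l_Content, 2, $l_Pos, $l_SigId)) {
        return true;
    }
    if (AI_EXPERT > 0 && criticalMatchFlexSigs($gX_FlexDBShe, $l_FN, $l_Content, 3, $l_Pos, $l_SigId)) {
        return true;
    }

    // Plain-substring sets are matched case-insensitively against a lower-cased copy.
    $l_Content_lo = strtolower($l_Content);
    if (criticalMatchPlainSigs($g_DBShe, $l_FN, $l_Content_lo, 4, $l_Pos, $l_SigId)) {
        return true;
    }
    if (AI_EXPERT) {
        if (criticalMatchPlainSigs($gX_DBShe, $l_FN, $l_Content_lo, 5, $l_Pos, $l_SigId)) {
            return true;
        }
        // PHP-only marker, checked case-insensitively on the original content.
        if (strpos($l_FN, '.ph') !== false && AI_EXPERT > 1) {
            $l_Specials = array(');#');
            foreach ($l_Specials as $l_Item) {
                $l_Pos = stripos($l_Content, $l_Item);
                if ($l_Pos !== false) {
                    $l_SigId = myCheckSum($l_Item);
                    return true;
                }
            }
        }
    }

    // A PHP file whose content begins with a GIF header (image/script polyglot).
    if (strpos($l_Content, 'GIF89') === 0 && strpos($l_FN, '.php') !== false) {
        $l_Pos = 0;
        if (DEBUG_MODE) {
            echo "CRIT 6: {$l_FN} matched [GIF89] in {$l_Pos}\n";
        }
        return true;
    }

    // detect uploaders / droppers: a small PHP file that handles an upload or copies files.
    if (AI_EXPERT > 1) {
        $l_Found = null;
        // Each strpos() result is assigned to $l_Pos before the comparison; the original
        // "$l_Pos = strpos(...) > 0" form stored a boolean. A marker at offset 0 now counts too.
        // NOTE(review): '$_FILE[' is not a substring of PHP's "$_FILES[" — confirm the intended marker.
        if (filesize($l_FN) < 1024
            && strpos($l_FN, '.ph') !== false
            && (($l_Pos = strpos($l_Content, 'multipart/form-data')) !== false
                || ($l_Pos = strpos($l_Content, '$_FILE[')) !== false
                || ($l_Pos = strpos($l_Content, 'move_uploaded_file')) !== false
                || preg_match('|\\bcopy\\s*\\(|smi', $l_Content, $l_Found, PREG_OFFSET_CAPTURE))
        ) {
            // Only the preg_match() branch fills $l_Found; take its offset in that case.
            if (!empty($l_Found)) {
                $l_Pos = $l_Found[0][1];
            }
            if (DEBUG_MODE) {
                echo "CRIT 7: {$l_FN} matched [uploader] in {$l_Pos}\n";
            }
            return true;
        }
    }

    // Many base64_decode calls: recorded as a finding, but not a "critical" return.
    $l_Count = substr_count($l_Content, 'base64_decode');
    if ($l_Count > 10) {
        $g_Base64[] = $l_Index;
        $g_Base64Fragment[] = getFragment($l_Content, stripos($l_Content, 'base64_decode'));
        if (DEBUG_MODE) {
            echo "CRIT 10: {$l_FN} matched\n";
        }
        AddResult($l_FN, $l_Index);
    }
    return false;
}

/**
 * Match a set of regex signature bodies against $l_Content.
 *
 * Each body is wrapped as '#(...)#smiS'; the first hit that CheckException() does not
 * exclude sets $l_Pos to the match offset and $l_SigId to myCheckSum() of the body.
 *
 * @param array  $l_Sigs    signature regex bodies
 * @param string $l_FN      file path, used only in DEBUG_MODE output
 * @param string $l_Content content to scan
 * @param int    $l_CritId  number printed in the "CRIT n" debug line
 * @param mixed  $l_Pos     out: offset of the match
 * @param mixed  $l_SigId   out: signature id
 * @return bool true on a non-excluded hit
 */
function criticalMatchFlexSigs($l_Sigs, $l_FN, $l_Content, $l_CritId, &$l_Pos, &$l_SigId)
{
    foreach ($l_Sigs as $l_Item) {
        if (!preg_match('#(' . $l_Item . ')#smiS', $l_Content, $l_Found, PREG_OFFSET_CAPTURE)) {
            continue;
        }
        // Known-benign contexts are filtered out by the exception list.
        if (CheckException($l_Content, $l_Found)) {
            continue;
        }
        $l_Pos = $l_Found[0][1];
        $l_SigId = myCheckSum($l_Item);
        if (DEBUG_MODE) {
            echo "CRIT {$l_CritId}: {$l_FN} matched [{$l_Item}] in {$l_Pos}\n";
        }
        return true;
    }
    return false;
}

/**
 * Match a set of plain substrings against an already lower-cased content.
 *
 * $l_Pos receives every strpos() result, so it is false after a miss on the last item
 * (same as the original inline loop); on a hit $l_SigId is myCheckSum() of the item.
 *
 * @param array  $l_Sigs      substrings (expected lower-case; no case folding is done here)
 * @param string $l_FN        file path, used only in DEBUG_MODE output
 * @param string $l_ContentLo lower-cased content to scan
 * @param int    $l_CritId    number printed in the "CRIT n" debug line
 * @param mixed  $l_Pos       out: offset of the match
 * @param mixed  $l_SigId     out: signature id
 * @return bool true on a hit
 */
function criticalMatchPlainSigs($l_Sigs, $l_FN, $l_ContentLo, $l_CritId, &$l_Pos, &$l_SigId)
{
    foreach ($l_Sigs as $l_Item) {
        $l_Pos = strpos($l_ContentLo, $l_Item);
        if ($l_Pos !== false) {
            $l_SigId = myCheckSum($l_Item);
            if (DEBUG_MODE) {
                echo "CRIT {$l_CritId}: {$l_FN} matched [{$l_Item}] in {$l_Pos}\n";
            }
            return true;
        }
    }
    return false;
}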