Added imap_open bug on definitions

README.md

@@ -2,7 +2,7 @@
 
 # AMWSCAN - PHP Antimalware Scanner
 
-**Version:** 0.5.0.66 beta
+**Version:** 0.5.0.67 beta
 
 **Github:** https://github.com/marcocesarato/PHP-Antimalware-Scanner
 

src/Definitions.php

@@ -23,29 +23,20 @@ class Definitions {
 		"eval_comment"            => '/(eval|preg_replace|system|assert|passthru|(pcntl_)?exec|shell_exec|call_user_func(_array)?)\/\*[^\*]*\*\/\((?<=\().*?(?=\))\)/',
 		"eval_execution"          => '/(eval\(\$[a-z0-9_]+\((?<=\()@?\$_(GET|POST|SERVER|COOKIE|REQUEST).*?(?=\))\)/si',
 		"align"                   => '/(\$\w+=[^;]*)*;\$\w+=@?\$\w+\((?<=\().*?(?=\))\)/si',
-		"b374k"                   => '/(\\\'|\")ev(\\\'|\")\.(\\\'|\")al(\\\'|\")\.(\\\'|\")\(\"\?>/i',
-		// b374k shell
-		"weevely3"                => '/\$\w=\$[a-zA-Z]\(\'\',\$\w\);\$\w\(\);/i',
-		// weevely3 launcher
-		"c99_launcher"            => '/;\$\w+\(\$\w+(,\s?\$\w+)+\);/i',
-		// http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
-		"too_many_chr"            => '/(chr\([\d]+\)\.){8}/i',
-		// concatenation of more than eight `chr()`
-		"concat"                  => '/(\$[\w\[\]\\\'\"]+\\.[\n\r]*){10}/i',
-		// concatenation of vars array
-		"concat_vars_with_spaces" => '/(\$([a-zA-Z0-9]+)[\s\r\n]*\.[\s\r\n]*){6}/',
-		// concatenation of more than 6 words, with spaces
-		"concat_vars_array"       => '/(\$([a-zA-Z0-9]+)(\{|\[)([0-9]+)(\}|\])[\s\r\n]*\.[\s\r\n]*){6}.*?(?=\})\}/i',
-		// concatenation of more than 6 words, with spaces
+		"b374k"                   => '/(\\\'|\")ev(\\\'|\")\.(\\\'|\")al(\\\'|\")\.(\\\'|\")\(\"\?>/i', // b374k shell
+		"weevely3"                => '/\$\w=\$[a-zA-Z]\(\'\',\$\w\);\$\w\(\);/i', // weevely3 launcher
+		"c99_launcher"            => '/;\$\w+\(\$\w+(,\s?\$\w+)+\);/i', // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
+		"too_many_chr"            => '/(chr\([\d]+\)\.){8}/i', // concatenation of more than eight `chr()`
+		"concat"                  => '/(\$[\w\[\]\\\'\"]+\\.[\n\r]*){10}/i', // concatenation of vars array
+		"concat_vars_with_spaces" => '/(\$([a-zA-Z0-9]+)[\s\r\n]*\.[\s\r\n]*){6}/', // concatenation of more than 6 words, with spaces
+		"concat_vars_array"       => '/(\$([a-zA-Z0-9]+)(\{|\[)([0-9]+)(\}|\])[\s\r\n]*\.[\s\r\n]*){6}.*?(?=\})\}/i', // concatenation of more than 6 words, with spaces
 		"var_as_func"             => '/\$_(GET|POST|COOKIE|REQUEST|SERVER)[\s\r\n]*\[[^\]]+\][\s\r\n]*\((?<=\().*?(?=\))\)/i',
 		"global_var_string"       => '/\$\{[\s\r\n]*(\\\'|\")_(GET|POST|COOKIE|REQUEST|SERVER)(\\\'|\")[\s\r\n]*\}/i',
 		"extract_global"          => '/extract\([\s\r\n]*\$_(GET|POST|COOKIE|REQUEST|SERVER).*?(?=\))\)/i',
 		"escaped_path"            => '/(\\\\x[0-9abcdef]{2}[a-z0-9.-\/]{1,4}){4,}/i',
-		"include_icon"            => '/@?include[\s\r\n]*(\([\s\r\n]*)?("|\\\')([^"\\\']*)(\.|\\\\056\\\\046\\\\2E)(\i|\\\\151|\\\\x69|\\\\105)(c|\\\\143\\\\099\\\\x63)(o|\\\\157\\\\111|\\\\x6f)(\"|\\\')((?=\))\))?/mi',
-		// Icon inclusion
+		"include_icon"            => '/@?include[\s\r\n]*(\([\s\r\n]*)?("|\\\')([^"\\\']*)(\.|\\\\056\\\\046\\\\2E)(\i|\\\\151|\\\\x69|\\\\105)(c|\\\\143\\\\099\\\\x63)(o|\\\\157\\\\111|\\\\x6f)(\"|\\\')((?=\))\))?/mi',  // Icon inclusion
 		"backdoor_code"           => '/eva1fYlbakBcVSir/i',
-		"infected_comment"        => '/\/\*[a-z0-9]{5}\*\//i',
-		// usually used to detect if a file is infected yet
+		"infected_comment"        => '/\/\*[a-z0-9]{5}\*\//i', // usually used to detect if a file is infected yet
 		"hex_char"                => '/\\\\[Xx](5[Ff])/i',
 		"hacked_by"               => '/hacked[\s\r\n]*by/i',
 		"killall"                 => '/killall[\s\r\n]*\-9/i',
@@ -55,33 +46,25 @@ class Definitions {
 		"base64_inclusion"        => '/@?include[\s\r\n]*(\([\s\r\n]*)?("|\\\')data\:text/plain;base64[\s\r\n]*\,[\s\r\n]*\$_GET\[[^\]]+\](\\\'|")[\s\r\n]*((?=\))\))?/si',
 		"clever_include"          => '/@?include[\s\r\n]*(\([\s\r\n]*)?("|\\\')[\s\r\n]*[^\.]+\.(png|jpe?g|gif|bmp|ico).*?("|\\\')[\s\r\n]*((?=\))\))?/i',
 		"basedir_bypass"          => '/curl_init[\s\r\n]*\([\s\r\n]*[\"\\\']file:\/\/.*?(?=\))\)/i',
-		"basedir_bypass2"         => '/file\:file\:\/\//i',
-		// https://www.intelligentexploit.com/view-details.html?id=8719
+		"basedir_bypass2"         => '/file\:file\:\/\//i', // https://www.intelligentexploit.com/view-details.html?id=8719
 		"non_printable"           => '/(function|return|base64_decode).{,256}[^\\x00-\\x1F\\x7F-\\xFF]{3}/i',
 		"double_var"              => '/\${[\s\r\n]*\${.*?}(.*)?}/i',
 		"double_var2"             => '/\${\$[0-9a-zA-z]+}/i',
 		"global_save"             => '/\[\s\r\n]*=[\s\r\n]*\$GLOBALS[\s\r\n]*\;[\s\r\n]*\$[\s\r\n]*\{/i',
-		"hex_var"                 => '/\$\{[\s\r\n]*(\\\'|\")\\\\x.*?(?=\})\}/i',
-		// check for ${"\xFF"}, IonCube use this method ${"\x
-		"register_function"       => '/register_[a-z]+_function[\s\r\n]*\([\s\r\n]*[\\\'\"][\s\r\n]*(eval|assert|passthru|exec|include|system|shell_exec|`).*?(?=\))\)/i',
-		// https://github.com/nbs-system/php-malware-finder/issues/41
+		"hex_var"                 => '/\$\{[\s\r\n]*(\\\'|\")\\\\x.*?(?=\})\}/i', // check for ${"\xFF"}, IonCube use this method ${"\x
+		"register_function"       => '/register_[a-z]+_function[\s\r\n]*\([\s\r\n]*[\\\'\"][\s\r\n]*(eval|assert|passthru|exec|include|system|shell_exec|`).*?(?=\))\)/i', // https://github.com/nbs-system/php-malware-finder/issues/41
 		"safemode_bypass"         => '/\x00\/\.\.\/|LD_PRELOAD/i',
 		"ioncube_loader"          => '/IonCube\_loader/i',
-		"nano"                    => '/\$[a-z0-9-_]+\[[^]]+\]\((?<=\().*?(?=\))\)/',
-		//https://github.com/UltimateHackers/nano
+		"nano"                    => '/\$[a-z0-9-_]+\[[^]]+\]\((?<=\().*?(?=\))\)/', //https://github.com/UltimateHackers/nano
 		"ninja"                   => '/base64_decode[^;]+getallheaders/',
-		"execution"               => '/\b(eval|assert|passthru|exec|include|system|pcntl_exec|shell_exec|base64_decode|`|array_map|ob_start|call_user_func(_array)?)[\s\r\n]*\([\s\r\n]*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\\\?@?\$_(GET|REQUEST|POST|COOKIE|SERVER)).*?(?=\))\)/',
-		// function that takes a callback as 1st parameter
-		"execution2"              => '/\b(array_filter|array_reduce|array_walk(_recursive)?|array_walk|assert_options|uasort|uksort|usort|preg_replace_callback|iterator_apply)[\s\r\n]*\([\s\r\n]*[^,]+,[\s\r\n]*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\\\?@?\$_(GET|REQUEST|POST|COOKIE|SERVER)).*?(?=\))\)/',
-		// functions that takes a callback as 2nd parameter
-		"execution3"              => '/\b(array_(diff|intersect)_u(key|assoc)|array_udiff)[\s\r\n]*\([\s\r\n]*([^,]+[\s\r\n]*,?)+[\s\r\n]*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\\\?@?\$_(GET|REQUEST|POST|COOKIE|SERVER))[\s\r\n]*\[[^]]+\][\s\r\n]*\)+[\s\r\n]*;/',
-		// functions that takes a callback as 2nd parameter
+		"execution"               => '/\b(eval|assert|passthru|exec|include|system|pcntl_exec|shell_exec|base64_decode|`|array_map|ob_start|call_user_func(_array)?)[\s\r\n]*\([\s\r\n]*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\\\?@?\$_(GET|REQUEST|POST|COOKIE|SERVER)).*?(?=\))\)/', // function that takes a callback as 1st parameter
+		"execution2"              => '/\b(array_filter|array_reduce|array_walk(_recursive)?|array_walk|assert_options|uasort|uksort|usort|preg_replace_callback|iterator_apply)[\s\r\n]*\([\s\r\n]*[^,]+,[\s\r\n]*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\\\?@?\$_(GET|REQUEST|POST|COOKIE|SERVER)).*?(?=\))\)/',  // functions that takes a callback as 2nd parameter
+		"execution3"              => '/\b(array_(diff|intersect)_u(key|assoc)|array_udiff)[\s\r\n]*\([\s\r\n]*([^,]+[\s\r\n]*,?)+[\s\r\n]*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\\\?@?\$_(GET|REQUEST|POST|COOKIE|SERVER))[\s\r\n]*\[[^]]+\][\s\r\n]*\)+[\s\r\n]*;/',// functions that takes a callback as 2nd parameter
 		"shellshock"              => '/\(\)[\s\r\n]*{[\s\r\n]*[a-z:][\s\r\n]*;[\s\r\n]*}[\s\r\n]*;/',
 		"silenced_eval"           => '/@eval[\s\r\n]*\((?<=\().*?(?=\))\)/',
 		"silence_inclusion"       => '/@(include|include_once|require|require_once)[\s\r\n]+([\s\r\n]*\()?("|\\\')([^"\\\']*)(\\\\x[0-9a-f]{2,}.*?){2,}([^"\\\']*)("|\\\')[\s\r\n]*((?=\))\))?/si',
 		"silence_inclusion2"      => '/@(include|include_once|require|require_once)[\s\r\n]+([\s\r\n]*\()?("|\\\')([^"\\\']*)(\\[0-9]{3,}.*?){2,}([^"\\\']*)("|\\\')[\s\r\n]*((?=\))\))?/si',
-		"ssi_exec"                => '/\<\!\-\-\#exec[\s\r\n]*cmd\=/i',
-		//http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
+		"ssi_exec"                => '/\<\!\-\-\#exec[\s\r\n]*cmd\=/i', //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
 		"htaccess_handler"        => '/SetHandler[\s\r\n]*application\/x\-httpd\-php/i',
 		"htaccess_type"           => '/AddType\s+application\/x-httpd-(php|cgi)/i',
 		"file_prepend"            => '/php_value[\s\r\n]*auto_prepend_file/i',
@@ -104,6 +87,8 @@ class Definitions {
 		"etc_passwd"              => '/(\/)*etc\/+passwd\/*/si',
 		"etc_shadow"              => '/(\/)*etc\/+shadow\/*/si',
 		"explode_chr"             => '/explode[\s\r\n]*\(chr[\s\r\n]*\([\s\r\n]*\(?\d{3}([\s\r\n]*-[\s\r\n]*\d{3})?[\s\r\n]*\).*?(?=\))\)/si',
+		"imap_open"               => '/imap_open\((\\\'|\"){(\\\'|\")[\s\r\n]*\.[\s\r\n]*\$_(GET|POST|SERVER|COOKIE|REQUEST).*?(?=\))\)/si', // check https://bugs.php.net/bug.php?id=76428
+		"imap_open_proxy"         => '/x[\s\r\n]*\-oProxyCommand[\s\r\n]*\=(.*?\|base64(\\\\t\-d)?(\|sh)?)?/si'
 	);
 
 	// Default functions definitions
@@ -3308,7 +3293,7 @@ public static function optimizeSig(&$sigs) {
 		usort($sigs, 'strcasecmp');
 		$txt = implode("\n", $sigs);
 
-		for($i = 24; $i >= 1; ($i > 4) ? $i -= 4 : -- $i) {
+		for($i = 24; $i >= 1; ($i > 4) ? $i -= 4 : --$i) {
 			$txt = preg_replace_callback('#^((?>(?:\\\\.|\\[.+?\\]|[^(\n]|\((?:\\\\.|[^)(\n])++\))(?:[*?+]\+?|\{\d+(?:,\d*)?\}[+?]?|)){' . $i . ',})[^\n]*+(?:\\n\\1(?![{?*+]).+)+#im', array(__CLASS__, 'optimizeMergePrefixes'), $txt);
 		}