From beeff013bb5bf3a2a910dc8850d30441f064b515 Mon Sep 17 00:00:00 2001 From: Marco Cesarato Date: Tue, 6 Oct 2020 20:15:57 +0200 Subject: [PATCH] feat: improve whitelist system and some code improvement BREAKING CHANGE: csv whitelist doesn't work anymore --- .gitignore | 2 +- README.md | 4 +- TODO.md | 2 - dist/scanner | Bin 644168 -> 644214 bytes dist/version | 2 +- src/Actions.php | 151 +++++++++++++++++++++++++++++++++ src/Application.php | 101 ++++++---------------- src/CSV.php | 83 ------------------ src/Console.php | 2 +- src/index.php | 3 +- whitelists/wordpress-5.5.1.csv | 56 ------------ 11 files changed, 183 insertions(+), 223 deletions(-) create mode 100644 src/Actions.php delete mode 100644 src/CSV.php delete mode 100644 whitelists/wordpress-5.5.1.csv diff --git a/.gitignore b/.gitignore index c674910..9aa8f2a 100644 --- a/.gitignore +++ b/.gitignore @@ -1,7 +1,7 @@ scanner_infected.log scanner.log -scanner_whitelist.csv +scanner_whitelist.json vendor/** .idea diff --git a/README.md b/README.md index 2f4b199..e750254 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ # AMWSCAN - PHP Antimalware Scanner -**Version:** 0.5.2.75 beta +**Version:** 0.5.3.93 beta **Github:** https://github.com/marcocesarato/PHP-Antimalware-Scanner @@ -129,7 +129,7 @@ When a malware is detected you will have the following choices (except when scan - Dry run evil line code fixer `(fix code and confirm after a visual check)` [`--auto-clean-line`] - Open with vim `(need php -d disable_functions='')` - Open with nano `(need php -d disable_functions='')` -- Add to whitelist `(add to ./scanner_whitelist.csv)` +- Add to whitelist `(add to ./scanner-whitelist.json)` - Show source - Ignore [`--auto-skip`] diff --git a/TODO.md b/TODO.md index 2f2948b..4cbeb7b 100644 --- a/TODO.md +++ b/TODO.md @@ -3,8 +3,6 @@ ## TODO * Output with EventSource + Offset mapping for continue scan -* Separate Actions from Application -* Whitelist with start and length * Checksum files of the most popular platform for a whitelist (and implement the check with checksum) for no have more false positive 1. Wordpress 2. WooCommerce diff --git a/dist/scanner b/dist/scanner index 1416fef7244109c7e153cc515804b9d20a98dc62..86ea2b14afe39d80c9c170528784106ffd4ba4c3 100644 GIT binary patch delta 4049 zcmd5$L*#vmzBBC-uC1A(>_3T=f}Z9GeJKpOf`I5WRu0Si_03ADKm5$&4)c79F2=IA4I=L*vO1{ zK1so6^NOG49Evm5&7nltYO++gy{>Q=$6PdQGGO|fJZX|V<4L&LE4ci4-g?oCo5^3d zam8isfJcZ^=LTINmk(QlE=dwXerH!8;`flosmM&8*~6Jg`*WO*Y?+3#s2YmHV4A78 z)xtn3$H>`a)J+DseRwvhdxbNA{YaaZagvN(+;}*3#0Gz-13#sOnvfo5zdD7Ct3vrC z^E{UfFTXln;T<^2Srhvit7|$dG0#(F3<>Tv7ea80Hd$Hy_~?YJhRI=(k`pZJY(^;k zNKgK~n=|E(^qTp8XFalv^!8vzcyjbf zR8{Hnc$NoNc8ikW6~mGehc8K73#9*~6#m<1fM1*|0bei!K08ogjt>oS|u0YG|BLhZcDGX5JN=oYxeX(qfw-eu)NicM#5JlZ7x5#_BL0TP+k;Q zPDz2s(_XB59L>=$e&2+mM@$~1omxF>D%>u~jpCB3BrOY?ymI6HhB`;U<-uyS)B_T` ztSmlGVIxi5ur(}ryJG31hMz{Z_DLh)iZr>(oNENw@@r#if<7D8&Cg@>IdkQM@(A)l z#jsSJl~@WzSdp@Xi2tbmGBNCQg+i`gE9^V}9XNk5g<+Ayo4Nd#TJobE6&0EKI0)RD z(EypVlA~Mg9~Z&mx_tQlie4QrcTiIMK4*j)w-y|AxpdzEZ5g#cr%NrJ;U(AD=ed!D&7uVBmi^3_lmGVxN{=Ys$j!KM`W{lkbY%17yu1Qk_S==b0 z_GEeV#?Blaz<`;vNTTFry$FnZF*Ns=z=c5$F6>E3u_`3Ed8vhQ(*4Znk-du%Ta>6` z&Ge-y;1%q48OO?QSiT+_`|%@iDxm-EBDgzP1^9P)aN)8xdhVwS5yH@UYz9;x(??tO zImU4mKsiaMIXMwd{k(4+-^;_mp%OV@Paj(WZyxwpedUH_R9u%@z5PTm6x*-dJhKyAJru^C9Zi`a%lnF+;4(i3$-I6 zST|Vys0fl;4w<3-L>nC3tAi_pPkh4&#&JFv8Ib7H$L=ICr)BHp(x8?vfjz&pndqsi zekY8lJ=h`oVd^6X>PEO2I{fKvAdIiWwm-$8n zel)x^vZc-5;G>;9oQga8ZPc+aUPK-?_Df?RGN$^v~1{5itd}$*>l=u zv?al{BW7A?xv+C6KRWbIYD>Zd@{S&rlUq5cK&KQkDa%DgdpVR=sy27E!j)?vR^H@K zIjATuMDw~j=V1X7;gBUA^XzS8y$}l1ZzXaw2Niym*ewoOM;XQNzpg5)29<;*Xp@2^e3mzLe-h?KRf6PTQX-;7?{p!S3 zRq{>ASb|c0xzdEoaUevh8p#bLMTqg#{HrF;O zu&yoJl#Q{G@>RMmVkP|1E*UFH=8aIYsc9(+n}i@}e{9mUwo+HM+Pa2zLaH{{zH|K! zuxbxW$LF5&JCL@E*$jB(dhL0IgS6N{@^JYfI=^q?* z(w>mO!HZOazdUTMN?&+D_J!&L{Q+yXrU${w8Xf9`T1gt$cSLPz|KZDXwQ<{AwB4}% zNoqEq6IG%8nyy$1`=V;Gu}cK5i&>C~`njWHQ+A3CUhhFk}EzOBIU%nwu3_>OIx6glUPC ze|1$s9|G?UZ^e2^tiPtcV9k)J*D98>(OydX`*|5hjd&++SJYd ze3(`3J*8yt1z^)DM%R6>#(OEVy~Lv^WVOju>vAwNxh%Jw{U2j?Kcsqa{FIdIYu|Dux>) zOW=)>btOqhNrcegU4n{vF!aizNaMNe9Qgi}5r(g_Fh85i2(ahJ1l}F1gW>T-Ffy%& z3!{WeBh{l020s18@|c?c*JY7+$8IrTnph2g9oNHi=k<{<&bR3_|1&=;0Ppw@b=+YN zwq7z}j3cHAGm{hcA&>*G^-A5T?__}^k`MNG8enFu2*}$e_-yhgG3(B(pzL+Sof;9& zttp4KoF3Mlsf3xcdDM>X(@xF`BRg@Z*M`Tr5IlFakV@}y`ynt{0(&o1(qXh)s>nWR zKo-o-CpLAqI~}b%IxNI|Ff1vOFND#HG(-pkH!gR<=+A4wxs!!YURex3GM2>_QOC}) zc`#$_%yhd{$1qz(R|CFU)RuC@dJ631aXrirXT$MoYYdUjj5e)rvZXLry$bC?np_5j zmqkRE6m^;magm0YrK4|{mKE$;YYTdKOi^s;2#uH0chcfBGrJliHaE>d>#q*L-D`R< zUTjJa5=w5TgaO0#WW;*u#Y}wHL8Fr<52mb^L%p)#=x{jOyE~H$-Mz>8TkC{)pqYbq}aOp3udMS{(5pN>P!rx3}Y2T8{#`TQ_9Zi4UfHUBx- zk`ii9tS-W*GCSfhr&3sL|x}OG_TG9DIoA+Ur<&&lGk%Y#&V4c!amQzuq>o#rRu~0 zB$!$hwJO1C`m*z)ni8KuJ7xzJJjqVAlxA88%(N`mxQUYM_;1ggxAnVQ9Ygz_SVT)F)!F99})~wV*kRK00a`)K;0GKnCXFY{Ph5KJ!P7^VnppWC{gEWA<`lT_U zsS9;x>$4i+rRLgy9~n$3+?yyXJUq}T8!L+~u;G~^c)hl`Fi{;SM@Qn+H;=K~nW3sK z+A^`}uw`M(#+HLE7n^>ns*C;XTdH`A-KxWqRqeOf(!|5mkz4G0jB%**#D(8)`Q6-~ ZpLLubJ@;y3Q*C1-ewJlyT)$=gzW^7r1nmF- diff --git a/dist/version b/dist/version index 9eb6069..3d96081 100644 --- a/dist/version +++ b/dist/version @@ -1 +1 @@ -0.5.2.75 \ No newline at end of file +0.5.3.93 \ No newline at end of file diff --git a/src/Actions.php b/src/Actions.php new file mode 100644 index 0000000..e0b047f --- /dev/null +++ b/src/Actions.php @@ -0,0 +1,151 @@ +/si', '', $code); + } + + return $code; + } + + /** + * Clean Evil Code Line. + * + * @param $code + * @param $pattern_found + * + * @return string + */ + public static function cleanEvilCodeLine($code, $pattern_found) + { + $lines = explode(PHP_EOL, $code); + foreach ($pattern_found as $pattern) { + unset($lines[(int)$pattern['line'] - 1]); + } + $code = implode(PHP_EOL, $lines); + + return $code; + } + + /** + * Delete File. + * + * @param $file + * + * @return bool + */ + public static function deleteFile($file) + { + return unlink($file); + } + + /** + * Move to Quarantine. + * + * @param $file + * + * @return string + */ + public static function moveToQuarantine($file) + { + $quarantine = Application::$pathQuarantine . str_replace(realpath(Application::currentDirectory()), '', $file); + if (!is_dir(dirname($quarantine))) { + if (!mkdir($concurrentDirectory = dirname($quarantine), 0755, true) && !is_dir($concurrentDirectory)) { + throw new \RuntimeException(sprintf('Directory "%s" was not created', $concurrentDirectory)); + } + } + rename($file, $quarantine); + + return $quarantine; + } + + /** + * Add to Whitelist. + * + * @param $file + * @param $pattern_found + * + * @return false|int + */ + public static function addToWhitelist($file, $pattern_found) + { + foreach ($pattern_found as $key => $pattern) { + $exploit = $pattern['key']; + $lineNumber = $pattern['line']; + $match = $pattern['match']; + $fileName = str_replace(Application::$pathScan, '', $file); + $key = md5($exploit . $fileName . $lineNumber); + Application::$whitelist[$key] = array( + 'file' => $fileName, + 'exploit' => $exploit, + 'line' => $lineNumber, + 'match' => $match, + ); + } + + return file_put_contents(Application::$pathWhitelist, json_encode(Application::$whitelist)); + } + + /** + * Open with VIM. + * + * @param $file + */ + public static function openWithVim($file) + { + $descriptors = array( + array('file', '/dev/tty', 'r'), + array('file', '/dev/tty', 'w'), + array('file', '/dev/tty', 'w'), + ); + $process = proc_open("vim '$file'", $descriptors, $pipes); + while (true) { + $proc_status = proc_get_status($process); + if ($proc_status['running'] == false) { + break; + } + } + } + + /** + * Open with Nano. + * + * @param $file + */ + public static function openWithNano($file) + { + $descriptors = array( + array('file', '/dev/tty', 'r'), + array('file', '/dev/tty', 'w'), + array('file', '/dev/tty', 'w'), + ); + $process = proc_open("nano '$file'", $descriptors, $pipes); + while (true) { + $proc_status = proc_get_status($process); + if ($proc_status['running'] == false) { + break; + } + } + } +} diff --git a/src/Application.php b/src/Application.php index 6ef34fa..fd72853 100644 --- a/src/Application.php +++ b/src/Application.php @@ -35,7 +35,7 @@ class Application * * @var string */ - public static $version = '0.5.2.75'; + public static $version = '0.5.3.93'; /** * Root path. @@ -70,7 +70,7 @@ class Application * * @var string */ - public static $pathWhitelist = '/scanner-whitelist.csv'; + public static $pathWhitelist = '/scanner-whitelist.json'; /** * Path to scan. @@ -235,8 +235,14 @@ private function init() self::$pathWhitelist = self::$root . self::$pathWhitelist; self::$pathLogsInfected = self::$root . self::$pathLogsInfected; - // Prepare whitelist - self::$whitelist = CSV::read(self::$pathWhitelist); + // Load whitelist + if (file_exists(self::$pathWhitelist)) { + self::$whitelist = file_get_contents(self::$pathWhitelist); + self::$whitelist = @json_decode(self::$whitelist, true); + if (!is_array(self::$whitelist)) { + self::$whitelist = array(); + } + } Definitions::optimizeSig(Definitions::$SIGNATURES); } @@ -857,14 +863,12 @@ private function scan($iterator) foreach ($pattern_found as $key => $pattern) { $lineNumber = $pattern['line']; $exploit = $pattern['key']; - $whitelist_filePath = trim($item[0], ' "'); - $whitelist_exploit = trim($item[1], ' "'); - $whitelist_lineNumber = trim($item[2], ' "'); - - // TODO: from char to length - if (strpos($_FILE_PATH, $whitelist_filePath) !== false && - $exploit == $whitelist_exploit && - (self::$settings['whitelist-only-path'] || (!self::$settings['whitelist-only-path'] && $lineNumber == $whitelist_lineNumber))) { + $match = $pattern['match']; + + if (strpos($_FILE_PATH, $item['file']) !== false && + $match === $item['match'] && + $exploit === $item['exploit'] && + (self::$settings['whitelist-only-path'] || (!self::$settings['whitelist-only-path'] && $lineNumber == $item['line']))) { $in_whitelist++; } } @@ -946,37 +950,20 @@ private function scan($iterator) } Console::newLine(); if ($confirm2 === 'y') { - unlink($_FILE_PATH); + Actions::deleteFile($_FILE_PATH); self::$summaryRemoved[] = $_FILE_PATH; Console::writeLine("File '$_FILE_PATH' removed!", 2, 'green'); $_WHILE = false; } } elseif (in_array($confirmation, array('2', 'quarantine'))) { // Move to quarantine - $quarantine = self::$pathQuarantine . str_replace(realpath(self::currentDirectory()), '', $_FILE_PATH); - - if (!is_dir(dirname($quarantine))) { - if (!mkdir($concurrentDirectory = dirname($quarantine), 0755, true) && !is_dir($concurrentDirectory)) { - throw new \RuntimeException(sprintf('Directory "%s" was not created', $concurrentDirectory)); - } - } - rename($_FILE_PATH, $quarantine); + $quarantine = Actions::moveToQuarantine($_FILE_PATH); self::$summaryQuarantine[] = $quarantine; Console::writeLine("File '$_FILE_PATH' moved to quarantine!", 2, 'green'); $_WHILE = false; } elseif (in_array($confirmation, array('3', 'clean')) && count($pattern_found) > 0) { // Remove evil code - foreach ($pattern_found as $pattern) { - preg_match('/(<\?php)(.*?)(' . preg_quote($pattern['match'], '/') . '[\s\r\n]*;?)/si', $fc, $match); - $match[2] = trim($match[2]); - $match[4] = trim($match[4]); - if (!empty($match[2]) || !empty($match[4])) { - $fc = str_replace($match[0], $match[1] . $match[2] . $match[4] . $match[5], $fc); - } else { - $fc = str_replace($match[0], '', $fc); - } - $fc = preg_replace('/<\?php[\s\r\n]*\?\>/si', '', $fc); - } + $fc = Actions::cleanEvilCode($fc, $pattern_found); Console::newLine(); $title = Console::title(' SANITIZED ', '='); @@ -1004,11 +991,7 @@ private function scan($iterator) } } elseif (in_array($confirmation, array('4', 'clean-line')) && count($pattern_found) > 0) { // Remove evil line code - $fc_expl = explode(PHP_EOL, $fc); - foreach ($pattern_found as $pattern) { - unset($fc_expl[(int)$pattern['line'] - 1]); - } - $fc = implode(PHP_EOL, $fc_expl); + $fc = Actions::cleanEvilCodeLine($fc, $pattern_found); Console::newLine(); @@ -1036,52 +1019,20 @@ private function scan($iterator) self::$summaryIgnored[] = $_FILE_PATH; } } elseif (in_array($confirmation, array('5', 'vim'))) { - // Edit with vim - $descriptors = array( - array('file', '/dev/tty', 'r'), - array('file', '/dev/tty', 'w'), - array('file', '/dev/tty', 'w'), - ); - $process = proc_open("vim '$_FILE_PATH'", $descriptors, $pipes); - while (true) { - $proc_status = proc_get_status($process); - if ($proc_status['running'] == false) { - break; - } - } + // Open with vim + Actions::openWithVim($_FILE_PATH); self::$summaryEdited[] = $_FILE_PATH; Console::writeLine("File '$_FILE_PATH' edited with vim!", 2, 'green'); self::$summaryRemoved[] = $_FILE_PATH; } elseif (in_array($confirmation, array('6', 'nano'))) { - // Edit with nano - $descriptors = array( - array('file', '/dev/tty', 'r'), - array('file', '/dev/tty', 'w'), - array('file', '/dev/tty', 'w'), - ); - $process = proc_open("nano -c '$_FILE_PATH'", $descriptors, $pipes); - while (true) { - $proc_status = proc_get_status($process); - if ($proc_status['running'] == false) { - break; - } - } + // Open with nano + Actions::openWithNano($_FILE_PATH); self::$summaryEdited[] = $_FILE_PATH; Console::writeLine("File '$_FILE_PATH' edited with nano!", 2, 'green'); self::$summaryRemoved[] = $_FILE_PATH; } elseif (in_array($confirmation, array('7', 'whitelist'))) { // Add to whitelist - foreach ($pattern_found as $key => $pattern) { - //$exploit = preg_replace("/^(\S+) \[line [0-9]+\].*/si", "$1", $key); - //$lineNumber = preg_replace("/^\S+ \[line ([0-9]+)\].*/si", "$1", $key); - $exploit = $pattern['key']; - $lineNumber = $pattern['line']; - self::$whitelist[] = array(str_replace(self::$pathScan, '', $_FILE_PATH), $exploit, $lineNumber); - } - self::$whitelist = array_map('unserialize', array_unique(array_map('serialize', self::$whitelist))); - - // TODO: from char to length - if (CSV::write(self::$pathWhitelist, self::$whitelist)) { + if (Actions::addToWhitelist($_FILE_PATH, $pattern_found)) { self::$summaryWhitelist[] = $_FILE_PATH; Console::writeLine("Exploits of file '$_FILE_PATH' added to whitelist!", 2, 'green'); $_WHILE = false; @@ -1104,7 +1055,7 @@ private function scan($iterator) Console::display($title, 'white', 'red'); Console::newLine(2); } else { - // None + // Skip Console::writeLine("File '$_FILE_PATH' skipped!", 2, 'green'); self::$summaryIgnored[] = $_FILE_PATH; $_WHILE = false; diff --git a/src/CSV.php b/src/CSV.php deleted file mode 100644 index a50f045..0000000 --- a/src/CSV.php +++ /dev/null @@ -1,83 +0,0 @@ - - * @copyright Copyright (c) 2020 - * @license http://opensource.org/licenses/gpl-3.0.html GNU Public License - * - * @see https://github.com/marcocesarato/PHP-Antimalware-Scanner - */ - -namespace marcocesarato\amwscan; - -/** - * Class CSV. - */ -class CSV -{ - /** - * Read. - * - * @param $filename - * - * @return array - */ - public static function read($filename) - { - if (!file_exists($filename)) { - return array(); - } - $file_handle = fopen($filename, 'rb'); - $array = array(); - while (!feof($file_handle)) { - $array[] = fgetcsv($file_handle, 1024); - } - fclose($file_handle); - - return $array; - } - - /** - * Generate. - * - * @param $data - * @param string $delimiter - * @param string $enclosure - * - * @return string - */ - public static function generate($data, $delimiter = ',', $enclosure = '"') - { - $handle = fopen('php://temp', 'rb+'); - foreach ($data as $line) { - fputcsv($handle, $line, $delimiter, $enclosure); - } - $contents = ''; - rewind($handle); - while (!feof($handle)) { - $contents .= fread($handle, 8192); - } - fclose($handle); - - return $contents; - } - - /** - * Write. - * - * @param $filename - * @param $data - * @param string $delimiter - * @param string $enclosure - * - * @return false|int - */ - public static function write($filename, $data, $delimiter = ',', $enclosure = '"') - { - $csv = self::generate($data, $delimiter, $enclosure); - - return file_put_contents($filename, $csv); - } -} diff --git a/src/Console.php b/src/Console.php index 02ee67b..928da4b 100644 --- a/src/Console.php +++ b/src/Console.php @@ -102,7 +102,7 @@ public static function header() self::display($title, 'black', 'green'); self::newLine(); - $title = self::title('PHP Antimalware Scanner' . $version); + $title = self::title('PHP Antimalware Scanner ' . $version); self::display($title, 'black', 'green'); self::newLine(); diff --git a/src/index.php b/src/index.php index af15176..48a793b 100644 --- a/src/index.php +++ b/src/index.php @@ -2,11 +2,10 @@ namespace marcocesarato\amwscan; +include_once 'Actions.php'; include_once 'Argument.php'; include_once 'Argv.php'; include_once 'Console.php'; -include_once 'CSV.php'; -include_once 'CSV.php'; include_once 'Definitions.php'; include_once 'Flag.php'; include_once 'Deobfuscator.php'; diff --git a/whitelists/wordpress-5.5.1.csv b/whitelists/wordpress-5.5.1.csv deleted file mode 100644 index c15c219..0000000 --- a/whitelists/wordpress-5.5.1.csv +++ /dev/null @@ -1,56 +0,0 @@ -"wp-admin\includes\class-pclzip.php",nano,2627 -"wp-admin\includes\class-pclzip.php",eval,4068 -"wp-admin\includes\file.php",nano,733 -"wp-admin\includes\class-wp-debug-data.php",exec,611 -"wp-includes\class-json.php",eval,24 -"wp-includes\class-snoopy.php",eval,678 -"wp-includes\class-snoopy.php",exec,1018 -"wp-includes\rest-api.php",nano,1437 -"wp-includes\SimplePie\Parse\Date.php",concat_vars_with_spaces,837 -"wp-includes\sodium_compat\autoload.php",assert,54 -"wp-includes\Text\Diff\Engine\native.php",assert,96 -"wp-includes\Text\Diff\Engine\shell.php",shell_exec,50 -"wp-includes\Text\Diff\Engine\shell.php",assert,86 -"wp-includes\Text\Diff.php",assert,317 -"wp-content\plugins\health-check\includes\class-health-check-debug-data.php",exec,550 -"wp-content\plugins\jetpack\modules\custom-css\custom-css\preprocessors\scss.inc.php",nano,1196 -"wp-content\plugins\jetpack\modules\sharedaddy\sharing-service.php",nano,45 -"wp-content\plugins\jetpack\_inc\lib\class.core-rest-api-endpoints.php",execution,1211 -"wp-content\plugins\js_composer\include\classes\core\class-vc-manager.php",system,376 -"wp-content\plugins\js_composer\include\classes\shortcodes\vc-column.php",double_var2,67 -"wp-content\plugins\js_composer\include\classes\shortcodes\vc-row.php",double_var2,87 -"wp-content\plugins\loco-translate\src\package\Bundle.php",system,58 -"wp-content\plugins\query-monitor\collectors\environment.php",exec,291 -"wp-content\plugins\revslider\includes\InstagramScraper\Instagram.php",double_var2,668 -"wp-content\plugins\simple-tags\inc\class.widgets.php",double_var2,99 -"wp-content\plugins\woocommerce\includes\admin\class-wc-admin-setup-wizard.php",nano,801 -"wp-content\plugins\woocommerce\includes\admin\reports\class-wc-report-sales-by-product.php",execution2,47 -"wp-content\plugins\woocommerce\includes\libraries\class-wc-eval-math.php",nano,80 -"wp-content\plugins\woocommerce\includes\wc-core-functions.php",nano,1957 -"wp-content\plugins\woocommerce\packages\woocommerce-admin\src\API\Reports\DataStore.php",nano,533 -"wp-content\plugins\woocommerce\packages\woocommerce-admin\src\ReportCSVExporter.php",nano,122 -"wp-content\plugins\wordfence\crypto\vendor\paragonie\random_compat\lib\random_bytes_dev_urandom.php",system,65 -"wp-content\plugins\wordfence\lib\wordfenceClass.php",execution,7418 -"wp-content\plugins\wordfence\lib\wordfenceClass.php",file_prepend,8953 -"wp-content\plugins\wordfence\lib\wordfenceScanner.php",eval,462 -"wp-content\plugins\wordfence\vendor\composer\ca-bundle\src\CaBundle.php",base64_long,263 -"wp-content\plugins\wordfence\vendor\wordfence\wf-waf\src\lib\json.php",eval,23 -"wp-content\plugins\wordfence\waf\bootstrap.php",file_prepend,4 -"wp-content\plugins\wordpress-seo-premium\config\composer\actions.php",system,135 -"wp-content\plugins\wordpress-seo-premium\config\composer\actions.php",exec,122 -"wp-content\plugins\wordpress-seo-premium\premium\classes\redirect\redirect-validator.php",nano,140 -"wp-content\plugins\wordpress-seo-premium\src\orm\yoast-orm-wrapper.php",nano,97 -"wp-content\plugins\wordpress-seo-premium\vendor_prefixed\guzzlehttp\guzzle\src\Handler\MockHandler.php",nano,69 -"wp-content\plugins\wordpress-seo-premium\vendor_prefixed\guzzlehttp\guzzle\src\Handler\StreamHandler.php",nano,83 -"wp-content\plugins\wordpress-seo-premium\vendor_prefixed\guzzlehttp\guzzle\src\HandlerStack.php",nano,176 -"wp-content\plugins\wordpress-seo-premium\vendor_prefixed\guzzlehttp\promises\src\Promise.php",nano,164 -"wp-content\plugins\wordpress-seo-premium\vendor_prefixed\ruckusing\lib\Ruckusing\Adapter\PgSQL\Base.php",system,273 -"wp-content\plugins\wordpress-seo-premium\vendor_prefixed\ruckusing\lib\Ruckusing\Adapter\Sqlite3\Base.php",system,249 -"wp-content\plugins\wp-mail-smtp\vendor_prefixed\guzzlehttp\guzzle\src\Handler\MockHandler.php",nano,69 -"wp-content\plugins\wp-mail-smtp\vendor_prefixed\guzzlehttp\guzzle\src\Handler\StreamHandler.php",nano,84 -"wp-content\plugins\wp-mail-smtp\vendor_prefixed\guzzlehttp\guzzle\src\HandlerStack.php",nano,180 -"wp-content\plugins\wp-mail-smtp\vendor_prefixed\guzzlehttp\promises\src\Promise.php",nano,164 -"wp-content\plugins\wp-mail-smtp\vendor_prefixed\monolog\monolog\src\Monolog\Handler\SyslogHandler.php",syslog,59 -"wp-content\plugins\wp-mail-smtp\vendor_prefixed\monolog\monolog\src\Monolog\SignalHandler.php",posix_kill,87 -"wp-content\plugins\wp-smush-pro\core\modules\class-lazy.php",system,249 -"wp-content\wflogs\config-transient.php",base64_long,0