Viewing 12 replies - 1 through 12 (of 12 total)
  • Plugin Author Eli

    (@scheeeli)

    The definitions are stored in the wp_options table of your WordPress database where the option_name is GOTMLS_definitions_array.

    Thread Starter mybeshoo

    (@mybeshoo)

    Oh thank you, I wonder if we can use these definitions with clamscan antivirus!

    Can we?

    Plugin Author Eli

    (@scheeeli)

    I don’t know anything about clamscan antivirus but I can’t imagine how my definitions would be compatible with another program.

    Thread Starter mybeshoo

    (@mybeshoo)

    Easy.
    And I tested one of your rules and BOOM it worked.

    Let me show you how.
    First of all, clamscan is a Linux anti-virus, very FAST, faster than your plugin.
    If you don't know about "clamscan" please google it.

    Now, clamscan supports Regex definitions, like yours.
    clamscan uses
    Yara-Rules

    eg :

    rule iframe_ru
    {
        strings:
            $re1 = /(document\.write\(|echo )['"]<iframe .+\.ru\/.+<\/iframe>['"][ \);]+/
        condition:
            $re1
    }

    and we save the file in the clamscan folder:
    /var/lib/clamav
    as sing.yar

    and test; the report will be something like:

    ./test.html: YARA.iframe_ru.UNOFFICIAL FOUND

    ———– SCAN SUMMARY ———–
    Known viruses: 4130714
    Engine version: 0.99
    Scanned directories: 0
    Scanned files: 1
    Infected files: 1
    Data scanned: 0.00 MB
    Data read: 0.00 MB (ratio 0.00:1)
    Time: 16.424 sec (0 m 16 s)

    If you like I can work with you on this so you can offer your users an easy / FAST way to scan the server if they have SSH.

    Thread Starter mybeshoo

    (@mybeshoo)

    Yes it supports it, please read here: https://goo.gl/4PjXim

    Thread Starter mybeshoo

    (@mybeshoo)

    If you like we can work together to make a set of your rules to be added to clamscan anti-virus so users can scan their files via SSH, which is faster than anything; moreover they can prevent UPLOAD if a file is infected.

    Please read my post here https://goo.gl/4PjXim to get a general idea how to make clamscan rules!

    BTW how can I convert your GOTMLS_definitions_array to a PHP array?

    Thank you for your help.

    Thread Starter mybeshoo

    (@mybeshoo)

    As I can see in your definitions there are “known”, “Backdoor” & “htaccess” categories.

    I am working on converting them to YARA format.
    So please just guide me, which are the correct definition categories to prevent?
    Does “known” mean potential but not a backdoor?

    Please advise

    Plugin Author Eli

    (@scheeeli)

    “known”, “Backdoor”, and “htaccess” are all good categories to scan for but don’t scan for “potential”.

    Thread Starter mybeshoo

    (@mybeshoo)

    You have an error with this REGEX. Please review it @

    /((\$[_a-z0-9]+\s*=[^;]+;\s*)*if[\s\(]+isset[\(\s]+\$_(REQUES|GE|POS)T\[[^\]]+\][\)\s]+\{\s*(\$[_\.a-z0-9]+[=\s]+\$_(REQUES|GE|POS)T\[[^\]]+\][;\s]+)+((\$[_a-z0-9]+[=\s]+)?/((\$[_a-z0-9]+\s*=[^;]+;\s*)*if[\s\(]+isset[\(\s]+\$_(REQUES|GE|POS)T\[[^\]]+\][\)\s]+\{\s*(\$[_\.a-z0-9]+[=\s]+\$_(REQUES|GE|POS)T\[[^\]]+\][;\s]+)+((\$[_a-z0-9]+[=\s]+)?(eval|file_put_contents|fopen|fwrite|fclose)\([^\)]+\);\s*)+((echo|exit)[^\;]*;\s*)*\}\s*(else)?)+/i|fopen|fwrite|fclose)\([^\)]+\);\s*)+((echo|exit)[^\;]*;\s*)*\}\s*(else)?)+/

    Plugin Author Eli

    (@scheeeli)

    Thanks for catching that! Somehow the right definition got doubled inside an older version of itself. I have just updated the definition with an update that fixes this. Here is the corrected REGEX if you want to use it in place of that bad one:

    /((\$[_a-z0-9]+\s*=[^;]+;\s*)*if[\s\(]+isset[\(\s]+\$_(REQUES|GE|POS)T\[[^\]]+\][\)\s]+\{\s*(\$[_\.a-z0-9]+[=\s]+\$_(REQUES|GE|POS)T\[[^\]]+\][;\s]+)+((\$[_a-z0-9]+[=\s]+)?(eval|file_put_contents|fopen|fwrite|fclose)\([^\)]+\);\s*)+((echo|exit)[^\;]*;\s*)*\}\s*(else)?)+/i

    Thread Starter mybeshoo

    (@mybeshoo)

    Thank you, but you need to review all of your Regex; here is a new one

    [if defined define function global eval Variable Function] => Array

    /if[\(\s]+\!defined\([^\)]+[\)\s\{]+define\([^\)]+[\)\s;]+function[^\(]*\([^\)]*[\)\s\{]+global (\$[^;]+);.+?eval\(\1(\[[^\]]+\])?\s*\([^\)]*[\)\s]+;(\s*return[^;]*;/i
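The conversion mybeshoo describes, as an added Python example that is not code from the plugin or from either poster. It assumes the definitions have already been pulled out of wp_options into a category → name → PHP-delimited pattern mapping (the real array layout is not shown in the thread), skips the “potential” category as Eli advises, and sets aside patterns YARA cannot express, such as the `\1` backreference in the regex just above.

```python
import re

# Constructed sample shaped like the categories named in the thread
# (assumption: category -> {rule name: PHP-style "/pattern/flags"}).
SAMPLE_DEFINITIONS = {
    "Backdoor": {
        "eval post request": r"/eval\(\$_(POST|REQUEST)\[[^\]]+\]\);/i",
    },
    "known": {
        "global eval backref": r"/global (\$[^;]+);.+?eval\(\1\)/i",
    },
    "potential": {
        "base64 decode": r"/base64_decode\(/i",
    },
}

SKIP_CATEGORIES = {"potential"}      # per the plugin author's advice above
YARA_FLAGS = {"i", "s"}              # regex modifiers YARA understands
BACKREF = re.compile(r"\\[1-9]")     # \1 .. \9: YARA has no backreferences

def php_regex_to_yara(pattern):
    """Turn a PHP '/body/flags' pattern into a YARA regex literal, or None."""
    m = re.fullmatch(r"/(.*)/([a-z]*)", pattern, re.S)
    if not m or BACKREF.search(m.group(1)):
        return None
    body = m.group(1)
    flags = "".join(f for f in m.group(2) if f in YARA_FLAGS)
    return f"/{body}/{flags}"

def rule_name(category, name):
    """YARA identifiers allow only [A-Za-z0-9_]."""
    return re.sub(r"[^A-Za-z0-9_]+", "_", f"{category}_{name}").strip("_")

def gotmls_to_yara(definitions):
    """Return (yara_text, skipped) where skipped lists (category, name)."""
    rules, skipped = [], []
    for category, entries in definitions.items():
        if category in SKIP_CATEGORIES:
            continue
        for name, pattern in entries.items():
            yara_re = php_regex_to_yara(pattern)
            if yara_re is None:
                skipped.append((category, name))
                continue
            rules.append(f"rule {rule_name(category, name)}\n{{\n    strings:\n"
                         f"        $re1 = {yara_re}\n    condition:\n        $re1\n}}\n")
    return "".join(rules), skipped

if __name__ == "__main__":
    text, skipped = gotmls_to_yara(SAMPLE_DEFINITIONS)
    print(text)
    print("needs manual rework:", skipped)
```

Patterns reported as skipped still need a hand-written YARA rule, since dropping the backreference silently would change what the rule matches.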

    Thread Starter mybeshoo

    (@mybeshoo)

    BTW may I have a direct URL to your definitions on your website??
    my email is beshoo [at] gmail dot com

  • The topic ‘Where Anti-Malware save the definitions ?’ is closed to new replies.