
Signature detection does not work #12

Open
ghost opened this issue Jul 16, 2015 · 2 comments

Comments

ghost commented Jul 16, 2015

Hi! I've been looking at your code for the past few days and sorry to tell you this but your fingerprint detection method is most definitely broken. I would fix it but it seems like your database is not properly encoded or something. Look at these lines for proof:

Lines 193 and 194 in particular:

for _regex, shellname in self._get_precomputed_fingerprints():
    _match = _regex.findall(_content)

Your _regex here is a base64 string, which would be okay if your signatures were actually all base64 strings found in webshells. But that's not the case. You are never actually decoding these base64 strings. However, when we try to do that, we get padding errors all over the place and junk output; still, we can see bits of the actual signatures in there:

Sample Garbage:

if (!empty($work_dir)) {
/* A workdir has bee
♠3ôù♠ç♠û7↕τ♠ç☻♥≥♠çGG♥ó≥÷67FV▬╥µτV╢╞V÷ΓτW0╨ó22222

   ↓→\ïêï╚ïë↓→\█ZLï        ↓Ü[↓\↓\¢JH☼Å↓¢█↑██←▄ÅI╚╠♀

X-o 6-o X-o O-o L-o e-o x-o R-o 4-o +-o 6-o T-o
╥╥╥╥╥╥╥╥╥╥╨áó☻♦Fû╥♠⌡67&ù@ó☻♦Fû╥♠⌡67&ùDµW@ó☻♦Fû
]╒T═⌐ìÿ╒ß!%òY↔Öä╨σiT┼QIQ4╠╒╣U▒◄ÑÖ╒ß↓ì(╤

How did you generate the database or where did you get it from? Anyway, it most definitely is broken.
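An added example, not code from this issue or from the project, showing how a fingerprint loader could handle base64-packed entries defensively: re-add missing padding, reject decodes that are not printable text (the junk output described above), and otherwise keep the entry as a raw pattern. SAMPLE_ENTRIES, decode_entry and compile_fingerprints are constructed for this illustration; the real database format is not known from this thread.

```python
import base64
import binascii
import re

# Constructed sample entries (not from the real database): two well-formed
# base64-packed patterns, one with its '=' padding stripped, one that is not
# base64 at all, and one base64 blob that decodes to non-text bytes.
SAMPLE_ENTRIES = [
    base64.b64encode(b"eval\\(base64_decode\\(").decode(),
    base64.b64encode(b"if \\(!empty\\(\\$work_dir\\)\\)").decode(),
    base64.b64encode(b"passthru\\(").decode().rstrip("="),
    "preg_replace\\(.*/e",
    base64.b64encode(bytes(range(16))).decode(),
]


def decode_entry(entry):
    """Try to base64-decode one fingerprint entry.

    Returns (status, text): 'decoded' for clean base64, 'padded' when the
    entry only decoded after '=' padding was re-added, 'raw' when it is not
    usable base64 (invalid alphabet, non-ASCII or non-printable result)."""
    candidate = entry.strip()
    padded = candidate + "=" * (-len(candidate) % 4)
    status = "decoded" if padded == candidate else "padded"
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return "raw", candidate
    # A signature is a regex over PHP source, so garbage bytes mean the
    # entry was not really a packed pattern: keep the original string.
    if not text.isprintable():
        return "raw", candidate
    return status, text


def compile_fingerprints(entries):
    """Decode every entry and compile the result as a regex.
    Returns a list of (status, pattern_text, compiled_regex_or_None)."""
    out = []
    for entry in entries:
        status, text = decode_entry(entry)
        try:
            out.append((status, text, re.compile(text)))
        except re.error:
            out.append(("invalid", text, None))  # neither base64 nor a regex
    return out
```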

emposha (Owner) commented Jul 16, 2015

Hi Alexander,
Yes, I know that the fingerprint mechanism has a problem. And when we're talking about the fingerprints by themselves, there's one thing: the db file is packed with base64, but the signatures by themselves are not; it's an entropy that's based on the base64 mechanism. Currently I'm working on a new web version; after that I will take a close look at the Python version. Also, I'm not so sure about Python; maybe I will rewrite it in bash, which is more native for *nix systems.

ghost (Author) commented Jul 16, 2015

Okay, I'm interested because I was thinking of utilizing the database for one of my projects, but I am unable to do so. :( Can you give more information about how the signatures are encoded?
