Browse Source

First commit in GIT.

remotes/forge/master
Benoît S. 6 years ago
commit
291a8137b0
5 changed files with 167 additions and 0 deletions
  1. +9
    -0
      evomalware.filenames
  2. +1
    -0
      evomalware.filenames.md5
  3. +57
    -0
      evomalware.patterns
  4. +1
    -0
      evomalware.patterns.md5
  5. +99
    -0
      evomalware.sh

+ 9
- 0
evomalware.filenames View File

@ -0,0 +1,9 @@
9dh1ke.php|
logoffKa9.php|
abookH2w.php|
sslksZ.php|
rzy2r4.php|
70ggd_shellscript.php|
EWwJgDeNl|
seo_hack_antipidersia.php|
shellscript_pass_dezmond.php

+ 1
- 0
evomalware.filenames.md5 View File

@ -0,0 +1 @@
3d686ed2825040f28b37b8ffe86b302b evomalware.filenames

+ 57
- 0
evomalware.patterns View File

@ -0,0 +1,57 @@
91.239.15.61|
_YM82iAN|
XXRANDOMXX|
_POST..n13e558|
envir0nn@yahoo.com|
\$bogel|
r0nin|
m0rtix|
upl0ad|
r57shell|
c99shell|shellbot|
void\.ru|
phpremoteview|
directmail|
bash_history|
multiviews|
cwings|
vandal|
bitchx|
eggdrop|
guardservices|
psybnc|
dalnet|
undernet|
vulnscan|
spymeta|
raslan58|
Webshell|
FilesMan|
FilesTools|
Web Shell|
ifrm|
bckdrprm|
hackmeplz|
wrgggthhd|
WSOsetcookie|
Hmei7|
Inbox Mass Mailer|
HackTeam|
Hackeado|
Janissaries|
Miyachung|
ccteam|
Adminer|
OOO000000|
\$GLOBALS|
findsysfolder|
makeret\.ru|
c999*sh_surl|
xVebaPURjEzLc|
AQSP|
ANTIPIDERSIA|
uzanc|
xadpritox|
blackboy007|
nacomb13|
Devilzc0de

+ 1
- 0
evomalware.patterns.md5 View File

@ -0,0 +1 @@
2c3d6b95cad8b3a9f0c432dfcd504760 evomalware.patterns

+ 99
- 0
evomalware.sh View File

@ -0,0 +1,99 @@
#!/bin/bash
# EvoMalware, script to detect infected websites.
# You can set aggressive to true to search for suspicions scripts.
aggressive=false
# Path to search for.
wwwpath=/home
# URL to download patterns and filenames.
databaseURL="http://antispam00.evolix.org/evomalware"
databasePATH=/var/lib/evomalware
# Tools.
find="ionice -c3 find"
grep="nice -n 19 grep"
wc="nice -n 19 wc"
wget="wget -q -t 3"
# Various.
fileslist=$(mktemp)
tmpPATH=/tmp/evomalware.tmp
trap "rm -f $fileslist" EXIT
usage() {
cat<<EOT
$0 to search for known malwares.
$0 --aggressive to include suspicions scripts.
EOT
exit 1
}
if [[ "$1" == "--aggressive" ]]; then
aggressive=true
fi
if [[ -n "$1" && "$1" != "--aggressive" ]]; then
usage
fi
# Download last patterns and filenames.
mkdir -p $databasePATH
mkdir -p $tmpPATH
cd $tmpPATH
$wget ${databaseURL}/evomalware.filenames
$wget ${databaseURL}/evomalware.filenames.md5
$wget ${databaseURL}/evomalware.patterns
$wget ${databaseURL}/evomalware.patterns.md5
filenames=$(cat ${databasePATH}/evomalware.filenames | tr -s '\n' '')
patterns=$(cat ${databasePATH}/evomalware.patterns | tr -s '\n' '')
cd $wwwpath
# Search for .php files (less than 1M).
find $wwwpath -type f ! -size +1M -name "*.php" > $fileslist 2>/dev/null
while read file; do
# Search known filenames.
if [[ "$file" =~ $filenames ]]; then
echo "Known malware: $file"
# Search .php files in WP's wp-content/uploads/
elif [[ "$file" =~ "wp-content/uploads/" ]]; then
echo "PHP file in a non-PHP folder detected: $file"
# Count the length of the longest line and search if suspect php functions are used.
elif [[ $($wc -L "$file" | cut -d' ' -f1) -gt 10000 ]]; then
grep -q -E -e base64 -e gzinflate -e eval -e '\\x..\\x..' -e 'chr(rand(' $file
if [[ $? -eq 0 ]]; then
echo "Suspect file! More than 10000 characters in one line (and suspect PHP functions): $file."
fi
else
# Search for patterns.
$grep -H -E -r -l -q "$patterns" "$file" 2>/dev/null
if [[ $? -eq 0 ]]; then
echo "Contains a known malware pattern: $file"
fi
fi
done < $fileslist
# Search for suspicious scripts... Only when in aggressive mode.
if ( $aggressive ); then
$find . -name javascript.php
$find . -name bp.pl
$find . -name tn.php
$find . -name tn.php3
$find . -name tn.phtml
$find . -name tn.txt
$find . -name xm.php
$find . -name logs.php
$find . -type f -name "*.php" -exec sh -c 'cat {} | awk "{ print NF}" | sort -n | tail -1 | tr -d '\\\\n' && echo " : {}"' \; | sort -n | tail -10
$find . -type f -name "*.php" -exec sh -c 'cat {} | awk -Fx "{ print NF}" | sort -n | tail -1 | tr -d '\\\\n' && echo " : {}"' \; | sort -n | tail -10
$grep -r 'ini_set(chr' .
$grep -r 'eval(base64_decode($_POST' .
$grep -r 'eval(gzinflate(' .
$grep -r 'ini_set(.mail.add_x_header' .
$grep -r '@require' .
$grep -r '@ini_set' .
$grep -ri 'error_reporting(0' .
$grep -r base64_decode .
$grep -r codeeclipse .
$grep -r 'eval(' .
$grep -r '\x..\x..' .
$grep -r 'chr(rand(' .
fi

Loading…
Cancel
Save