First commit in GIT.
This commit is contained in:
commit
291a8137b0
@ -0,0 +1,9 @@
|
|||
9dh1ke.php|
|
||||
logoffKa9.php|
|
||||
abookH2w.php|
|
||||
sslksZ.php|
|
||||
rzy2r4.php|
|
||||
70ggd_shellscript.php|
|
||||
EWwJgDeNl|
|
||||
seo_hack_antipidersia.php|
|
||||
shellscript_pass_dezmond.php
|
|
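Review bot: `EWwJgDeNl` has no `.php` suffix, yet the script in this commit only feeds `find -name "*.php"` results into the filename check, so this entry can never match and should either gain its real extension or be dropped. The other entries are consumed as unanchored regex fragments against the full path, so the unescaped `.` matches any character and `abookH2w.php` also hits `myabookH2w.php`; anchoring each entry and escaping the dot (`/abookH2w\.php$`) would make the list precise without losing any intended match.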
@ -0,0 +1 @@
|
|||
3d686ed2825040f28b37b8ffe86b302b evomalware.filenames
|
|
@ -0,0 +1,57 @@
|
|||
91.239.15.61|
|
||||
_YM82iAN|
|
||||
XXRANDOMXX|
|
||||
_POST..n13e558|
|
||||
envir0nn@yahoo.com|
|
||||
\$bogel|
|
||||
r0nin|
|
||||
m0rtix|
|
||||
upl0ad|
|
||||
r57shell|
|
||||
c99shell|shellbot|
|
||||
void\.ru|
|
||||
phpremoteview|
|
||||
directmail|
|
||||
bash_history|
|
||||
multiviews|
|
||||
cwings|
|
||||
vandal|
|
||||
bitchx|
|
||||
eggdrop|
|
||||
guardservices|
|
||||
psybnc|
|
||||
dalnet|
|
||||
undernet|
|
||||
vulnscan|
|
||||
spymeta|
|
||||
raslan58|
|
||||
Webshell|
|
||||
FilesMan|
|
||||
FilesTools|
|
||||
Web Shell|
|
||||
ifrm|
|
||||
bckdrprm|
|
||||
hackmeplz|
|
||||
wrgggthhd|
|
||||
WSOsetcookie|
|
||||
Hmei7|
|
||||
Inbox Mass Mailer|
|
||||
HackTeam|
|
||||
Hackeado|
|
||||
Janissaries|
|
||||
Miyachung|
|
||||
ccteam|
|
||||
Adminer|
|
||||
OOO000000|
|
||||
\$GLOBALS|
|
||||
findsysfolder|
|
||||
makeret\.ru|
|
||||
c999*sh_surl|
|
||||
xVebaPURjEzLc|
|
||||
AQSP|
|
||||
ANTIPIDERSIA|
|
||||
uzanc|
|
||||
xadpritox|
|
||||
blackboy007|
|
||||
nacomb13|
|
||||
Devilzc0de
|
|
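Review bot: Several entries in this list are substrings of legitimate PHP, and the script in this commit consumes the file as one unanchored, case-sensitive ERE alternation (`grep -E "$patterns"`), so they will flag clean sites: `\$GLOBALS` appears throughout WordPress core and most frameworks, `Adminer` is a stock database admin tool, and `multiviews`, `directmail`, `bash_history` and `vandal` are ordinary words. Entries like those should be dropped or tightened to the specific malicious expression (for example the `eval`/`base64_decode` use wrapped around `$GLOBALS`, not the superglobal itself). `c999*sh_surl` is also a regex in which `9*` means zero or more 9s, which is probably not the intended literal; escape it as `c999\*sh_surl` or rewrite it. Since this format has no comment syntax, the consuming script should document that each line is a regex fragment terminated by `|`.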
@ -0,0 +1 @@
|
|||
2c3d6b95cad8b3a9f0c432dfcd504760 evomalware.patterns
|
|
@ -0,0 +1,99 @@
|
|||
#!/bin/bash
|
||||
# EvoMalware, script to detect infected websites.
|
||||
|
||||
# You can set aggressive to true to search for suspicions scripts.
|
||||
aggressive=false
|
||||
# Path to search for.
|
||||
wwwpath=/home
|
||||
# URL to download patterns and filenames.
|
||||
databaseURL="http://antispam00.evolix.org/evomalware"
|
||||
databasePATH=/var/lib/evomalware
|
||||
# Tools.
|
||||
find="ionice -c3 find"
|
||||
grep="nice -n 19 grep"
|
||||
wc="nice -n 19 wc"
|
||||
wget="wget -q -t 3"
|
||||
# Various.
|
||||
fileslist=$(mktemp)
|
||||
tmpPATH=/tmp/evomalware.tmp
|
||||
|
||||
trap "rm -f $fileslist" EXIT
|
||||
|
||||
usage() {
|
||||
cat<<EOT
|
||||
$0 to search for known malwares.
|
||||
$0 --aggressive to include suspicions scripts.
|
||||
EOT
|
||||
exit 1
|
||||
}
|
||||
|
||||
if [[ "$1" == "--aggressive" ]]; then
|
||||
aggressive=true
|
||||
fi
|
||||
if [[ -n "$1" && "$1" != "--aggressive" ]]; then
|
||||
usage
|
||||
fi
|
||||
|
||||
# Download last patterns and filenames.
|
||||
mkdir -p $databasePATH
|
||||
mkdir -p $tmpPATH
|
||||
cd $tmpPATH
|
||||
$wget ${databaseURL}/evomalware.filenames
|
||||
$wget ${databaseURL}/evomalware.filenames.md5
|
||||
$wget ${databaseURL}/evomalware.patterns
|
||||
$wget ${databaseURL}/evomalware.patterns.md5
|
||||
|
||||
filenames=$(cat ${databasePATH}/evomalware.filenames | tr -s '\n' '')
|
||||
patterns=$(cat ${databasePATH}/evomalware.patterns | tr -s '\n' '')
|
||||
|
||||
cd $wwwpath
|
||||
|
||||
# Search for .php files (less than 1M).
|
||||
find $wwwpath -type f ! -size +1M -name "*.php" > $fileslist 2>/dev/null
|
||||
while read file; do
|
||||
# Search known filenames.
|
||||
if [[ "$file" =~ $filenames ]]; then
|
||||
echo "Known malware: $file"
|
||||
# Search .php files in WP's wp-content/uploads/
|
||||
elif [[ "$file" =~ "wp-content/uploads/" ]]; then
|
||||
echo "PHP file in a non-PHP folder detected: $file"
|
||||
# Count the length of the longest line and search if suspect php functions are used.
|
||||
elif [[ $($wc -L "$file" | cut -d' ' -f1) -gt 10000 ]]; then
|
||||
grep -q -E -e base64 -e gzinflate -e eval -e '\\x..\\x..' -e 'chr(rand(' $file
|
||||
if [[ $? -eq 0 ]]; then
|
||||
echo "Suspect file! More than 10000 characters in one line (and suspect PHP functions): $file."
|
||||
fi
|
||||
else
|
||||
# Search for patterns.
|
||||
$grep -H -E -r -l -q "$patterns" "$file" 2>/dev/null
|
||||
if [[ $? -eq 0 ]]; then
|
||||
echo "Contains a known malware pattern: $file"
|
||||
fi
|
||||
fi
|
||||
done < $fileslist
|
||||
|
||||
# Search for suspicious scripts... Only when in aggressive mode.
|
||||
if ( $aggressive ); then
|
||||
$find . -name javascript.php
|
||||
$find . -name bp.pl
|
||||
$find . -name tn.php
|
||||
$find . -name tn.php3
|
||||
$find . -name tn.phtml
|
||||
$find . -name tn.txt
|
||||
$find . -name xm.php
|
||||
$find . -name logs.php
|
||||
$find . -type f -name "*.php" -exec sh -c 'cat {} | awk "{ print NF}" | sort -n | tail -1 | tr -d '\\\\n' && echo " : {}"' \; | sort -n | tail -10
|
||||
$find . -type f -name "*.php" -exec sh -c 'cat {} | awk -Fx "{ print NF}" | sort -n | tail -1 | tr -d '\\\\n' && echo " : {}"' \; | sort -n | tail -10
|
||||
$grep -r 'ini_set(chr' .
|
||||
$grep -r 'eval(base64_decode($_POST' .
|
||||
$grep -r 'eval(gzinflate(' .
|
||||
$grep -r 'ini_set(.mail.add_x_header' .
|
||||
$grep -r '@require' .
|
||||
$grep -r '@ini_set' .
|
||||
$grep -ri 'error_reporting(0' .
|
||||
$grep -r base64_decode .
|
||||
$grep -r codeeclipse .
|
||||
$grep -r 'eval(' .
|
||||
$grep -r '\x..\x..' .
|
||||
$grep -r 'chr(rand(' .
|
||||
fi
|
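Review bot: The two `-exec sh -c '... {} ...'` pipelines in the aggressive branch splice the found path into the command text, so a file under `$wwwpath` whose name contains `$(...)`, backquotes or `;` executes arbitrary commands as the scanning user — exactly the attacker this tool looks for, and the script is evidently meant to run as root since it scans `/home` and writes `/var/lib/evomalware`. Pass the path as a positional argument instead, e.g. `-exec sh -c 'awk "{ print NF }" "$1" | sort -n | tail -1 | tr -d "\n"; echo " : $1"' sh {} \;` (same shape with `awk -Fx` for the second one). Separately, the pattern files are fetched over plain HTTP into the fixed, world-writable-parent `/tmp/evomalware.tmp` but read from `$databasePATH`, which nothing in this hunk populates, and the downloaded `.md5` files are never compared against anything, so neither an integrity check nor the intended update actually happens. `tr -s '\n' ''` is also rejected by GNU tr (empty SET2), so `$filenames` and `$patterns` end up empty, at which point `[[ "$file" =~ $filenames ]]` matches every path and the whole tree is reported as known malware; use `tr -d '\n'` and abort if the pattern file is missing or empty. The `while read file` loop should use `IFS= read -r` and quote `"$file"` in the `grep` on the long-line branch.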