From 291a8137b0743395842808f17461fce215a8b00b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?=
Date: Wed, 21 Jan 2015 10:16:41 +0100
Subject: [PATCH] First commit in GIT.

---
evomalware.filenames | 9 ++++
evomalware.filenames.md5 | 1 +
evomalware.patterns | 57 +++++++++++++++++++++++
evomalware.patterns.md5 | 1 +
evomalware.sh | 99 ++++++++++++++++++++++++++++++++++++++++
5 files changed, 167 insertions(+)
create mode 100644 evomalware.filenames
create mode 100644 evomalware.filenames.md5
create mode 100644 evomalware.patterns
create mode 100644 evomalware.patterns.md5
create mode 100644 evomalware.sh
diff --git a/evomalware.filenames b/evomalware.filenames
new file mode 100644
index 0000000..5f1a0e3
--- /dev/null
+++ b/evomalware.filenames
@@ -0,0 +1,9 @@
+9dh1ke.php|
+logoffKa9.php|
+abookH2w.php|
+sslksZ.php|
+rzy2r4.php|
+70ggd_shellscript.php|
+EWwJgDeNl|
+seo_hack_antipidersia.php|
+shellscript_pass_dezmond.php
\ No newline at end of file
diff --git a/evomalware.filenames.md5 b/evomalware.filenames.md5
new file mode 100644
index 0000000..c3337b3
--- /dev/null
+++ b/evomalware.filenames.md5
@@ -0,0 +1 @@
+3d686ed2825040f28b37b8ffe86b302b evomalware.filenames
diff --git a/evomalware.patterns b/evomalware.patterns
new file mode 100644
index 0000000..7246867
--- /dev/null
+++ b/evomalware.patterns
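Review bot: These entries are consumed as an extended regular expression (`[[ "$file" =~ $filenames ]]` in evomalware.sh), so the unescaped `.` in `9dh1ke.php` and the other `.php` names matches any character, and nothing anchors the alternation to the end of the path, so a longer unrelated name that merely contains one of these strings is reported as known malware. Write the dots escaped, `9dh1ke\.php|`, and, if `$file` is a full path as the `find` output suggests, anchor to the basename with `/9dh1ke\.php$`. The same unescaped-dot issue is in `91.239.15.61` in evomalware.patterns, which is inconsistent with the escaped `void\.ru` and `makeret\.ru` in that list.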
@@ -0,0 +1,57 @@
+91.239.15.61|
+_YM82iAN|
+XXRANDOMXX|
+_POST..n13e558|
+envir0nn@yahoo.com|
+\$bogel|
+r0nin|
+m0rtix|
+upl0ad|
+r57shell|
+c99shell|shellbot|
+void\.ru|
+phpremoteview|
+directmail|
+bash_history|
+multiviews|
+cwings|
+vandal|
+bitchx|
+eggdrop|
+guardservices|
+psybnc|
+dalnet|
+undernet|
+vulnscan|
+spymeta|
+raslan58|
+Webshell|
+FilesMan|
+FilesTools|
+Web Shell|
+ifrm|
+bckdrprm|
+hackmeplz|
+wrgggthhd|
+WSOsetcookie|
+Hmei7|
+Inbox Mass Mailer|
+HackTeam|
+Hackeado|
+Janissaries|
+Miyachung|
+ccteam|
+Adminer|
+OOO000000|
+\$GLOBALS|
+findsysfolder|
+makeret\.ru|
+c999*sh_surl|
+xVebaPURjEzLc|
+AQSP|
+ANTIPIDERSIA|
+uzanc|
+xadpritox|
+blackboy007|
+nacomb13|
+Devilzc0de
\ No newline at end of file
diff --git a/evomalware.patterns.md5 b/evomalware.patterns.md5
new file mode 100644
index 0000000..4d93f52
--- /dev/null
+++ b/evomalware.patterns.md5
@@ -0,0 +1 @@
+2c3d6b95cad8b3a9f0c432dfcd504760 evomalware.patterns
diff --git a/evomalware.sh b/evomalware.sh
new file mode 100644
index 0000000..f58b6a5
--- /dev/null
+++ b/evomalware.sh
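Review bot: `c999*sh_surl` is passed to `grep -E` (`$grep -H -E ... "$patterns"` in evomalware.sh), where `9*` is a quantifier, so the entry matches `c99sh_surl`, `c999sh_surl` and `c9999sh_surl`; if that is the intent it should be written deliberately as `c999?sh_surl` or similar, and if a literal `*` was meant it must be `c999\*sh_surl`. Short generic tokens such as `Adminer`, `\$GLOBALS`, `bash_history`, `multiviews`, `directmail` and `vandal` are likely to occur in legitimate PHP code or documentation and will be reported with the same "Contains a known malware pattern" message as the specific webshell signatures, so they would be better kept in a separate lower-confidence list or qualified with more context.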
@@ -0,0 +1,99 @@
+#!/bin/bash
+# EvoMalware, script to detect infected websites.
+
+# You can set aggressive to true to search for suspicions scripts.
+aggressive=false
+# Path to search for.
+wwwpath=/home
+# URL to download patterns and filenames.
+databaseURL="http://antispam00.evolix.org/evomalware"
+databasePATH=/var/lib/evomalware
+# Tools.
+find="ionice -c3 find"
+grep="nice -n 19 grep"
+wc="nice -n 19 wc"
+wget="wget -q -t 3"
+# Various.
+fileslist=$(mktemp)
+tmpPATH=/tmp/evomalware.tmp
+
+trap "rm -f $fileslist" EXIT
+
+usage() {
+    cat< $fileslist 2>/dev/null
+while read file; do
+    # Search known filenames.
+    if [[ "$file" =~ $filenames ]]; then
+        echo "Known malware: $file"
+    # Search .php files in WP's wp-content/uploads/
+    elif [[ "$file" =~ "wp-content/uploads/" ]]; then
+        echo "PHP file in a non-PHP folder detected: $file"
+    # Count the length of the longest line and search if suspect php functions are used.
+    elif [[ $($wc -L "$file" | cut -d' ' -f1) -gt 10000 ]]; then
+        grep -q -E -e base64 -e gzinflate -e eval -e '\\x..\\x..' -e 'chr(rand(' $file
+        if [[ $? -eq 0 ]]; then
+            echo "Suspect file! More than 10000 characters in one line (and suspect PHP functions): $file."
+        fi
+    else
+        # Search for patterns.
+        $grep -H -E -r -l -q "$patterns" "$file" 2>/dev/null
+        if [[ $? -eq 0 ]]; then
+            echo "Contains a known malware pattern: $file"
+        fi
+    fi
+done < $fileslist
+
+# Search for suspicious scripts... Only when in aggressive mode.
+if ( $aggressive ); then
+    $find . -name javascript.php
+    $find . -name bp.pl
+    $find . -name tn.php
+    $find . -name tn.php3
+    $find . -name tn.phtml
+    $find . -name tn.txt
+    $find . -name xm.php
+    $find . -name logs.php
+    $find . -type f -name "*.php" -exec sh -c 'cat {} | awk "{ print NF}" | sort -n | tail -1 | tr -d '\\\\n' && echo " : {}"' \; | sort -n | tail -10
+    $find . -type f -name "*.php" -exec sh -c 'cat {} | awk -Fx "{ print NF}" | sort -n | tail -1 | tr -d '\\\\n' && echo " : {}"' \; | sort -n | tail -10
+    $grep -r 'ini_set(chr' .
+    $grep -r 'eval(base64_decode($_POST' .
+    $grep -r 'eval(gzinflate(' .
+    $grep -r 'ini_set(.mail.add_x_header' .
+    $grep -r '@require' .
+    $grep -r '@ini_set' .
+    $grep -ri 'error_reporting(0' .
+    $grep -r base64_decode .
+    $grep -r codeeclipse .
+    $grep -r 'eval(' .
+    $grep -r '\x..\x..' .
+    $grep -r 'chr(rand(' .
+fi
\ No newline at end of file
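Review bot: The two `-exec sh -c '... {} ...'` lines in the aggressive block splice each file name found under the web root into a shell command string, so a name containing shell metacharacters is interpreted by `sh` with the scanner's privileges; pass the name as an argument instead, `-exec sh -c 'awk "{ print NF}" "$1" | sort -n | tail -1 | tr -d "\n" && echo " : $1"' sh {} \;` (and the same with `awk -Fx` on the second line), which also removes the useless `cat`. The main loop has the related weakness that `while read file; do` neither sets `IFS=` nor uses `-r`, and the inner `grep -q -E ... $file` leaves `$file` unquoted, so paths with leading blanks, backslashes or spaces are mangled or word-split; use `while IFS= read -r file; do` and `"$file"`, and run that grep through `$grep` like the other calls. The `usage()` heredoc and the `find` that fills `$fileslist` are not legible in this rendering, so the download step itself cannot be reviewed here. What is visible is that `databaseURL` is plain `http://` and `tmpPATH` is a fixed name under `/tmp`: the `.md5` sidecars served from the same origin only catch a truncated transfer, not a modified one, and a fixed temp name can be pre-created by another local user, so prefer `https://` if the server offers it and `mktemp` as already done for `fileslist`.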