Added md5sums and Makefile to generate md5 files.
This commit is contained in:
parent
291a8137b0
commit
f1e6f7afc8
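--- /dev/null
+++ b/Makefile
@@ -0,0 +1,9 @@
+TARGET = md5
+
+all: $(TARGET)
+
+md5:
+md5sum evomalware.filenames > evomalware.filenames.md5
+md5sum evomalware.patterns > evomalware.patterns.md5
+clean:
+rm *.md5 || exit 0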
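Review bot: `rm *.md5 || exit 0` in the `clean` recipe masks a failing rm in an unusual way; each recipe line runs in its own shell, so `exit 0` only ends that line's shell, and the conventional form is `rm -f *.md5` (or a leading `-` on the recipe line). None of `all`, `md5` or `clean` produces a file of its own name, so `md5` is rerun on every invocation; a `.PHONY: all md5 clean` line makes that intent explicit. Since these checksums are what the download script later verifies, a one-line header such as `# Regenerates the .md5 sidecars the download script checks; md5 here catches corruption, not tampering.` would tell a maintainer what the sidecars do and do not guarantee.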
@ -43,7 +43,6 @@ Miyachung|
|
|||
ccteam|
|
||||
Adminer|
|
||||
OOO000000|
|
||||
\$GLOBALS|
|
||||
findsysfolder|
|
||||
makeret\.ru|
|
||||
c999*sh_surl|
|
||||
|
|
|
@ -1 +1 @@
|
|||
2c3d6b95cad8b3a9f0c432dfcd504760 evomalware.patterns
|
||||
0ed10460b6e8178f244063877aeb030d evomalware.patterns
|
||||
|
|
|
@ -4,10 +4,10 @@
|
|||
# You can set aggressive to true to search for suspicions scripts.
|
||||
aggressive=false
|
||||
# Path to search for.
|
||||
wwwpath=/home
|
||||
wwwpath=/localhome/bserie/CVS/scripts/scripts
|
||||
# URL to download patterns and filenames.
|
||||
databaseURL="http://antispam00.evolix.org/evomalware"
|
||||
databasePATH=/var/lib/evomalware
|
||||
databasePATH=/tmp/lib/evomalware
|
||||
# Tools.
|
||||
find="ionice -c3 find"
|
||||
grep="nice -n 19 grep"
|
||||
|
@ -17,7 +17,7 @@ wget="wget -q -t 3"
|
|||
fileslist=$(mktemp)
|
||||
tmpPATH=/tmp/evomalware.tmp
|
||||
|
||||
trap "rm -f $fileslist" EXIT
|
||||
trap "rm -rf $fileslist $tmpPATH" EXIT
|
||||
|
||||
usage() {
|
||||
cat<<EOT
|
||||
|
@ -40,13 +40,22 @@ mkdir -p $tmpPATH
|
|||
cd $tmpPATH
|
||||
$wget ${databaseURL}/evomalware.filenames
|
||||
$wget ${databaseURL}/evomalware.filenames.md5
|
||||
if md5sum --quiet -c evomalware.filenames.md5; then
|
||||
cp evomalware.filenames ${databasePATH}/
|
||||
else
|
||||
echo "Error with ${databaseURL}/evomalware.filenames, wrong md5sum!"
|
||||
exit 1
|
||||
fi
|
||||
$wget ${databaseURL}/evomalware.patterns
|
||||
$wget ${databaseURL}/evomalware.patterns.md5
|
||||
|
||||
filenames=$(cat ${databasePATH}/evomalware.filenames | tr -s '\n' '')
|
||||
patterns=$(cat ${databasePATH}/evomalware.patterns | tr -s '\n' '')
|
||||
|
||||
cd $wwwpath
|
||||
if md5sum --quiet -c evomalware.patterns.md5; then
|
||||
cp evomalware.patterns ${databasePATH}/
|
||||
else
|
||||
echo "Error with ${databaseURL}/evomalware.patterns, wrong md5sum!"
|
||||
exit 1
|
||||
fi
|
||||
filenames=$(cat ${databasePATH}/evomalware.filenames | tr -d '\n')
|
||||
patterns=$(cat ${databasePATH}/evomalware.patterns | tr -d '\n')
|
||||
|
||||
# Search for .php files (less than 1M).
|
||||
find $wwwpath -type f ! -size +1M -name "*.php" > $fileslist 2>/dev/null
|
||||
|
@ -58,10 +67,10 @@ while read file; do
|
|||
elif [[ "$file" =~ "wp-content/uploads/" ]]; then
|
||||
echo "PHP file in a non-PHP folder detected: $file"
|
||||
# Count the length of the longest line and search if suspect php functions are used.
|
||||
elif [[ $($wc -L "$file" | cut -d' ' -f1) -gt 10000 ]]; then
|
||||
grep -q -E -e base64 -e gzinflate -e eval -e '\\x..\\x..' -e 'chr(rand(' $file
|
||||
elif [[ $($wc -L "$file" | cut -d' ' -f1) -gt 1000 ]]; then
|
||||
grep -q -E -e base64 -e gzinflate -e eval -e '\\x..\\x..' -e 'chr\(rand\(' $file
|
||||
if [[ $? -eq 0 ]]; then
|
||||
echo "Suspect file! More than 10000 characters in one line (and suspect PHP functions): $file."
|
||||
echo "Suspect file! More than 1000 characters in one line (and suspect PHP functions): $file."
|
||||
fi
|
||||
else
|
||||
# Search for patterns.
|
||||
|
@ -74,6 +83,7 @@ done < $fileslist
|
|||
|
||||
# Search for suspicious scripts... Only when in aggressive mode.
|
||||
if ( $aggressive ); then
|
||||
cd $wwwpath
|
||||
$find . -name javascript.php
|
||||
$find . -name bp.pl
|
||||
$find . -name tn.php
|
||||
|
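Review bot: The new `if md5sum --quiet -c evomalware.filenames.md5` and `evomalware.patterns.md5` checks fetch the checksum from the same plain-http `${databaseURL}` as the list they verify, so they detect a truncated or corrupted download but not a substituted one — a party able to alter the transfer can alter both files consistently, and the lists then go into `${databasePATH}` and `$patterns` unchanged. That limit should be stated at the first check, e.g. `# NOTE: the .md5 is served by the same host over http: this guards against corruption, not tampering; use https or a detached signature for authenticity.` The `cd $tmpPATH` on that hunk's first context line is unchecked, so if it fails the downloads, copies and checks run in whatever the current directory happens to be; `cd "$tmpPATH" || exit 1` closes that. Separately, in the first hunk `wwwpath=/localhome/bserie/CVS/scripts/scripts` and `databasePATH=/tmp/lib/evomalware` read as local test values and, if they are the new side (the add/remove markers are not visible here), should not ship in a checksum commit. The enclosing script continues outside the hunks.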
|