EvoMalware, shell script to detect infected websites.


  1. #!/bin/bash
  2. # EvoMalware, script to detect infected websites.
  3. # You can set aggressive to true to search for suspicions scripts.
  4. aggressive=false
  5. # Path to search for.
  6. wwwpath=/home
  7. # URL to download patterns and filenames.
  8. databaseURL="http://antispam00.evolix.org/evomalware"
  9. databasePATH=/var/lib/evomalware
  10. whitelistLocal="${databasePATH}/evomalware.whitelist.local"
  11. # Tools.
  12. find="ionice -c3 find -O3"
  13. grep="nice -n 19 grep"
  14. wc="nice -n 19 wc"
  15. wget="wget -q -t 3"
  16. md5sum="md5sum --status -c"
  17. # Various.
  18. fileslist=$(mktemp)
  19. tmpPATH=/tmp/evomalware.tmp
  20. trap "rm -rf $fileslist $tmpPATH" EXIT
#######################################
# Print the two-line usage text on stdout and exit with status 1.
# Globals:   $0 (read)
# Arguments: none
# Outputs:   usage text to stdout
# Returns:   never returns; exits 1
#######################################
usage() {
  printf '%s to search for known malwares.\n%s --aggressive to include suspicions scripts.\n' "$0" "$0"
  exit 1
}
# A single optional flag is accepted; any other argument prints usage and exits.
case "${1:-}" in
  --aggressive) aggressive=true ;;
  "") ;;
  *) usage ;;
esac
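# Download last patterns and filenames.
mkdir -p -- "$databasePATH" "$tmpPATH" || exit 1
# Every fetch below writes into the current directory, so a failed cd must
# abort instead of dropping files wherever the script was started from.
cd -- "$tmpPATH" || exit 1
[ -f "$whitelistLocal" ] || touch -- "$whitelistLocal"
for file in evomalware.filenames evomalware.patterns evomalware.whitelist evomalware.suspect; do
  # A failed download used to surface only as a checksum error; report the
  # real cause.
  if ! $wget "${databaseURL}/${file}" || ! $wget "${databaseURL}/${file}.md5"; then
    echo "Error downloading ${databaseURL}/${file} (or its .md5)!" >&2
    exit 1
  fi
  # ${file}.md5 lists the expected digest of ${file}; both come from the same
  # server, so this guards against corrupt transfers, not against tampering.
  if $md5sum "${file}.md5"; then
    cp -- "$file" "${databasePATH}/"
  else
    echo "Error with ${databaseURL}/${file}, wrong md5sum!"
    exit 1
  fi
done
# Each list is flattened onto one line and used as an extended regex.
# NOTE(review): the lists' exact format is not visible here (presumably one
# alternative per line, joined with '|' — confirm). An empty list would become
# the empty regex, which matches everything, so refuse to scan with one.
filenames=$(tr -d '\n' < "${databasePATH}/evomalware.filenames")
patterns=$(tr -d '\n' < "${databasePATH}/evomalware.patterns")
whitelist=$(cat "${databasePATH}/evomalware.whitelist" "$whitelistLocal" | tr -d '\n')
suspect=$(tr -d '\n' < "${databasePATH}/evomalware.suspect")
for name in filenames patterns suspect; do
  if [[ -z "${!name}" ]]; then
    echo "Error: ${databasePATH}/evomalware.${name} is empty, refusing to scan." >&2
    exit 1
  fi
done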
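# Search for .php and .js files (less than 1M).
# -print is attached to the file branches only: without it find applies an
# implicit -print to the whole expression and also lists the pruned
# evobackup directory itself. Permission errors from find are silenced;
# a broken whitelist regex (grep error) is not, since it would otherwise
# silently empty the file list.
find "$wwwpath" -name evobackup -prune \
  -o \( -type f ! -size +1M -name "*.php" -print \) \
  -o \( -type f ! -size +1M -name "*.js" -print \) 2>/dev/null \
  | if [[ -n "$whitelist" ]]; then grep -E -v -- "$whitelist"; else cat; fi > "$fileslist"
# IFS= / -r: keep leading/trailing blanks and backslashes in paths intact.
while IFS= read -r file; do
  # Search known filenames ($filenames is a regex from the downloaded list).
  if [[ "$file" =~ $filenames ]]; then
    echo "Known malware: $file"
  # Search .php files in WP's wp-content/uploads/
  elif [[ "$file" =~ "wp-content/uploads/" ]]; then
    echo "PHP file in a non-PHP folder detected: $file"
  # Count the length of the longest line and search if suspect php functions are used.
  elif [[ $($wc -L -- "$file" 2>/dev/null | cut -d' ' -f1) -gt 10000 ]]; then
    # Don't suspect "one line" .js file due to common minification
    # (checked first so the grep is skipped for them).
    if [[ ! "$file" =~ \.js$ ]] && grep -q -E -- "$suspect" "$file"; then
      echo "Suspect file! More than 10000 characters in one line (and suspect PHP functions): $file."
    fi
  else
    # Search for patterns.
    if $grep -E -q -- "$patterns" "$file" 2>/dev/null; then
      echo "Contains a known malware pattern: $file"
    fi
  fi
done < "$fileslist"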
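# Search for suspicious scripts... Only when in aggressive mode.
if [[ "$aggressive" == true ]]; then
  cd -- "$wwwpath" || exit 1
  # Well-known dropper/backdoor file names.
  for name in javascript.php bp.pl tn.php tn.php3 tn.phtml tn.txt xm.php logs.php; do
    $find . -name "$name"
  done
  # Top 10 .php files by number of fields on their busiest line, split on
  # whitespace and then on the letter 'x'. The path is passed to sh as "$1"
  # instead of being substituted into the command text: whoever can drop a
  # file into the web root also chooses its name, and a name containing shell
  # metacharacters would otherwise be executed by the scanner.
  $find . -type f -name "*.php" -exec sh -c 'awk "{ print NF}" "$1" | sort -n | tail -1 | tr -d "\n" && echo " : $1"' sh {} \; | sort -n | tail -10
  $find . -type f -name "*.php" -exec sh -c 'awk -Fx "{ print NF}" "$1" | sort -n | tail -1 | tr -d "\n" && echo " : $1"' sh {} \; | sort -n | tail -10
  # Basic-regex greps for common obfuscation idioms (patterns unchanged).
  $grep -r 'ini_set(chr' .
  $grep -r 'eval(base64_decode($_POST' .
  $grep -r 'eval(gzinflate(' .
  $grep -r 'ini_set(.mail.add_x_header' .
  $grep -r '@require' .
  $grep -r '@ini_set' .
  $grep -ri 'error_reporting(0' .
  $grep -r base64_decode .
  $grep -r codeeclipse .
  $grep -r 'eval(' .
  $grep -r '\x..\x..' .
  $grep -r 'chr(rand(' .
fi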