EvoMalware, shell script to detect infected websites.

evomalware.sh 3.8KB

  1. #!/bin/bash
  2. # EvoMalware, script to detect infected websites.
  3. # You can set aggressive to true to search for suspicions scripts.
  4. aggressive=false
  5. # Path to search for.
  6. wwwpath=/home
  7. # URL to download patterns and filenames.
  8. databaseURL="http://antispam00.evolix.org/evomalware"
  9. databasePATH=/var/lib/evomalware
  10. whitelistLocal="${databasePATH}/evomalware.whitelist.local"
  11. # Tools.
  12. find="ionice -c3 find -O3"
  13. grep="nice -n 19 grep"
  14. wc="nice -n 19 wc"
  15. wget="wget -q -t 3"
  16. md5sum="md5sum --status -c"
  17. # Various.
  18. fileslist=$(mktemp)
  19. tmpPATH=/tmp/evomalware.tmp
  20. trap "rm -rf $fileslist $tmpPATH" EXIT
# Print the command-line synopsis and leave with status 1.
# Arguments: none ($0 is used as the program name).
# Outputs:   the two synopsis lines on stdout.
usage() {
  printf '%s to search for known malwares.\n' "$0"
  printf '%s --aggressive to include suspicions scripts.\n' "$0"
  exit 1
}
# Command line: the only accepted option is --aggressive; any other argument
# (including --help) prints the synopsis and exits.  Extra arguments after
# the first are ignored.
case "$1" in
  --aggressive) aggressive=true ;;
  "")           ;;
  *)            usage ;;
esac
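# Download last patterns and filenames.
mkdir -p -- "$databasePATH" "$tmpPATH"
# Never keep going in whatever directory we happened to start in: every
# relative path below would then be resolved there.
cd -- "$tmpPATH" || exit 1
[[ -f "$whitelistLocal" ]] || touch -- "$whitelistLocal"
for file in evomalware.filenames evomalware.patterns evomalware.whitelist evomalware.suspect; do
  # -O pins the output name.  Without it wget leaves a pre-existing "$file"
  # alone and stores the download as "$file.1", so the checksum would be
  # verified against whatever was already sitting in the directory.
  $wget -O "$file" "${databaseURL}/${file}"
  $wget -O "${file}.md5" "${databaseURL}/${file}.md5"
  # The .md5 comes from the same unauthenticated HTTP source, so this only
  # detects a truncated or corrupted transfer, not a tampered feed.
  if $md5sum -- "${file}.md5"; then
    cp -- "$file" "${databasePATH}/"
  else
    echo "Error with ${databaseURL}/${file}, wrong md5sum!" >&2
    exit 1
  fi
done
# Join each list into a single regex (tr drops the line breaks).  These are
# used as-is with grep -E and [[ =~ ]], so whoever controls the feed controls
# the regexes.
filenames=$(tr -d '\n' < "${databasePATH}/evomalware.filenames")
patterns=$(tr -d '\n' < "${databasePATH}/evomalware.patterns")
whitelist=$(cat -- "${databasePATH}/evomalware.whitelist" "$whitelistLocal" | tr -d '\n')
suspect=$(tr -d '\n' < "${databasePATH}/evomalware.suspect")
# An empty list becomes the empty regex, which matches everything and would
# report every scanned file as malware.  Refuse to scan with such a feed.
for name in filenames patterns suspect; do
  if [[ -z "${!name}" ]]; then
    echo "Error: ${databasePATH}/evomalware.${name} is empty, refusing to scan." >&2
    exit 1
  fi
done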
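# Search for .php and .js files (less than 1M).
# Candidate paths are NUL-separated from find right through to the read loop,
# so a file name containing a newline (trivial to create inside a web root)
# cannot be split into two bogus entries.  The explicit -print0 on the file
# branches also keeps the pruned "evobackup" directories themselves out of the
# list: with no action given, find's implicit print would emit them too.
list_candidates() {
  $find "$wwwpath" -name evobackup -prune \
    -o \( -type f ! -size +1M -name "*.php" -print0 \) \
    -o \( -type f ! -size +1M -name "*.js" -print0 \)
}
if [[ -n "$whitelist" ]]; then
  list_candidates | $grep -z -E -v -- "$whitelist" > "$fileslist"
else
  # grep -v '' would drop every candidate; an empty whitelist has to mean
  # "exclude nothing" instead.
  list_candidates > "$fileslist"
fi
# Length in characters of the longest line of $1 (0 if it cannot be read).
longest_line() {
  local len
  len=$($wc -L -- "$1" 2>/dev/null | cut -d' ' -f1)
  echo "${len:-0}"
}
while IFS= read -r -d '' file; do
  # Search known filenames ($filenames is a regex taken from the feed).
  if [[ "$file" =~ $filenames ]]; then
    echo "Known malware: $file"
  # Search .php files in WP's wp-content/uploads/ -- that directory holds
  # uploaded media, so PHP there is reported as such.  .js files under
  # uploads/ go through the generic checks below instead.
  elif [[ "$file" == *wp-content/uploads/*.php ]]; then
    echo "PHP file in a non-PHP folder detected: $file"
  else
    reported=false
    # Count the length of the longest line and search if suspect php functions
    # are used.  Minified .js is legitimately one long line, so it is never
    # reported on that basis (its line length is not even measured).
    if [[ "$file" != *.js ]] && (( $(longest_line "$file") > 10000 )) \
        && $grep -q -E -- "$suspect" "$file" 2>/dev/null; then
      echo "Suspect file! More than 10000 characters in one line (and suspect PHP functions): $file."
      reported=true
    fi
    # Search for patterns.  This also runs for files that went through the
    # long-line heuristic without being reported, so a packed file that still
    # carries a known signature is not silently skipped.
    if [[ "$reported" == false ]] && $grep -q -E -- "$patterns" "$file" 2>/dev/null; then
      echo "Contains a known malware pattern: $file"
    fi
  fi
done < "$fileslist"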
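# Search for suspicious scripts... Only when in aggressive mode.
# Everything below is a heuristic: expect hits in legitimate code (eval(,
# base64_decode) and review them by hand.
if [[ "$aggressive" == true ]]; then
  cd -- "$wwwpath" || exit 1
  # Specific file names to look for.
  for name in javascript.php bp.pl tn.php tn.php3 tn.phtml tn.txt xm.php logs.php; do
    $find . -name "$name"
  done
  # Largest number of fields on any line of $2, splitting on $1 ("" keeps
  # awk's default whitespace split).  Prints 0 for an empty file.
  max_fields() {
    awk -v fs="$1" 'BEGIN { if (fs != "") FS = fs } NF > max { max = NF } END { print max + 0 }' "$2"
  }
  # Print "<max fields> : <path>" for the ten PHP files with the most fields
  # per line.  The path is handed to awk as an argument and never spliced
  # into a shell command string: a crafted file name under the web root
  # (e.g. one containing $(...) or backticks) must not be able to run
  # commands as the user doing the scan.
  top_field_counts() {
    local f
    while IFS= read -r -d '' f; do
      printf '%s : %s\n' "$(max_fields "$1" "$f")" "$f"
    done < <($find . -type f -name "*.php" -print0) | sort -n | tail -10
  }
  # First pass splits on whitespace; the second on the letter "x"
  # (presumably to surface long runs of \xNN hex escapes -- TODO confirm).
  top_field_counts ""
  top_field_counts x
  $grep -r -- 'ini_set(chr' .
  $grep -r -- 'eval(base64_decode($_POST' .
  $grep -r -- 'eval(gzinflate(' .
  $grep -r -- 'ini_set(.mail.add_x_header' .
  $grep -r -- '@require' .
  $grep -r -- '@ini_set' .
  $grep -ri -- 'error_reporting(0' .
  $grep -r -- base64_decode .
  $grep -r -- codeeclipse .
  $grep -r -- 'eval(' .
  # Two consecutive \x.. escapes.  The backslash has to be escaped itself:
  # an unescaped \x is not a valid basic-regex escape and GNU grep treats it
  # as a plain x.
  $grep -r -- '\\x..\\x..' .
  $grep -r -- 'chr(rand(' .
fi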