115 lines
3.8 KiB
Bash
115 lines
3.8 KiB
Bash
#!/bin/bash
|
|
# EvoMalware, script to detect infected websites.
|
|
|
|
# You can set aggressive to true to search for suspicions scripts.
|
|
aggressive=false
|
|
# Path to search for.
|
|
wwwpath=/home
|
|
# URL to download patterns and filenames.
|
|
databaseURL="http://antispam00.evolix.org/evomalware"
|
|
databasePATH=/var/lib/evomalware
|
|
whitelistLocal="${databasePATH}/evomalware.whitelist.local"
|
|
# Tools.
|
|
find="ionice -c3 find -O3"
|
|
grep="nice -n 19 grep"
|
|
wc="nice -n 19 wc"
|
|
wget="wget -q -t 3"
|
|
md5sum="md5sum --status -c"
|
|
# Various.
|
|
fileslist=$(mktemp)
|
|
tmpPATH=/tmp/evomalware.tmp
|
|
|
|
trap "rm -rf $fileslist $tmpPATH" EXIT
|
|
|
|
usage() {
|
|
cat<<EOT
|
|
$0 to search for known malwares.
|
|
$0 --aggressive to include suspicions scripts.
|
|
EOT
|
|
exit 1
|
|
}
|
|
|
|
if [[ "$1" == "--aggressive" ]]; then
|
|
aggressive=true
|
|
fi
|
|
if [[ -n "$1" && "$1" != "--aggressive" ]]; then
|
|
usage
|
|
fi
|
|
|
|
# Download last patterns and filenames.
|
|
mkdir -p $databasePATH
|
|
mkdir -p $tmpPATH
|
|
cd $tmpPATH
|
|
[ -f $whitelistLocal ] || touch $whitelistLocal
|
|
for file in evomalware.filenames evomalware.patterns evomalware.whitelist evomalware.suspect; do
|
|
$wget ${databaseURL}/${file}
|
|
$wget ${databaseURL}/${file}.md5
|
|
if $md5sum ${file}.md5; then
|
|
cp $file ${databasePATH}/
|
|
else
|
|
echo "Error with ${databaseURL}/${file}, wrong md5sum!"
|
|
exit 1
|
|
fi
|
|
done
|
|
filenames=$(cat ${databasePATH}/evomalware.filenames | tr -d '\n')
|
|
patterns=$(cat ${databasePATH}/evomalware.patterns | tr -d '\n')
|
|
whitelist=$(cat ${databasePATH}/evomalware.whitelist $whitelistLocal | tr -d '\n')
|
|
suspect=$(cat ${databasePATH}/evomalware.suspect | tr -d '\n')
|
|
|
|
# Search for .php and .js files (less than 1M).
|
|
find $wwwpath -name evobackup -prune \
|
|
-o \( -type f ! -size +1M -name "*.php" \) \
|
|
-o \( -type f ! -size +1M -name "*.js" \) \
|
|
| grep -E -v "$whitelist" > $fileslist 2>/dev/null
|
|
while read file; do
|
|
# Search known filenames.
|
|
if [[ "$file" =~ $filenames ]]; then
|
|
echo "Known malware: $file"
|
|
# Search .php files in WP's wp-content/uploads/
|
|
elif [[ "$file" =~ "wp-content/uploads/" ]]; then
|
|
echo "PHP file in a non-PHP folder detected: $file"
|
|
# Count the length of the longest line and search if suspect php functions are used.
|
|
elif [[ $($wc -L "$file" 2>/dev/null | cut -d' ' -f1) -gt 10000 ]]; then
|
|
grep -q -E "$suspect" "$file"
|
|
if [[ $? -eq 0 ]]; then
|
|
# Don't suspect "one line" .js file due to common minification.
|
|
if [[ ! "$file" =~ .js$ ]]; then
|
|
echo "Suspect file! More than 10000 characters in one line (and suspect PHP functions): $file."
|
|
fi
|
|
fi
|
|
else
|
|
# Search for patterns.
|
|
$grep -H -E -r -l -q "$patterns" "$file" 2>/dev/null
|
|
if [[ $? -eq 0 ]]; then
|
|
echo "Contains a known malware pattern: $file"
|
|
fi
|
|
fi
|
|
done < $fileslist
|
|
|
|
# Search for suspicious scripts... Only when in aggressive mode.
|
|
if ( $aggressive ); then
|
|
cd $wwwpath
|
|
$find . -name javascript.php
|
|
$find . -name bp.pl
|
|
$find . -name tn.php
|
|
$find . -name tn.php3
|
|
$find . -name tn.phtml
|
|
$find . -name tn.txt
|
|
$find . -name xm.php
|
|
$find . -name logs.php
|
|
$find . -type f -name "*.php" -exec sh -c 'cat {} | awk "{ print NF}" | sort -n | tail -1 | tr -d '\\\\n' && echo " : {}"' \; | sort -n | tail -10
|
|
$find . -type f -name "*.php" -exec sh -c 'cat {} | awk -Fx "{ print NF}" | sort -n | tail -1 | tr -d '\\\\n' && echo " : {}"' \; | sort -n | tail -10
|
|
$grep -r 'ini_set(chr' .
|
|
$grep -r 'eval(base64_decode($_POST' .
|
|
$grep -r 'eval(gzinflate(' .
|
|
$grep -r 'ini_set(.mail.add_x_header' .
|
|
$grep -r '@require' .
|
|
$grep -r '@ini_set' .
|
|
$grep -ri 'error_reporting(0' .
|
|
$grep -r base64_decode .
|
|
$grep -r codeeclipse .
|
|
$grep -r 'eval(' .
|
|
$grep -r '\x..\x..' .
|
|
$grep -r 'chr(rand(' .
|
|
fi
|