evomalware/evomalware.sh
Romain Dessort 888d644b6a Add support for local whitelist
Since the whitelist file is re-downloaded on each script execution, we
cannot define our own paths to exclude from the scan.
This commit introduces an evomalware.whitelist.local file to fix this
issue.
2018-01-29 10:36:15 -05:00


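#!/bin/bash
# EvoMalware, script to detect infected websites.
#
# Usage: evomalware.sh [--aggressive]
#
# The signature databases are fetched from $databaseURL on every run and
# cached under $databasePATH; only $whitelistLocal survives between runs.
#
# You can set aggressive to true to search for suspicions scripts.
aggressive=false
# Path to search for.
wwwpath=/home
# URL to download patterns and filenames.
# NOTE(review): plain HTTP, and the .md5 files are fetched from the same
# origin as the data, so the checksum only catches truncated or corrupt
# downloads; it is not an authenticity check of the database.
databaseURL="http://antispam00.evolix.org/evomalware"
databasePATH=/var/lib/evomalware
# Local additions to the remote whitelist; appended to the downloaded
# evomalware.whitelist and never overwritten by the download step.
whitelistLocal="${databasePATH}/evomalware.whitelist.local"
# Tools. Kept as plain strings on purpose: they are expanded unquoted so the
# wrapper (ionice/nice) and the options become separate words.
find="ionice -c3 find -O3"
grep="nice -n 19 grep"
wc="nice -n 19 wc"
wget="wget -q -t 3"
md5sum="md5sum --status -c"
# Various.
# Both scratch locations come from mktemp. A fixed path such as
# /tmp/evomalware.tmp can be pre-created by any local user, and this script
# downloads into it and then copies the verified files into $databasePATH,
# so the scratch directory must be private to this run.
fileslist=$(mktemp) || exit 1
tmpPATH=$(mktemp -d) || exit 1
# Single quotes: expanded when the trap fires, not when it is installed.
trap 'rm -rf -- "$fileslist" "$tmpPATH"' EXIT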
# Print the usage text on stdout (as the original here-document did) and
# leave with status 1.
usage() {
  printf '%s to search for known malwares.\n' "$0"
  printf '%s --aggressive to include suspicions scripts.\n' "$0"
  exit 1
}
# Command-line handling: the only accepted option is --aggressive; any other
# non-empty first argument prints the usage and exits. Extra arguments after
# the first are ignored, as before.
case "$1" in
  --aggressive) aggressive=true ;;
  "") ;;
  *) usage ;;
esac
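# Download last patterns and filenames.
mkdir -p "$databasePATH" "$tmpPATH"
# Everything below assumes the cwd is the scratch directory; never fall
# through into whatever directory the script happened to be started from.
cd "$tmpPATH" || exit 1
# The local whitelist is the only database file that is never overwritten.
[ -f "$whitelistLocal" ] || touch "$whitelistLocal"
for file in evomalware.filenames evomalware.patterns evomalware.whitelist evomalware.suspect; do
  # -O pins the output name: without it a leftover file in the scratch
  # directory makes wget save to "<file>.1" and the checksum is then
  # verified against the stale copy instead of the fresh download.
  $wget -O "$file" "${databaseURL}/${file}"
  $wget -O "${file}.md5" "${databaseURL}/${file}.md5"
  # The .md5 comes from the same HTTP origin as the data, so this only
  # detects truncated or corrupt downloads, not a modified database.
  if $md5sum "${file}.md5"; then
    cp -- "$file" "${databasePATH}/"
  else
    echo "Error with ${databaseURL}/${file}, wrong md5sum!"
    exit 1
  fi
done
# Each database is collapsed to a single line and used verbatim as a
# grep -E / [[ =~ ]] pattern below. The files are assumed to be written so
# that the lines join into a valid alternation once newlines are removed —
# TODO confirm against the upstream format. Keep in mind that an empty
# pattern (or one ending in "|") matches everything: for the whitelist that
# would exclude every file from the scan.
filenames=$(tr -d '\n' < "${databasePATH}/evomalware.filenames")
patterns=$(tr -d '\n' < "${databasePATH}/evomalware.patterns")
whitelist=$(cat "${databasePATH}/evomalware.whitelist" "$whitelistLocal" | tr -d '\n')
suspect=$(tr -d '\n' < "${databasePATH}/evomalware.suspect")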
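# Search for .php files (less than 1M).
# NOTE(review): this uses plain find rather than $find (ionice/nice) like
# the aggressive checks below — TODO confirm whether that is intentional.
#######################################
# List candidate .php files under $wwwpath, one per line, on stdout.
# The explicit -print is needed: without it the pruned evobackup
# directories themselves are printed as well and end up in the scan list.
#######################################
list_php_files() {
  find "$wwwpath" -name evobackup -prune -o \( -type f ! -size +1M -name "*.php" \) -print
}
# An empty whitelist must not go through grep -v: an empty pattern matches
# every line and would silently produce an empty list.
if [[ -n "$whitelist" ]]; then
  list_php_files | grep -E -v "$whitelist" > "$fileslist" 2>/dev/null
else
  list_php_files > "$fileslist"
fi
# -r: filenames may contain backslashes; IFS=: keep leading/trailing blanks.
while IFS= read -r file; do
  # Search known filenames. An empty database must detect nothing, not
  # everything (an empty regex matches every string).
  if [[ -n "$filenames" && "$file" =~ $filenames ]]; then
    echo "Known malware: $file"
  # Search .php files in WP's wp-content/uploads/ (quoted: literal match).
  elif [[ "$file" =~ "wp-content/uploads/" ]]; then
    echo "PHP file in a non-PHP folder detected: $file"
  # Count the length of the longest line and search if suspect php functions are used.
  # A failing wc yields an empty value, which [[ -gt ]] treats as 0.
  elif [[ $($wc -L "$file" 2>/dev/null | cut -d' ' -f1) -gt 10000 ]]; then
    if [[ -n "$suspect" ]] && $grep -q -E "$suspect" "$file"; then
      echo "Suspect file! More than 10000 characters in one line (and suspect PHP functions): $file."
    fi
  else
    # Search for patterns. -q alone is enough; the former -H -l -r had no
    # effect on a single regular file under -q.
    if [[ -n "$patterns" ]] && $grep -q -E "$patterns" "$file" 2>/dev/null; then
      echo "Contains a known malware pattern: $file"
    fi
  fi
done < "$fileslist"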
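# Search for suspicious scripts... Only when in aggressive mode.
# Everything in this section is a heuristic whose output is meant to be read
# by a person; nothing here is flagged automatically.
if [[ "$aggressive" == true ]]; then
  # The checks below are relative to the web root; do not run them against
  # the scratch directory if the cd fails.
  cd "$wwwpath" || exit 1
  # Filenames commonly used by known malware.
  for name in javascript.php bp.pl tn.php tn.php3 tn.phtml tn.txt xm.php logs.php; do
    $find . -name "$name"
  done
  # The 10 .php files with the most fields on a single line (whitespace-
  # separated first, then 'x'-separated). The path is handed to the child
  # shell as "$1" instead of being spliced into the -c string: paths under
  # $wwwpath are user-controlled and must never be parsed as shell code.
  $find . -type f -name "*.php" -exec sh -c \
    'awk "{ print NF }" "$1" | sort -n | tail -1 | tr -d "\n" && printf " : %s\n" "$1"' sh {} \; \
    | sort -n | tail -10
  $find . -type f -name "*.php" -exec sh -c \
    'awk -Fx "{ print NF }" "$1" | sort -n | tail -1 | tr -d "\n" && printf " : %s\n" "$1"' sh {} \; \
    | sort -n | tail -10
  # Constructs typical of obfuscated PHP. These are plain (BRE) grep
  # patterns, so '(' and '$' are literal characters here.
  $grep -r 'ini_set(chr' .
  $grep -r 'eval(base64_decode($_POST' .
  $grep -r 'eval(gzinflate(' .
  $grep -r 'ini_set(.mail.add_x_header' .
  $grep -r '@require' .
  $grep -r '@ini_set' .
  $grep -ri 'error_reporting(0' .
  $grep -r base64_decode .
  $grep -r codeeclipse .
  $grep -r 'eval(' .
  $grep -r '\x..\x..' .
  $grep -r 'chr(rand(' .
fi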