2016-05-05 07:35:23 +02:00
|
|
|
<?php
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Copyright (c) 2016 Gabor Gyorvari
|
|
|
|
|
*
|
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
|
*
|
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
*
|
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
|
* limitations under the License.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
class MalwareScanner
|
|
|
|
|
{
|
|
|
|
|
const ANSI_GREEN = "\033[32m";
|
|
|
|
|
const ANSI_RED = "\033[31m";
|
|
|
|
|
const ANSI_YELLOW = "\033[33m";
|
|
|
|
|
const ANSI_OFF = "\033[0m";
|
|
|
|
|
|
|
|
|
|
private $extension = '.php';
|
|
|
|
|
private $flagHideOk = false;
|
|
|
|
|
private $flagHideWhitelist = false;
|
2016-12-27 17:51:39 +01:00
|
|
|
private $extraCheck = false;
|
2016-05-05 07:35:23 +02:00
|
|
|
private $whitelist = array();
|
|
|
|
|
private $stat = array(
|
|
|
|
|
'directories' => 0,
|
|
|
|
|
'files_scanned' => 0,
|
|
|
|
|
'files_infected' => 0,
|
|
|
|
|
);
|
2016-12-27 17:51:39 +01:00
|
|
|
private $followSymlink = false;
|
2016-05-05 07:35:23 +02:00
|
|
|
|
|
|
|
|
public function __construct()
|
|
|
|
|
{
|
2016-12-27 17:51:39 +01:00
|
|
|
$options = getopt('hd:e::', array('hide-ok', 'hide-whitelist', 'extra-check', 'follow-symlink'));
|
2016-05-05 07:35:23 +02:00
|
|
|
if (isset($options['h'])) {
|
|
|
|
|
$this->showHelp();
|
|
|
|
|
} else {
|
|
|
|
|
if (isset($options['e'])) {
|
|
|
|
|
$ext = $options['e'];
|
|
|
|
|
if ($ext[0] != '.') {
|
|
|
|
|
$ext = '.' . $ext;
|
|
|
|
|
}
|
2016-12-29 08:31:27 +01:00
|
|
|
$this->extension = strtolower($ext);
|
2016-05-05 07:35:23 +02:00
|
|
|
}
|
|
|
|
|
if (isset($options['hide-ok'])) {
|
|
|
|
|
$this->flagHideOk = true;
|
|
|
|
|
}
|
|
|
|
|
if (isset($options['hide-whitelist'])) {
|
|
|
|
|
$this->flagHideWhitelist = true;
|
|
|
|
|
}
|
2016-12-10 22:20:57 +11:00
|
|
|
if (isset($options['extra-check'])) {
|
2016-12-27 17:51:39 +01:00
|
|
|
$this->extraCheck = true;
|
|
|
|
|
}
|
|
|
|
|
if (isset($options['follow-symlink'])) {
|
|
|
|
|
$this->followSymlink = true;
|
2016-12-10 22:20:57 +11:00
|
|
|
}
|
2016-05-05 07:35:23 +02:00
|
|
|
if (isset($options['d'])) {
|
|
|
|
|
$this->run($options['d']);
|
|
|
|
|
} else {
|
|
|
|
|
$this->out(MalwareScanner::ANSI_RED, 'ER', 'No directory specified');
|
|
|
|
|
$this->showHelp();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function run($dir)
|
|
|
|
|
{
|
|
|
|
|
$dir = rtrim($dir, '/');
|
|
|
|
|
if (!is_dir($dir)) {
|
|
|
|
|
$this->out(self::ANSI_RED, 'ER', 'Specified path is not a directory: ' . $dir);
|
|
|
|
|
exit(-1);
|
|
|
|
|
}
|
|
|
|
|
$start = time();
|
|
|
|
|
$this->loadWhitelist();
|
|
|
|
|
$this->process($dir . '/');
|
|
|
|
|
$this->report($start, $dir . '/');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private function loadWhitelist()
|
|
|
|
|
{
|
|
|
|
|
if (!is_file(__DIR__ . '/whitelist.txt')) {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
$fp = fopen(__DIR__ . '/whitelist.txt', 'r');
|
|
|
|
|
while (!feof($fp)) {
|
|
|
|
|
$line = fgets($fp);
|
|
|
|
|
$this->whitelist[] = substr($line, 0, 32);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private function inWhitelist($hash)
|
|
|
|
|
{
|
|
|
|
|
return in_array($hash, $this->whitelist);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private function process($dir)
|
|
|
|
|
{
|
|
|
|
|
$dh = opendir($dir);
|
|
|
|
|
if (!$dh) {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
$this->stat['directories']++;
|
|
|
|
|
while (($file = readdir($dh)) !== false) {
|
|
|
|
|
if ($file == '.' || $file == '..') {
|
|
|
|
|
continue;
|
|
|
|
|
}
|
2016-12-27 17:51:39 +01:00
|
|
|
if (!$this->followSymlink && is_link($dir . $file)) {
|
|
|
|
|
continue;
|
|
|
|
|
}
|
2016-05-05 07:35:23 +02:00
|
|
|
if (is_dir($dir . $file)) {
|
|
|
|
|
$this->process($dir . $file . '/');
|
|
|
|
|
} elseif (is_file($dir . $file)) {
|
2016-12-29 08:31:27 +01:00
|
|
|
$ext = strtolower(substr($file, strrpos($file, '.')));
|
2016-05-05 07:35:23 +02:00
|
|
|
if ($ext == $this->extension) {
|
|
|
|
|
$this->scan($dir . $file);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
closedir($dh);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private function report($start, $dir)
|
|
|
|
|
{
|
|
|
|
|
$end = time();
|
|
|
|
|
echo 'Start time: ' . strftime('%Y-%m-%d %H:%M:%S', $start) . PHP_EOL;
|
|
|
|
|
echo 'End time: ' . strftime('%Y-%m-%d %H:%M:%S', $end) . PHP_EOL;
|
|
|
|
|
echo 'Total execution time: ' . ($end - $start) . PHP_EOL;
|
|
|
|
|
echo 'Base directory: ' . $dir . PHP_EOL;
|
|
|
|
|
echo 'Total directories scanned: ' . $this->stat['directories'] . PHP_EOL;
|
|
|
|
|
echo 'Total files scanned: ' . $this->stat['files_scanned'] . PHP_EOL;
|
|
|
|
|
echo 'Total malware identified: ' . $this->stat['files_infected'] . PHP_EOL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private function scan($path)
|
|
|
|
|
{
|
|
|
|
|
$this->stat['files_scanned']++;
|
|
|
|
|
|
|
|
|
|
$fileContent = file_get_contents($path);
|
|
|
|
|
$found = false;
|
|
|
|
|
// check against simple text matches
|
|
|
|
|
$patterns = array(
|
|
|
|
|
'uname -a',
|
|
|
|
|
'/etc/shadow',
|
|
|
|
|
'/etc/passwd',
|
|
|
|
|
'WSOstripslashes',
|
|
|
|
|
'PD9waHA', // <?php
|
|
|
|
|
'c3lzdGVt',
|
|
|
|
|
'\x73\x79\x73\x74\x65\x6d' /* case, dec/hex issue? */, // system
|
|
|
|
|
'cHJlZ19yZXBsYWNl',
|
|
|
|
|
'\x70\x72\x65\x67\x5f\x72\x65\x70\x6c\x61\x63\x65' /* case, dec/hex issue? */, // preg_replace
|
|
|
|
|
'ZXhlYyg',
|
|
|
|
|
'\x65\x78\x65\x63' /* dec/hex issue? */, // exec
|
|
|
|
|
'=\'base\'.(32*2).\'_de\'.\'code\'',
|
|
|
|
|
'"base64_decode"',
|
|
|
|
|
'YmFzZTY0X2RlY29kZ', // base64_decode
|
2016-08-15 15:07:23 +02:00
|
|
|
'"p"."r"."e"."g"."_"', // preg_
|
2016-05-05 07:42:39 +02:00
|
|
|
|
2016-05-05 07:35:23 +02:00
|
|
|
/* 'eval', 'eval(', */
|
2016-05-05 07:42:39 +02:00
|
|
|
'eval("?>',
|
2016-05-05 07:35:23 +02:00
|
|
|
'ev\x61l',
|
|
|
|
|
'\x65\166\x61\154\x28' /* dec/hex issue? */,
|
|
|
|
|
'\x65\x76\x61\x6C' /* case, dec/hex issue? */,
|
|
|
|
|
'ZXZhbCg', // eval
|
2016-08-12 21:39:10 +02:00
|
|
|
"'ev'.'al'.'",
|
2016-12-27 15:48:48 +01:00
|
|
|
'/eval\s*\(/i',
|
2016-05-05 07:42:39 +02:00
|
|
|
|
2016-05-05 07:35:23 +02:00
|
|
|
'eval(base64_decode(',
|
|
|
|
|
'\x47\x4c\x4f\x42\x41LS', // GLOBALS
|
|
|
|
|
'SFRUUF9VU0VSX0FHRU5U', // HTTP_USER_AGENT
|
|
|
|
|
'YWxsb3dfdXJsX2ZvcGVu', // allow_url_fopen
|
|
|
|
|
'${${', // ${${"\x47\x4c\x4f\x42...
|
|
|
|
|
'file_get_contents(\'http://codepad.org',
|
|
|
|
|
'PHPJiaMi',
|
2016-05-05 07:42:39 +02:00
|
|
|
'@include($_GET[',
|
|
|
|
|
'system($_GET[',
|
2016-05-05 07:35:23 +02:00
|
|
|
|
|
|
|
|
/* too open? */
|
2016-05-05 07:42:39 +02:00
|
|
|
// 'gzinflate(base64_decode(',
|
2016-05-05 07:35:23 +02:00
|
|
|
'md5($_GET[', // md5($_GET["ms-load"])
|
2016-12-27 17:45:47 +01:00
|
|
|
'ShellBOT',
|
2016-12-27 15:48:48 +01:00
|
|
|
'bgeteam',
|
|
|
|
|
'DisablePHP=',
|
|
|
|
|
'moban.html',
|
|
|
|
|
'<?php eval',
|
|
|
|
|
'$data = base64_decode("',
|
|
|
|
|
'a,b,c,d,e,f,g',
|
2016-12-10 22:20:57 +11:00
|
|
|
' freetellafriend.com',
|
|
|
|
|
'SHELL_PASSWORD',
|
2016-12-27 15:48:48 +01:00
|
|
|
'curl_get_from_webpage',
|
|
|
|
|
'base=base64_encode',
|
|
|
|
|
'@x0powo',
|
|
|
|
|
'@preg_replace',
|
|
|
|
|
'1@1.com',
|
|
|
|
|
'META http-equiv="refresh" content="0;',
|
2016-12-27 17:45:47 +01:00
|
|
|
'="create_";global',
|
|
|
|
|
'YW55cmVzdWx0cy5uZXQ=',
|
|
|
|
|
|
|
|
|
|
// imported manul samples
|
|
|
|
|
'ZOBUGTEL',
|
|
|
|
|
'MagelangCyber',
|
|
|
|
|
'//rasta//',
|
|
|
|
|
'Baby_Drakon',
|
|
|
|
|
'Net@ddress Mail',
|
|
|
|
|
'Created By EMMA',
|
|
|
|
|
'3xp1r3',
|
|
|
|
|
'NinjaVirus Here',
|
|
|
|
|
'<dot>IrIsT',
|
|
|
|
|
'Hacked By EnDLeSs',
|
|
|
|
|
'Punker2Bot',
|
|
|
|
|
'Zed0x',
|
|
|
|
|
'darkminz',
|
|
|
|
|
'ReaL_PuNiShEr',
|
|
|
|
|
'OoN_Boy',
|
|
|
|
|
'__VIEWSTATEENCRYPTED',
|
|
|
|
|
'M4ll3r',
|
|
|
|
|
'createFilesForInputOutput',
|
|
|
|
|
'Pashkela',
|
|
|
|
|
'== "bindshell"',
|
|
|
|
|
'Webcommander at',
|
|
|
|
|
'YENI3ERI',
|
|
|
|
|
'd3lete',
|
|
|
|
|
'Made by Delorean',
|
|
|
|
|
'R0lGODlhEwAQALMAAAAAAP///5ycAM7OY///nP//zv/OnPf39////wAAAAAA',
|
|
|
|
|
'Cybester90',
|
|
|
|
|
'ayu pr1 pr2 pr3 pr4 pr5 pr6',
|
|
|
|
|
'f0VMRgEBAQA',
|
|
|
|
|
'0d0a0d0a676c6f62616c20246d795f736d7',
|
|
|
|
|
'etalfnizg',
|
|
|
|
|
'JHZpc2l0Y291bnQgPSAkSFRUUF9DT09LSUVfV',
|
|
|
|
|
'edoced_46esab',
|
|
|
|
|
'VOBRA GANGO',
|
|
|
|
|
'itsoknoproblembro',
|
|
|
|
|
'HTTP flood complete after',
|
|
|
|
|
'exploitcookie',
|
|
|
|
|
'az88pix00q98',
|
|
|
|
|
'The Dark Raver',
|
|
|
|
|
'Q3JlZGl0IDogVW5kZXJncm91bmQgRGV2aWwgJm5ic3A7ICB8DQo8YSBocmVmP',
|
|
|
|
|
'463839610c000b00800100ffffffffffff21f90401000001002c000',
|
|
|
|
|
'AAAAAAAAMAAwABAAAAeAUAADQAAADsCQAAAAAAADQAIAADACgAFwAUAAEA',
|
|
|
|
|
'HJ3HjutckoRfpXf9A1zQO2AwDRrRey9uGvTeez79qAao1a0rgudkZkR8Ra',
|
|
|
|
|
'Ly83MTg3OWQyMTJkYzhjYmY0ZDRmZDA0NGEzZDE3Zjk3ZmI2N',
|
|
|
|
|
'DJ7VIU7RICXr6sEEV2cBtHDSOe9nVdpEGhEmvRVRNURfw1wQ',
|
|
|
|
|
'Asmodeus',
|
|
|
|
|
'Cautam fisierele de configurare',
|
|
|
|
|
'BRUTEFORCING',
|
|
|
|
|
'FaTaLisTiCz_Fx Fx29Sh',
|
|
|
|
|
'w4ck1ng shell',
|
|
|
|
|
'private Shell by m4rco',
|
|
|
|
|
'Shell by Mawar_Hitam',
|
|
|
|
|
'LS0gRHVtcDNkIGJ5IFBpcnVsaW4uUEhQIFdlYnNoM2xsIHYxLjAgYzBkZWQgYnkgcjBkcjEgOkw\=',
|
|
|
|
|
'5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigk',
|
|
|
|
|
'X1NFU1NJT05bJ3R4dGF1dGhpbiddID0gdHJ1ZTsNCiAgICBpZiAoJF9QT1NUWydybSddKSB7DQogICAgICBzZXRjb29raWUoJ3R4dGF1dGhfJy4kcm1ncm91cCwgbW',
|
|
|
|
|
'zehirhacker',
|
|
|
|
|
'R0lGODlhFAAUAKIAAAAAAP///93d3cDAwIaGhgQEBP///wAAACH5BAEAAAYALAAAAAAUABQAA',
|
|
|
|
|
'm91dCwgJGVvdXQpOw0Kc2VsZWN0KCRyb3V0ID0gJHJpbiwgdW5kZWYsICRlb3V0ID0gJHJpbiwgMTIwKTsNCmlmICghJHJvdXQgICYmICAhJGVvdX',
|
|
|
|
|
'CB2aTZpIDEwMjQtDQojLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ0KI3JlcXVp',
|
|
|
|
|
'DX_Header_drawn',
|
|
|
|
|
'BDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAAQABADASIAAhEBA',
|
|
|
|
|
'casus15',
|
|
|
|
|
'temp_r57_table',
|
|
|
|
|
'By Psych0',
|
|
|
|
|
'c99ftpbrutecheck',
|
|
|
|
|
'K!LL3r',
|
|
|
|
|
'MrHazem',
|
|
|
|
|
'BY MMNBOBZ',
|
|
|
|
|
'ConnectBackShell',
|
|
|
|
|
'Hackeado',
|
|
|
|
|
'd3b~X',
|
|
|
|
|
'REREFER_PTTH',
|
|
|
|
|
'Joomla_brute_Force',
|
|
|
|
|
'/usr/sbin/httpd',
|
|
|
|
|
'tmhapbzcerff',
|
|
|
|
|
'IrSecTeam',
|
|
|
|
|
'Spammer',
|
|
|
|
|
'FLoodeR',
|
|
|
|
|
'eriuqer',
|
|
|
|
|
'sshkeys',
|
|
|
|
|
'<kuku>',
|
|
|
|
|
'Backdoor',
|
|
|
|
|
'eggdrop',
|
|
|
|
|
'rwxrwxrwx',
|
|
|
|
|
'profexor.hell',
|
|
|
|
|
'GIF89A;<?php',
|
|
|
|
|
'$sh3llColor',
|
|
|
|
|
'fwrite($fpsetv, getenv("HTTP_COOKIE")',
|
|
|
|
|
'putbot $bot',
|
|
|
|
|
'bind join - *',
|
|
|
|
|
'privmsg $chan',
|
|
|
|
|
'fopen\'(/etc/passwd',
|
|
|
|
|
'\u003c\u0069\u006d\u0067\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f',
|
|
|
|
|
'\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd',
|
|
|
|
|
'find / \-type f \-name \.htpasswd',
|
|
|
|
|
'find / \-type f \-perm \-02000 \-ls',
|
|
|
|
|
'find / \-type f \-perm \-04000 \-ls',
|
|
|
|
|
'if(\'\'==($df=@ini_get(\'disable_functions',
|
|
|
|
|
'system\"$cmd 1> /tmp/',
|
|
|
|
|
'ncftpput -u ',
|
|
|
|
|
'wsoEx(',
|
|
|
|
|
'WSOsetcookie(',
|
|
|
|
|
'Dr.abolalh',
|
|
|
|
|
'C0derz.com',
|
|
|
|
|
'Mr.HiTman',
|
2016-05-05 07:35:23 +02:00
|
|
|
);
|
2016-12-27 17:51:39 +01:00
|
|
|
if ($this->extraCheck) {
|
2016-12-27 17:45:47 +01:00
|
|
|
array_push($patterns, "googleBot", "htaccess");
|
|
|
|
|
}
|
2016-05-05 07:35:23 +02:00
|
|
|
foreach ($patterns as $toSearch) {
|
|
|
|
|
$substrCount = substr_count($fileContent, $toSearch);
|
|
|
|
|
if ($substrCount > 0) {
|
|
|
|
|
$found = true;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// check against regexp patterns
|
|
|
|
|
if (!$found) {
|
|
|
|
|
$patterns = array(
|
|
|
|
|
'eval\/\*[a-z0-9]+\*\/',
|
|
|
|
|
// eval/*aw3*/
|
|
|
|
|
'eval\([a-z0-9]{4,}\(\$[a-z0-9]{4,}, \$[0-9a-z]{4,}\)\);',
|
|
|
|
|
// eval(v5JONDD($v5EKGVD, $vX3Z3DE));
|
|
|
|
|
'(chr\(\d+\)\.){4,}',
|
|
|
|
|
// chr(22).chr(33).chr(22).chr(22)
|
2016-08-15 15:07:23 +02:00
|
|
|
'(chr\(\d+\^\d+\)\.){4,}',
|
|
|
|
|
// chr(95^57).chr(95^54).chr(95^51).chr(95^58)
|
2016-05-05 07:35:23 +02:00
|
|
|
'(\$[a-z0-9]{3,}\[\d+\]\.){4,}',
|
|
|
|
|
// $saz98[5].$saz98[2].$saz98[1].$saz98[3].$saz98[5]
|
|
|
|
|
'chr\(\d+\)\.""\.""\.""\.""\.""',
|
|
|
|
|
// chr(88)."".""."".""."".
|
|
|
|
|
'\$GLOBALS\[\$GLOBALS[\'[a-z0-9]{4,}\'\]\[\d+\]\.\$GLOBALS\[\'[a-z-0-9]{4,}\'\]\[\d+\].',
|
|
|
|
|
// $GLOBALS[$GLOBALS['u101c7'][77].$GLOBALS['u101c7'][47].
|
|
|
|
|
'\$GLOBALS\[\'[a-z0-9]{5,}\'\] = \$[a-z]+\d+\[\d+\]\.\$[a-z]+\d+\[\d+\]\.\$[a-z]+\d+\[\d+\]\.\$[a-z]+\d+\[\d+\]\.',
|
|
|
|
|
// $GLOBALS['qjyxw29'] = $z26[1].$z26[30].$z26[2].
|
|
|
|
|
'eval\([a-z0-9_]+\(base64_decode\(',
|
|
|
|
|
// eval(xxtea_decrypt(base64_decode(
|
|
|
|
|
'\$[a-z]{3,}=\$[a-z]{3,}\("",\$[a-z]{3,}\);\$[a-z]{3,}\(\);',
|
|
|
|
|
// $ewn=$ner("",$iqkpi);$ewn();
|
|
|
|
|
'{\s*eval\s*\(\s*\$',
|
|
|
|
|
// {eval($
|
2016-12-27 17:45:47 +01:00
|
|
|
|
|
|
|
|
// imported manul samples
|
|
|
|
|
'Googlebot[\'"]{0,1}\s*\)\){echo\s+file_get_contents',
|
|
|
|
|
'eVaL\(\s*trim\(\s*baSe64_deCoDe\(',
|
|
|
|
|
'if\s*\(\s*mail\s*\(\s*\$mails\[\$i\]\s*,\s*\$tema\s*,\s*base64_encode\s*\(\s*\$text',
|
|
|
|
|
'fwrite\s*\(\s*\$fh\s*,\s*stripslashes\s*\(\s*@*\$_(GET|POST|SERVER|COOKIE|REQUEST)\[',
|
|
|
|
|
'echo\s+file_get_contents\s*\(\s*base64_url_decode\s*\(\s*@*\$_(GET|POST|SERVER|COOKIE|REQUEST)',
|
|
|
|
|
'chr\s*\(\s*101\s*\)\s*\.\s*chr\s*\(\s*118\s*\)\s*\.\s*chr\s*\(\s*97\s*\)\s*\.\s*chr\s*\(\s*108\s*\)',
|
2016-05-05 07:35:23 +02:00
|
|
|
);
|
|
|
|
|
foreach ($patterns as $toSearch) {
|
|
|
|
|
if (preg_match('/' . $toSearch . '/is', $fileContent)) {
|
|
|
|
|
$found = true;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!$found) {
|
|
|
|
|
if (!$this->flagHideOk) {
|
|
|
|
|
$this->out(self::ANSI_GREEN, 'OK', $path);
|
|
|
|
|
}
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// file hash is on whithelist hash then skip
|
|
|
|
|
$hash = md5($fileContent);
|
|
|
|
|
if ($found && $this->inWhitelist($hash)) {
|
|
|
|
|
if (!$this->flagHideWhitelist) {
|
|
|
|
|
$this->out(self::ANSI_YELLOW, 'WL', $path);
|
|
|
|
|
}
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if ($found) {
|
|
|
|
|
$this->stat['files_infected']++;
|
|
|
|
|
$this->out(self::ANSI_RED, 'ER', $path . ' -> ' . $toSearch . ' ' . $hash);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private function out($color, $serv, $text)
|
|
|
|
|
{
|
|
|
|
|
echo $color . ' ' . $serv . ' ' . self::ANSI_OFF . $text . PHP_EOL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private function showHelp()
|
|
|
|
|
{
|
|
|
|
|
echo 'Usage scan.php -d <directory> [-e=.php] [--hide-ok] [--hide-whitelist]' . PHP_EOL;
|
|
|
|
|
echo ' -d Directory for searching' . PHP_EOL;
|
|
|
|
|
echo ' -e=.php Extension' . PHP_EOL;
|
|
|
|
|
echo ' --hide-ok Hide OK aka not infected messages' . PHP_EOL;
|
|
|
|
|
echo ' --hide-whitelist Hide whitelisted messages' . PHP_EOL;
|
2016-12-27 17:51:39 +01:00
|
|
|
echo ' --extra-check Adds GoogleBot and htaccess to Scan List' . PHP_EOL;
|
|
|
|
|
echo ' --follow-symlink Follow symlinked directories' . PHP_EOL;
|
2016-05-05 07:35:23 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
new MalwareScanner();
|
