LP-MSH-Scanner/mscan.php

<?php
/*
Forked from WP Protect plugin
Added tons of new malware patterns
Disabled cleanup functionality for the time being in order to identify false positives
Done code cleanup

*/


class malScanner{
	
	var $mtstart;
	var $mtend;
	var $exectime;
	var $dater;
	var $timer;

	var $basedir;
	var $directories = array();
	var $files_found = array();
	var $no_files_scanned;
	var $no_files_cleaned;
	var $patterns;
	
	var $webmaster_email = "office@palma.solutions";
	var $website_name = "palma.solutions";

	var $malPatterns = array(

	"^<\?php\s*\\\$md5\s*=\s*.*create_function\s*\(.*?\);\s*\\\$.*?\)\s*;\s*\?>\s*",
	" echo \"<script type=\\\\\"text\/javascript\\\\\" src=\\\\\"http:\/\/.*\.js\\\\\"><\/script>\"; echo \"\";",
	"<\?php\s*\@error_reporting\(0\);\s*if\s*\(\!isset\(([\$\w]+)\)\)\s*{[\$]+[^}]+}\s*\?>",
	"<\?php\s*\/\*\w+_on\*\/.*\/\*\w+_off\*\/\s*\?>",
	"<\?php\s*\/\*god_mode_on\*\/eval\(base64_decode\([\"'][^\"']{255,}[\"']\)\);\s*\/\*god_mode_off\*\/\s*\?>",
	"<\?php\s*\?>",
	"<IfModule\s*mod_rewrite\.c>\s*RewriteEngine\s*On\s*RewriteCond\s*%\{HTTP_REFERER\}\s*\^\.\*\([^\)]{255,}[google|yahoo|bing|ask|wikipedia|youtube][^\)]{255,}[^<]*<\/IfModule>",
	"ErrorDocument\s*(?:400|401|403|404|500)+\s*http:\/\/.*\.\w+",
	"^<script>(.*)<\/script>",
	"^<\?php\s*\\\$md5\s*=\s*[\"|']\w+[\"|'];\s*\\\$wp_salt\s*=\s*[\w\(\),\"\'\;\$]+\s*\\\$wp_add_filter\s*=\s*create_function\(.*\);\s*\\\$wp_add_filter\(.*\);\s*\?>\s*",
	"\s*eval\(base64_decode\([\"'][^\"']{255,}[\"']\)\);",
	"if\(!function_exists\([^{]+\s*{\s*function[^}]+\s*}\s*[^\"']+\s*[\"'][^\"']+[\"'];\s*eval\s*\(.*\)\s*;\s*}\s*",
	"d.=sprintf\(\(substr\(urlencode\(print_r\(array\(",
	"^(.*)<\?php(.*)eval(\s*)\((\s*)base64_decode(\s*)\((\s*)(.*)(\?><\?php)*\n",
	"eval(\s*)\((.*)base64_decode(\s*)\(",
    "\$_COOKIE\[[\'\|\"\]access\-admin\[\'\|\"\]\]",
    "this.form.upload_file.disabled=false",
    "function(\s*)jspw3\(d\,m\,f\)",
    "a(\s*)simple(\s*)Web-based(\s*)file(\s*)manager",
    "php\_uname(\s*)\(preg_replace(\s*)\(",
    "function(\s*)rewrioutclbkxxx1\(",
    "eval\(\(base64_decode\(",
    "preg_replace\(strrev\(",
    "s=base64_decode\(str_replace\(chr\(32\)",
    "_GET\[base64_decode\(",
    "@error_reporting\(0\)",
    "eval\(base64_decode\(<(.*)POST(.*)>php",
    "==========================+(\s*)Credit.Mutuel.ReZult(\s*)+==================",
    "X-Mailer:(\s*)The(\s*)Bat\!(\s*)\(v",
    "WordPress(\s*)Inserter(\s*)Links",
    "The(\s*)Sword(\s*)Config(\s*)Fuck(\s*)Script",
    "@kr(\s*)=(\s*)<d0mains>;",
    "copyto(\s*)=(\s*)explode\(",
    "eval\(gzinflate\(base64_decode\(",
    "eval\(gzinflate\(str_rot13\(base64_decode\(",
    "Bank(\s*)of(\s*)America(\s*)\|(\s*)Home(\s*)\|(\s*)Personal",
    "Bank(\s*)of(\s*)America(\s*)\|(\s*)Online(\s*)Banking(\s*)\|(\s*)Sign(\s*)In(\s*)to(\s*)Online(\s*)Banking",
    "Bank(\s*)of(\s*)America(\s*)\|(\s*)Thank(\s*)you",
    "Wells(\s*)Fargo(\s*)Home(\s*)Page",
    "Chase(\s*)Online(\s*)-(\s*)Logon",
    "Send(\s*)Money,(\s*)Pay(\s*)Online(\s*)or(\s*)Set(\s*)Up(\s*)a(\s*)Merchant(\s*)Account(\s*)with(\s*)PayPal",
    "Login(\s*)-(\s*)PayPal",
    "Sign(\s*)Up(\s*)for(\s*)PayPal(\s*)-(\s*)It\'s(\s*)Free(\s*)and(\s*)Easy(\s*)to(\s*)Get(\s*)Started",
    "My(\s*)Account(\s*)-(\s*)Telstra",
    "RBC(\s*)Royal(\s*)Bank(\s*)-(\s*)Sign(\s*)In(\s*)to(\s*)Online(\s*)Banking",
    "RBC(\s*)Financial(\s*)Group(\s*)-(\s*)Online(\s*)Banking",
    "Online(\s*)Banking(\s*)Security(\s*)and(\s*)Privacy(\s*)Guide(\s*)-(\s*)RBC(\s*)Royal(\s*)Bank",
    
      
);

	var $filetypes = array("php", "shtml", "html", "htm", "js", "css", "txt", "pl", "cgi", "sh", "py");

	function __construct($basedir,$displayOnly = TRUE ,$wname = "" ,$wemail = "") {		

		$this->mtstart = $this->microtime_float();
		$this->website_name = $wname;
		$this->webmaster_email = $wemail;
		$this->no_files_scanned = 0;
		$this->no_files_cleaned = 0;
		$this->dater = date('d-m-Y');
		$this->timer = date('H:i:n:s');
		$this->basedir = $basedir;

		
		$this->patterns = '('.implode('|', $this->malPatterns).')';		
		$this->directories[] = $basedir;
		$directories = $this->get_Directories($this->basedir);
		$this->get_subs($directories);
		$this->startscan();
		$this->exectime = $this->getexectime();		

		if($displayOnly == TRUE){
			$this->DisplayNotice();
		}else{
			$this->sendReport();
		}#if displayonly
		

	}#construct function		

	function startscan(){

		foreach($this->directories as $directory) {

			foreach($this->filetypes as $filetype){

				$files = glob($directory . '/*.'.$filetype , GLOB_NOSORT);		

				$this->scanner($files);

			}#for each filetype

			$files = glob($directory . '/.htaccess' , GLOB_NOSORT);		

			$this->scanner($files);

		}#for each directory

	}#function scan

	
	function scanner($files){
		if(is_array($files)) {
	      	foreach($files as $file) {
	       			$this->no_files_scanned++;
					$file_contents = file_get_contents($file);
					$numMatches = null;
					$numMatches = preg_match_all('/'.$this->patterns.'/is', $file_contents,$matches);
					if(!empty($numMatches)){
						$this->files_found[] = $file;
//						$this->cleanInfected($file);

					}#if found !empty

			}#foreach

		}#if isarray

	}#function scanner

	
	function cleanInfected($file){

		$handle = fopen($file, "r");
		if(filesize($file) > 0){
			$contents = fread($handle, filesize($file));
			fclose($handle);
			$handle = fopen($file, "w");
			$contents = preg_replace('/'.$this->patterns.'/is', "", $contents);	
			fwrite($handle, $contents);
			$this->no_files_cleaned++;
		}
		fclose($handle);
	}

	
	function get_Directories($basedir){
		$directories = glob($basedir . '/*' , GLOB_ONLYDIR);
		return $directories;
	}#get_Directories

	
	function get_subs($directories){

		foreach($directories as $directory){

			#echo $directory."<BR>";

			$this->directories[] = $directory; 

			$subs = $this->get_Directories($directory);

			$this->get_subs($subs);

		}#foreach

	}#function get_subs

	
	function microtime_float() {
    	list($usec, $sec) = explode(" ", microtime());
    	return ((float)$usec + (float)$sec);

	}

	
	function getexectime(){
		$this->mtend = $this->microtime_float();
		return round($this->mtend - $this->mtstart, 4);

	}#getexectime

  	
  	function scan_summary_report(){
  		$num_infected_files = count($this->files_found);
  		$sdstr = $this->website_name.'
  		maintenance Report - Malware code scanner ver 1.0 (10-2)<BR><BR>
  		Date of Execution : '.$this->dater.'<BR>
		time of Exectuion : '.$this->timer.'<BR>
		Start time stamp : '.$this->mtstart.'<BR>
		End time stamp : '.$this->mtend.'<BR>
  		Total Execution time : '.$this->exectime.'<BR>

  		<BR>

  		Website : '.$this->website_name.'<BR>
  		Base Directory : '.$this->basedir.'<BR>
  		Total Directories scanned : '.count($this->directories).'<BR>
		Total files scanned : '.$this->no_files_scanned.'<BR>
		Total files with Malware inserted code : '.$num_infected_files.'<BR>
		Total files with Malware inserted code Cleaned : '.$this->no_files_cleaned.'<BR>

		<BR>

  		';

		if($num_infected_files > 0){

			$sdstr .= '*NOTE: Change all access codes: FTP passwords, website admin passwords, Authentication salts<BR><BR>';

			$sdstr .= 'Files infected:<BR>';

			foreach($this->files_found as $file){

				$sdstr .= $file.'<BR>';			

			}#foreach

		}#if $numinfected files > 0

		return $sdstr;

  	}#scan summary report
  	

  	function DisplayNotice(){

  		$Notice = "";

  		$num_infected_files = count($this->files_found);

		if($num_infected_files > 0){

			$Notice .= "MALICIOUS CODE FOUND - ".$this->website_name;

		}else{

			$Notice .= "Scan results - ".$this->website_name;

		}

		$Notice .= "<BR>".$this->scan_summary_report();

		echo $Notice;

  	}#DisplayNotice
  	

  	function sendReport(){

        $to  = $this->webmaster_email;

		$num_infected_files = count($this->files_found);

		if($num_infected_files > 0){

			$subject = "MALICIOUS CODE FOUND - ".$this->website_name;

		}else{

			$subject = "Scan results - ".$this->website_name;

		}

		$message = $this->scan_summary_report();		

		$headers  = 'MIME-Version: 1.0' . "\r\n";
        $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
        $headers .= 'To: '.$this->website_name.' Webmaster <'.$this->webmaster_email.'>' . "\r\n";
        $headers .= 'From: '.$this->website_name.' <'.$this->webmaster_email.'>' . "\r\n";
		     

	    mail($to, $subject, $message, $headers);

    }#function mail

}#class malScanner

?>
Add 'mscan.php' 2016-10-24 09:13:02 +02:00			`<?php`
			`/*`
			`Forked from WP Protect plugin`
			`Added tons of new malware patterns`
			`Disabled cleanup functionality for the time being in order to identify false positives`
			`Done code cleanup`

			`*/`



			`class malScanner{`

			`var $mtstart;`
			`var $mtend;`
			`var $exectime;`
			`var $dater;`
			`var $timer;`

			`var $basedir;`
			`var $directories = array();`
			`var $files_found = array();`
			`var $no_files_scanned;`
			`var $no_files_cleaned;`
			`var $patterns;`

			`var $webmaster_email = "office@palma.solutions";`
			`var $website_name = "palma.solutions";`

			`var $malPatterns = array(`

			`"^<\?php\s\\\$md5\s=\s.create_function\s\(.?\);\s\\\$.?\)\s;\s\?>\s*",`
			`" echo \"<script type=\\\\\"text\/javascript\\\\\" src=\\\\\"http:\/\/.*\.js\\\\\"><\/script>\"; echo \"\";",`
			`"<\?php\s\@error_reporting\(0\);\sif\s\(\!isset\(([\$\w]+)\)\)\s{[\$]+[^}]+}\s*\?>",`
			`"<\?php\s\/\\w+_on\\/.\/\\w+_off\\/\s*\?>",`
			`"<\?php\s\/\god_mode_on\\/eval\(base64_decode\([\"'][^\"']{255,}[\"']\)\);\s\/\god_mode_off\\/\s*\?>",`
			`"<\?php\s*\?>",`
			`"<IfModule\smod_rewrite\.c>\sRewriteEngine\sOn\sRewriteCond\s%\{HTTP_REFERER\}\s\^\.\\([^\)]{255,}[google\|yahoo\|bing\|ask\|wikipedia\|youtube][^\)]{255,}[^<]<\/IfModule>",`
			`"ErrorDocument\s(?:400\|401\|403\|404\|500)+\shttp:\/\/.*\.\w+",`
			`"^<script>(.*)<\/script>",`
			`"^<\?php\s\\\$md5\s=\s[\"\|']\w+[\"\|'];\s\\\$wp_salt\s=\s[\w\(\),\"\'\;\$]+\s\\\$wp_add_filter\s=\screate_function\(.\);\s\\\$wp_add_filter\(.\);\s\?>\s",`
			`"\s*eval\(base64_decode\([\"'][^\"']{255,}[\"']\)\);",`
			`"if\(!function_exists\([^{]+\s{\sfunction[^}]+\s}\s[^\"']+\s[\"'][^\"']+[\"'];\seval\s\(.\)\s;\s}\s*",`
			`"d.=sprintf\(\(substr\(urlencode\(print_r\(array\(",`
			`"^(.)<\?php(.)eval(\s)\((\s)base64_decode(\s)\((\s)(.)(\?><\?php)\n",`
			`"eval(\s)\((.)base64_decode(\s*)\(",`
Update 'mscan.php' 2016-10-24 09:16:43 +02:00			`"\$_COOKIE\[[\'\\|\"\]access\-admin\[\'\\|\"\]\]",`
Add 'mscan.php' 2016-10-24 09:13:02 +02:00			`"this.form.upload_file.disabled=false",`
			`"function(\s*)jspw3\(d\,m\,f\)",`
			`"a(\s)simple(\s)Web-based(\s)file(\s)manager",`
			`"php\_uname(\s)\(preg_replace(\s)\(",`
			`"function(\s*)rewrioutclbkxxx1\(",`
			`"eval\(\(base64_decode\(",`
			`"preg_replace\(strrev\(",`
			`"s=base64_decode\(str_replace\(chr\(32\)",`
			`"_GET\[base64_decode\(",`
			`"@error_reporting\(0\)",`
			`"eval\(base64_decode\(<(.)POST(.)>php",`
			`"==========================+(\s)Credit.Mutuel.ReZult(\s)+==================",`
			`"X-Mailer:(\s)The(\s)Bat\!(\s*)\(v",`
			`"WordPress(\s)Inserter(\s)Links",`
			`"The(\s)Sword(\s)Config(\s)Fuck(\s)Script",`
			`"@kr(\s)=(\s)<d0mains>;",`
			`"copyto(\s)=(\s)explode\(",`
			`"eval\(gzinflate\(base64_decode\(",`
			`"eval\(gzinflate\(str_rot13\(base64_decode\(",`
			`"Bank(\s)of(\s)America(\s)\\|(\s)Home(\s)\\|(\s)Personal",`
			`"Bank(\s)of(\s)America(\s)\\|(\s)Online(\s)Banking(\s)\\|(\s)Sign(\s)In(\s)to(\s)Online(\s*)Banking",`
			`"Bank(\s)of(\s)America(\s)\\|(\s)Thank(\s*)you",`
			`"Wells(\s)Fargo(\s)Home(\s*)Page",`
			`"Chase(\s)Online(\s)-(\s*)Logon",`
			`"Send(\s)Money,(\s)Pay(\s)Online(\s)or(\s)Set(\s)Up(\s)a(\s)Merchant(\s)Account(\s)with(\s*)PayPal",`
			`"Login(\s)-(\s)PayPal",`
			`"Sign(\s)Up(\s)for(\s)PayPal(\s)-(\s)It\'s(\s)Free(\s)and(\s)Easy(\s)to(\s)Get(\s*)Started",`
			`"My(\s)Account(\s)-(\s*)Telstra",`
			`"RBC(\s)Royal(\s)Bank(\s)-(\s)Sign(\s)In(\s)to(\s)Online(\s)Banking",`
Update 'mscan.php' 2016-10-24 09:16:43 +02:00			`"RBC(\s)Financial(\s)Group(\s)-(\s)Online(\s*)Banking",`
Add 'mscan.php' 2016-10-24 09:13:02 +02:00			`"Online(\s)Banking(\s)Security(\s)and(\s)Privacy(\s)Guide(\s)-(\s)RBC(\s)Royal(\s*)Bank",`



			`);`

			`var $filetypes = array("php", "shtml", "html", "htm", "js", "css", "txt", "pl", "cgi", "sh", "py");`

			`function __construct($basedir,$displayOnly = TRUE ,$wname = "" ,$wemail = "") {`

			`$this->mtstart = $this->microtime_float();`
			`$this->website_name = $wname;`
			`$this->webmaster_email = $wemail;`
			`$this->no_files_scanned = 0;`
			`$this->no_files_cleaned = 0;`
			`$this->dater = date('d-m-Y');`
			`$this->timer = date('H:i:n:s');`
			`$this->basedir = $basedir;`



			`$this->patterns = '('.implode('\|', $this->malPatterns).')';`
			`$this->directories[] = $basedir;`
			`$directories = $this->get_Directories($this->basedir);`
			`$this->get_subs($directories);`
			`$this->startscan();`
			`$this->exectime = $this->getexectime();`

			`if($displayOnly == TRUE){`
			`$this->DisplayNotice();`
			`}else{`
			`$this->sendReport();`
			`}#if displayonly`


			`}#construct function`

			`function startscan(){`

			`foreach($this->directories as $directory) {`

			`foreach($this->filetypes as $filetype){`

			`$files = glob($directory . '/*.'.$filetype , GLOB_NOSORT);`

			`$this->scanner($files);`

			`}#for each filetype`

			`$files = glob($directory . '/.htaccess' , GLOB_NOSORT);`

			`$this->scanner($files);`

			`}#for each directory`

			`}#function scan`



			`function scanner($files){`
			`if(is_array($files)) {`
			`foreach($files as $file) {`
			`$this->no_files_scanned++;`
			`$file_contents = file_get_contents($file);`
			`$numMatches = null;`
			`$numMatches = preg_match_all('/'.$this->patterns.'/is', $file_contents,$matches);`
			`if(!empty($numMatches)){`
			`$this->files_found[] = $file;`
			`// $this->cleanInfected($file);`

			`}#if found !empty`

			`}#foreach`

			`}#if isarray`

			`}#function scanner`



			`function cleanInfected($file){`

			`$handle = fopen($file, "r");`
			`if(filesize($file) > 0){`
			`$contents = fread($handle, filesize($file));`
			`fclose($handle);`
			`$handle = fopen($file, "w");`
			`$contents = preg_replace('/'.$this->patterns.'/is', "", $contents);`
			`fwrite($handle, $contents);`
			`$this->no_files_cleaned++;`
			`}`
			`fclose($handle);`
			`}`



			`function get_Directories($basedir){`
			`$directories = glob($basedir . '/*' , GLOB_ONLYDIR);`
			`return $directories;`
			`}#get_Directories`



			`function get_subs($directories){`

			`foreach($directories as $directory){`

			`#echo $directory."<BR>";`

			`$this->directories[] = $directory;`

			`$subs = $this->get_Directories($directory);`

			`$this->get_subs($subs);`

			`}#foreach`

			`}#function get_subs`



			`function microtime_float() {`
			`list($usec, $sec) = explode(" ", microtime());`
			`return ((float)$usec + (float)$sec);`

			`}`





			`function getexectime(){`
			`$this->mtend = $this->microtime_float();`
			`return round($this->mtend - $this->mtstart, 4);`

			`}#getexectime`



			`function scan_summary_report(){`
			`$num_infected_files = count($this->files_found);`
			`$sdstr = $this->website_name.'`
			`maintenance Report - Malware code scanner ver 1.0 (10-2)<BR><BR>`
			`Date of Execution : '.$this->dater.'<BR>`
			`time of Exectuion : '.$this->timer.'<BR>`
			`Start time stamp : '.$this->mtstart.'<BR>`
			`End time stamp : '.$this->mtend.'<BR>`
			`Total Execution time : '.$this->exectime.'<BR>`

			`<BR>`

			`Website : '.$this->website_name.'<BR>`
			`Base Directory : '.$this->basedir.'<BR>`
			`Total Directories scanned : '.count($this->directories).'<BR>`
			`Total files scanned : '.$this->no_files_scanned.'<BR>`
			`Total files with Malware inserted code : '.$num_infected_files.'<BR>`
			`Total files with Malware inserted code Cleaned : '.$this->no_files_cleaned.'<BR>`

			`<BR>`

			`';`

			`if($num_infected_files > 0){`

			`$sdstr .= '*NOTE: Change all access codes: FTP passwords, website admin passwords, Authentication salts<BR><BR>';`

			`$sdstr .= 'Files infected:<BR>';`

			`foreach($this->files_found as $file){`

			`$sdstr .= $file.'<BR>';`

			`}#foreach`

			`}#if $numinfected files > 0`

			`return $sdstr;`

			`}#scan summary report`


			`function DisplayNotice(){`

			`$Notice = "";`

			`$num_infected_files = count($this->files_found);`

			`if($num_infected_files > 0){`

			`$Notice .= "MALICIOUS CODE FOUND - ".$this->website_name;`

			`}else{`

			`$Notice .= "Scan results - ".$this->website_name;`

			`}`

			`$Notice .= "<BR>".$this->scan_summary_report();`

			`echo $Notice;`

			`}#DisplayNotice`


			`function sendReport(){`

			`$to = $this->webmaster_email;`

			`$num_infected_files = count($this->files_found);`

			`if($num_infected_files > 0){`

			`$subject = "MALICIOUS CODE FOUND - ".$this->website_name;`

			`}else{`

			`$subject = "Scan results - ".$this->website_name;`

			`}`

			`$message = $this->scan_summary_report();`

			`$headers = 'MIME-Version: 1.0' . "\r\n";`
			`$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";`
			`$headers .= 'To: '.$this->website_name.' Webmaster <'.$this->webmaster_email.'>' . "\r\n";`
			`$headers .= 'From: '.$this->website_name.' <'.$this->webmaster_email.'>' . "\r\n";`


			`mail($to, $subject, $message, $headers);`

			`}#function mail`

			`}#class malScanner`

			`?>`