Update 'findbot.pl'
This commit is contained in:
Malin
64
findbot.pl
64
findbot.pl
@@ -1,69 +1,7 @@
|
||||
#!/usr/bin/perl
|
||||
|
||||
# Version 0.08 Wed Apr 15 01:55:56 UTC 2015
|
||||
# cool scanner, strings produce too manu false positives so it needs a little tweaking
|
||||
|
||||
# The above line may need to be changed to point at your version of Perl
|
||||
#
|
||||
# This script attempts to find malicious files/scripts on your machine.
|
||||
# It specifically looks for spambots that we're aware of, as well
|
||||
# as "suspicious" constructs in various scripting languages.
|
||||
#
|
||||
# To use it, you should put this in a file on your computer called
|
||||
# "findbot.pl" and make it executable by "chmod 755 findbot.pl".
|
||||
#
|
||||
# By default, findbot.pl scans the directories /tmp, /usr/tmp, /home and
|
||||
# /var/www. This script isn't fast. So if you know where to look you can
|
||||
# speed things up by giving just the directories that you suspect has the
|
||||
# malware.
|
||||
#
|
||||
# You can often find out what user is infected by using:
|
||||
# lsof -i | grep smtp
|
||||
# and looking for processes that are NOT your mail server.
|
||||
#
|
||||
# If you're successful finding the user, you need to look everywhere the user
|
||||
# has write permissions - and you can run findbot.pl faster, by something like:
|
||||
#
|
||||
# findbot.pl /tmp /usr/tmp /home/<user> <user's web directory>
|
||||
#
|
||||
# There are two types of "detections" - "suspicious files" are files that contain
|
||||
# things that -may- be malicious.
|
||||
# "malware" is definitely malicious software.
|
||||
#
|
||||
# This script needs the following command line utilities. It will not run
|
||||
# if it can't find them, you will have to install them yourself:
|
||||
# - "md5sum" (Linux) or "md5" (FreeBSD etc) this appears to be standard
|
||||
# core utilities.
|
||||
# - "strings" - on Linux this is in the "binutils" package
|
||||
# - "file" - on Linux this is in the "file" package.
|
||||
#
|
||||
# Usage:
|
||||
# findbot.pl [-c] [directories...]
|
||||
#
|
||||
# If a list of directories is supplied, it's used, otherwise,
|
||||
# /tmp, /usr/tmp, /home and /var/www are use by default.
|
||||
#
|
||||
# The -c option is a shortcut to make finding cryptophp faster and
|
||||
# easier, but this may not work in all situations
|
||||
#
|
||||
# Very simple web malware detection module.
|
||||
# .01 -> .02:
|
||||
# - more strings of bad software
|
||||
# - search for encoded perl scripts
|
||||
# .02 -> .03: 2013/01/10 Ray
|
||||
# - speed up
|
||||
# - MD5 stuff
|
||||
# .03 -> .04: 2013/01/13 Ray
|
||||
# - improved docs
|
||||
# .04 -> .05: 2013/01/20 Ray
|
||||
# - more patterns
|
||||
# - MAXLINES way too small
|
||||
# .05 -> .06: 2014/10/31 Havriliuc Andrei, Hostvision srl, Romania
|
||||
# - many more patterns/heuristics from hoster's experience
|
||||
# - Thanks for the contribution!
|
||||
# .06 -> 07: 2014/11/22 Ray
|
||||
# - Speed up specifically for current version of cryptophp
|
||||
# .07 -> 08: 2015/04/14 Ray
|
||||
# - Stealrat patterns
|
||||
|
||||
my $access = '(\.htaccess)';
|
||||
my $accesspat = '(RewriteRule)';
|
||||
|
||||
Reference in New Issue
Block a user