From 1982fb0e617667dffee838a69db010031c785152 Mon Sep 17 00:00:00 2001
From: Malin
Date: Sat, 1 Oct 2016 08:49:48 +0200
Subject: [PATCH] Update 'findbot.pl'

---
 findbot.pl | 64 +-----------------------------------------------------
 1 file changed, 1 insertion(+), 63 deletions(-)

diff --git a/findbot.pl b/findbot.pl
index 6738547..03ad22e 100644
--- a/findbot.pl
+++ b/findbot.pl
@@ -1,69 +1,7 @@
 #!/usr/bin/perl
-# Version 0.08 Wed Apr 15 01:55:56 UTC 2015
+# cool scanner, strings produce too manu false positives so it needs a little tweaking
-# The above line may need to be changed to point at your version of Perl
-#
-# This script attempts to find malicious files/scripts on your machine.
-# It specifically looks for spambots that we're aware of, as well
-# as "suspicious" constructs in various scripting languages.
-#
-# To use it, you should put this in a file on your computer called
-# "findbot.pl" and make it executable by "chmod 755 findbot.pl".
-#
-# By default, findbot.pl scans the directories /tmp, /usr/tmp, /home and
-# /var/www. This script isn't fast. So if you know where to look you can
-# speed things up by giving just the directories that you suspect has the
-# malware.
-#
-# You can often find out what user is infected by using:
-# lsof -i | grep smtp
-# and looking for processes that are NOT your mail server.
-#
-# If you're successful finding the user, you need to look everywhere the user
-# has write permissions - and you can run findbot.pl faster, by something like:
-#
-# findbot.pl /tmp /usr/tmp /home/
-#
-# There are two types of "detections" - "suspicious files" are files that contain
-# things that -may- be malicious.
-# "malware" is definitely malicious software.
-#
-# This script needs the following command line utilities. It will not run
-# if it can't find them, you will have to install them yourself:
-# - "md5sum" (Linux) or "md5" (FreeBSD etc) this appears to be standard
-# core utilities.
-# - "strings" - on Linux this is in the "binutils" package
-# - "file" - on Linux this is in the "file" package.
-#
-# Usage:
-# findbot.pl [-c] [directories...]
-#
-# If a list of directories is supplied, it's used, otherwise,
-# /tmp, /usr/tmp, /home and /var/www are use by default.
-#
-# The -c option is a shortcut to make finding cryptophp faster and
-# easier, but this may not work in all situations
-#
-# Very simple web malware detection module.
-# .01 -> .02:
-# - more strings of bad software
-# - search for encoded perl scripts
-# .02 -> .03: 2013/01/10 Ray
-# - speed up
-# - MD5 stuff
-# .03 -> .04: 2013/01/13 Ray
-# - improved docs
-# .04 -> .05: 2013/01/20 Ray
-# - more patterns
-# - MAXLINES way too small
-# .05 -> .06: 2014/10/31 Havriliuc Andrei, Hostvision srl, Romania
-# - many more patterns/heuristics from hoster's experience
-# - Thanks for the contribution!
-# .06 -> 07: 2014/11/22 Ray
-# - Speed up specifically for current version of cryptophp
-# .07 -> 08: 2015/04/14 Ray
-# - Stealrat patterns
 my $access = '(\.htaccess)';
 my $accesspat = '(RewriteRule)';