1962Cracker\s+\|\s+cPanel\s+Cracker\s+\&\s+Root\s+Server\.\.\.\|<\/title>.+?<\?php\s+eval$base64\_decode\(.+?<\/Script>/is, qr/<\?php.+?\$wp\_file\_descriptions\s+\=\s+array\(.+?\$wp\_template\s+\=\s+\@preg\_replace\(\"\/\(\[a\-z0\-9\-\%\]\+$\.$\[a\-z\-\@\]\+$\.$\[a\-z\]\+$\/.+?\$2$\$3\(urldecode\(\'\$1\'$\)\)\"\,\s+\$search\.\"\.\@\"\.\$wp\_file\_descriptions\[\'rtl\.css\'\]\)\;\s+\?>/is, qr/<\?php\s+if\s+$isset\(\$\_REQUEST\[\"q\"\]$\s+AND\s+\$\_REQUEST\[\"q\"\]\=\=\"1\"\)\{echo\s+\"200\"\;\s+exit\;\}\s+if$isset\(\$\_POST\[\"key\"\]$\s+\&\&\s+isset$\$\_POST\[\"chk\"\]$\s+\&\&\s+\$\_POST\[\"key\"\]\=\=\".+?\"\)eval$gzuncompress\(base64\_decode\(\$\_POST\[\"chk\"\]$\)\)\;\s+\?>/is, qr/<\?php\s+if\s+$\!defined\(\'ALREADY\_RUN\_.+?define\(\'ALREADY\_RUN\_.+?eval\/\*i\*\/\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})$\)\;\s+\}/is, qr/<\?php\s+eval$gzuncompress\(.+?\"$\)\;/is, qr/<\?php.+?class\s+JApplication.+?new\s+JApplication$array\s+\(\'UID\'\s+\=>\s+\'([A-z0-9]{1,20})\'$\)\;/is, qr/<\?php\s+\/\*\s+\@package\s+WordPress\s+\*\/\s+eval$base64\_decode\(\@\$\_POST\[\"([A-z0-9]{1,20})\"\]$\)\;\?>/is, qr/<\?php\s+\if\s+$\!defined\(\'ALREADY\_RUN\_.+?$\)\;\s+\}/is, qr/<\?php\s+\$dom\s+\=\s+array$.+?\$url\s+\=\s+\'http\:\/\/\'\.\$dom\[mt\_rand\(0\,sizeof\(\$dom$\-1\)\]\.\'\/file\.php\'\;.+?header$\'Location\:\s+\'\.\$url$\;\s+\}\s+exit\;\s+\?>/is, qr/<\?php\s+if\s+$isset\(\$\_GET\[\"id\"\]$\)\s+header$.+?\.\$\_GET\[\"id\"\]$\;\s+\?>/is, qr/<\?php\s+eval$base64\_decode\(.+?$\)\;/is, qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})$\$([A-z0-9]{1,20})$.+?functions+([A-z0-9]{1,20})$\$([A-z0-9]{1,20})$\{return\s+([A-z0-9]{1,20})$\$([A-z0-9]{1,20})$\;\}\;.+?\}$\$url\,\s+FALSE\,\s+\$\{([A-z0-9]{1,20})\(.+?return\s+\$\{.+?$\}\;\s+\}/is, qr/<\?php\s+eval$base64\_decode\(.+?include.+?x70hp\"\;.+?include.+?x70hp\"\;/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=chr\(([0-9]{1,4})$.+?chr$([0-9]{1,4})$.+?chr$([0-9]{1,4})$.+?chr$([0-9]{1,4})$.+?chr$([0-9]{1,4})$.+?\)\;\s+\?>/is, qr/\*\/\s+eval$base64\_decode\(\"aWY.+?\=\"$\)\;\s+\/\*/is, qr/\*\/include\s+\/\*/is, qr/\*\/\".+?\.co.+?php\"\;\/\*/is, qr/<\?\s+\$([A-z0-9]{1,3})\[1\]\=\"([A-z0-9]{1,20})\.html\"\;\$([A-z0-9]{1,3})\[1\]\=.+?file\_put\_contents$\$fileaddr\,gzuncompress\(base64\_decode\(\$([A-z0-9]{1,3})\[\$([A-z0-9]{1,3})\]$\)\)\;\}\s+unlink$\$scr\.\"\.php\"$\;\s+\?>/is, qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})$\$([A-z0-9]{1,20})$.+?exit$\$\{([A-z0-9]{1,20})\(\"lie\=\=\?\"$\}\)\;\s+\}/is, qr/eval$base64\_decode\(\"aWY.+?include.+?eval\(base64\_decode\(\"aWY.+?include.+?ephp\"\;/is, qr/<\?php\s+\/\*\s+ionCube24\s+encoder\s+\*\/\s+global.+?eval\(base64\_decode\(.+?\_\_halt\_compiler\($\;([A-z0-9]{250,})/is, qr/<\?\s+eval$gzuncompress\(base64\_decode\(.+?$\)\)\;\s+\?>/is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\$([A-z0-9]{1,20})\s+\=\s+\'pr\'\.\'eg\'\.\'\_r\'\.\'epl\'\.\'ace\'\;.+?\@\$([A-z0-9]{1,20})$\'\#\#e\'\,.+?\'\'$\;/is, qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})$\$([A-z0-9]{1,20})$.+?\Z/is, qr/<script\s+type\=\"application\/javascript\">var\s+toggleMenu\s+\=\s+function.+?getCookie$\"ytm\_hit1\"$\&\&$setCookie\(\"ytm\_hit1\"\,1\,1$\,1\=\=getCookie$\"ytm\_hit1\"$.+?\/script>\'\)\)\)\;<\/script>/is, qr/<\?php\s+if$isset\(\$\_POST\[chr\(100$.+?<h1>Object\s+not\s+found\!<\/h1>.+?<h2>Error\s+404<\/h2>\s+<\/body>\s+<\/html>/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=chr$97$\.chr$117$\.\"t\"\.chr$104$\.\"\_\"\.\"p\"\.\".+?\"\.\"s\"\.chr$115$\;.+?\)\)\;\s+\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#/is, qr/<\?\s+\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\=Array$base64\_decode\(.+?return.+?round\(.+?$\;\}/is, qr/<IfModule\s+mod\_rewrite\.c>\s+\RewriteEngine\s+On\s+RewriteCond\s+\%\{HTTP\_REFERER\}\s+\^\.\*$google\|ask\|yahoo.+?\/index\_backup\.php\?query\=\$1\s+\[QSA\,L\]\s+<\/IfModule>/is, qr/<\?php\s+if\s+\(isset\(\$\_GET\[\'jpg\'\]$\)\s+\{\s+\header$\s+\'Content\-Type\:\s+image\/jpeg\'\s+$\;\s+readfile$\'http\:\/\/.+?\.jpg\'$\;\s+\exit\;\s+\}\s+header$\'Location\:\s+http\:\/\/.+?\'$\;\s+exit\;/is, qr/function\s+l\_\_1$\$.+?function\s+l\_\_3\(\$\_2$\{if$\$GLOBALS\[\Z/is, qr/<\?php\s+if\s+\(isset\(\$\_GET\[\'jpg\'\]$\).+?\)\;\s+exit\;/is, qr/<\?php\s+define$\'URL\_HEADER\_NAME\'\,\s+\"X\-Upstream\-Url\"$\;\s+define$\'DEBUG\_HEADER\_NAME\'\,\s+\"X\-Debug\-Oleg\"$\;.+?else\s+if$strcasecmp\(\$h\,\s+\$key$\s+\=\=\s+0\)\s+unset$\$headers\[\$h\]$\;\s+\}\s+\}/is, qr/<\?php\s+\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\=Array$base64\_decode\(.+?return\s+base64\_decode\(\$a\[\$i\]$\;\}.+?\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\[.+?\s+exit\;\Z/is, qr/<\?php\s+\$ua\s+\=\s+\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\;\s+if\s+$preg\_match\(\'\/facebook\/si\'\,\$ua$\)\s+\{.+?<\/noframes>\s+<\/html>\'\;\s+\}\s+\?>/is, qr/<\?php\s+session\_start\;.+?\.php\_uname\..+?<\/form>/is, qr/\'\;if$\s+\$\_POST\[\'\_upl\'\].+?<\/form>/is, qr/<\?php\s+if\(\!empty\(\$\_FILES\[\'message\'\]\[\'name\'\]$.+?<\/body>\s+<\/html>\'\;\/\/([0-9]{1,20})/is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\"\_\"\.\'G\'\.\'E\'\.\'T\'\;\s+if\s+$isset\(.+?preg\_replace\(.+?header\(\'Location\:\s+http\:\/\/.+?exit\($\;/is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?if\s+$\(strstr\(\$([A-z0-9]{1,20})\,\".+?\"$\)\s+or\s+$strstr\(([A-z0-9]{1,20})\}\[.+?$rtolower$\$\_SERVER\[.+?$\s+\&\&\s+$\!isset\(\$GLOBALS\[.+?if\(\(function\_exists\(.+?$\)\s+or\s+$strstr\(\$.+?\(0$\;\s+\$([A-z0-9]{1,20})\s+\=\s+implode$array\_.+?$\{return\s+chr$ord\(\$n$\-1\)\;\}\s+\@error\_reportin.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+=.+?\$uas\=strtolower$.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is, qr/<\?php\s+\/\*([A-z0-9]{1,10})\*\/\s+\@include\s+\".+?\/\*([A-z0-9]{1,10})\*\/\s+echo\s+file\_get\_contents\(\'.+?\'$\;/is, # qr/<\?php\s+if$\!empty\(\$\_FILES\[\'message\'\]\[\'name\'\]$\s+\&\&\s+$md5\(\$\_POST\[\'name\'\]$.+?Message\s+sent\!<\/body>\s+<\/html>\'\;/is, # qr/<\?php\s+\$report\_url\s+\=\s+\$\_POST\[\'url\'\]\;\s+\$pass\s+\=\s+\$\_POST\[\'pass\'\]\;\s+\$list\s+\=\s=\$\_POST\[\'list\'\]\;.+?if\s+$\@stripos\(\$hello\,\'\+OK\'$\!\=\=false\)\s+\{\s+return\s+true\;\s+\}\s+return\s+false\;\s+\}/is, ); my @base64_decodes = ( ); my @file_list; my %possible_list; my $start_dir = $ENV{'SCRIPT_FILENAME'} || '../'; $start_dir =~ s/\/cgi-bin//; $start_dir =~ s/\/lp-msh-scanner//; $start_dir = substr($start_dir, 0, rindex($start_dir, '/')); dir ($start_dir); print " \n \n"; print 'Infected Files (' . scalar(@file_list) . "): \n"; foreach my $file (@file_list) { print "$file \n"; } print " \n \n"; print 'Possibly Infected Files (' . scalar(keys(%possible_list)) . "): \n"; foreach my $key (keys(%possible_list)) { print "$key => $possible_list{$key} \n"; } sub dir { my ($start_dir) = @_; unless (opendir(DIR, $start_dir)) { print "Skipping directory $start_dir: $! "; return; } opendir(DIR, $start_dir) || die "$start_dir: $!"; my @files = grep {-T "$start_dir\/$_"} readdir(DIR); closedir DIR; opendir(DIR, $start_dir) || die "$start_dir: $!"; my @folders = grep {-d "$start_dir\/$_"} readdir(DIR); closedir DIR; foreach my $file (sort @files) { next if $file eq 'error_log'; next if $file eq 'tcpdf.php'; next if $file eq '*.xls'; next if $file eq '*.doc'; next if $file eq '*.pdf'; next if $file eq '*.sql'; next if $file eq '*.docx'; next if $file eq '*.eml'; next if $file eq '*.csv'; next if $file eq '*.zip'; next if $file eq '*.tar.gz'; next if $file eq '*.jpa'; next if $file eq '*.rar'; next if $file eq '*.tar'; next if $file eq '*.gz'; next if $file eq '*.mov'; next if $file eq '*.avi'; next if $file eq '*.mp3'; next if $file eq '*.mp4'; next if $file eq '*.webm'; next if $file eq '*.flv'; next if $file eq '*.fla'; next if $file eq '*.swf'; next if $file eq '*.ini'; next if $file eq '*.txt'; next if $file eq '*.po'; next if $file eq '*.mo'; print "Scanning $start_dir/$file... "; unless (-r "$start_dir/$file") { print " Skipping file, unable to read file "; next } if ((-s "$start_dir/$file") > 1024000) { print " Skipping file, over 1MB "; next } my $fh; unless (open ($fh, '<', "$start_dir/$file")) { print " Unable to read file, $! "; next } my $contents = do { local $/; <$fh> }; close $fh; my ($infected, $cleaned, $possible, $known, $sig); foreach my $pattern (@regexen) { my $t; if ($contents =~ /$pattern/) { my ($d, $t) = ($1, $2); $infected = 1; ($contents, $cleaned) = clean_file("$start_dir/$file", $contents, $pattern); push (@file_list, "$start_dir/$file"); } $t = undef; } print $infected ? ($cleaned ? "Infected, Cleaned \n" : "Infected, Cleaning failed \n") : ($possible ? "Possibly Infected \nSignature Unknown: $sig \n" : "Not infected \n"); } foreach my $folder (sort @folders) { if ($folder !~ /^\.\.?$/) { dir("$start_dir/$folder"); } } } sub clean_file { my ($file, $contents, $pattern) = @_; my $cleaned; if ($contents =~ /\n{4}/) { $contents =~ s/\n\n/\n/g; } $contents =~ s/$pattern//g; if ($contents =~ /$pattern/) { $cleaned = 0; } else { open (my $fh, '>', $file); print $fh $contents; close $fh; $cleaned = 1; } return ($contents, $cleaned); } 1;

#!/usr/bin/perl use strict; use warnings; use CGI; BEGIN { $SIG{__DIE__} = sub { my $msg = shift; print "status: 500\n"; print "content-type: text/html\n\n"; $msg =~ s/\n/\0/g; print "error: $msg\n"; CORE::die $msg; } } $| = 1; our $q = CGI->new; print "Content-type: text/html\n\n"; my @regexen = ( qr/<\?php\s+function\s+([A-z0-9]{1,10})$\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})$\{\$([A-z0-9]{1,10})\s+\=\s+\'\'\;\s+for$\$([A-z]{1,2})\=0\;\s+\$([A-z]{1,2})\s+\<\s+strlen\(\$([A-z0-9]{1,10})$\;\s+\$([A-z]{1,2})\+\+\)\{\$([A-z0-9]{1,10})\s+\.\=\s+isset$\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\]$\s+\?\s+\$([A-z0-9]{1,10})\[\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\]\s+\:\s+\$([A-z0-9]{1,10})\[\$([A-z]{1,2})\]\;\}\s+\$([A-z0-9]{1,10})\=\"base64\_decode\"\;return\s+\$([A-z0-9]{1,10})$\$([A-z0-9]{1,10})$\;\}.+?\$([A-z]{1,2})\s+\=\s+\Array$.+?eval\(([A-z0-9]{1,10})\(\$([A-z]{1,2})\,\s+\$([A-z]{1,2})$\)\;\?>/is, qr/<\?php\s+\$([A-z0-9]{1,10})\=\'aWYoaXNzZXQoJF9SRVFVRVNUWydjb2NvJ10pICYmICRfUkVRVUVTVFsnY29jbyddIT0nJyl7ZXZhbCgkX1JFUVVFU1RbJ2NvY28nXSk7ZXhpdCgpO30\=\'\;eval$base64\_decode\(\$([A-z0-9]{1,10})$\)\;exit\;\s+\?>/is, qr/<\?php\s+chmod$get\_root\_path\($\,\s+0755\)\;.+?function\s+get\_root\_path.+?die$\$reason$\;\s+\}/is, qr/\s+1962Cracker\s+\|\s+cPanel\s+Cracker\s+\&\s+Root\s+Server\.\.\.\|<\/title>.+?<\?php\s+eval$base64\_decode\(.+?<\/Script>/is, qr/<\?php.+?\$wp\_file\_descriptions\s+\=\s+array\(.+?\$wp\_template\s+\=\s+\@preg\_replace\(\"\/\(\[a\-z0\-9\-\%\]\+$\.$\[a\-z\-\@\]\+$\.$\[a\-z\]\+$\/.+?\$2$\$3\(urldecode\(\'\$1\'$\)\)\"\,\s+\$search\.\"\.\@\"\.\$wp\_file\_descriptions\[\'rtl\.css\'\]\)\;\s+\?>/is, qr/<\?php\s+if\s+$isset\(\$\_REQUEST\[\"q\"\]$\s+AND\s+\$\_REQUEST\[\"q\"\]\=\=\"1\"\)\{echo\s+\"200\"\;\s+exit\;\}\s+if$isset\(\$\_POST\[\"key\"\]$\s+\&\&\s+isset$\$\_POST\[\"chk\"\]$\s+\&\&\s+\$\_POST\[\"key\"\]\=\=\".+?\"\)eval$gzuncompress\(base64\_decode\(\$\_POST\[\"chk\"\]$\)\)\;\s+\?>/is, qr/<\?php\s+if\s+$\!defined\(\'ALREADY\_RUN\_.+?define\(\'ALREADY\_RUN\_.+?eval\/\*i\*\/\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})$\)\;\s+\}/is, qr/<\?php\s+eval$gzuncompress\(.+?\"$\)\;/is, qr/<\?php.+?class\s+JApplication.+?new\s+JApplication$array\s+\(\'UID\'\s+\=>\s+\'([A-z0-9]{1,20})\'$\)\;/is, qr/<\?php\s+\/\*\s+\@package\s+WordPress\s+\*\/\s+eval$base64\_decode\(\@\$\_POST\[\"([A-z0-9]{1,20})\"\]$\)\;\?>/is, qr/<\?php\s+\if\s+$\!defined\(\'ALREADY\_RUN\_.+?$\)\;\s+\}/is, qr/<\?php\s+\$dom\s+\=\s+array$.+?\$url\s+\=\s+\'http\:\/\/\'\.\$dom\[mt\_rand\(0\,sizeof\(\$dom$\-1\)\]\.\'\/file\.php\'\;.+?header$\'Location\:\s+\'\.\$url$\;\s+\}\s+exit\;\s+\?>/is, qr/<\?php\s+if\s+$isset\(\$\_GET\[\"id\"\]$\)\s+header$.+?\.\$\_GET\[\"id\"\]$\;\s+\?>/is, qr/<\?php\s+eval$base64\_decode\(.+?$\)\;/is, qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})$\$([A-z0-9]{1,20})$.+?functions+([A-z0-9]{1,20})$\$([A-z0-9]{1,20})$\{return\s+([A-z0-9]{1,20})$\$([A-z0-9]{1,20})$\;\}\;.+?\}$\$url\,\s+FALSE\,\s+\$\{([A-z0-9]{1,20})\(.+?return\s+\$\{.+?$\}\;\s+\}/is, qr/<\?php\s+eval$base64\_decode\(.+?include.+?x70hp\"\;.+?include.+?x70hp\"\;/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=chr\(([0-9]{1,4})$.+?chr$([0-9]{1,4})$.+?chr$([0-9]{1,4})$.+?chr$([0-9]{1,4})$.+?chr$([0-9]{1,4})$.+?\)\;\s+\?>/is, qr/\*\/\s+eval$base64\_decode\(\"aWY.+?\=\"$\)\;\s+\/\*/is, qr/\*\/include\s+\/\*/is, qr/\*\/\".+?\.co.+?php\"\;\/\*/is, qr/<\?\s+\$([A-z0-9]{1,3})\[1\]\=\"([A-z0-9]{1,20})\.html\"\;\$([A-z0-9]{1,3})\[1\]\=.+?file\_put\_contents$\$fileaddr\,gzuncompress\(base64\_decode\(\$([A-z0-9]{1,3})\[\$([A-z0-9]{1,3})\]$\)\)\;\}\s+unlink$\$scr\.\"\.php\"$\;\s+\?>/is, qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})$\$([A-z0-9]{1,20})$.+?exit$\$\{([A-z0-9]{1,20})\(\"lie\=\=\?\"$\}\)\;\s+\}/is, qr/eval$base64\_decode\(\"aWY.+?include.+?eval\(base64\_decode\(\"aWY.+?include.+?ephp\"\;/is, qr/<\?php\s+\/\*\s+ionCube24\s+encoder\s+\*\/\s+global.+?eval\(base64\_decode\(.+?\_\_halt\_compiler\($\;([A-z0-9]{250,})/is, qr/<\?\s+eval$gzuncompress\(base64\_decode\(.+?$\)\)\;\s+\?>/is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\$([A-z0-9]{1,20})\s+\=\s+\'pr\'\.\'eg\'\.\'\_r\'\.\'epl\'\.\'ace\'\;.+?\@\$([A-z0-9]{1,20})$\'\#\#e\'\,.+?\'\'$\;/is, qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})$\$([A-z0-9]{1,20})$.+?\Z/is, qr/<script\s+type\=\"application\/javascript\">var\s+toggleMenu\s+\=\s+function.+?getCookie$\"ytm\_hit1\"$\&\&$setCookie\(\"ytm\_hit1\"\,1\,1$\,1\=\=getCookie$\"ytm\_hit1\"$.+?\/script>\'\)\)\)\;<\/script>/is, qr/<\?php\s+if$isset\(\$\_POST\[chr\(100$.+?<h1>Object\s+not\s+found\!<\/h1>.+?<h2>Error\s+404<\/h2>\s+<\/body>\s+<\/html>/is, qr/<\?php\s+\$([A-z0-9]{1,20})\=chr$97$\.chr$117$\.\"t\"\.chr$104$\.\"\_\"\.\"p\"\.\".+?\"\.\"s\"\.chr$115$\;.+?\)\)\;\s+\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#/is, qr/<\?\s+\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\=Array$base64\_decode\(.+?return.+?round\(.+?$\;\}/is, qr/<IfModule\s+mod\_rewrite\.c>\s+\RewriteEngine\s+On\s+RewriteCond\s+\%\{HTTP\_REFERER\}\s+\^\.\*$google\|ask\|yahoo.+?\/index\_backup\.php\?query\=\$1\s+\[QSA\,L\]\s+<\/IfModule>/is, qr/<\?php\s+if\s+\(isset\(\$\_GET\[\'jpg\'\]$\)\s+\{\s+\header$\s+\'Content\-Type\:\s+image\/jpeg\'\s+$\;\s+readfile$\'http\:\/\/.+?\.jpg\'$\;\s+\exit\;\s+\}\s+header$\'Location\:\s+http\:\/\/.+?\'$\;\s+exit\;/is, qr/function\s+l\_\_1$\$.+?function\s+l\_\_3\(\$\_2$\{if$\$GLOBALS\[\Z/is, qr/<\?php\s+if\s+\(isset\(\$\_GET\[\'jpg\'\]$\).+?\)\;\s+exit\;/is, qr/<\?php\s+define$\'URL\_HEADER\_NAME\'\,\s+\"X\-Upstream\-Url\"$\;\s+define$\'DEBUG\_HEADER\_NAME\'\,\s+\"X\-Debug\-Oleg\"$\;.+?else\s+if$strcasecmp\(\$h\,\s+\$key$\s+\=\=\s+0\)\s+unset$\$headers\[\$h\]$\;\s+\}\s+\}/is, qr/<\?php\s+\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\=Array$base64\_decode\(.+?return\s+base64\_decode\(\$a\[\$i\]$\;\}.+?\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\[.+?\s+exit\;\Z/is, qr/<\?php\s+\$ua\s+\=\s+\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\;\s+if\s+$preg\_match\(\'\/facebook\/si\'\,\$ua$\)\s+\{.+?<\/noframes>\s+<\/html>\'\;\s+\}\s+\?>/is, qr/<\?php\s+session\_start\;.+?\.php\_uname\..+?<\/form>/is, qr/\'\;if$\s+\$\_POST\[\'\_upl\'\].+?<\/form>/is, qr/<\?php\s+if\(\!empty\(\$\_FILES\[\'message\'\]\[\'name\'\]$.+?<\/body>\s+<\/html>\'\;\/\/([0-9]{1,20})/is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\"\_\"\.\'G\'\.\'E\'\.\'T\'\;\s+if\s+$isset\(.+?preg\_replace\(.+?header\(\'Location\:\s+http\:\/\/.+?exit\($\;/is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?if\s+$\(strstr\(\$([A-z0-9]{1,20})\,\".+?\"$\)\s+or\s+$strstr\(([A-z0-9]{1,20})\}\[.+?$rtolower$\$\_SERVER\[.+?$\s+\&\&\s+$\!isset\(\$GLOBALS\[.+?if\(\(function\_exists\(.+?$\)\s+or\s+$strstr\(\$.+?\(0$\;\s+\$([A-z0-9]{1,20})\s+\=\s+implode$array\_.+?$\{return\s+chr$ord\(\$n$\-1\)\;\}\s+\@error\_reportin.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is, qr/<\?php\s+\$([A-z0-9]{1,20})\s+=.+?\$uas\=strtolower$.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is, qr/<\?php\s+\/\*([A-z0-9]{1,10})\*\/\s+\@include\s+\".+?\/\*([A-z0-9]{1,10})\*\/\s+echo\s+file\_get\_contents\(\'.+?\'$\;/is, # qr/<\?php\s+if$\!empty\(\$\_FILES\[\'message\'\]\[\'name\'\]$\s+\&\&\s+$md5\(\$\_POST\[\'name\'\]$.+?Message\s+sent\!<\/body>\s+<\/html>\'\;/is, # qr/<\?php\s+\$report\_url\s+\=\s+\$\_POST\[\'url\'\]\;\s+\$pass\s+\=\s+\$\_POST\[\'pass\'\]\;\s+\$list\s+\=\s=\$\_POST\[\'list\'\]\;.+?if\s+$\@stripos\(\$hello\,\'\+OK\'$\!\=\=false\)\s+\{\s+return\s+true\;\s+\}\s+return\s+false\;\s+\}/is, ); my @base64_decodes = ( ); my @file_list; my %possible_list; my $start_dir = $ENV{'SCRIPT_FILENAME'} || '../'; $start_dir =~ s/\/cgi-bin//; $start_dir =~ s/\/lp-msh-scanner//; $start_dir = substr($start_dir, 0, rindex($start_dir, '/')); dir ($start_dir); print " \n \n"; print 'Infected Files (' . scalar(@file_list) . "): \n"; foreach my $file (@file_list) { print "$file \n"; } print " \n \n"; print 'Possibly Infected Files (' . scalar(keys(%possible_list)) . "): \n"; foreach my $key (keys(%possible_list)) { print "$key => $possible_list{$key} \n"; } sub dir { my ($start_dir) = @_; unless (opendir(DIR, $start_dir)) { print "Skipping directory $start_dir: $! "; return; } opendir(DIR, $start_dir) || die "$start_dir: $!"; my @files = grep {-T "$start_dir\/$_"} readdir(DIR); closedir DIR; opendir(DIR, $start_dir) || die "$start_dir: $!"; my @folders = grep {-d "$start_dir\/$_"} readdir(DIR); closedir DIR; foreach my $file (sort @files) { next if $file eq 'error_log'; next if $file eq 'tcpdf.php'; next if $file eq '*.xls'; next if $file eq '*.doc'; next if $file eq '*.pdf'; next if $file eq '*.sql'; next if $file eq '*.docx'; next if $file eq '*.eml'; next if $file eq '*.csv'; next if $file eq '*.zip'; next if $file eq '*.tar.gz'; next if $file eq '*.jpa'; next if $file eq '*.rar'; next if $file eq '*.tar'; next if $file eq '*.gz'; next if $file eq '*.mov'; next if $file eq '*.avi'; next if $file eq '*.mp3'; next if $file eq '*.mp4'; next if $file eq '*.webm'; next if $file eq '*.flv'; next if $file eq '*.fla'; next if $file eq '*.swf'; next if $file eq '*.ini'; next if $file eq '*.txt'; next if $file eq '*.po'; next if $file eq '*.mo'; print "Scanning $start_dir/$file... "; unless (-r "$start_dir/$file") { print " Skipping file, unable to read file "; next } if ((-s "$start_dir/$file") > 1024000) { print " Skipping file, over 1MB "; next } my $fh; unless (open ($fh, '<', "$start_dir/$file")) { print " Unable to read file, $! "; next } my $contents = do { local $/; <$fh> }; close $fh; my ($infected, $cleaned, $possible, $known, $sig); foreach my $pattern (@regexen) { my $t; if ($contents =~ /$pattern/) { my ($d, $t) = ($1, $2); $infected = 1; ($contents, $cleaned) = clean_file("$start_dir/$file", $contents, $pattern); push (@file_list, "$start_dir/$file"); } $t = undef; } print $infected ? ($cleaned ? "Infected, Cleaned \n" : "Infected, Cleaning failed \n") : ($possible ? "Possibly Infected \nSignature Unknown: $sig \n" : "Not infected \n"); } foreach my $folder (sort @folders) { if ($folder !~ /^\.\.?$/) { dir("$start_dir/$folder"); } } } sub clean_file { my ($file, $contents, $pattern) = @_; my $cleaned; if ($contents =~ /\n{4}/) { $contents =~ s/\n\n/\n/g; } $contents =~ s/$pattern//g; if ($contents =~ /$pattern/) { $cleaned = 0; } else { open (my $fh, '>', $file); print $fh $contents; close $fh; $cleaned = 1; } return ($contents, $cleaned); } 1;