Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
LP-MSH-Scanner/mscan.php
Malin 4a1e566e30 Update 'mscan.php'
2016-10-24 09:16:43 +02:00

312 lines
8.3 KiB
PHP
Raw Blame History

<?php
/*
Forked from WP Protect plugin
Added tons of new malware patterns
Disabled cleanup functionality for the time being in order to identify false positives
Done code cleanup
*/
class malScanner{
var $mtstart;
var $mtend;
var $exectime;
var $dater;
var $timer;
var $basedir;
var $directories = array();
var $files_found = array();
var $no_files_scanned;
var $no_files_cleaned;
var $patterns;
var $webmaster_email = "office@palma.solutions";
var $website_name = "palma.solutions";
var $malPatterns = array(
"^<\?php\s*\\\$md5\s*=\s*.*create_function\s*\(.*?\);\s*\\\$.*?\)\s*;\s*\?>\s*",
" echo \"<script type=\\\\\"text\/javascript\\\\\" src=\\\\\"http:\/\/.*\.js\\\\\"><\/script>\"; echo \"\";",
"<\?php\s*\@error_reporting\(0\);\s*if\s*\(\!isset\(([\$\w]+)\)\)\s*{[\$]+[^}]+}\s*\?>",
"<\?php\s*\/\*\w+_on\*\/.*\/\*\w+_off\*\/\s*\?>",
"<\?php\s*\/\*god_mode_on\*\/eval\(base64_decode\([\"'][^\"']{255,}[\"']\)\);\s*\/\*god_mode_off\*\/\s*\?>",
"<\?php\s*\?>",
"<IfModule\s*mod_rewrite\.c>\s*RewriteEngine\s*On\s*RewriteCond\s*%\{HTTP_REFERER\}\s*\^\.\*\([^\)]{255,}[google|yahoo|bing|ask|wikipedia|youtube][^\)]{255,}[^<]*<\/IfModule>",
"ErrorDocument\s*(?:400|401|403|404|500)+\s*http:\/\/.*\.\w+",
"^<script>(.*)<\/script>",
"^<\?php\s*\\\$md5\s*=\s*[\"|']\w+[\"|'];\s*\\\$wp_salt\s*=\s*[\w\(\),\"\'\;\$]+\s*\\\$wp_add_filter\s*=\s*create_function\(.*\);\s*\\\$wp_add_filter\(.*\);\s*\?>\s*",
"\s*eval\(base64_decode\([\"'][^\"']{255,}[\"']\)\);",
"if\(!function_exists\([^{]+\s*{\s*function[^}]+\s*}\s*[^\"']+\s*[\"'][^\"']+[\"'];\s*eval\s*\(.*\)\s*;\s*}\s*",
"d.=sprintf\(\(substr\(urlencode\(print_r\(array\(",
"^(.*)<\?php(.*)eval(\s*)\((\s*)base64_decode(\s*)\((\s*)(.*)(\?><\?php)*\n",
"eval(\s*)\((.*)base64_decode(\s*)\(",
"\$_COOKIE\[[\'\|\"\]access\-admin\[\'\|\"\]\]",
"this.form.upload_file.disabled=false",
"function(\s*)jspw3\(d\,m\,f\)",
"a(\s*)simple(\s*)Web-based(\s*)file(\s*)manager",
"php\_uname(\s*)\(preg_replace(\s*)\(",
"function(\s*)rewrioutclbkxxx1\(",
"eval\(\(base64_decode\(",
"preg_replace\(strrev\(",
"s=base64_decode\(str_replace\(chr\(32\)",
"_GET\[base64_decode\(",
"@error_reporting\(0\)",
"eval\(base64_decode\(<(.*)POST(.*)>php",
"==========================+(\s*)Credit.Mutuel.ReZult(\s*)+==================",
"X-Mailer:(\s*)The(\s*)Bat\!(\s*)\(v",
"WordPress(\s*)Inserter(\s*)Links",
"The(\s*)Sword(\s*)Config(\s*)Fuck(\s*)Script",
"@kr(\s*)=(\s*)<d0mains>;",
"copyto(\s*)=(\s*)explode\(",
"eval\(gzinflate\(base64_decode\(",
"eval\(gzinflate\(str_rot13\(base64_decode\(",
"Bank(\s*)of(\s*)America(\s*)\|(\s*)Home(\s*)\|(\s*)Personal",
"Bank(\s*)of(\s*)America(\s*)\|(\s*)Online(\s*)Banking(\s*)\|(\s*)Sign(\s*)In(\s*)to(\s*)Online(\s*)Banking",
"Bank(\s*)of(\s*)America(\s*)\|(\s*)Thank(\s*)you",
"Wells(\s*)Fargo(\s*)Home(\s*)Page",
"Chase(\s*)Online(\s*)-(\s*)Logon",
"Send(\s*)Money,(\s*)Pay(\s*)Online(\s*)or(\s*)Set(\s*)Up(\s*)a(\s*)Merchant(\s*)Account(\s*)with(\s*)PayPal",
"Login(\s*)-(\s*)PayPal",
"Sign(\s*)Up(\s*)for(\s*)PayPal(\s*)-(\s*)It\'s(\s*)Free(\s*)and(\s*)Easy(\s*)to(\s*)Get(\s*)Started",
"My(\s*)Account(\s*)-(\s*)Telstra",
"RBC(\s*)Royal(\s*)Bank(\s*)-(\s*)Sign(\s*)In(\s*)to(\s*)Online(\s*)Banking",
"RBC(\s*)Financial(\s*)Group(\s*)-(\s*)Online(\s*)Banking",
"Online(\s*)Banking(\s*)Security(\s*)and(\s*)Privacy(\s*)Guide(\s*)-(\s*)RBC(\s*)Royal(\s*)Bank",
);
var $filetypes = array("php", "shtml", "html", "htm", "js", "css", "txt", "pl", "cgi", "sh", "py");
function __construct($basedir,$displayOnly = TRUE ,$wname = "" ,$wemail = "") {
$this->mtstart = $this->microtime_float();
$this->website_name = $wname;
$this->webmaster_email = $wemail;
$this->no_files_scanned = 0;
$this->no_files_cleaned = 0;
$this->dater = date('d-m-Y');
$this->timer = date('H:i:n:s');
$this->basedir = $basedir;
$this->patterns = '('.implode('|', $this->malPatterns).')';
$this->directories[] = $basedir;
$directories = $this->get_Directories($this->basedir);
$this->get_subs($directories);
$this->startscan();
$this->exectime = $this->getexectime();
if($displayOnly == TRUE){
$this->DisplayNotice();
}else{
$this->sendReport();
}#if displayonly
}#construct function
function startscan(){
foreach($this->directories as $directory) {
foreach($this->filetypes as $filetype){
$files = glob($directory . '/*.'.$filetype , GLOB_NOSORT);
$this->scanner($files);
}#for each filetype
$files = glob($directory . '/.htaccess' , GLOB_NOSORT);
$this->scanner($files);
}#for each directory
}#function scan
function scanner($files){
if(is_array($files)) {
foreach($files as $file) {
$this->no_files_scanned++;
$file_contents = file_get_contents($file);
$numMatches = null;
$numMatches = preg_match_all('/'.$this->patterns.'/is', $file_contents,$matches);
if(!empty($numMatches)){
$this->files_found[] = $file;
// $this->cleanInfected($file);
}#if found !empty
}#foreach
}#if isarray
}#function scanner
function cleanInfected($file){
$handle = fopen($file, "r");
if(filesize($file) > 0){
$contents = fread($handle, filesize($file));
fclose($handle);
$handle = fopen($file, "w");
$contents = preg_replace('/'.$this->patterns.'/is', "", $contents);
fwrite($handle, $contents);
$this->no_files_cleaned++;
}
fclose($handle);
}
function get_Directories($basedir){
$directories = glob($basedir . '/*' , GLOB_ONLYDIR);
return $directories;
}#get_Directories
function get_subs($directories){
foreach($directories as $directory){
#echo $directory."<BR>";
$this->directories[] = $directory;
$subs = $this->get_Directories($directory);
$this->get_subs($subs);
}#foreach
}#function get_subs
function microtime_float() {
list($usec, $sec) = explode(" ", microtime());
return ((float)$usec + (float)$sec);
}
function getexectime(){
$this->mtend = $this->microtime_float();
return round($this->mtend - $this->mtstart, 4);
}#getexectime
function scan_summary_report(){
$num_infected_files = count($this->files_found);
$sdstr = $this->website_name.'
maintenance Report - Malware code scanner ver 1.0 (10-2)<BR><BR>
Date of Execution : '.$this->dater.'<BR>
time of Exectuion : '.$this->timer.'<BR>
Start time stamp : '.$this->mtstart.'<BR>
End time stamp : '.$this->mtend.'<BR>
Total Execution time : '.$this->exectime.'<BR>
<BR>
Website : '.$this->website_name.'<BR>
Base Directory : '.$this->basedir.'<BR>
Total Directories scanned : '.count($this->directories).'<BR>
Total files scanned : '.$this->no_files_scanned.'<BR>
Total files with Malware inserted code : '.$num_infected_files.'<BR>
Total files with Malware inserted code Cleaned : '.$this->no_files_cleaned.'<BR>
<BR>
';
if($num_infected_files > 0){
$sdstr .= '*NOTE: Change all access codes: FTP passwords, website admin passwords, Authentication salts<BR><BR>';
$sdstr .= 'Files infected:<BR>';
foreach($this->files_found as $file){
$sdstr .= $file.'<BR>';
}#foreach
}#if $numinfected files > 0
return $sdstr;
}#scan summary report
function DisplayNotice(){
$Notice = "";
$num_infected_files = count($this->files_found);
if($num_infected_files > 0){
$Notice .= "MALICIOUS CODE FOUND - ".$this->website_name;
}else{
$Notice .= "Scan results - ".$this->website_name;
}
$Notice .= "<BR>".$this->scan_summary_report();
echo $Notice;
}#DisplayNotice
function sendReport(){
$to = $this->webmaster_email;
$num_infected_files = count($this->files_found);
if($num_infected_files > 0){
$subject = "MALICIOUS CODE FOUND - ".$this->website_name;
}else{
$subject = "Scan results - ".$this->website_name;
}
$message = $this->scan_summary_report();
$headers = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
$headers .= 'To: '.$this->website_name.' Webmaster <'.$this->webmaster_email.'>' . "\r\n";
$headers .= 'From: '.$this->website_name.' <'.$this->webmaster_email.'>' . "\r\n";
mail($to, $subject, $message, $headers);
}#function mail
}#class malScanner
?>
Reference in New Issue View Git Blame Copy Permalink