Malin/LP-MSH-Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
LP-MSH-Scanner/malware6.pl
Palma Solutions LTD e18ebfa29e new patterns
2018-05-28 07:44:18 +02:00

234 lines
16 KiB
Prolog
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#!/usr/bin/perl
use strict;
use warnings;
use CGI;
BEGIN {
$SIG{__DIE__} = sub {
my $msg = shift;
print "status: 500\n";
print "content-type: text/html\n\n";
$msg =~ s/\n/\0/g;
print "error: $msg\n";
CORE::die $msg;
}
}
$| = 1;
our $q = CGI->new;
print "Content-type: text/html\n\n";
my @regexen = (
qr/;tixe.+?;\)0\(emitnur_setouq_cigam_tes\@.+?\" = ssap_htua\$/is,
qr/<span style=\"font-size:5px; font-style:italic; font-family:Arial; width:\d\dpx; display:none; color:violet;\">\s+<a href=http:\/\/.+?(viagra|cialis|levitra).+?<\/a>\s+<\/span>/is,
qr/<?php if \(isset\(\$_GET\[\"CONFIG\"\]\)\) if \(.+?md5\(\$_GET\[\"CONFIG\"\]\)\)\{.+?if\(is_uploaded_file\/\*;\*\/\(\$_FILES\[.+?\]\)\)\{move_uploaded_file\/\*;\*\/\(\$_FILES\[.+?\);return null;\} \?>/is,
qr/<\?php extract\(\$_REQUEST\) \&\& \@assert\(stripslashes\(\$([A-z0-9]{1,20})\)\) \&\& exit;/is,
qr/<\?php.+?if\(\!function_exists\(\"scandir\"\)\) \{.+?\$currentCMD = str_replace\(.+?Command completed.+?exit;\s+\?>/is,
qr/<\?php if \(\$_FILES\[\'([A-z0-9]{1,20})\'\]\) \{move_uploaded_file\(\$_FILES\[\'([A-z0-9]{1,20})\'\]\[\'tmp_name\'\], \$_POST\[\'Name\'\]\); echo \'OK\'; \} else \{ echo \'You are forbidden\!\'; \} \?>/is,
qr/<\?php if\( isset\( \$_REQUEST\[\"\w\"\] \) \) \{ system\( \$_REQUEST\[\"\w\"\] \. \" 2>\&1\" \); \}/is,
qr/<\?php.+?Hacked by Ammar The-InJx.+?return \$info;\s+\}\s+\?>/is,
qr/<\?php\s+if\(\!class_exists\(\'.+?\{\$is_bot=1;\}\$bad_file=array\(\"png.+?AND\@preg_match\(\'\/bing\|msn.+?urldecode\(.+?\\x\w\w\"\]\(\);\?>/is,
qr/<\?php \$([A-z0-9]{1,20})=\"([A-z0-9]{20,}).+?\$([A-z0-9]{1,20}) = str_replace\(\"b\",\"\",\"bsbtbrb_rbebpblacbe\"\); \$([A-z0-9]{1,20})=\"([A-z0-9]{20,}).+?\$([A-z0-9]{1,20}) = \$([A-z0-9]{1,20})\(\"q\", \"\", \"qbaqsqeq6q4q_qdqecoqde\"\); \$([A-z0-9]{1,20}) = \$([A-z0-9]{1,20})\(\"z\",\"\",\"crzezatez_fzunctzizon\"\); \$([A-z0-9]{1,20}) = \$([A-z0-9]{1,20})\(\"\", \$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\"([A-z0-9]{1,20})\", \"\", \$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\.\$([A-z0-9]{1,20})\)\)\); \$([A-z0-9]{1,20})\(\); \?>/is,
qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/\s+if\(md5\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\s+\=\=\=\s+\"([A-z0-9]{32})\"\)\s+\{\s+eval\(base64_decode\(\$\_POST\[\"([A-z0-9_]{1,20})\"\]\)\)\;\s+\}\s+\/\*([A-z0-9]{1,20})\*\/\s+\?>/is,
qr/<\?php.+?if \(stristr\(php_sapi_name\(\).+?404\);\} exit\(\); \?>/is,
qr/<\?php\s+if \(!isset\(\$sRetry\)\).+?\$stCurlLink = base64_decode\(.+?curl_close\(\$stCurlHandle\);.+?\?>/is,
qr/eval\(\"\?\>\" \. base64_decode\(.+?\)\); \?>/is,
qr/<\?php.+?\$alphabet =.+?exit\(\);.+?\$([A-z0-9]{1,20}) =.+?\"\"\.chr\(.+?\)\.\"\"\.chr\(.+?\)\.\"\\x.+?\]\.\$([A-z0-9]{1,20})\[\d\d\], \$([A-z0-9]{1,20}) ,\"([A-z0-9]{1,20})\"\);/is,
qr/<\? echo\(base64_decode\(.+?\)\); \?>/is,
qr/<\?php.+?\$auth_pass.+?FilesMan.+?preg_replace\(\"\/\.\*\/e\",\"\\x65.+?\\x3B\",\"\.\"\);\?>/is,
qr/<\?php\s+\@preg_replace\(\"\\x.+?\);\?>/is,
qr/<\?php \$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}).+?\);\$([A-z0-9]{1,20}) = \"([A-z0-9]{20,})\";\$([A-z0-9]{1,20}) = true;\$([A-z0-9]{1,20}).+?\$([A-z0-9]{1,20}) = \"\"; \?>/is,
qr/<\?php if \(\$_SERVER\[\'QUERY_STRING\'\] != \"passw0rd\"\) \{.+?\$uploadfile = \$uploaddir \. basename\(\$_FILES\[.+?\$numemails mail\(s\) was sent successfully\'\); <\/script>\";.+?\?>\s+<\/body>\s+<\/html>/is,
qr/\@ini_set\(\'display_errors\', \'0\'\);.+?if \(!\$npDcheckClassBgp\) \{.+?str_replace\(\'([A-z0-9_]{1,20})\', \'bas\'.+?str_replace\(\'([A-z0-9]{1,20})\', \'64\'.+?function wp\_cd\(\$fd, \$fa=\"\"\).+?fwrite\(\$hdl, \"<\?php\\n\$mtchs\[1\]\\n\?>\"\);.+?\$npDcheckClassBgp = \'([A-z0-9]{1,20})\';\s+\}/is,
qr/<html>.+?<body>\s+<script type=\"text\/javascript\">.+?function ([A-z0-9]{1,20})\(\)\s+\{\s+setTimeout\(([A-z0-9]{1,20})\(\),([0-9]{1,5})\);\s+\}\s+function ([A-z0-9]{1,20})\(\)\s+\{\s+([A-z0-9]{1,20}) = ([A-z0-9]{1,20})\(\);\s+([A-z0-9]{1,20}) = \[([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}),([0-9]{1,5}).+?\}\s+<\/script>\s+<\/body>\s+<\/html>/is,
qr/<\?php \/\* get_header\(\); .+?\$wordpress_report = strrev \(.+?\@move_uploaded_file\(\$open_image_tmp,\$image_tmp\);.+?\?>/is,
qr/<\?\s+\/\/ \@\~ PRO Mailer V2.+?return stripslashes\(ltrim\(rtrim\(\$string\)\)\);.+?function SendOrMail\(\$from\) \{.+?sent successfully\'\); <\/script>\";\}\}\s+\?>/is,
qr/preg_replace\(\"\/\.\+\/e\",\"\\x65.+?\\x3B\",\"\.\"\);/is,
qr/if \(isset\(\$_GET\[\'CONFIG\'\]\)\) if \(.+?if\(is_uploaded_file\/\*;\*\/\(\$_FILES\[.+?\$file = \$_FILES\/\*;\*\/\[.+?touch\/\*;\*\/\(\$filename, \$time\);\s+return null;\s+\}/is,
qr/<\?php\s+\$\w = array\(.+?\);\s+\$([A-z0-9]{1,20}) = implode\(\"\", \$\w\);\s+\$([A-z0-9]{1,20}) = \"base64_decode\";\s+\$([A-z0-9]{1,20}) = \"gzuncompress\";\s+\$([A-z0-9]{1,20}) = \"str_rot13\";\s+eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\);\s+\?>/is,
qr/<\?php echo base64_decode\(\'([A-z0-9]{1,20})\'\); if\( isset\( \$_REQUEST\[\'\w\'\] \) \) \{ system\( \$_REQUEST\[\'\w\'\] \. \' 2>\&1\' \); \}/is,
qr/<\?php\s+\/\/header\(.+?=urldecode\(.+?<spango>.+?\$\{\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"\}.+?\]\(\);\?>/is,
qr/<\?php\s+if \(\$_REQUEST\[\'action\'\] ==.+?base64_decode\(\$_REQUEST\[.+?if \(mail\(stripslashes\(base64_decode\(\$.+?\} else \{echo \'not found\';\}/is,
qr/<\?php.+?\$filter = base64_decode\( \$kses_str \);.+?echo \$wp_auth_check;/is,
qr/<\?php.+?\$wp_file_descriptions = array\(.+?\$search\.\"\.\@\"\.\$wp_file_descriptions\[\'rtl\.css\'\]\);\s+\?>/is,
qr/<\?php \@eval\(\"\?>\"\.base64_decode\(.+?\)\);\/\/Generated by Ampare PHP Encoder. For more security please use php protect before encode the php program/is,
qr/<\?php echo \'<div style=\"position:absolute; left:-9000px;\"><a href=\"http:\/\/.+?\">(viagra|cialis|levitra)<\/a><\/div>\'; \?>/is,
qr/if\(\$([A-z0-9]{1,20})=curl_init\(\)\)\{if\(isset\(\$_GET\[base64_decode.+?curl_close\(\$([A-z0-9]{1,20})\);\}\}/is,
qr/RewriteEngine on\s+RewriteCond \%\{HTTP_USER_AGENT\} android \[NC,OR\].+?RewriteCond \%\{HTTP_USER_AGENT\} !\(windows\\\.nt\|bsd\|x11\|unix\|macos\|macintosh\|playstation\|.+?RewriteRule \^\(\.\*\)\$ http:\/\/.+?\.ru \[L,R=302\]/is,
qr/<\? function ([A-z0-9_]{1,20})\(\$\w\)\{\$\w=Array\(\'.+?\);return base64_decode\(\$\w\[\$\w\]\);\} \?><\?php \$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\d\].+?\)\); \?>/is,
qr/error 407<\?php system\(\$_GET\[cmd\]\); \?>/is,
qr/<\?php eval\(chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(.+?\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\.chr\(([0-9]{1,3})\)\); \?>/is,
qr/preg_replace\(\"\\x2f.+?\\x3d\"\);/is,
qr/<\?php\s+\@ini_set\(.+?function wp_cd\(\$fd, \$fa=\"\"\).+?\$npDcheckClassBgp = \"([A-z0-9]{1,20})\";\s+\}\s+\?>/is,
qr/<\?php \/\* WARNING:.+?;eval\(base64_decode\(.+?\)\);return;\?>/is,
qr/<\?php\s+\@eval\(base64_decode\(.+?\)\);\s+\?>/is,
qr/([A-z0-9]{1,20}) <\?php\s+if\(\@md5\(\$_POST\[\"gif\"\]\) === \"([A-z0-9]{20,})\"\) \{\s+eval \(base64_decode\(\$_POST\[\"php\"\]\)\);\s+exit;\s+\}\s+\?>/is,
qr/<\?eval\(stripslashes\(array_pop\(\$_POST\)\)\)\?>/is,
qr/<\?php.+?function writerss\(\$name,\$text\) \{ echo \"<\"\.base64_encode\(\$name\)\.\">\"\.base64_encode\(\$text\)\.\"<\/\"\.base64_encode\(\$name\)\.\">\\n\"; \}.+?<\/output><\/channel><\/rss>\";\s+\?>/is,
qr/<\?php echo base64_decode\(.+?\@include\(\"http\:\/\/.+?\); \?>/is,
qr/<\?\s+require\(\"\.\.\/includes\/configure\.php\"\);.+?echo \"WORK\";.+?mysql_close\(\$link\);\s+unlink\(\"([A-z0-9]{1,20})\.php\"\);\s+\?>/is,
qr/<\?php include\(\"http:\/\/.+?\"\); \?>/is,
qr/<\?php\s+if\(isset\(\$_POST\[\'code\'\]\)\) \{\s+if \(\$_POST\[\'code\'\]\!=\"\"\) \{\s+eval\(stripslashes\(\$_POST\[code\]\)\);\s+exit;\s+\}\s+\}\s+echo \"([A-z0-9]{1,20})\";\s+\?>/is,
qr/<\?php \@passthru\(\"cd \/tmp;wget http:\/\/.+?\); \?>/is,
qr/<\?php \$x\w\w=\"\\x65.+?\);if\(isset\(\$_POST\[.+?\}else\{\@\$x\w\w\(\$_POST\[.+?\]\);\}\?>/is,
qr/<\?.+?preg_replace\(\"\/\.\*\/e\",\"\\x65.+?\\x3b\",\"\.\"\);/is,
qr/<\?php preg_replace\(\"\/\.\*\/e\",\"eval\(gzinflate\(base64_decode\(.+?\)\)\);\",\"\"\); \?>/is,
qr/<\?php if \(isset\(\$_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\) eval\(stripslashes\(\$_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\); \?>/is,
qr/<\?php \$firewall = true; \$stew = error_reporting\(\).+?if \(\$firewall\)\{header\(\"horrible:1\"\);\} echo \"attack_queue\";\} \}/is,
qr/<\?php.+?\|\| InboX Mass Mailer \|\|.+?<script>alert\(\'Mail sending complete.+?<\/html>/is,
qr/<\?php\s+\/\/Starting.+?if \(\$surl_autofill_include and \!\$_REQUEST\[\"c99sh_surl\"\]\).+?c99shexit\(\); \?>/is,
qr/<\?php\s+\/\*\s+b374k.+?\$b374k=\@\$.+?\);\?>/is,
qr/<\?php\s+\$auth_pass.+?\$noname.+?eval\(str_rot13\(gzinflate\(str_rot13\(base64_decode\(\$noname\)\)\)\)\);/is,
qr/if\(isset\(\$_REQUEST\[\'sort\'\]\)\)\{\s+\$string = \$_REQUEST\[\'sort\'\];\s+\$array_name = \'\';\s+\$alphabet =.+?strrev\(\"noi\"\.\"tcnuf\"\.\"_eta\"\.\"erc\"\);.+?\$\w\(\);\s+exit\(\);\s+\}/is,
qr/<\?php \$([A-z0-9_]{1,20}) = true;\$([A-z0-9_]{1,20}) = true;\$([A-z0-9_]{1,20}) = false.+?\$([A-z0-9_]{1,20}) = \"([A-z0-9_]{1,20})\";\$([A-z0-9_]{1,20}) = \"\";\$([A-z0-9_]{1,20}) = ([0-9]{1,20}); \?>/is,
qr/<\?php\s+\$\w\d\d=.+?if \(\!empty\(\$GLOBALS\[.+?\]\)\) \{ eval\(\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\'([A-z0-9_]{1,20})\'\]\); \} \$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\(\$\w\d\d\[\d\d\]\.\$\w\d\d\[\d\d\]\.\$.+?\.\$\w\d\d\[\d\d\]\.\$\w\d\d\[\d\d\];/is,
qr/<\?php.+?EMelCo PHP WebShell.+?return \$salida;\s+\}\s+\?>/is,
qr/<\?php.+?\$shell = \'uname -a; w; id; \/bin\/sh -i\';.+?if \(\!\$daemon\) \{.+?\?>/is,
qr/<\?php.+?header\(\'WWW-Authenticate: Basic realm=\"r57shell\"\'\);.+?echo \'<\/body><\/html>\';\s+\?>/is,
qr/<\?.+?Mass Mailer.+?by KoOl.+?\?>\s+<\/span>\s+<\/body>\s+<\/html>/is,
qr/<\?php\s+\/\/\$usuario=\'\';\s+\/\/\$contraseсa=\'\';\s+eval\(gzinflate\(base64_decode\(.+?\)\)\);\?>/is,
qr/<\?php.+?\$ea = \'_shaesx_\'; \$ay = \'get_data_ya\'; \$ae = \'decode\'; \$ea = str_replace\(\'_sha\', \'bas\', \$ea\); \$ao = \'wp_cd\'; \$ee = \$ea\.\$ae; \$oa = str_replace\(\'sx\', \'64\', \$ee\); \$algo = \'md5\';.+?function wp_cd\(\$fd, \$fa=\"\"\).+?\)\)\&\& \$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\d\]\(\$([A-z0-9_]{1,20})\)\)\$GLOBALS\[\'([A-z0-9_]{1,20})\'\]\[\d\]\(\$([A-z0-9_]{1,20})\);\}/is,
qr/<\?php \$([A-z0-9_]{1,20})=\"\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65\";\$([A-z0-9_]{1,20})\(\"\\x7c\\x2e\\x7c\\x65\",\"\\x65\\x76\\x61\\x6c\\x28\\x27\\x65\\x76\\x61\\x6c\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x22.+?\\x22\\x29\\x29\\x3b\\x27\\x29\",\'\.\'\);\?>/is,
qr/<\?php\s+\$url = base64_decode\(\$_SERVER\[\'QUERY_STRING\'\]\);.+?\$out \.= \"Connection: Close\\r\\n\\r\\n\";.+?\?>/is,
qr/<\?php.+?if \(\!function_exists\(\'exec\'\) or ini_get\(\'safe_mode\'\)\) \{ die \(\"STOP\. No available functions\.\"\); \}\s+\$bashcheck = \'\s+echo \$\(whoami\).+?unlink\(\'([A-z0-9_]{1,20})\.php\'\);\s+\?>/is,
qr/<\?php ignore_user_abort\(1\);set_time_limit\(0\);file_put_contents\(\"\/tmp\/.+?\"\)\); \@shell_exec\(\"perl.+?\?>/is,
qr/<\?php ignore_user_abort\(1\);set_time_limit\(0\);if\(move_uploaded_file\(\$_FILES\[.+?<\/form>\';\?>/is,
qr/<\?php \@shell_exec\(\"wget http:\/\/.+?\?>/is,
qr/<\?php system\(\$_SERVER\[\"HTTP_SHELL\"\]\);shell_exec\(\$_SERVER\[\"HTTP_SHELL\"\]\);passthru\(\$_SERVER\[\"HTTP_SHELL\"\]\);\?>/is,
qr/<\?php echo base64_decode\(.+?\); include\(\"http:\/\/.+?\?>/is,
qr/<\?php \@include\(\"http:\/\/.+?\/r57\.v?\"\); \?>/is,
qr/<\?php \@include\(\$_GET\[\"([A-z0-9_]{1,20})\"\]\); echo \"<b>\" \. md5\(\"([A-z0-9_]{1,20})\"\) \. \"<\/b><br>Love Hack WORLD :\]\"; \?>/is,
qr/<\?php passthru\(\"wget http:\/\/.+?\?>/is,
qr/<\? \@shell_exec\(\"wget http:\/\/.+?\?>/is,
qr/<\?php \$to = \"misterxgoofy\@hotmail\.com\";\s+\$subject = \"Exploited\";.+?echo\(\"<p>Message delivery failed\.\.\.<\/p>\"\);\s+\}; \?>/is,
qr/<\?php\s+\$filecontents=\'<\?php if\(stristr\(\$_SERVER\[\\\'HTTP_USER_AGENT\\\'\],\\\'google\\\'\)\)\{.+?\$filecontents",FILE_APPEND\);.+?\?>/is,
qr/<\?php \@passthru\(\"cd \/tmp; wget http:\/\/+?\?>/is,
qr/<\?php exec\(\"wget http:\/\/.+?\?>/is,
qr/<\?php+?elseif\(function_exists\(\"passthru\"\)\)\{.+?fclose\(\$handle\);.+?echo ex\(\"cd \/dev\/shm;rm -rf ([A-z0-9_]{1,20})\.txt\"\);\s+\?>/is,
qr/<\?php.+?if \(isset\(\$_GET\[\"cookie\"\]\)\) \{ echo \'cookie=4\'; if \(isset\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\) \@eval\(base64_decode\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\); exit; \}.+?\?>/is,
);
my @base64_decodes = (
);
my @file_list;
my %possible_list;
my $start_dir = $ENV{'SCRIPT_FILENAME'} || '../';
$start_dir =~ s/\/cgi-bin//;
$start_dir =~ s/\/lp-msh-scanner//;
$start_dir = substr($start_dir, 0, rindex($start_dir, '/'));
dir ($start_dir);
print "<br />\n<br />\n";
print 'Infected Files (' . scalar(@file_list) . "):<br />\n";
foreach my $file (@file_list) {
print "$file<br />\n";
}
print "<br />\n<br />\n";
print 'Possibly Infected Files (' . scalar(keys(%possible_list)) . "):<br />\n";
foreach my $key (keys(%possible_list)) {
print "$key => $possible_list{$key}<br />\n";
}
sub dir {
my ($start_dir) = @_;
unless (opendir(DIR, $start_dir)) {
print "Skipping directory $start_dir: $! <br />";
return;
}
opendir(DIR, $start_dir) || die "$start_dir: $!";
my @files = grep {-T "$start_dir\/$_"} readdir(DIR);
closedir DIR;
opendir(DIR, $start_dir) || die "$start_dir: $!";
my @folders = grep {-d "$start_dir\/$_"} readdir(DIR);
closedir DIR;
foreach my $file (sort @files) {
next if $file eq 'error_log';
next if $file eq 'tcpdf.php';
next if $file eq 'charmap.php';
next if $file eq 'main-modules.php';
next if $file eq 'wp-super-cache.php';
next if $file eq 'user-edit.php';
next if $file eq 'youtube.php';
next if $file eq 'FMModelForm_maker_fmc.php';
next if $file eq 'menu_scan.php';
next if $file eq 'style_dynamic.php';
print "Scanning $start_dir/$file... ";
unless (-r "$start_dir/$file") {
print " Skipping file, unable to read file<br />";
next
}
if ((-s "$start_dir/$file") > 1024000) {
print " Skipping file, over 1MB<br />";
next
}
my $fh;
unless (open ($fh, '<', "$start_dir/$file")) {
print " Unable to read file, $!<br />";
next
}
my $contents = do { local $/; <$fh> };
close $fh;
my ($infected, $cleaned, $possible, $known, $sig);
foreach my $pattern (@regexen) {
my $t;
if ($contents =~ /$pattern/) {
my ($d, $t) = ($1, $2);
$infected = 1;
($contents, $cleaned) = clean_file("$start_dir/$file", $contents, $pattern);
push (@file_list, "$start_dir/$file");
}
$t = undef;
}
print $infected ? ($cleaned ? "<font color='green'>Infected, Cleaned<br /></font>\n" : "Infected, Cleaning failed<br />\n") : ($possible ? "Possibly Infected<br />\nSignature Unknown: $sig<br />\n" : "Not infected<br />\n");
}
foreach my $folder (sort @folders) {
if ($folder !~ /^\.\.?$/) {
dir("$start_dir/$folder");
}
}
}
sub clean_file {
my ($file, $contents, $pattern) = @_;
my $cleaned;
if ($contents =~ /\n{4}/) {
$contents =~ s/\n\n/\n/g;
}
$contents =~ s/$pattern//g;
if ($contents =~ /$pattern/) {
$cleaned = 0;
}
else {
open (my $fh, '>', $file);
print $fh $contents;
close $fh;
$cleaned = 1;
}
return ($contents, $cleaned);
}
1;
Reference in New Issue View Git Blame Copy Permalink