Looking for bad guys.

This script looks for traces of malicious code, including code injections, modified .htaccess files that make image files executable, and so on.

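' . htmlentities($text, ENT_QUOTES) . ''; }

// --------------------------------------------------------------------------------
// THIS FUNCTION RECURSIVELY FINDS FILES AND PROCESSES THEM THROUGH THE SPECIFIED CALLBACK FUNCTION.
// DIFFERENT TYPES OF FILES NEED TO BE HANDLED BY DIFFERENT CALLBACK FUNCTIONS.

/**
 * Recursively walk $path and hand every regular file whose basename matches
 * the PCRE $pattern to $callback($fullname).
 *
 * @param string   $path     Directory to start from; backslashes are accepted and
 *                           trailing slashes are normalised away.
 * @param string   $pattern  Delimited regular expression; it is tested against the
 *                           entry name only, not the full path.
 * @param callable $callback Called once per matching file with its full path.
 * @return void
 */
function find_files($path, $pattern, $callback)
{
    // A fresh "already entered" set per top-level call, so a second scan of a
    // different (or the same) root does not skip directories seen by the first.
    $visited = array();
    find_files_walk($path, $pattern, $callback, $visited);
}

/**
 * Worker behind find_files(). $visited maps the resolved path of every directory
 * already entered to true, so a symlink pointing back at an ancestor (or two
 * links to the same directory) cannot make the walk recurse forever or scan
 * the same tree twice.
 *
 * @param string   $path
 * @param string   $pattern
 * @param callable $callback
 * @param array    $visited  Shared by reference across the whole walk.
 * @return void
 */
function find_files_walk($path, $pattern, $callback, array &$visited)
{
    // CHANGE BACKSLASHES TO FORWARD, WHICH IS OK IN PHP, EVEN IN WINDOWS.
    // REMOVE ANY TRAILING SLASHES, THEN ADD EXACTLY ONE.
    $path = rtrim(str_replace("\\", "/", $path), '/') . '/';

    // is_dir() as well as is_readable(): a readable *file* would otherwise get
    // as far as scandir() and fail there.
    if (!is_dir($path) || !is_readable($path)) {
        echo "Warning: Unable to open and enter directory " . CleanColorText($path, 'blue') . ". Check its owner/group permissions.\n";
        return;
    }

    // Loop guard keyed on the resolved path so that /site/link and /site/real
    // (a symlink and its target) share one entry. realpath() returns false on
    // failure; fall back to the normalised path in that case.
    $real = realpath($path);
    $key = ($real === false) ? $path : $real;
    if (isset($visited[$key])) {
        return;
    }
    $visited[$key] = true;

    // scandir() gives the entries in sorted order (so the report is the same
    // from run to run) and returns false if the directory cannot be opened
    // even though is_readable() passed a moment ago.
    $entries = scandir($path);
    if ($entries === false) {
        echo "Warning: Unable to open and enter directory " . CleanColorText($path, 'blue') . ". Check its owner/group permissions.\n";
        return;
    }

    foreach ($entries as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        $fullname = $path . $entry;
        if (is_dir($fullname)) {
            find_files_walk($fullname, $pattern, $callback, $visited);
        } elseif (is_file($fullname) && preg_match($pattern, $entry)) {
            call_user_func($callback, $fullname);
        }
    }
}

// --------------------------------------------------------------------------------
// CALLBACK FUNCTIONS.

// CALLBACK FUNCTION TO LOOK FOR MALICIOUS CODE - YOU COULD ADD ANY OTHER MALICIOUS CODE SNIPPETS YOU KNOW OF.
function maliciouscodesnippets($filename) {
    if(stripos($filename, "lookforbadguys.php")) // DON'T FLAG THIS FILE WHICH I CALLED lookforbadguys.php
        return;
    if(!is_readable($filename)) {
        echo "Warning: Unable to read " . CleanColorText($filename, 'blue') . ". Check it manually and check its access permissions.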
"; return; } $file = file_get_contents($filename); //READ THE FILE // PRINTING EVERY FILENAME GENERATES A LOT OF OUTPUT. //echo CleanColorText($filename, 'green') . " is being examined.
"; // TEXT FILES WILL BE SEARCHED FOR THESE SNIPPETS OF SUSPICIOUS TEXT. // THESE ARE REGULAR EXPRESSIONS WITH THE REQUIRED /DELIMITERS/ AND WITH SPECIAL CHARACTERS ESCAPED. // /i AT THE END MEANS CASE INSENSITIVE. $SuspiciousSnippets = array ( // POTENTIALLY SUSPICIOUS PHP CODE '/edoced_46esab/i', '/passthru *\(/i', '/shell_exec *\(/i', '/document\.write *\(unescape *\(/i', // THESE CAN GIVE MANY FALSE POSITIVES WHEN CHECKING WORDPRESS AND OTHER CMS. // NONETHELESS, THEY CAN BE IMPORTANT TO FIND, ESPECIALLY BASE64_DECODE. '/base64_decode *\(/i', '/system *\(/i', '/`.+`/', // BACKTICK OPERATOR INVOKES SYSTEM FUNCTIONS, SAME AS system() // '/phpinfo *\(/i', // '/chmod *\(/i', // '/mkdir *\(/i', // '/fopen *\(/i', // '/fclose *\(/i', // '/readfile *\(/i', // SUSPICIOUS NAMES. SOME HACKERS SIGN THEIR SCRIPTS. MANY NAMES COULD GO HERE, // HERE IS A GENERIC EXAMPLE. YOU CAN FILL IN WHATEVER NAMES YOU WANT. '/hacked by /i', // OTHER SUSPICIOUS TEXT STRINGS '/web[\s-]*shell/i', // TO FIND BACKDOOR WEB SHELL SCRIPTS. '/c99/i', // THE NAMES OF TWO POPULAR WEB SHELLS. '/r57/i', // YOU COULD ADD IN THE SPACE BELOW SOME REGULAR EXPRESSIONS TO MATCH THE NAMES OF MALICIOUS DOMAINS // AND IP ADDRESSES MENTIONED IN YOUR GOOGLE SAFEBROWSING DIAGNOSTIC REPORT. SOME EXAMPLES: '/gumblar\.cn/i', '/martuz\.cn/i', '/beladen\.net/i', '/gooqle/i', // NOTE THIS HAS A Q IN IT. // THESE 2 ARE THE WORDPRESS CODE INJECTION IN FRONT OF EVERY INDEX.PHP AND SOME OTHERS '/_analist/i', '/anaiytics/i' // THE LAST ENTRY IN THE LIST MUST HAVE NO COMMA AFTER IT. ); foreach($SuspiciousSnippets as $i) { // STRPOS/STRIPOS WERE A LITTLE FASTER BUT LESS FLEXIBLE if(preg_match($i, $file)) echo CleanColorText($filename, 'blue') . ' MATCHES REGEX: ' . CleanColorText($i, 'red') . '
'; } if(!strpos($filename,"network.php") && !strpos($filename,"rewrite.php") && stripos($file,"RewriteRule")) echo CleanColorText($filename, 'blue') . " contains " . CleanColorText("RewriteRule", 'red') . " - check it manually for malicious redirects.
"; /* // THIS FINDS ALL JAVASCRIPT CODE. IF ENABLED, IT WILL GIVE *MANY* FALSE POSITIVES IN MOST WEBSITES. if($p = stripos($file, "