Looking for bad guys.
This script looks for traces of malicious code including code injections, modified .htaccess that makes images executable, and so on.
' . htmlentities($text, ENT_QUOTES) . '';
}
// --------------------------------------------------------------------------------
// THIS FUNCTION RECURSIVELY FINDS FILES AND PROCESSES THEM THROUGH THE SPECIFIED CALLBACK FUNCTION.
// DIFFERENT TYPES OF FILES NEED TO BE HANDLED BY DIFFERENT CALLBACK FUNCTIONS.
function find_files($path, $pattern, $callback)
{
// CHANGE BACKSLASHES TO FORWARD, WHICH IS OK IN PHP, EVEN IN WINDOWS.
// REMOVE ANY TRAILING SLASHES, THEN ADD EXACTLY ONE.
$path = rtrim(str_replace("\\", "/", $path), '/') . '/';
if(!is_readable($path))
{
echo "Warning: Unable to open and enter directory " . CleanColorText($path, 'blue') .
". Check its owner/group permissions.
";
return;
}
$dir = dir($path);
$entries = array();
while(($entry = $dir->read()) !== FALSE)
$entries[] = $entry;
$dir->close();
foreach($entries as $entry)
{
$fullname = $path . $entry;
if(($entry !== '.') && ($entry !== '..') && is_dir($fullname))
find_files($fullname, $pattern, $callback);
else
if(is_file($fullname) && preg_match($pattern, $entry))
call_user_func($callback, $fullname);
}
}
// --------------------------------------------------------------------------------
// CALLBACK FUNCTIONS.
// CALLBACK FUNCTION TO LOOK FOR MALICIOUS CODE - YOU COULD ADD ANY OTHER MALICIOUS CODE SNIPPETS YOU KNOW OF.
function maliciouscodesnippets($filename)
{
if(stripos($filename, "lookforbadguys.php")) // DON'T FLAG THIS FILE WHICH I CALLED lookforbadguys.php
return;
if(!is_readable($filename))
{
echo "Warning: Unable to read " . CleanColorText($filename, 'blue') .
". Check it manually and check its access permissions.
";
return;
}
$file = file_get_contents($filename); //READ THE FILE
// PRINTING EVERY FILENAME GENERATES A LOT OF OUTPUT.
//echo CleanColorText($filename, 'green') . " is being examined.
";
// TEXT FILES WILL BE SEARCHED FOR THESE SNIPPETS OF SUSPICIOUS TEXT.
// THESE ARE REGULAR EXPRESSIONS WITH THE REQUIRED /DELIMITERS/ AND WITH SPECIAL CHARACTERS ESCAPED.
// /i AT THE END MEANS CASE INSENSITIVE.
$SuspiciousSnippets = array
(
// POTENTIALLY SUSPICIOUS PHP CODE
'/edoced_46esab/i',
'/passthru *\(/i',
'/shell_exec *\(/i',
'/document\.write *\(unescape *\(/i',
// THESE CAN GIVE MANY FALSE POSITIVES WHEN CHECKING WORDPRESS AND OTHER CMS.
// NONETHELESS, THEY CAN BE IMPORTANT TO FIND, ESPECIALLY BASE64_DECODE.
'/base64_decode *\(/i',
'/system *\(/i',
'/`.+`/', // BACKTICK OPERATOR INVOKES SYSTEM FUNCTIONS, SAME AS system()
// '/phpinfo *\(/i',
// '/chmod *\(/i',
// '/mkdir *\(/i',
// '/fopen *\(/i',
// '/fclose *\(/i',
// '/readfile *\(/i',
// SUSPICIOUS NAMES. SOME HACKERS SIGN THEIR SCRIPTS. MANY NAMES COULD GO HERE,
// HERE IS A GENERIC EXAMPLE. YOU CAN FILL IN WHATEVER NAMES YOU WANT.
'/hacked by /i',
// OTHER SUSPICIOUS TEXT STRINGS
'/web[\s-]*shell/i', // TO FIND BACKDOOR WEB SHELL SCRIPTS.
'/c99/i', // THE NAMES OF TWO POPULAR WEB SHELLS.
'/r57/i',
// YOU COULD ADD IN THE SPACE BELOW SOME REGULAR EXPRESSIONS TO MATCH THE NAMES OF MALICIOUS DOMAINS
// AND IP ADDRESSES MENTIONED IN YOUR GOOGLE SAFEBROWSING DIAGNOSTIC REPORT. SOME EXAMPLES:
'/gumblar\.cn/i',
'/martuz\.cn/i',
'/beladen\.net/i',
'/gooqle/i', // NOTE THIS HAS A Q IN IT.
// THESE 2 ARE THE WORDPRESS CODE INJECTION IN FRONT OF EVERY INDEX.PHP AND SOME OTHERS
'/_analist/i',
'/anaiytics/i' // THE LAST ENTRY IN THE LIST MUST HAVE NO COMMA AFTER IT.
);
foreach($SuspiciousSnippets as $i)
{
// STRPOS/STRIPOS WERE A LITTLE FASTER BUT LESS FLEXIBLE
if(preg_match($i, $file))
echo CleanColorText($filename, 'blue') . ' MATCHES REGEX: ' . CleanColorText($i, 'red') . '
';
}
if(!strpos($filename,"network.php") && !strpos($filename,"rewrite.php") && stripos($file,"RewriteRule"))
echo CleanColorText($filename, 'blue') . " contains " . CleanColorText("RewriteRule", 'red') .
" - check it manually for malicious redirects.
";
/*
// THIS FINDS ALL JAVASCRIPT CODE. IF ENABLED, IT WILL GIVE *MANY* FALSE POSITIVES IN MOST WEBSITES.
if($p = stripos($file, "