Verificar sitios web con algunos códigos maliciosos en PHP

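<?php

declare(strict_types=1);

// Original file obtained from: https://aw-snap.info/articles/base64-decode.php
// This version is meant to be run from the CLI
// Some modifications made to find all occurrences of a string
//
// The full "<?php" open tag is required here: the original used the short "<?" tag,
// which PHP only honours when short_open_tag is enabled (it is off by default), so the
// interpreter would print the script as text instead of running it.

system('clear && printf "\e[3J"'); // Clears the screen and the scrollback buffer (fixed command, no external input reaches the shell)
error_reporting(E_ALL);
// CLI colors (ANSI SGR escape sequences; RESET restores the default attributes)
define('RED', "\x1B[31m");
define('GRN', "\x1B[32m");
define('YEL', "\x1B[33m");
define('BLU', "\x1B[34m");
define('MAG', "\x1B[35m");
define('CYN', "\x1B[36m");
define('WHT', "\x1B[37m");
define('RESET', "\x1B[0m");

// Most hosting services will have a time limit on how long a php script can run, typically 30 seconds.
// On large sites with a lot of files this script may not be able to find and check all files within the time limit.
// If you get a time out error you can try overriding the default time limits by removing the // in the front of these two lines.
// ini_set('max_execution_time', '0');
// set_time_limit(0); // 'set_time_limit' is a function, not an ini directive: the earlier ini_set('set_time_limit', '0') form had no effect

$dirToCheck = '.'; // . is the current directory; check_files() strips this prefix from the paths it prints
echo "**********************\n";
echo "Checking {$dirToCheck}\n";
echo "**********************\n";
find_files($dirToCheck);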

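function find_files($seed) {
	// Walks $seed iteratively (a stack of directories, no recursion) and hands every
	// file whose extension matches $fileTypeRegex to check_files().
	// Returns false when $seed is not a directory, null otherwise (the caller ignores it).
	if (!is_dir($seed))
		return false;

	// File extensions to inspect, as regex alternatives. 'php[\d]?' also matches .php4, .php5 ...
	// Uncomment extensions to be used or add your own.
	// 07/26/2011 Based on some recent Pharma hacks the upstream default also checked js and txt files.
	$fileTypeRegexArr = array();
	$fileTypeRegexArr[] = 'php[\d]?';
	// $fileTypeRegexArr[] = 'js';
	// $fileTypeRegexArr[] = 'txt';
	// $fileTypeRegexArr[] = 'htm';
	// $fileTypeRegexArr[] = 'html';
	// Built once here instead of being rebuilt for every directory entry.
	// To check every file regardless of extension, replace the elseif below with: else { check_files($path); }
	$fileTypeRegex = '/\.(' . implode('|', $fileTypeRegexArr) . ')$/i';

	$dirs = array($seed);
	// Resolved paths already queued. is_dir() follows symlinks, so without this a link
	// pointing at an ancestor directory would be walked again and again.
	$seen = array();
	$seedReal = realpath($seed);
	if ($seedReal !== false)
		$seen[$seedReal] = true;

	while (NULL !== ($dir = array_pop($dirs))) {
		$dh = opendir($dir);
		if ($dh === false) {
			// Unreadable directory: say so instead of skipping it silently, since an
			// unscanned directory is exactly where a problem could hide.
			echo "Error: cannot open directory $dir, check it manually\n";
			continue;
		}
		while (false !== ($file = readdir($dh))) {
			if ($file === '.' || $file === '..')
				continue;
			$path = $dir . '/' . $file;
			if (is_dir($path)) {
				$real = realpath($path);
				if ($real === false || isset($seen[$real]))
					continue;
				$seen[$real] = true;
				$dirs[] = $path;
			} elseif (preg_match($fileTypeRegex, $path)) {
				check_files($path);
			}
		}
		closedir($dh);
	}
}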

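function check_files($this_file) {
	// Reads $this_file and prints, for every case-insensitive occurrence of one of the
	// strings in $str_to_find, the file name (in RED) followed by the match (in GRN)
	// with $size bytes of context on each side. Prints an error line when the file
	// cannot be read. Returns nothing.
	global $dirToCheck;

	// Show the path relative to the scanned root. The original used str_replace($dirToCheck, ...),
	// which with the default '.' removed every dot in the path ("./x/y.php" became "/x/yphp");
	// only a leading prefix is stripped here.
	$base = isset($dirToCheck) ? (string) $dirToCheck : '';
	$this_file_noBaseDir = $this_file;
	if ($base !== '' && strncmp($this_file, $base, strlen($base)) === 0) {
		$this_file_noBaseDir = substr($this_file, strlen($base));
	}

	// $str_to_find holds the strings to search for. Reversed names such as 'edoced_46esab'
	// are a common way of hiding base64_decode/eval from simple greps.
	// Uncomment what you would like to detect
	$str_to_find = array();
	// $str_to_find[]	 = 'base64_decode';
	$str_to_find[]	 = 'edoced_46esab'; // base64_decode reversed
	// $str_to_find[]	 = 'preg_replace';
	// $str_to_find[]	 = 'HTTP_REFERER'; // checks for referrer based conditions
	// $str_to_find[]	 = 'HTTP_USER_AGENT'; // checks for user agent based conditions
	// $str_to_find[]	 = 'assert(';
	// $str_to_find[]	 = 'create_function(';
	// $str_to_find[]	 = '$_REQUEST[';
	// $str_to_find[]	 = 'eval(';
	// $str_to_find[]	 = 'eval (';
	$str_to_find[]	 = '(lave'; // eval( reversed
	$str_to_find[]	 = '( lave'; // eval ( reversed

	// Compare against false explicitly: the original "!$content" also reported empty
	// files (and a file containing only "0") as read errors.
	$content = file_get_contents($this_file);
	if ($content === false) {
		echo "Error: $this_file check the contents manually\n";
		return;
	}

	$size = 20; // Chars before and after the found string
	// The printed snippet comes from a possibly compromised file, so control bytes
	// (including ESC) are replaced before they reach the terminal; tab and newline are kept.
	$sanitize = static function ($s) {
		return preg_replace('/[\x00-\x08\x0B-\x1F\x7F]/', '?', $s);
	};

	// foreach replaces each(), which was removed in PHP 8.
	foreach ($str_to_find as $value) {
		$valueLen = strlen($value);
		$offset = 0;
		// The original loop started the search at strlen($value) and stopped when the match
		// was at byte 0, so an occurrence at the very start of the file was never reported.
		// Resuming after the previous match also keeps the offset within the string, which
		// stripos() requires (PHP 8 throws a ValueError otherwise).
		while (false !== ($pos = stripos($content, $value, $offset))) {
			$init = $pos - $size > 0 ? $pos - $size : 0;
			// echo rather than printf: file content is untrusted and a '%' in it would be
			// parsed as a format directive (an ArgumentCountError in PHP 8).
			echo RED . $this_file_noBaseDir . RESET . "\n";
			echo $sanitize(substr($content, $init, $pos - $init))
				. GRN . $sanitize(substr($content, $pos, $valueLen)) . RESET
				. $sanitize(substr($content, $pos + $valueLen, $size)) . "\n";
			$offset = $pos + $valueLen;
		}
	}
}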