Verificar sitios web con algunos códigos maliciosos en PHP
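<?php
// Original file obtained from: https://aw-snap.info/articles/base64-decode.php
// This version is meant to be run from the CLI
// Some modifications made to find all occurrences of a string

// The full "<?php" open tag is used because the short "<?" form is only parsed when
// short_open_tag is enabled; with it disabled the whole script is printed as plain text
// instead of being run.

// Clear the screen and the scrollback buffer by writing the ANSI sequences directly
// (cursor home, erase display, erase scrollback). This avoids spawning a shell and a
// PATH-resolved `clear` binary, and does not depend on the shell's printf understanding "\e".
echo "\033[H\033[2J\033[3J";

// Report every notice and warning: an unreadable file or directory is a gap in the scan
// and should be visible to the operator.
error_reporting(E_ALL);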
// ANSI colour escape sequences used to highlight CLI output.
// Each foreground colour is ESC [ <code> m; RESET (code 0) restores the terminal default.
foreach (
    array(
        'RED' => 31,
        'GRN' => 32,
        'YEL' => 33,
        'BLU' => 34,
        'MAG' => 35,
        'CYN' => 36,
        'WHT' => 37,
        'RESET' => 0,
    ) as $colorName => $sgrCode
) {
    define($colorName, "\x1B[" . $sgrCode . 'm');
}
// Do not leave the loop variables behind in the script's scope.
unset($colorName, $sgrCode);
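// Most hosting services will have a time limit on how long a php script can run, typically 30 seconds.
// On large sites with a lot of files this script may not be able to find and check all files within the time limit.
// When run from the command line PHP applies no execution time limit by default, so this normally
// only matters if the script is run through a web server. If you get a time out error you can try
// overriding the default limit by removing the // in front of these two lines.
// (set_time_limit is a function, not an ini directive, so it is called rather than passed to ini_set.)
// ini_set('max_execution_time', '0');
// set_time_limit(0);

// Directory to scan: the first command-line argument when one is given, otherwise
// "." (the current directory), which is the original behaviour.
$dirToCheck = (isset($argv[1]) && $argv[1] !== '') ? $argv[1] : '.';

echo "**********************\n";
echo "Checking {$dirToCheck}\n";
echo "**********************\n";

// Walk the tree; matches are printed by check_files() as they are found.
find_files($dirToCheck);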
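/**
 * Walk a directory tree and pass every file with a selected extension to check_files().
 *
 * The walk is iterative: directories still to be visited are kept on a stack. Each
 * directory is visited once per resolved (real) path, so a symlink that points back
 * into the tree cannot make the walk descend the same directory again and again.
 * A directory that cannot be opened is reported instead of being skipped silently,
 * because a skipped directory is a part of the site that was not scanned.
 *
 * @param string $seed Directory to start from.
 * @return false|null false when $seed is not a directory; otherwise nothing is returned.
 */
function find_files($seed) {
    if (!is_dir($seed)) {
        return false;
    }

    // File extensions to inspect, written as regex fragments and joined with | (OR).
    // 'php[\d]?' matches .php and .php followed by one digit, such as .php4.
    // It does not match other names such as .phtml or .inc: a file is only scanned
    // when its extension is listed here.
    // 07/26/2011 Based on some recent Pharma hacks the original author suggests also
    // checking js and txt files.
    $fileTypeRegexArr = array();
    $fileTypeRegexArr[] = 'php[\d]?';
    // Uncomment file extensions to be used or add your own
    // $fileTypeRegexArr[] = 'js';
    // $fileTypeRegexArr[] = 'txt';
    // Further examples: htm, html, shtml, asp, aspx.
    // To check every file regardless of extension, replace the preg_match() test in
    // the loop below with an unconditional call to check_files($path).

    // The pattern does not change while walking, so it is built once.
    $fileTypePattern = '/^.*\.(' . implode('|', $fileTypeRegexArr) . ')$/i';

    $seen = array();          // resolved directory paths already visited
    $dirs = array($seed);     // stack of directories still to visit
    while (NULL !== ($dir = array_pop($dirs))) {
        $resolved = realpath($dir);
        if ($resolved !== false) {
            if (isset($seen[$resolved])) {
                continue;
            }
            $seen[$resolved] = true;
        }

        $dh = opendir($dir);
        if ($dh === false) {
            // Control bytes in the name are replaced so that a crafted directory
            // name cannot send escape sequences to the terminal.
            echo 'Error: ' . preg_replace('/[\x00-\x1F\x7F]/', '?', $dir)
                . " could not be opened, check it manually\n";
            continue;
        }

        while (false !== ($file = readdir($dh))) {
            if ($file === '.' || $file === '..') {
                continue;
            }
            $path = $dir . '/' . $file;
            if (is_dir($path)) {
                $dirs[] = $path;
            } elseif (preg_match($fileTypePattern, $path)) {
                check_files($path);
            }
        }
        closedir($dh);
    }
}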
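/**
 * Search one file for the configured marker strings and print every hit with context.
 *
 * For each case-insensitive occurrence of a marker the file path is printed in red,
 * followed by a one-line excerpt: up to 20 bytes before the hit, the hit itself in
 * green, and up to 20 bytes after it.
 *
 * The file being inspected is untrusted, so nothing taken from it (or from its name)
 * is used as a printf format string, and control bytes are replaced with "?" before
 * printing so that escape sequences stored in a file cannot act on the terminal.
 * Bytes above 0x7F are printed unchanged.
 *
 * Reads the global $dirToCheck (the scan root) to shorten the displayed path.
 *
 * @param string $this_file Path of the file to inspect.
 * @return void
 */
function check_files($this_file) {
    global $dirToCheck;

    // Replace C0 control bytes and DEL with a visible placeholder.
    $printable = static function ($text) {
        return preg_replace('/[\x00-\x1F\x7F]/', '?', (string) $text);
    };

    // Path shown to the user: only a leading scan-root prefix is removed. Removing
    // every occurrence of the root (which is "." by default) would also strip the
    // dots from file names and extensions.
    $baseDir = (string) $dirToCheck;
    $this_file_noBaseDir = $this_file;
    if ($baseDir !== '' && strncmp($this_file, $baseDir, strlen($baseDir)) === 0) {
        $this_file_noBaseDir = substr($this_file, strlen($baseDir));
    }

    // the variable $str_to_find is an array that contains the strings to search for inside the single quotes.
    // if you want to search for other strings replace base64_decode with the string you want to search for.
    // Uncomment what you would like to detect
    $str_to_find = array();
    // $str_to_find[] = 'base64_decode';
    $str_to_find[] = 'edoced_46esab'; // base64_decode reversed
    // $str_to_find[] = 'preg_replace';
    // $str_to_find[] = 'HTTP_REFERER'; // checks for referrer based conditions
    // $str_to_find[] = 'HTTP_USER_AGENT'; // checks for user agent based conditions
    // $str_to_find[] = 'assert(';
    // $str_to_find[] = 'create_function(';
    // $str_to_find[] = '$_REQUEST[';
    // $str_to_find[] = 'eval(';
    // $str_to_find[] = 'eval (';
    $str_to_find[] = '(lave';  // eval( reversed
    $str_to_find[] = '( lave'; // eval ( reversed

    $content = file_get_contents($this_file);
    if ($content === false) {
        // Only a failed read is an error; an empty file simply contains no matches.
        echo 'Error: ' . $printable($this_file) . " check the contents manually\n";
        return;
    }

    $size = 20; // Chars before and after the found string
    foreach ($str_to_find as $value) {
        $needleLen = strlen($value);
        // Start at offset 0 so a hit at the very beginning of the file is reported,
        // and compare against false so position 0 is not mistaken for "not found".
        $offset = 0;
        while (($pos = stripos($content, $value, $offset)) !== false) {
            echo RED . $printable($this_file_noBaseDir) . RESET . "\n";
            $init = max(0, $pos - $size);
            echo $printable(substr($content, $init, $pos - $init))
                . GRN . $printable(substr($content, $pos, $needleLen)) . RESET
                . $printable(substr($content, $pos + $needleLen, $size)) . "\n";
            // Continue after this hit; the offset never exceeds the content length.
            $offset = $pos + $needleLen;
        }
    }
    unset($content);
}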