check-hack.sh
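#!/bin/bash
#
# Script to check for website malware
# author: lepe
# https://security.stackexchange.com/questions/177116/
# Ver. 2018-01-12
#
# Usage: check-hack.sh [DIRECTORY]
#
# Read-only heuristic scan of a web root for indicators commonly seen in
# compromised PHP sites: known bad file names, obfuscated includes and hex
# blobs, PHP files inside upload directories, inline gz/base64 payloads and a
# few known injected strings. Nothing is modified.
#
# Exit status: 0 nothing found, 1 only WARNING hits (common file names, may be
# false positives), 2 at least one DANGER hit, 64 DIRECTORY is not a directory.
# Every hit is heuristic: inspect reported files in a text editor (wordwrap
# on), never by opening them in a browser.
#
# Deliberately no `set -e`: find(1) returns non-zero on unreadable
# subdirectories and that must not abort a scan. Unset variables are an error.
set -u

# Accumulated exit status: 0 clean, 1 warn, 2 danger.
ret_code=0

# Directory to scan; the help text promises the current directory by default.
directory=.

# File names whose presence strongly indicates a compromise (DANGER).
declare -ar red=("*.suspected" "favicon_*.ico" "p.txt" "evas.php" "vlomaw.zip" "tondjr.zip" "lerbim.php" "sotpie" "wtuds" "inl.php" "zrxd" "polwxpyh.php" "admit.php" "ini_ui-elements.php" "sql.php")
# File names used by some malware but also by legitimate sites (WARNING only).
declare -ar yellow=("ui-elements.php" "uploader.php" "wp-update.php" "wp-app.php" "db_connector.php" "admin-menu.php" "wp-theme.php" "wp-category.php" "wp-search.php" "article.php" "stats.php")

readonly rule='##########################################################'

#######################################
# Print the --help text to stdout.
#######################################
usage() {
  printf '%s\n' \
    "Usage: $0 [DIRECTORY]" \
    "If DIRECTORY is not specified, will scan from current dir." \
    "" \
    "Note: This code won't alter any file in any way" \
    "" \
    "'DANGER' means that there is a high probability your site is infected." \
    "'WARNING' means could be a false-positive as file names are common." \
    "" \
    "To be sure, check those files with a text editor (be sure to check files with wordwrap on)" \
    " --- Do not use your browser if they are php files --- " \
    "If you confirm your website is infected, restore from a clean backup in a container." \
    "It will return (exit) 0 if nothing found, 1 if warnings found and 2 if danger was found"
}

#######################################
# Print a banner for one finding and raise the exit status accordingly.
# Globals:   ret_code (written), rule (read)
# Arguments: $1 - "DANGER" or "WARNING"
#            $2 - newline-separated list of matching paths
# Outputs:   banner and paths on stdout
#######################################
report() {
  local level=$1 files=$2
  local banner
  if [[ $level == DANGER ]]; then
    banner='#####################[ DANGER ]###########################'
    ret_code=2
  else
    banner='#####################[ WARNING ]##########################'
    # A warning never downgrades an earlier DANGER.
    if (( ret_code == 0 )); then
      ret_code=1
    fi
  fi
  # printf, not echo: paths are untrusted data and must never be parsed as
  # echo options or escapes.
  printf '\n%s\n%s\n%s\n\n' "$banner" "$files" "$rule"
}

#######################################
# Run a find(1) command line and report its output, if any, at LEVEL.
# Arguments: $1 - "DANGER" or "WARNING"; $2.. - command and its arguments
# Returns:   0 always (find errors on unreadable paths go to stderr)
#######################################
report_if_found() {
  local level=$1
  shift
  local found
  found=$("$@")
  if [[ -n $found ]]; then
    report "$level" "$found"
  fi
  return 0
}

#######################################
# Report every file whose name matches one of the patterns in the named array.
# Arguments: $1 - "DANGER" or "WARNING"; $2.. - name patterns (find -name)
#######################################
check_names() {
  local level=$1
  shift
  local pattern
  for pattern in "$@"; do
    # The pattern is passed quoted so find, not the shell, expands it.
    report_if_found "$level" find "$directory" -name "$pattern"
  done
}

#######################################
# Report every directory named upload* that contains a .php file.
#######################################
check_upload_dirs() {
  local d
  # NUL-delimited so directory names with spaces or newlines survive.
  while IFS= read -r -d '' d; do
    report_if_found DANGER find "$d" -name '*.php'
  done < <(find "$directory" -type d -name 'upload*' -print0)
}

main() {
  if [[ ${1-} == "--help" ]]; then
    usage
    exit 0
  fi
  if (( $# > 0 )); then
    if [[ -d $1 ]]; then
      directory=$1
    else
      # Previously a bad argument silently scanned nothing and exited 0
      # ("clean"); a wrong path must not look like a clean site.
      printf '%s: not a directory: %s\n' "${0##*/}" "$1" >&2
      exit 64
    fi
  fi

  echo "Searching for strange files..."
  check_names DANGER "${red[@]}"

  echo "Searching for obfuscated includes..."
  report_if_found DANGER find "$directory" -name '*.php' \
    -exec grep -lE '@include.*\\x[0-9]' {} +

  echo "Searching for obfuscated code..."
  # Only files that mention GLOBALS are tested for runs of \x escapes.
  report_if_found DANGER find "$directory" -name '*.php' \
    -exec grep -q GLOBALS {} \; \
    -exec grep -lE '(\\x[0-9]+){5}' {} \;

  # Be sure there are no php in /upload/
  echo "Searching for PHP files inside upload directory..."
  check_upload_dirs

  echo "Searching for inline zip files ..."
  report_if_found DANGER find "$directory" -name '*.php' \
    -exec grep -lE 'gzinflate\(base64_decode' {} +

  echo "Searching for Injected code ..."
  report_if_found DANGER find "$directory" -name '*.php' \
    -exec grep -lE 'user_agent_to_filter|#TurtleScanner#|liveupdates.host|"file test okay"' {} +

  echo "Searching for possibly malicious files..."
  check_names WARNING "${yellow[@]}"

  exit "$ret_code"
}

main "$@"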