Verificar sitios web con algunos códigos maliciosos en PHP

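<?php

declare(strict_types=1);

// Original file obtained from: https://aw-snap.info/articles/base64-decode.php
// This version is meant to be run from the CLI
// Some modifications made to find all occurrences of a string
//
// Usage: php <this-script> [directory]   (defaults to the current directory)
//
// NOTE: this is a plain substring scanner. It only reports the literal strings listed
// in check_files(); malware that assembles those names at runtime (chr(), str_rot13(),
// "ev"."al", variable functions) is not detected. Treat a clean run as "nothing obvious
// found", never as "the site is clean".

system('clear && printf "\e[3J"'); // Clears the screen and the scrollback buffer
error_reporting(E_ALL);

// ANSI CLI colours
define('RED', "\x1B[31m");
define('GRN', "\x1B[32m");
define('YEL', "\x1B[33m");
define('BLU', "\x1B[34m");
define('MAG', "\x1B[35m");
define('CYN', "\x1B[36m");
define('WHT', "\x1B[37m");
define('RESET', "\x1B[0m");

// Most hosting services put a time limit on how long a PHP script may run, typically 30 seconds.
// On large sites with many files this script may not finish within that limit.
// If you get a time-out error, override the default limits by removing the // in front of these lines.
// (set_time_limit is a function, not an ini directive: the original "ini_set('set_time_limit', '0')" did nothing.)
// ini_set('max_execution_time', '0');
// set_time_limit(0);

// Directory to scan: the first CLI argument, or . (the current directory) when none is given.
$dirToCheck = '.';
if (isset($argv[1]) && $argv[1] !== '') {
	// Drop a trailing slash so paths print as "dir/file" rather than "dir//file", but keep a bare "/".
	$trimmed = rtrim($argv[1], '/');
	$dirToCheck = ($trimmed === '') ? '/' : $trimmed;
}
if (!is_dir($dirToCheck)) {
	fwrite(STDERR, "Error: {$dirToCheck} is not a directory\n");
	exit(1);
}
echo "**********************\n";
echo "Checking {$dirToCheck}\n";
echo "**********************\n";
find_files($dirToCheck);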

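/**
 * Walk $seed recursively and hand every file whose extension matches the
 * configured list to check_files().
 *
 * The walk is iterative (an explicit stack of directories), so deep trees do
 * not exhaust the call stack. Symbolic links to directories are NOT followed:
 * a link pointing at an ancestor would otherwise loop forever, and on a
 * compromised host a planted link can drag the scanner out of the web root
 * (e.g. into /). Symlinked regular files are still scanned.
 *
 * @param string $seed  Directory to start from.
 * @return bool|null    false when $seed is not a directory; null otherwise
 *                      (matches are reported by check_files(), not returned).
 */
function find_files($seed) {
	if (!is_dir($seed))
		return false;

	// File extensions to scan, as regex alternatives. Uncomment or add your own.
	// Default: .php and .php<digit> (.php4, .php5, ...). Consider adding 'phtml'
	// and 'phar' if your web server hands those to the PHP interpreter as well.
	$fileTypeRegexArr = array();
	$fileTypeRegexArr[] = 'php[\d]?';
	// $fileTypeRegexArr[] = 'phtml';
	// $fileTypeRegexArr[] = 'js';
	// $fileTypeRegexArr[] = 'txt';
	// Set to true to scan every file regardless of its extension.
	$scanAllFiles = false;
	// Built once here; the original rebuilt the array and pattern for every file.
	$fileTypeRegex = '/\.(' . implode('|', $fileTypeRegexArr) . ')$/i';

	$dirs = array($seed);
	while (NULL !== ($dir = array_pop($dirs))) {
		$dh = opendir($dir);
		if ($dh === false) {
			// Say so instead of silently skipping: an unreadable directory is
			// exactly the kind of place a webshell may be hiding.
			echo "Error: could not open directory {$dir}, check it manually\n";
			continue;
		}
		while (false !== ($file = readdir($dh))) {
			if ($file === '.' || $file === '..')
				continue;
			$path = $dir . '/' . $file;
			if (is_dir($path)) {
				if (is_link($path)) {
					continue; // never descend through a symlink (loop / escape protection)
				}
				$dirs[] = $path;
			} elseif ($scanAllFiles || preg_match($fileTypeRegex, $path)) {
				check_files($path);
			}
		}
		closedir($dh);
	}
}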

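/**
 * Scan one file for the suspicious strings listed below and print every hit
 * with up to 20 bytes of context on either side.
 *
 * The file being scanned is untrusted (that is the whole point), so its bytes
 * are never used as a printf() format string and control characters are
 * masked before they reach the terminal. The original passed file content to
 * printf() as the format: a planted file containing "%d" aborts the scanner on
 * PHP 8 (ArgumentCountError), and raw ANSI escape sequences in the file could
 * hide its own hit from the screen.
 *
 * @param string $this_file  Path of the file to scan (as built by find_files()).
 * @return void              Hits are written to stdout.
 */
function check_files($this_file) {
	global $dirToCheck;
	// Display the path relative to the scanned directory. Only a leading
	// occurrence is stripped: the original str_replace() removed *every*
	// occurrence of $dirToCheck, so with the default '.' it printed
	// "index.php" as "indexphp".
	$this_file_noBaseDir = $this_file;
	if ($dirToCheck !== '' && strpos($this_file, $dirToCheck) === 0) {
		$this_file_noBaseDir = substr($this_file, strlen($dirToCheck));
	}

	// Strings to look for (matched case-insensitively). Uncomment what you want to detect.
	// The defaults are the reversed spellings used by strrev()-obfuscated droppers,
	// which a plain grep for base64_decode / eval does not catch.
	$str_to_find = array();
	// $str_to_find[] = 'base64_decode';
	$str_to_find[] = 'edoced_46esab'; // base64_decode reversed
	// $str_to_find[] = 'preg_replace';
	// $str_to_find[] = 'HTTP_REFERER'; // checks for referrer based conditions
	// $str_to_find[] = 'HTTP_USER_AGENT'; // checks for user agent based conditions
	// $str_to_find[] = 'assert(';
	// $str_to_find[] = 'create_function(';
	// $str_to_find[] = '$_REQUEST[';
	// $str_to_find[] = 'eval(';
	// $str_to_find[] = 'eval (';
	$str_to_find[] = '(lave'; // eval( reversed
	$str_to_find[] = '( lave'; // eval ( reversed

	$content = file_get_contents($this_file);
	if ($content === false) {
		// The original tested !$content, which also reported every empty file as an error.
		echo "Error: $this_file check the contents manually\n";
		return;
	}

	$size = 20; // Bytes of context to show before and after each hit
	// foreach replaces each(), which was removed in PHP 8.
	foreach ($str_to_find as $needle) {
		$needleLen = strlen($needle);
		$offset = 0;
		// !== false: a hit at byte 0 is a valid position. The original's truthiness
		// test, combined with an initial offset of strlen($needle), could never
		// report a match inside the first bytes of the file.
		while (($pos = stripos($content, $needle, $offset)) !== false) {
			$before = substr($content, max(0, $pos - $size), min($size, $pos));
			$hit    = substr($content, $pos, $needleLen);
			$after  = substr($content, $pos + $needleLen, $size);
			echo RED . $this_file_noBaseDir . RESET . "\n";
			echo check_files_mask($before) . GRN . check_files_mask($hit) . RESET . check_files_mask($after) . "\n";
			$offset = $pos + $needleLen; // continue after this (non-overlapping) hit
		}
	}
	unset($content);
}

/**
 * Mask C0 control bytes and DEL in a snippet taken from an untrusted file so it
 * cannot inject terminal escape sequences or line breaks into the report.
 * Bytes >= 0x80 (UTF-8) are left untouched.
 *
 * @param string $snippet  Raw bytes from the scanned file.
 * @return string          Same bytes with each control byte replaced by '.'.
 */
function check_files_mask($snippet) {
	return preg_replace('/[\x00-\x1F\x7F]/', '.', $snippet);
}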