Code Scan Shell Auto qua KeyWord
Đây là một code scan shell qua keyword mình phát triển thêm từ code cũ của KID - Xgroup đã được pub lên mạng. Về cách dùng code này, bạn chỉ cần up file lên thư mục public_html để cho tool scan.
Chức năng:
Scan shell qua keyword đã được quy định sẵn.
Disable shell: chmod 000 file bị phát hiện để không cho phép shell chạy.
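Gửi mail tới địa chỉ đã cài đặt (biến $email trong hàm report(), mặc định đang là email của tác giả nên bạn cần đổi thành email của mình) để báo cáo đường dẫn các file nghi ngờ là shell, giúp admin có thể lên kiểm tra.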
Nếu bạn nào thích auto thì có thể tích hợp chung với cron để làm thành auto scan shell.
Hiện mình đang tiếp tục phát triển ver tiếp theo, nếu bạn nào muốn có thể tham gia thảo luận chung.
Code mình không mã hóa nên nếu có share đề nghị giữ nguyên dòng bản quyền để tôn trọng tác giả.
PHP Code
<?php /*********************************************************
- Tool Scan shell vesion 2.0
- Developed by: VnDragon - vndragon1102.com
- Email : csvietteam@gmail.com
- Coppyright 06/2012
**********************************************************/

// Runtime setup: report every PHP notice and raise the memory ceiling, because
// check_dir() loads each scanned file fully into memory.
// NOTE(review): nothing in this script checks who is requesting it. When it is
// placed under the web root, every request starts a full scan with no time
// limit, and the scan can chmod files. Restrict access to it (web-server rule,
// or run it only from cron); confirm what fits your deployment.
error_reporting(E_ALL);
ini_set('memory_limit', '2000M');
ini_set('safe_mode', 'off');

// Lift the execution time limit unless safe_mode reports itself as enabled.
$safe_mode = @ini_get('safe_mode');
if (!$safe_mode) {
    set_time_limit(0);
}

// Scan settings read by check_dir() and by the report.
define('TAB', " ");
define('IGNORE_EXTENSIONS', "jpg pdf zip psd doc gif swf xls gz txt"); // space-separated skip list
define('MAX_SIZE', 1024 * 1024 * 1024);                                // only files smaller than this (bytes) are read
define('IGNORE_BEFORE', strtotime('2009-08-01'));                      // only files modified after this date are read

// Root of the scan, and the request path of this script.
$folder = $_SERVER['DOCUMENT_ROOT'];
$shell = $_SERVER["PHP_SELF"];
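/**
 * Return the lower-cased last segment of a file name, i.e. its extension.
 *
 * The name is split on "/", "\" and "."; the final piece is returned. A name
 * containing none of those characters is returned whole, lower-cased.
 *
 * The earlier code handed the character class "[/\\.]" to explode(), which
 * treats its delimiter as a literal string, so the name was never split and
 * the full file name came back instead of the extension. As a result the
 * IGNORE_EXTENSIONS filter in check_dir() was compared against whole names.
 *
 * @param string $filename File name or path.
 * @return string Lower-cased text after the last "/", "\" or ".".
 */
function findexts($filename)
{
    // "~" as the delimiter keeps the "/" inside the class unescaped.
    $segments = preg_split('~[/\\\\.]~', strtolower($filename));
    return $segments[count($segments) - 1];
}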
/**
 * Express $num_amount as a percentage of $num_total, rounded to a whole number.
 *
 * The caller must pass a non-zero $num_total; no zero check is made here.
 *
 * @param int|float $num_amount Part.
 * @param int|float $num_total  Whole.
 * @return string number_format() output with zero decimals.
 */
function percent($num_amount, $num_total)
{
    return number_format(($num_amount / $num_total) * 100, 0);
}
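/**
 * Mail the plain-text scan report to the configured recipient.
 *
 * Changes from the earlier version:
 *  - the From address ended in ",>" and was malformed; the stray comma is gone;
 *  - the extra "Subject:" header is dropped, because mail() already emits one
 *    from its second argument;
 *  - the host text placed in the From header is reduced to letters, digits,
 *    "." and "-" before use.
 *
 * @param string $messega Report body.
 * @return void
 */
function report($messega)
{
    // NOTE(review): this is the tool author's mailbox. Replace it with your own
    // admin address before deploying, otherwise the server address and the
    // paths of the flagged files are mailed to a third party.
    $email = "csvietteam@gmail.com";
    $subject = "Report Scan Shell";

    // SERVER_NAME is absent when the script runs from the command line (cron).
    $server_name = isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : gethostname();

    // gethostbyname() hands its input back unchanged when resolution fails, and
    // SERVER_NAME may come from the request, so keep only characters that are
    // valid in a host name or IPv4 address before building a header from it.
    $host = preg_replace('/[^A-Za-z0-9.\-]/', '', (string) gethostbyname((string) $server_name));

    $headers = array();
    $headers[] = "MIME-Version: 1.0";
    $headers[] = "Content-type: text/plain; charset=iso-8859-1";
    $headers[] = "From: Report Scan Shell on ".$host." <scan_shell@".$host.">";
    $headers[] = "Reply-To: Gmail Team <$email>";
    $headers[] = "X-Mailer: PHP/".phpversion();
    mail($email, $subject, $messega, implode("\r\n", $headers));
}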
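/**
 * Recursively scan $directory for files that contain a known web-shell marker.
 *
 * A file is read only when it is readable, its extension is not listed in
 * IGNORE_EXTENSIONS, it is smaller than MAX_SIZE and it was modified after
 * IGNORE_BEFORE. Matching is a plain case-insensitive substring search, so a
 * clean result only means that none of these exact strings were found.
 *
 * Results are returned through globals:
 *  - $listfile    every file that was read;
 *  - $listWarning files containing "eval(base64_decode(" (listed, not altered);
 *  - $listDetect  files containing one of the keywords (chmod 000 is attempted);
 *  - $virus_detected is set to true on any hit;
 *  - $detected_Keyword_in_test_script is set when the hit is this script itself.
 *
 * If the caller sets $detect_errors_only to true, every hit is listed as a
 * warning, nothing is chmod-ed, and the scan stops after the first hit.
 *
 * Fixes over the earlier version:
 *  - a warning hit no longer flips the global $detect_errors_only, which made
 *    the next loop pass call exit and end the script before the report was sent;
 *    stopping is now a break, so the caller still reaches its report code;
 *  - opendir()/file_get_contents() failures are handled, and readdir() is
 *    compared with false so an entry named "0" does not end the loop;
 *  - symbolic links are skipped, to avoid link loops and to avoid reading or
 *    chmod-ing targets outside the scanned tree;
 *  - the ignore list is compared per extension, not as a substring of the list;
 *  - only this script itself is exempted, identified by path instead of by the
 *    file name "scanshell.php", so a same-named file elsewhere is still scanned;
 *  - a failed chmod is marked in the report entry.
 *
 * @param string $directory Directory to scan.
 * @param int    $level     Recursion depth; passed on incremented.
 * @return void
 */
function check_dir($directory,$level)
{
    global $virus_detected, $all, $detect_errors_only, $detected_Keyword_in_test_script, $listfile, $listWarning,$listDetect;
    /*Key Word Shell*/
    $Keyword = array();
    $Keyword[]= "I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCmludC";
    $Keyword[]= "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj";
    $Keyword[]= "PEJPRFkgT25LZXlQcmVzcz0iR2V0S2V5Q29kZSgpOyIgdGV4dD0jZmZmZmZmIGJvdHRvbU1hcmdp";
    $Keyword[] = "IyEvdXNyL2Jpbi9wZXJsIC1JL3Vzci9sb2NhbC9iYW5kbWFpbg0KIw0KIyBQZXJsS2l0LTAuMSAt";
    $Keyword[] = "PD9waHAKJGNwYW5lbF9wb3J0PSIyMDgyIjsKJGNvbm5lY3RfdGltZW91dD01OwpzZXRfdGltZV9s";
    $Keyword[] = "c3QgOiA8SU5QVVQgc2l6ZT1cIjE1XCIgdmFsdWU9XCJsb2NhbGhvc3RcIiBuYW1lPVwibG9jYWxo";
    $Keyword[] = "ZGUgPSAkQVJHVlswXTsKICAgICAgICAkYWFhYSA9ICRBUkdWWzFdOwogICAgICAgICAgaWYgKCEk";
    $Keyword[] = "aGF0IHUgV2FudCB0byBTeW1saW5rIEl0PC9mb250PjwvYnI+PC9jZW50ZXI+PC9iPjwvaDQ+IAo8";
    $Keyword[] = "bnQgZmFjZT0iV2luZ2RpbmdzIj48aW1nIGJvcmRlcj0iMCIgc3JjPSJodHRwOi8vcHJpdjguaWJs";
    $Keyword[] = "PHRpdGxlPkxpdGVTcGVlZCBXZWIgQnlwYXNzIC0gaXpvY2luIHByaXY5PC90aXRsZT4KICAgICAg";
    $Keyword[] = "IyEvdXNyL2Jpbi9lbnYgcHl0aG9uCgojICMgIyAjICMgIyAjICMgIyAjICMgIyAjICMgIyAjICMg";
    $Keyword[] = "ZSA9fiB0ci8rLyAvOw0KICAkbmFtZSA9fiBzLyUoW2EtZkEtRjAtOV1bYS1mQS1GMC05XSkvcGFj";
    $Keyword[] = "JyBzdHlsZT0nY29sb3I6ICNmZmZmZmY7IGJvcmRlcjogMXB4IGRvdHRlZCByZWQ7IGJhY2tncm91";
    $Keyword[] = "PSdodHRwOi8vdXBsb2FkLnRyYWlkbnQubmV0L3VwZmlsZXMvbzhJOTk4MTAucG5nJyB3aWR0aD0n";
    $Keyword[] = "ICAgIGRpZSgibm90IHdyaXRhYmxlIGRpcmVjdG9yeSIpOw0KDQokbGV2ZWw9MDsNCg0KZm9yKCRh";
    $Keyword[] = "PicKICAgICAgICBwcmludCAnUmVzdWx0IDogPEJSPjxCUj4nCiAgICAgICAgdHJ5OgogICAgICAg";
    $Keyword[] = "MHMgQ29ubmVjdCBCYWNrIEJhY2tkb29yXG5cbiI7DQogICAgICBpZiAoISRBUkdWWzBdKSB7DQog";
    $Keyword[] = "ZmVyRmlsZSBlcSAiIikNCgl7DQoJCSZQcmludFBhZ2VIZWFkZXIoImYiKTsNCgkJJlByaW50Rmls";
    $Keyword[] = "ZDUKaW1wb3J0IHN5cwoKIyMjIyMjIyMjIyNfRGVmYXVsdF8jIyMjIyMjIyMjIyMjIyMjIyMjIyMj";
    $Keyword[] = "substr(@php_uname(),0,120)";
    $Keyword[] = "@getmyuid()";
    $Keyword[] = "eval(base64_decode";

    $level++;

    $read_dir = opendir($directory);
    if ($read_dir === false) {
        // Unreadable directory: nothing to scan here, carry on with the rest.
        return;
    }

    $ignored_exts = explode(' ', IGNORE_EXTENSIONS);
    // This script contains the keywords above, so it must not flag itself.
    $self_path = realpath(__FILE__);

    while (($file = readdir($read_dir)) !== false) {
        // Caller asked to stop at the first hit. Break (not exit) so the
        // directory handle is closed and the caller can still send its report.
        if ($detect_errors_only && $virus_detected) {
            break;
        }
        if ($file === '.' || $file === '..') {
            continue;
        }

        $filepath = $directory."/".$file;

        // Do not follow symbolic links (files or directories).
        if (is_link($filepath)) {
            continue;
        }
        if (is_dir($filepath)) {
            check_dir($filepath, $level);
            continue;
        }
        if (!is_file($filepath) || !is_readable($filepath)) {
            continue;
        }
        if (in_array(findexts($file), $ignored_exts, true)) {
            continue;
        }
        if (!(filesize($filepath) < MAX_SIZE) || !(filemtime($filepath) > IGNORE_BEFORE)) {
            continue;
        }

        $filestring = file_get_contents($filepath);
        if ($filestring === false) {
            // File vanished or became unreadable between the checks and the read.
            continue;
        }

        $listfile[] = $filepath;
        $fileentry = $directory."/".$file.' - '.date('j F Y H:i', filemtime($filepath));

        // "eval(base64_decode(" only raises a warning; the keyword list below
        // leads to a detection.
        $warning_only = (stripos($filestring, "eval(base64_decode(") !== false);
        $found = $warning_only;
        if (!$found) {
            foreach ($Keyword as $key) {
                if (stripos($filestring, $key) !== false) {
                    $found = true;
                    break;
                }
            }
        }
        flush();

        if (!$found) {
            continue;
        }

        if ($self_path !== false && realpath($filepath) === $self_path) {
            $detected_Keyword_in_test_script = true;
            continue;
        }

        $virus_detected = true;
        if ($warning_only || $detect_errors_only) {
            $listWarning[] = $fileentry.' -- Warning Shell';
        } else {
            $entry = $fileentry.' -- Detect Shell';
            // chmod can fail (for example when the file has another owner);
            // say so, because the report otherwise states the file was disabled.
            if (!chmod($filepath, 0000)) {
                $entry .= ' (chmod 000 FAILED)';
            }
            $listDetect[] = $entry;
        }
    }
    closedir($read_dir);
}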
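// Reset the scan state that check_dir() fills in through globals.
$virus_detected=false;
$all=true;
$detect_errors_only=false;
$detected_Keyword_in_test_script=false;
// Start from empty arrays. check_dir() only creates a list when it appends to
// it, so after a scan with no hits $listWarning and $listDetect were still
// unset and count() on them raises a TypeError on PHP 8 (a warning on PHP 7.2+).
$listfile=array();
$listWarning=array();
$listDetect=array();
check_dir($folder,0);
//Report Mail
$message = "Report Scan Shell On Server ".gethostbyname($_SERVER['SERVER_NAME'])." by VnDragon \n\n";
$message .= "Scan Complete at ".date('j F Y H:i')."\n\n";
$message .= "Statistics\n\n";
$message .= "Skip File : ".IGNORE_EXTENSIONS."\n\n";
$message .= "Ingore File Max : ".MAX_SIZE."/bytes.\n\n";
if (count($listfile) != 0 )
{
    $message .= "Total File Scan: " .count($listfile)."\n\n";
    // Warnings: files that contain "eval(base64_decode(" (listed only).
    if (count($listWarning) != 0)
    {
        $warning = percent(count($listWarning),count($listfile));
        $message .= "Total File Warning: " .count($listWarning)." - ". $warning."% \n\n";
        $message .= "List File Warning: \n\n";
        foreach ($listWarning as $Warning)
        {
            $message .= $Warning." \n\n";
        }
    }
    else
    {
        $message .= "Total File Warning: 0 - 0% \n\n";
    }
    // Detections: files that matched a keyword; check_dir() tried chmod 000.
    if (count($listDetect) != 0)
    {
        $detechted = percent(count($listDetect),count($listfile));
        $message .= "Total File Detected: " .count($listDetect)." - ". $detechted."% \n\n";
        $message .= "List File Detected: \n";
        foreach ($listDetect as $Detechted)
        {
            $message .= $Detechted." \n\n";
        }
    }
    else
    {
        $message .= "Total File Detected: 0 - 0% \n\n";
    }
}
else
{
    $message .= "File Not Found\n\n";
}
$message .= "End Report \n\n";
$message .= "---------------------------------------------------\n\n";
$message .= "File Detected Has been Chmod 000. Please Online And Check It\n\n";
$message .= "Thank You For Used Tools Scan Shell VerSion 2\n\n";
$message .= "Power By VnDragon \n\n";
report($message); ?>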
Bạn sử dụng chính những phần mềm diệt virus để quét là được. Hoặc bạn có thể sử dụng các chương trình scan virus online như:
Mã:http://www.eset.com/us/online-scanner/ http://www.bitdefender.com/scanner/online/free.html https://www.virustotal.com/