phpshell_scanner [2010/04/14 00:10] k2patel created |
phpshell_scanner [2010/12/13 06:12] jt |
||
---|---|---|---|
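--- a/phpshell_scanner
+++ b/phpshell_scanner
@@ -18,5 +18,5 @@
 my $score = grep (/function_exists\(|phpinfo\(|safe_?mode|shell_exec\(|popen\(|passthru\(|system\(|myshellexec\(|exec\(|getpwuid\(|getgrgid \(|fileperms\(/i,@file);
 #probably evil stuffs
-my $tempscore = grep(/\`\$\_(post|request|get).{0,20}\`|(include|require|eval|system|passthru|shell_exec).{0,10}\$\_(post|request|get)|eval.{0,10}base64_decode|back_connect|backdoor|r57|PHPJackal|PhpSpy|GiX|Fx29SheLL|w4ck1ng|milw0rm|PhpShell|k1r4|FeeLCoMz|FaTaLisTiCz|Ve_cENxShell|UnixOn|C99madShell|Spamfordz|Locus7s|c100|c99|x2300|cgitelnet|webadmin|PHPShell|tryag|sniper|noexecshell|\/etc\/passwd|revengans/i, @file);
+my $tempscore = grep(/\`\$\_(post|request|get).{0,20}\`|(include|require|eval|system|passthru|shell_exec).{0,10}\$\_(post|request|get)|eval.{0,10}base64_decode|back_connect|backdoor|r57|PHPJackal|PhpSpy|GiX|Fx29SheLL|w4ck1ng|milw0rm|PhpShell|k1r4|FeeLCoMz|FaTaLisTiCz|Ve_cENxShell|UnixOn|C99madShell|Spamfordz|Locus7s|c100|c99|x2300|cgitelnet|webadmin|PHPShell|KaMeLeOn|S4T|tryag|sniper|noexecshell|\/etc\/passwd|revengans/i, @file);
 $score += 50 * $tempscore;
 print "$score - Possible backdoor : $File::Find::name\n" if ($score > $sens-1 );
@@ -28,3 +28,17 @@
 }
 }
+
+</code>
+
+==== Usage ====
+
+<code text>
+perl findshell.pl 10 /srv/www/htdocs > scanout.txt
+sort scanout.txt
+</code>
+
+** GOT MEMORY LIMIT USE FOLLOWING **
+
+<code text>
+for i in /srv/www/htdocs/ ; do perl findshell.pl 10 $i >> scanout.txt ; done
 </code>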
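Review bot: The newly added `S4T` alternative in the `$tempscore` pattern is a three-character token matched case-insensitively with no word boundary, so any line that happens to contain `s4t` adds 50 to the score and, at the documented sensitivity of 10, the file is reported as a possible backdoor. Anchoring the short names, e.g. `\bS4T\b` (and likewise the existing `GiX`, `r57`, `c99`), would keep the signature while cutting false positives that bury real hits in the report. `PhpShell` and `PHPShell` are the same alternative under `/i`, so one of them can go. In the Usage hunk the fallback loop iterates over the single path `/srv/www/htdocs/`, so it presumably does not lower memory use as intended; `for i in /srv/www/htdocs/*/ ; do perl findshell.pl 10 "$i" >> scanout.txt ; done` would scan one subdirectory per run and survive paths with spaces. The sub that contains the scoring lines starts and ends outside the shown hunks.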