
Malware Scanner

  1. <?php
  2.  
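  // SECURITY (review): nothing in this script authenticates the caller, and both
  // actions below are driven by GET parameters. Anyone who can reach this URL can
  // trigger them, and the delete action can be fired cross-site through a plain
  // link. Keep the script behind access control and remove it from the web root
  // as soon as the scan is finished.
  $acao = isset($_GET['acao']) ? (string) $_GET['acao'] : '';

  if ($acao === 'eliminar' || $acao === 'verficheiro') {
      // Accept the requested path only when it resolves to a regular file inside
      // the directory tree the scanner walks (the current working directory).
      // realpath() collapses "../" segments and symlinks and returns false for
      // stream wrappers, so the prefix comparison below is made on the real
      // location of the file rather than on the string the client sent.
      $pedido = isset($_GET['ficheiro']) ? (string) $_GET['ficheiro'] : '';
      $base   = realpath('.');
      $alvo   = ($pedido !== '') ? realpath($pedido) : false;
      $dentro = $base !== false
          && $alvo !== false
          && is_file($alvo)
          && strpos($alvo, rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR) === 0;

      // The client-supplied name is echoed back, so it must be HTML-escaped.
      $nome = htmlspecialchars($pedido, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

      if ($acao === 'eliminar') {
          // Report success only when the file was really removed.
          if ($dentro && unlink($alvo)) {
              echo "<p color=\"red\">Ficheiro " . $nome . " eliminado com sucesso!</p>";
          } else {
              echo "<p color=\"red\">Nao foi possivel eliminar o ficheiro " . $nome . ".</p>";
          }
      }

      if ($acao === 'verficheiro') {
          $conteudo = $dentro ? file_get_contents($alvo) : false;
          if ($conteudo !== false) {
              echo "<pre>";
              // With the second argument set, highlight_string() returns the
              // markup instead of printing it. The returned HTML already has the
              // file content escaped, so it is echoed as is.
              echo highlight_string($conteudo, true);
              echo "</pre>";
          } else {
              echo "<p color=\"red\">Nao foi possivel verificar o conteudo do ficheiro " . $nome . ".</p>";
          }
          // The viewer is a standalone page: do not run the scan below.
          exit();
      }
  }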
  18. ?>
  19. <html><head><title>Find String</title></head><body>
  20.  
  21. <?php
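  echo "<table><tr><th>Ficheiro</th><th>String</th><th>Data</th><th>Funcionalidade</th></tr>";
  // Most hosting services limit how long a PHP script may run, typically 30 seconds.
  // On large sites with a lot of files this script may not be able to find and check
  // all files within that limit. If you get a time-out error you can try overriding
  // the default limits by removing the // in front of these two lines.
  // (set_time_limit() is a function, not an ini directive, so it is called directly.)

  // ini_set('max_execution_time', '0');
  // set_time_limit(0);

  // Scan everything below the current working directory, then close the table
  // that was opened above so the rows are not left in unterminated markup.
  find_files('.');
  echo "</table>";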
  32.  
  33. function find_files($seed)
  34. {
  35. if(! is_dir($seed)) return false;
  36. $files = array();
  37. $dirs = array($seed);
  38. while(NULL !== ($dir = array_pop($dirs)))
  39. {
  40. if($dh = opendir($dir))
  41. {
  42. while( false !== ($file = readdir($dh)))
  43. {
  44. if($file == '.' || $file == '..') continue;
  45. $path = $dir . '/' . $file;
  46. if(is_dir($path)) { $dirs[] = $path; }
  47.  
  48. // the line below tells the script to only check the content of files with a .php extension.
  49. // the if{} statement says if you "match" php[\d]? at the end of the file name then check the contents
  50. // of the file. The [\d]? part means also match if there is a digit \d such as .php4 in the file extension
  51.  
  52. // else { if(preg_match('/\/*\.php[\d]?$/i', $path)) { check_files($path); }}
  53.  
  54. // 07/26/2011 Based on some recent Pharma hacks I have changed the default to check php, js and txt files
  55.  
  56.  
  57. else { if(preg_match('/^.*\.(php[\d]?|js|txt|php.)$/i', $path)) { check_files($path); }}
  58.  
  59. // if you would like to check other (all) file types you can comment out/un-comment and or modify
  60. // the following lines as needed. You can only have one of the else{} statements un-commented.
  61. // The first example contains a lengthy OR (the | means OR) statement, the part inside the (),
  62. // (php[\d]?|htm|html|shtml|js|asp|aspx) You can add/remove filetypes by modifying this part
  63. // (php[\d]?|htm|html|shtml) will only check .php, .htm, .html, .shtml files.
  64.  
  65. // else { if(preg_match('/^.*\.(php[\d]?|htm|html|shtml|js|asp|aspx)$/i', $path)) { check_files($path); }}
  66. // In the next else{} statement there is no if{}, no checking of the file extension every file will be checked
  67. // else { check_files($path); } // will check all file types for the code
  68. }
  69. closedir($dh);
  70. }}} function check_files($this_file)
  71. {
  72. // the variable $str_to_find is an array that contains the strings to search for inside the single quotes.
  73. // if you want to search for other strings replace base64_decode with the string you want to search for.
  74.  
  75.   $str_to_find[]='eval(';
  76.   $str_to_find[]='timthumb';
  77.   $str_to_find[]='eval(base64_decode(gzunc';
  78.   $str_to_find[]='gzuncompress';
  79.   $str_to_find[]='PCT4BA6ODSE_';
  80.   $str_to_find[]='base64_decode';
  81.   $str_to_find[]='edoced_46esab'; // base64_decode reversed
  82.   $str_to_find[]='SHELL_PASSWORD';
  83.   $str_to_find[]='\x47\x4c\x4fB\x41\x4c\x53';
  84.   $str_to_find[]='"base" . "64_decode"';
  85.   $str_to_find[]='$_POST[\'security_code\']';
  86.   $str_to_find[]='                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 ';
  87.   $str_to_find[]='\116\x6d\131\x52\150';
  88.   $str_to_find[]='pod_h1kgzu0cqr';
  89.   $str_to_find[]='goto xZzt5';
  90.  
  91. if(strpos($this_file, 'wt.php') == false) {
  92. if(strpos($this_file, '.php.') == true OR strpos($this_file, '.php') == true) {
  93. if(!($content = file_get_contents($this_file)))
  94. {
  95.     if($_GET['simples'] == "sim") { echo $this_file."<br>"; } else {
  96.         echo("<tr><td><b><p>$this_file</b></td><td><b>Nao foi possivel verificar o conteudo do ficheiro</b></td><td>Data</td><td>(<a href=\"wt.php?acao=verficheiro&ficheiro=$this_file\">Ver ficheiro</a>) - <a href=\"wt.php?acao=eliminar&ficheiro=$this_file\">Eliminar ficheiro</a>)</td></tr>\n");
  97.     }
  98. }
  99. else
  100. {
  101. while(list(,$value)=each($str_to_find))
  102. {
  103. if (stripos($content, $value) !== false)
  104. {
  105.     if($_GET['simples'] == "sim") { echo $this_file."<br>"; } else {
  106.         echo("<tr><td><b><p>$this_file</b></td><td><b>$value</b></td><td>". date("d m Y H:i:s.", filemtime($this_file)) ."</td><td>(<a href=\"wt.php?acao=verficheiro&ficheiro=$this_file\">Ver ficheiro</a>) - <a href=\"wt.php?acao=eliminar&ficheiro=$this_file\">Eliminar ficheiro</a>)</td></tr>\n");
  107.     }
  108. }
  109. }
  110. }
  111. }
  112. }
  113. unset($content);
  114. }?>
  115. </body></html>