查找 php webshell 小工具


思路就是先记录脚本文件以及配置文件的hash,之后找出hash发生改变的脚本或配置文件(前提是执行 -save 时站点处于干净状态:建立基线时已经存在的 webshell 不会被发现)。脚本共三种用法(参数):

1,-save 即遍历web目录和配置文件,计算各文件的hash并保存为基线文件(config 与 save_hash,写在当前目录)

2,-find 即通过保存的hash与当前web目录脚本文件和配置文件hash匹配,找出hash变动的文件

3,-listen 首先执行save。然后循环执行find,如果发现hash异常通过email通知管理员。每次find完成后都sleep一段时间:代码中是 time.sleep(3600),即一小时一次(原文所说的"半个小时"与代码不符,可自行调整)。

import hashlib 
import sys 
import os 
import re 
import time 
import smtplib 
from email.mime.text import MIMEText 

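def send_mail(content):
    """E-mail ``content`` to the admin list; return True on success, False otherwise.

    Args:
        content: plain-text body of the warning mail.

    Returns:
        True if the message was accepted by the SMTP server, False on any
        error (the error is printed, never raised, so the monitor loop keeps running).

    NOTE(review): the SMTP settings below are placeholders hard-coded in source.
    Anyone who can read this script can read the mailbox password -- load it from a
    root-only config file or the environment instead of committing it.  The session
    is upgraded with STARTTLS whenever the server advertises it so the password is not
    sent in clear where that is avoidable; if encryption must be *required*, fail when
    'starttls' is absent instead of falling through to a plaintext login.
    """
    to_list = ["[email protected]"]
    mail_host = "smtp.163.com"
    mail_user = "xxxx"
    mail_pass = "xxxr"
    mail_postfix = "163.com"
    # The original built the sender as a bare user name and left mail_postfix unused;
    # both the From header and the envelope sender need a full address.
    sender = mail_user + "@" + mail_postfix

    msg = MIMEText(content)
    msg['Subject'] = 'warning'
    msg['From'] = sender
    msg['To'] = ", ".join(to_list)  # header recipients are comma-separated (RFC 5322)

    s = smtplib.SMTP()
    try:
        s.connect(mail_host)
        s.ehlo()
        if s.has_extn('starttls'):
            s.starttls()
            s.ehlo()  # re-identify after the TLS upgrade, as the RFC requires
        s.login(mail_user, mail_pass)
        s.sendmail(sender, to_list, msg.as_string())
        return True
    except Exception as e:
        print(str(e))
        return False
    finally:
        # quit() sends QUIT and closes; it raises if we never connected, so fall
        # back to a plain close() rather than masking the real error above.
        try:
            s.quit()
        except Exception:
            s.close()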

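def md5Checksum(filePath, chunk_size=8192):
    """Return the hex MD5 digest of the file at ``filePath``.

    Args:
        filePath: path of the file to hash.
        chunk_size: bytes read per iteration (default 8192), so large files are
            streamed rather than loaded into memory.

    Returns:
        32-character lowercase hex string.

    Raises:
        IOError/OSError: if the file cannot be opened or read.  The file is closed
        on that path too (``with``), which the original open/close pair did not do.

    NOTE(review): MD5 is kept because existing 'save_hash' baselines hold MD5 values.
    It is fine for noticing that an attacker *modified* a file in place, but MD5
    collisions are cheap, so a file planted *before* -save could be swapped for a
    colliding one later.  Moving to hashlib.sha256 needs a fresh -save.
    """
    digest = hashlib.md5()
    with open(filePath, 'rb') as fh:
        while True:
            data = fh.read(chunk_size)
            if not data:
                break
            digest.update(data)
    return digest.hexdigest()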
def load_hash(filepath):
    """Unimplemented placeholder; always returns None.

    Baseline files are actually read through load_filelist(); this stub is
    kept only so existing references keep resolving.
    """
    return None
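def load_filelist(f):
    """Parse a ``key:value``-per-line file into a dict.

    Used for both 'config' (keys ``configpath``/``webdir``) and 'save_hash'
    (key = file path, value = md5 hex).

    Args:
        f: path of the file to parse.

    Returns:
        dict mapping key -> value.  Each line is split at its FIRST ':' so a value
        containing ':' survives intact; the line terminator is stripped from the
        value (the original returned it and made every caller strip it).

    Raises:
        IOError/OSError: if ``f`` cannot be opened.

    Blank lines and lines without ':' are skipped instead of raising, so one bad
    line cannot take the monitor down -- the affected file then simply shows up as
    'new' on the next scan, which is visible rather than silent.  A *key* that
    itself contains ':' (a path with a colon) is mis-keyed for the same reason and
    will likewise be reported every scan.
    """
    entries = {}
    with open(f, 'r') as fh:
        for raw in fh:
            line = raw.rstrip('\r\n')
            if ':' not in line:
                continue
            key, value = line.split(':', 1)
            entries[key] = value
    return entries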

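def save_config(configpath, webdir):
    """Write the paths the scanner monitors to the file 'config' in the CWD.

    Args:
        configpath: web-server configuration file to watch.
        webdir: web root to walk.

    The file holds one CRLF-terminated ``key:value`` line per setting
    (``configpath``, ``webdir``) and is read back by load_filelist().

    It is created with mode 0600 and re-chmodded after writing (O_CREAT's mode
    only applies to a brand-new file).  This file, together with 'save_hash', is
    the detector's trust anchor: if the web-server user can write it, a webshell
    can point the scanner at an empty directory -- run this tool as a separate
    user and keep these files outside the web root.
    """
    fd = os.open('config', os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as out:
        out.write('configpath:' + configpath + '\r\n')
        out.write('webdir:' + webdir + '\r\n')
    os.chmod('config', 0o600)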
def find():
    """Print one line per file that differs from the saved baseline.

    Thin CLI wrapper around findchange(); prints nothing when there are no
    differences.
    """
    for entry in findchange():
        print(entry)
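def findchange():
    """Compare the current web tree (plus the config file) against the baseline.

    Reads 'save_hash' and 'config' from the CWD (written by save()).

    Returns:
        list of human-readable report lines, each ending in '\\r\\n', for files
        that are new, changed, no longer present, or unreadable.  Empty list
        when nothing differs.

    Raises:
        IOError/OSError: if the baseline files are missing; KeyError: if 'config'
        lacks ``webdir``/``configpath``.

    Changes from the original: paths are cleaned with strip() instead of
    replace('\\r\\n', ''), which ate the letters of any path that happened to
    contain that substring; files that vanish since the baseline (e.g. a deleted
    .htaccess) are now reported; a file that disappears or becomes unreadable
    between the walk and the hash is reported instead of crashing the scan.
    """
    baseline = load_filelist('save_hash')
    settings = load_filelist('config')
    webdir = settings['webdir'].strip()
    configpath = settings['configpath'].strip()

    current = load_all_path(webdir)
    current.append(configpath)

    report = []
    seen = set()
    for path in current:
        seen.add(path)
        expected = baseline.get(path)
        if expected is None:
            report.append(path + ' is new file\r\n')
            continue
        try:
            actual = md5Checksum(path)
        except (IOError, OSError) as e:
            report.append(path + '   could not be read: ' + str(e) + '\r\n')
            continue
        if expected.strip() != actual:
            report.append(path + '   has been changed\r\n')

    # Anything in the baseline that the walk no longer finds was removed.
    for path in baseline:
        if path not in seen:
            report.append(path + '   has been deleted\r\n')
    return report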
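def load_all_path(rootDir,
                  extensions=('.php', '.php3', '.php4', '.php5', '.php7',
                              '.phtml', '.phps', '.phar'),
                  names=('.htaccess', '.user.ini')):
    """Walk ``rootDir`` and return the paths of files a webshell is likely to live in.

    Args:
        rootDir: directory to walk (os.walk; symlinked directories are not
            followed, and a missing directory yields an empty list).
        extensions: file extensions to select, compared case-insensitively.
        names: whole file names (or the name part before the last '.', as the
            original's '.htaccess' test worked) to select, case-insensitively.

    Returns:
        list of paths as os.path.join(root, name), in os.walk order.

    The original matched only a literal '.php' extension and '.htaccess'.  Matching
    is now case-insensitive because Apache's AddHandler/AddType extension matching
    is case-insensitive, so 'shell.PHP' runs exactly like 'shell.php'; the defaults
    also cover the other extensions PHP is commonly mapped to and '.user.ini'
    (PHP-FPM/CGI per-directory config, e.g. auto_prepend_file, a common persistence
    spot).  Widening the defaults only adds files to the baseline.  Content hidden
    in files of other types (an image included by PHP code) is still not covered.
    """
    ext_set = set(e.lower() for e in extensions)
    name_set = set(n.lower() for n in names)
    found = []
    for root, _dirs, files in os.walk(rootDir):
        for fname in files:
            lowered = fname.lower()
            stem, ext = os.path.splitext(lowered)
            if lowered in name_set or stem in name_set or ext in ext_set:
                found.append(os.path.join(root, fname))
    return found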
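def save(config, webpath):
    """Record the baseline: 'config' (monitored paths) and 'save_hash' (path:md5).

    Args:
        config: web-server configuration file to include in the baseline.
        webpath: web root to walk for script files.

    Both files are written to the CWD.  'save_hash' holds one CRLF-terminated
    ``path:md5`` line per file, the config file first; it is created with mode
    0600 and re-chmodded afterwards (O_CREAT's mode only applies to a new file).
    The baseline is the detector's trust anchor -- if the web-server user can
    write it, a webshell can simply re-baseline itself -- so run this as a
    separate user.  It must be taken from a known-clean tree: anything already
    planted at -save time becomes part of the baseline and is never reported.

    Raises:
        IOError/OSError: if ``config`` or a walked file cannot be read.
    """
    save_config(config, webpath)
    files = load_all_path(webpath)
    print(files)
    fd = os.open('save_hash', os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as out:
        out.write(config + ':' + md5Checksum(config) + '\r\n')
        for path in files:
            print(path)
            out.write(path + ':' + md5Checksum(path) + '\r\n')
    os.chmod('save_hash', 0o600)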
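def listen(config, webpath, interval=3600):
    """Take a baseline, then poll forever and e-mail a report on any change.

    Args:
        config: web-server configuration file (see save()).
        webpath: web root to monitor.
        interval: seconds to sleep between scans.  Default 3600 (one hour) --
            the accompanying text says half an hour, the original code sleeps 3600.

    Runs until the process is killed.  A scan that raises is printed and the
    loop continues, so a transient read error cannot silently end monitoring;
    when the mail cannot be delivered the report is printed instead of lost.
    Like save(), the baseline is whatever the tree contains right now.
    """
    save(config, webpath)
    while True:
        try:
            changes = findchange()
        except Exception as e:
            print('scan failed: ' + str(e))
            changes = []
        if changes:
            body = ''.join(line.strip() + '\n' for line in changes)
            if not send_mail(body):
                print('mail delivery failed; changes were:\n' + body)
        time.sleep(interval)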


if __name__ == '__main__': 
    banner='''usage: 
    find.py -save config webpath 
    find.py -find 
    nohup python  find.py -listen config webpath $ 
    Example: 
    python find.py -save /etc/apache2/apache2.conf /var/www 
    python find.py -find 
    nohup python find.py -listen /etc/apache2/apache2.conf /var/www & 
    ''' 

    if (len(sys.argv)

摘自:http://zone.wooyun.org/content/3189

留言评论(旧系统):

佚名 @ 2013-04-08 11:00:20

上来首先把全部文件touch一遍,怎么破

本站回复:

站长:看我杀手锏“整站备份.rar”,解压……

文章来源于lcx.cc:查找 php webshell 小工具

