By ShiDao
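#!/usr/bin/perl
# findshell v1.0 = code taken/modified from traps.darkmindz.com
# Usage: ./findshell.pl [sensitivity] [directory]
#   sensitivity - score a file must reach before it is reported (default 10)
#   directory   - root of the tree to walk (default ./)
use strict;
use warnings;
use File::Find;

# `||`, not the bitwise `|`: an omitted argument must fall back to the default.
my $sens = shift || 10;
my $folder = shift || './';

# The threshold is used numerically below; reject anything that is not a
# non-negative integer instead of silently comparing against 0.
die "findshell: sensitivity must be a non-negative integer, got '$sens'\n"
    unless $sens =~ /\A\d+\z/;
die "findshell: '$folder' is not a directory\n" unless -d $folder;

# backdoor() (defined below) is called once per entry of the tree.
find(\&backdoor, $folder);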
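# File::Find callback, invoked once per directory entry. File::Find has
# already chdir'ed into the entry's directory, so $_ is the bare file name
# and $File::Find::name is the path as seen from where the scan started.
# Two kinds of entry are examined:
#   * .php/.txt files - scored by keyword hits, reported once the score
#     reaches the sensitivity threshold $sens (file-level lexical);
#   * image/archive extensions - reported when a PHP open tag is found inside.
# Prints one report line per hit to STDOUT; the return value is not used.
sub backdoor {
    # File::Find also hands us directories; only regular files are readable.
    return unless -f $_;

    # Full path is for reporting only. The open() calls must use $_: with
    # File::Find's default chdir behaviour a *relative* $File::Find::name
    # (e.g. when scanning ./) no longer resolves from the current directory.
    my $name = $File::Find::name;

    if (/\.(php|txt)/) {
        # Three-arg open with an explicit mode. The two-arg form interprets
        # a leading '>' or a trailing '|' in the file name as a mode or a
        # pipe command - a real risk when walking a directory that an
        # attacker may have been able to write to.
        open my $IN, '<', $_
            or do { warn "findshell: cannot open $name: $!\n"; return };

        # "Maybe evil": functions that web shells rely on but that ordinary
        # code also uses. Each matching line is worth one point.
        my $maybe_evil = qr/function_exists\(|phpinfo\(|safe_?mode|shell_exec\(|popen\(|passthru\(|system\(|myshellexec\(|exec\(|getpwuid\(|getgrgid\(|fileperms\(/i;
        # "Probably evil": request data flowing into include/eval/system and
        # the names of well-known shell kits. Each matching line is worth 50
        # points. Several of these words (region, webadmin, ...) also occur in
        # benign code, so expect false positives at low sensitivity.
        my $probably_evil = qr/\'\$\_(post|request|get).{0,20}\'|(include|require|eval|system|passthru|shell_exec).{0,10}\$\_(post|request|get)|eval.{0,10}protocol|back_connect|backdoor|r57|PHPJackal|PhpSpy|GiX|Fx29SheLL|Protocol|milw0rm|PhpShell|k1r4|FeeLCoMz|UnixOn|C99madShell|region|Locus7s|c100|c99|x2300|cgitelnet|webadmin|cybershell|STUNSHELL|Pr!v8|PHPShell|KaMeLeOn|S4T|oRb|tryag|sniper|noexecshell|\/etc\/passwd|revengans/i;

        # Stream the file line by line instead of slurping it into an array
        # so a very large upload cannot exhaust memory; the counts are the
        # same as grep() over all lines would give.
        my ($score, $tempscore) = (0, 0);
        while (my $line = <$IN>) {
            $score++     if $line =~ $maybe_evil;
            $tempscore++ if $line =~ $probably_evil;
        }
        close $IN;

        $score += 50 * $tempscore;
        # Report once the score reaches the threshold (>= $sens for integers).
        print "$score - Possible backdoor: $name\n" if $score > $sens - 1;
    }
    elsif (/\.(jpg|jpeg|gif|png|tar|zip|gz|rar|pdf)/) {
        open my $IN, '<', $_
            or do { warn "findshell: cannot open $name: $!\n"; return };
        # NOTE(review): the original match list was lost in extraction; the
        # report message says "php in non-php file", so a PHP open tag is
        # what is checked here. Stop at the first hit - one is enough.
        my $has_php_tag = 0;
        while (my $line = <$IN>) {
            if ($line =~ /<\?php/i) { $has_php_tag = 1; last }
        }
        close $IN;
        print "5000 - Possible backdoor (php in non-php file): $name\n" if $has_php_tag;
    }
    return;
}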
Usage:
perl findshell.pl 10 /srv/www/htdocs > scanout.txt
sort scanout.txt
If you hit the memory limit, run the scan per entry instead:
for i in /srv/www/htdocs/; do perl findshell.pl 10 "$i" >> scanout.txt; done
PHP backdoor keywords (www.2cto.com)
• Passthru
• Shell_exec
• System
• Phpinfo
• Base64_decode
• Edoced_46esab (base64_decode used backwards to avoid detection by string searches like this)
• Chmod
• Mkdir
• ` (backticks with an operating system command between them)
• Fopen
• Fclose
• Readfile
Search for the backdoor keywords with the following commands:
0x01
grep -RPn "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" public_html/
0x02
findstr /r /s /n "passthru shell_exec system (phpinfo base64_decode chmod mkdir fopen fclose readfile" *.*