Python script to find webshell
This article describes a Python script that searches for webshell scripts. In addition to the webshell search itself, it provides a whitelist and sends an email alert when malicious code is found. If you are interested, you can test the results yourself.
The specific function code is as follows:
```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import os
import sys
import re
import smtplib

# Set the email
fromaddr = "smtp.qq.com"
toaddrs = ["voilet@qq.com"]
username = "voilet"
password = "xxxxxx"

# Set the whitelist (file names that are skipped)
pass_file = ["api_ucenter.php"]


# Define the email sending function
def sendmail(toaddrs, sub, content):
    'sending mail module'
    # Add the From: and To: headers at the start!
    # A blank line separates the headers from the body.
    msg = ("From: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n"
           % (fromaddr, ", ".join(toaddrs), sub))
    msg += content
    # The session is not encrypted: there is no starttls() before login.
    server = smtplib.SMTP('mail.funshion.com', 25)
    server.login(username, password)
    server.sendmail(fromaddr, toaddrs, msg.encode('utf-8'))
    server.quit()


# Set the search signatures.
# Request-index quantifiers are {0,15} throughout; the base64 rule
# requires a quoted literal of 200 or more characters.
rulelist = [
    r'(\$_(GET|POST|REQUEST)\[.{0,15}\]\(\$_(GET|POST|REQUEST)\[.{0,15}\]\))',
    r'''(base64_decode\(['"][\w\+/=]{200,}['"]\))''',
    r'eval\(base64_decode\(',
    r'(eval\(\$_(POST|GET|REQUEST)\[.{0,15}\]\))',
    r'(assert\(\$_(POST|GET|REQUEST)\[.{0,15}\]\))',
    r'(\$[\w_]{0,15}\(\$_(POST|GET|REQUEST)\[.{0,15}\]\))',
    r'(wscript\.shell)',
    r'(gethostbyname\()',
    r'(cmd\.exe)',
    r'(shell\.application)',
    r'(documents\s+and\s+settings)',
    r'(system32)',
    r'(serv-u)',
    r'(Elevation of Privilege)',
    r'(phpspy)',
    r'(backdoor)',
    r'(webshell)',
    r'(Program\s+Files)',
    r'www.phpdp.com',
    r'phpdp',
    r'php shield',
    r'decryption',
    r'ca3tie1',
    r'GIF89a',
    r'ikfbiluvm0vcjd\/APDolOjtW0tgeKAwA',
    r"'e'\.'v'\.'a'\.'l'",
]


def Scan(path):
    for root, dirs, files in os.walk(path):
        for filespath in files:
            if '.' in filespath:
                ext = filespath[(filespath.rindex('.') + 1):]
                if ext == 'php' and filespath not in pass_file:
                    fullpath = os.path.join(root, filespath)
                    # Tolerate bytes that are not valid UTF-8
                    with open(fullpath, encoding='utf-8', errors='replace') as file:
                        filestr = file.read()
                    for rule in rulelist:
                        # PHP function names are case-insensitive, so match that way
                        result = re.compile(rule, re.IGNORECASE).findall(filestr)
                        if result:
                            print('file: ' + fullpath)
                            print('malicious code: ' + str(result[0]))
                            print('\n\n')
                            sendmail(toaddrs, "value-added malicious code found",
                                     'File: ' + fullpath + "\n"
                                     + 'malicious code: ' + str(result[0]))
                            # Report the first matching rule only, then move on
                            break


try:
    if os.path.lexists("/home/web_root/"):
        print('\nstart scanning: ' + "/home/web_root/")
        print('suspicious files')
        print('########################################')
        Scan("/home/web_root/")
        print('prompt: scan completed')
    else:
        print('prompt: the specified scan directory does not exist')
except IndexError:
    print("Please specify the scan file directory")
```
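The whitelist in the script above compares only the file name, so the skip applies to every file called api_ucenter.php under the scanned tree, whatever its location or content. As an added example (not part of the original script), the variant below pins each whitelist entry to a relative path and a SHA-256 digest of the reviewed content. The names `scan`, `sha256_file`, `demo` and the `allow` mapping are hypothetical, and the file tree is constructed for the demonstration.

```python
import hashlib
import os
import re
import tempfile

# Two of the page's signatures (a subset, for brevity), compiled once.
RULES = [re.compile(p, re.I) for p in (
    r"eval\(base64_decode\(",
    r"(eval\(\$_(POST|GET|REQUEST)\[.{0,15}\]\))",
)]

def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def scan(root, allow):
    """Return relative paths of .php files that match a rule.
    allow maps a relative path to the SHA-256 of its reviewed content."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            # Skip non-PHP files, and allowlisted files whose content is unchanged.
            if not name.lower().endswith(".php") or allow.get(rel) == sha256_file(full):
                continue
            with open(full, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if any(rule.search(text) for rule in RULES):
                hits.append(rel)
    return sorted(hits)

def demo():
    """Scan a constructed tree before and after the allowlisted file changes."""
    shell = '<?php eval($_POST["c"]); ?>'  # constructed sample that matches a rule
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        for rel, body in (("api_ucenter.php", shell),
                          ("uploads/api_ucenter.php", shell),
                          ("index.php", "<?php echo 1; ?>")):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        pinned = os.path.join(root, "api_ucenter.php")
        allow = {"api_ucenter.php": sha256_file(pinned)}
        first = scan(root, allow)
        with open(pinned, "a") as fh:  # content changes after review
            fh.write("\n// edited")
        second = scan(root, allow)
    return first, second

if __name__ == "__main__":
    print(demo())
```

The first scan reports only the same-named file in `uploads/`; once the pinned file's content changes, the second scan reports it as well.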