This article describes a Python script for finding webshells. Besides searching for webshell code it also has a whitelist function and sends an e-mail alert when malicious code is discovered; interested readers can test it themselves to see the effect.
The code is as follows:
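#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""Scan a web root for PHP files that match known webshell signatures.

Every ``.php`` file below the scan root (except names listed in
``pass_file``) is matched against ``rulelist``; the first hit in a file is
printed and reported by e-mail through ``sendmail``.
"""
import os
import re
import smtplib
import sys

# --- mail settings --------------------------------------------------------
# The original listing hard-codes the mailbox password in the script. It is
# read from the environment here so the secret does not live in the source
# tree; the fallback reproduces the original placeholder. The variable name
# WEBSHELL_SCAN_SMTP_PASSWORD is a placeholder chosen for this script.
fromaddr = "smtp.qq.com"  # NOTE(review): looks like a host, not a sender address - confirm
toaddrs = ["voilet@qq.com"]
username = "voilet"
password = os.environ.get("WEBSHELL_SCAN_SMTP_PASSWORD", "xxxxxx")
smtp_host = "mail.funshion.com"
smtp_port = 25  # the port did not survive extraction of the listing; 25 is the SMTP default - confirm

# --- whitelist --------------------------------------------------------------
# Matched on the bare file name only (see Scan): a file carrying a whitelisted
# name anywhere under the scan root is skipped, so keep this list short and
# consider matching on the path relative to the scan root instead.
pass_file = ["api_ucenter.php"]

# Directory scanned when none is given on the command line.
SCAN_ROOT = "/home/web_root/"


def sendmail(toaddrs, sub, content):
    """Send ``content`` as a plain-text mail with subject ``sub`` to ``toaddrs``.

    Uses the module-level ``fromaddr``/``username``/``password`` settings.
    The session is upgraded with STARTTLS when the server offers it, because
    the login would otherwise cross the network in clear text; a server
    without STARTTLS is still used, as in the original script.

    Raises:
        smtplib.SMTPException, socket.error: propagated from the SMTP session.
    """
    headers = "From:%s\r\nTo:%s\r\nSubject:%s\r\n\r\n" % (
        fromaddr, ",".join(toaddrs), sub)
    # The original wrote ``msg + content`` and discarded the result, so the
    # body was never part of the message.
    msg = headers + content
    server = smtplib.SMTP(smtp_host, smtp_port)
    try:
        server.ehlo()
        if server.has_extn("starttls"):
            server.starttls()
            server.ehlo()
        server.login(username, password)
        server.sendmail(fromaddr, toaddrs, msg)
    finally:
        server.quit()


# --- signatures ---------------------------------------------------------------
# A hit only means "looks suspicious"; review the file by hand. Several plain
# keywords (``claim``, ``back door``, ``php shield``, ``decryption``) are
# machine-translated from the original keyword list and will produce false
# positives until they are restored from the upstream source.
rulelist = [
    r"(\$_(GET|POST|REQUEST)\[.{0,15}\]\(\$_(GET|POST|REQUEST)\[.{0,15}\]\))",
    r"(base64_decode\(['\"][\w\+/=]{200,}['\"]\))",
    r"eval\(base64_decode\(",
    r"(eval\(\$_(POST|GET|REQUEST)\[.{0,15}\]\))",
    r"(assert\(\$_(POST|GET|REQUEST)\[.{0,15}\]\))",
    r"(\$[\w_]{0,15}\(\$_(POST|GET|REQUEST)\[.{0,15}\]\))",
    r"(wscript\.shell)",
    r"(gethostbyname\()",
    r"(cmd\.exe)",
    r"(shell\.application)",
    r"(documents\s+and\s+settings)",
    r"(system32)",
    r"(serv-u)",
    r"(claim)",
    r"(phpspy)",
    r"(back door)",
    r"(webshell)",
    r"(program\s+files)",
    r"www.phpdp.com",
    r"phpdp",
    r"php shield",
    r"decryption",
    r"ca3tie1",
    r"gif89a",
    r"IkfbilUvM0vcjd\/apdolojtw0tgekawa",
    r"e'\.'v'\.'a'\.'l'",
]

# Compiled once instead of per file and per rule. PHP function names are
# case-insensitive, so ``EVAL(`` is as dangerous as ``eval(``; the original
# listing's letter case was lost in extraction anyway.
_compiled_rules = [re.compile(rule, re.IGNORECASE) for rule in rulelist]


def find_malicious_code(text):
    """Return the first fragment of ``text`` matched by ``rulelist``, or ``None``.

    Rules are tried in list order; the whole match (not a sub-group) is
    returned, so the printed fragment is always a string.
    """
    for rule in _compiled_rules:
        hit = rule.search(text)
        if hit:
            return hit.group(0)
    return None


def Scan(path, notify=None, extensions=(".php",)):
    """Walk ``path`` and report every file that matches a webshell signature.

    Args:
        path: directory to walk recursively.
        notify: callable ``(toaddrs, subject, body)`` used to raise the alert;
            defaults to ``sendmail``.
        extensions: file suffixes that are scanned (case-sensitive, like the
            original ``.php`` check).

    Returns:
        list of ``(file_path, matched_fragment)`` tuples, one per flagged file.
    """
    if notify is None:
        notify = sendmail
    hits = []
    for root, _dirs, files in os.walk(path):
        for filename in files:
            if not filename.endswith(extensions) or filename in pass_file:
                continue
            full_path = os.path.join(root, filename)
            # Read as bytes and decode 1:1 so a file with non-UTF-8 bytes
            # (e.g. a GIF header in front of PHP code) cannot abort the whole
            # scan with a decode error; the signatures are ASCII, nothing is lost.
            try:
                with open(full_path, "rb") as handle:
                    filestr = handle.read().decode("latin-1")
            except IOError as err:
                print("cannot read " + full_path + ": " + str(err))
                continue
            fragment = find_malicious_code(filestr)
            if fragment is None:
                continue
            hits.append((full_path, fragment))
            print("file: " + full_path)
            print("Malicious code: " + fragment)
            print("\n")
            notify(toaddrs,
                   "Value-added discovery malicious code",
                   "File: " + full_path + "\n" + "Malicious code: " + fragment)
    return hits


def main(argv=None):
    """Scan the directory given on the command line, or ``SCAN_ROOT`` by default.

    The original wrapped the scan in ``except IndexError`` without ever
    indexing ``sys.argv``; the optional argument is handled explicitly here.
    """
    argv = sys.argv[1:] if argv is None else argv
    target = argv[0] if argv else SCAN_ROOT
    # isdir rather than lexists: a dangling symlink or a plain file would
    # otherwise "complete" a scan that looked at nothing.
    if os.path.isdir(target):
        print("\n\nthe start scan: " + target)
        print("Suspicious file")
        print("########################################")
        Scan(target)
        print("Hint: Scan complete--~")
    else:
        print("Hint: The specified scan directory does not exist---")


if __name__ == "__main__":
    main()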