This article introduces a website Trojan detection program implemented in Python.

System administrators usually retrieve a site's code from svn/git, and after the site is deployed the MD5 value of every file on the site is generated. If the content of a page is tampered with (for example, a Trojan is planted) after the site is launched, the changed files can be found quickly by comparing them against the previously generated MD5 values. So that the system administrator discovers changed files immediately, the check can be run from tools such as crontab or Nagios.
A test run of the program looks like this:

```
# python check_change.py
Usage:
    python check_change.py update /home/wwwroot
    python check_change.py check /home/wwwroot
# python check_change.py update /data/www    # generate site md5 values
# echo '' > /data/www/sitemap.html           # test: clear a file
# rm -rf /data/www/sitemap.xml               # test: delete a file
# python check_change.py check /data/www     # search for tampered files
/data/www/sitemap.xml
/data/www/sitemap.html
```
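The code is as follows (check_change.py):

```python
#!/usr/bin/env python
# Written for Python 3; requires the md5sum command (GNU coreutils)
import os
import subprocess
import sys

KEY_FILE = 'file.key'  # baseline of md5sum output, created in the current directory


def update(path):
    """Record the MD5 value of every file under path in KEY_FILE."""
    with open(KEY_FILE, 'wb') as f:
        for root, dirs, files in os.walk(path):
            for name in files:
                line = os.path.join(root, name)
                # Argument list, no shell: the file name is passed verbatim
                stdout, stderr = subprocess.Popen(
                    ['md5sum', line], stdout=subprocess.PIPE).communicate()
                f.write(stdout)


def check(path):
    """Print each file recorded in KEY_FILE that has changed or is missing."""
    with open(KEY_FILE, 'rb') as f, open(os.devnull, 'wb') as devnull:
        for line in f:
            # Pass the recorded line to "md5sum -c" on stdin rather than through
            # a shell, so quotes or metacharacters in file names are harmless
            p = subprocess.Popen(['md5sum', '-c'], stdin=subprocess.PIPE,
                                 stdout=devnull, stderr=devnull)
            p.communicate(line)
            if p.returncode != 0:
                # Split once so file names containing spaces stay whole
                abnormal = line.decode('utf-8', 'replace').split(None, 1)
                print(abnormal[1].rstrip('\n'))


def Usage():
    print('''
Usage:
    python %s update /home/wwwroot
    python %s check /home/wwwroot
''' % (sys.argv[0], sys.argv[0]))
    sys.exit()


if len(sys.argv) != 3:
    Usage()

model = sys.argv[1]
path = sys.argv[2]

if not os.path.exists(path):
    print("\033[;31mThe directory or file does not exist\033[0m")
    sys.exit()
elif model == 'update':
    update(path)
elif model == 'check':
    check(path)
else:
    Usage()
```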
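The check above only walks the entries recorded in file.key, so a file that appears on the site after the baseline was taken is never reported. The following added example is not part of the original program: it uses hashlib instead of the external md5sum command, SHA-256 instead of MD5, and reports modified, removed and added files. The function names and the sample site are constructed for illustration.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file's path (relative to root) to the SHA-256 of its content."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, 'rb') as fh:
                # Hash in chunks so large files are not loaded into memory
                for chunk in iter(lambda: fh.read(65536), b''):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Return sorted lists of modified, removed and added relative paths."""
    modified = sorted(p for p in baseline
                      if p in current and current[p] != baseline[p])
    removed = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return modified, removed, added


def demo():
    """Constructed sample site: clear one file, delete one, add one."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in [('index.html', '<h1>home</h1>'),
                           ('sitemap.html', '<ul></ul>'),
                           ('sitemap.xml', '<urlset/>')]:
            with open(os.path.join(root, name), 'w') as fh:
                fh.write(body)
        baseline = snapshot(root)                              # "update" step
        open(os.path.join(root, 'sitemap.html'), 'w').close()  # cleared
        os.remove(os.path.join(root, 'sitemap.xml'))           # deleted
        with open(os.path.join(root, 'new.php'), 'w') as fh:   # not in baseline
            fh.write('<?php /* constructed placeholder */ ?>')
        return compare(baseline, snapshot(root))               # "check" step


if __name__ == '__main__':
    for label, paths in zip(('modified', 'removed', 'added'), demo()):
        for p in paths:
            print(label, p)
```

In a real deployment the baseline mapping would be stored outside the web root, where a process that can write to the site cannot also rewrite the baseline.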