Because the front-end time server has been released, a webshell scanner has been written to kill phpwebshell. no matter whether the trojan or pony includes a sentence, the Code is now released.
The Code is as follows:
/*
+ -------------------------------------------------------------------------- +
| Codz by indexphp Version: 0.01 |
| (C) 2009 indexphp |
| Http://www.indexphp.org |
+ -------------------------------------------------------------------------- +
*/
/* = ======= */
$ Dir = 'cms '; // you can specify the directory to scan.
$ Jumpoff = false; // you can specify the object to skip the check.
$ Jump = 'safe. php | G'; // This setting is valid when the check object or folder to be skipped is set to $ jumpoff = false.
$ Danger = 'eval | cmd | passthru '; // sets a dangerous function to be searched to determine whether the trojan file is used.
$ Suffix = 'php | inc'; // you can specify the suffix of the file to be scanned.
$ Dir_num = 0;
$ File_num = 0;
$ Danger_num = 0;
/* = ======= */
Extract (GetHttpVars ());
If ($ m = "edit") Edit ();
If ($ m = "del") Delete ();
If ($ check = 'check ')
{$ Safearr = explode ("|", $ jump );
$ Start_time = microtime (true );
Safe_check ($ dir );
$ End_time = microtime (true );
$ Total = $ end_time-$ start_time;
$ File_num = $ file_num-$ dir_num;
$ Message = "number of files:". $ file_num;
$ Message. = "Number of folders:". $ dir_num;
$ Message. = "number of suspicious files:". $ danger_num;
$ Message. = "execution time:". $ total;
Echo $ message;
Exit ();
}
Function GetHttpVars () {// global variable
$ Superglobs = array (
'_ Post ',
'_ Get ',
'Http _ post_vars ',
'Http _ get_vars ');
$ Httpvars = array ();
Foreach ($ superglobs as $ glob ){
Global $ glob;
If (isset ($ glob) & is_array ($ glob )){
$ Httpvars = $ glob;
}
If (count ($ httpvars)> 0)
Break;
}
Return $ httpvars;
}
Function Safe_Check ($ dir) // traverses a file
{
Global $ danger, $ suffix, $ dir_num, $ file_num, $ danger_num;
$ Hand = @ dir ($ dir) or die ('Folder does not exist ');
While ($ file = $ hand-> read ())
{
$ Filename = $ dir. '/'. $ file;
If (! $ Jumpoff ){
If (Jump ($ filename) continue;
}
If (@ is_dir ($ filename) & $ file! = '.' & $ File! = '..' & $ File! = './..')
{$ Dir_num ++;
Safe_Check ($ filename );
}
If (preg_match_all ("/\. ($ suffix)/I", $ filename, $ out ))
{
$ Str = '';
$ Fp = @ fopen ($ filename, 'R') or die ('no authorization ');
While (! Feof ($ fp ))
{
$ Str. = fgets ($ fp, 1024 );
}
Fclose ($ fp );
If (preg_match_all ("/($ danger) [\ r \ n \ t] {0,} ([\ [\ (])/I", $ str, $ out ))
{
Echo "Suspicious File: {$ filename}
View code
Delete
";
$ Danger_num ++;
}
}
$ File_num ++;
}
}
Function Edit () // view suspicious files
{
Global $ filename;
$ Filename = str_replace ("..", "", $ filename );
$ File = $ filename;
$ Content = "";
If (is_file ($ file ))
{
$ Fp = fopen ($ file, "r") or die ('no authorization ');
$ Content = fread ($ fp, filesize ($ file ));
Fclose ($ fp );
$ Content = htmlspecialchars ($ content );
}
Echo"$ Content\ R \ n ";
Exit ();
}
Function Delete () // Delete an object
{
Global $ filename;
(Is_file ($ filename ))? ($ Mes = unlink ($ filename )? 'Deleted successfully': 'failed to delete view authorization '):'';
Echo $ mes;
Exit ();
}
Function Jump ($ file) // skip the file
{
Global $ jump, $ safearr;
If ($ jump! = '')
{
Foreach ($ safearr as $ v)
{
If ($ v = '') continue;
If (eregi ($ v, $ file) return true;
}
}
Return false;
}
?>