scanner.php
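<?php
/*************** PHP web shell ("trojan") scanner ***************
 * Author : Alibaba  (qq: 1499281192, msn: weeming21@hotmail.com)
 * Origin : t00ls.net -- please credit T00LS when reprinting
 * Version: v1.0
 * Purpose: web-based scanner that looks for PHP back doors by signature
 *
 * Note: a flagged file is not necessarily a back door. Review it, audit
 * it and compare it with the original distribution file. If you are
 * unsure, the author welcomes samples for analysis.
 ****************************************************************/
ob_start();
set_time_limit(0);

// SECURITY: these are the published defaults of a public tool. Change both
// before deploying. The login cookie below is derived from them alone, so
// anyone who knows them can forge a session without ever seeing the login
// form, and a stolen cookie stays valid until the credentials change.
$username = 'T00ls';   // set user name
$password = 'T00ls';   // set password
// Session token: a fixed value for the lifetime of the credentials (no
// per-login randomness, no server-side session). Treat it as a password.
$md5     = md5(md5($username) . md5($password));
$version = 'PHP Web Trojan Scanner v1.0';

// Estimate the web root by subtracting the script's URL path from its
// filesystem path. PHP_SELF can carry client-supplied PATH_INFO, so the
// result is only used to build display links, never for access decisions.
$realpath = realpath('./');
$selfpath = isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : '';
$slash    = strrpos($selfpath, '/');
$selfpath = $slash === false ? '' : substr($selfpath, 0, $slash);
define('REALPATH', str_replace('//', '/', str_replace('\\', '/', substr($realpath, 0, strlen($realpath) - strlen($selfpath)))));
define('MYFILE', basename(__FILE__));
define('MYPATH', str_replace('\\', '/', dirname(__FILE__)) . '/');
define('MYFULLPATH', str_replace('\\', '/', __FILE__));
// Scheme follows the request so links work behind HTTPS. HTTP_HOST is the
// client's own Host header; it only ever appears in links shown back to
// that same client, so it is not a security input here.
$scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
define('HOST', $scheme . '://' . (isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : 'localhost'));
?>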
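<title><?php echo $version ?></title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<style>
body{margin:0px;}
body,td{font:12px arial,tahoma;line-height:16px;}
a{color:#00f;text-decoration:underline;}
a:hover{color:#f00;text-decoration:none;}
/* Result rows: alternating shading (alt1/alt2), "focus" is applied on hover.
   Every rule is properly terminated and closed; the original left the
   background declaration unterminated and the rule blocks unclosed. */
.alt1 td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#f1f1f1;padding:5px 10px 5px 5px;}
.alt2 td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#f9f9f9;padding:5px 10px 5px 5px;}
.focus td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#ffffaa;padding:5px 10px 5px 5px;}
.head td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#e9e9e9;padding:5px 10px 5px 5px;font-weight:bold;}
.head td span{font-weight:normal;}
</style>
<body>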
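<?php
/*
 * Request dispatcher: login gate, then logout / download / settings / scan.
 *
 * Authentication model (kept from the original, documented because it is the
 * weakest point of the tool): the "t00ls" cookie is accepted when it equals
 * $md5 = md5(md5($username).md5($password)). That token is a pure function of
 * the configured credentials -- no per-login randomness, no server-side
 * session, no expiry other than the cookie's one year. Anyone who knows the
 * credentials (the defaults are public) can mint the cookie without touching
 * the login form. Change the defaults and serve the page over HTTPS.
 *
 * Hardening applied in this block:
 *  - hash_equals() instead of "==" (no numeric-string juggling, constant time)
 *  - superglobals are type-checked before use (an array from ?x[]=1 would
 *    otherwise reach md5()/trim() and fatal on PHP 8)
 *  - cookies are HttpOnly, and Secure when served over HTTPS
 *  - every user-influenced value echoed into the page is HTML-escaped
 *    (the scan path and the extension list were reflected verbatim before)
 *  - the download action resolves the path and serves regular files only,
 *    with a header-safe filename
 *  - the extension list from the settings cookie is preg_quote()d before it
 *    is compiled into a regex
 *  - time() replaces argument-less mktime(), which no longer exists in PHP 8
 * Not addressed: the forms carry no CSRF token, so a page that can make the
 * logged-in admin's browser POST here can trigger scans or change settings.
 */

// Byte-transparent HTML escaping: the page is declared gb2312 and file names
// may be in any encoding, so no charset validation (which would blank the
// string) is applied -- only the five HTML metacharacters are rewritten.
$h = function ($s) {
    return htmlspecialchars((string) $s, ENT_QUOTES, 'ISO-8859-1');
};

$postedToken = (isset($_POST['username'], $_POST['password'])
                && is_string($_POST['username']) && is_string($_POST['password']))
    ? md5(md5($_POST['username']) . md5($_POST['password']))
    : null;
$cookieOk = isset($_COOKIE['t00ls']) && is_string($_COOKIE['t00ls']) && hash_equals($md5, $_COOKIE['t00ls']);
$postOk   = $postedToken !== null && hash_equals($md5, $postedToken);
// Secure flag only when the request itself came over TLS; HttpOnly always
// (no script on this page needs the cookie).
$cookieSecure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

if (!$cookieOk && !$postOk) {
    echo '<form id="frmlogin" name="frmlogin" method="POST" action="">User name: <input type="text" name="username" id="username" /> Password: <input type="password" name="password" id="password" /> <input type="submit" name="btnlogin" id="btnlogin" value="Landing" /></form>';
} elseif ($postOk) {
    setcookie('t00ls', $md5, time() + 60 * 60 * 24 * 365, '/', '', $cookieSecure, true);
    echo 'landed successfully!';
    header('refresh:1; url=' . MYFILE . '?action=scan');
    exit();
} else {
    setcookie('t00ls', $md5, time() + 60 * 60 * 24 * 365, '/', '', $cookieSecure, true);
    $setting = getsetting();
    $action  = (isset($_GET['action']) && is_string($_GET['action'])) ? $_GET['action'] : '';

    if ($action === 'logout') {
        // The cookie was set with path "/"; deleting it needs the same path,
        // otherwise the browser keeps the original.
        setcookie('t00ls', '', time() - 3600, '/');
        header('Location: ' . MYFILE);
        exit();
    }

    if ($action === 'download' && isset($_GET['file']) && is_string($_GET['file']) && trim($_GET['file']) !== '') {
        // Arbitrary-file download for the authenticated user. Scan paths are
        // user-chosen (any readable directory), so the target cannot be
        // confined to the web root without breaking the feature. What is
        // enforced: the path must resolve to an existing regular readable
        // file, and the filename cannot break out of the header.
        $file = realpath($_GET['file']);
        ob_clean();
        if ($file !== false && is_file($file) && is_readable($file)) {
            $name = basename($file);
            // ASCII-only, quote/backslash-free fallback name; the RFC 5987 form
            // carries the real bytes percent-encoded.
            $asciiName = preg_replace('/[^\x20-\x7e]|["\\\\]/', '_', $name);
            header('Content-Type: application/octet-stream');
            header('X-Content-Type-Options: nosniff');
            header('Content-Disposition: attachment; filename="' . $asciiName . "\"; filename*=UTF-8''" . rawurlencode($name));
            readfile($file);
        }
        exit();
    }
?>
<table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr class="head">
<td><?php echo $h(isset($_SERVER['SERVER_ADDR']) ? $_SERVER['SERVER_ADDR'] : '') ?><span style="float:right; font-weight:bold;"><?php echo "<a href='http://www.t00ls.net/'>$version</a>" ?></span></td>
</tr>
<tr class="alt1">
<td><span style="float:right;"><?php echo date('Y-m-d H:i:s', time()) ?></span>
<a href="?action=scan">Scan</a> |
<a href="?action=setting">Settings</a> |
<a href="?action=logout">Logout</a>
</td>
</tr>
</tbody></table>
<br>
<?php
    if ($action === 'setting') {
        if (isset($_POST['btnsetting'])) {
            // Persist the scan settings in a cookie. Only scalars are stored;
            // getsetting() re-validates them when they come back.
            $ssetting = array();
            $ssetting['user'] = (isset($_POST['checkuser']) && is_string($_POST['checkuser'])) ? $_POST['checkuser'] : 'php|php?|phtml';
            $ssetting['all']  = (isset($_POST['checkall']) && $_POST['checkall'] === 'on') ? 1 : 0;
            $ssetting['hta']  = (isset($_POST['checkhta']) && $_POST['checkhta'] === 'on') ? 1 : 0;
            setcookie('t00ls_s', base64_encode(serialize($ssetting)), time() + 60 * 60 * 24 * 365, '/', '', $cookieSecure, true);
            echo 'Setup Complete!';
            header('refresh:1; url=' . MYFILE . '?action=setting');
            exit();
        }
?>
<form name="frmsetting" method="post" action="?action=setting">
<fieldset style="width:400px">
<legend>Scan Settings</legend>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="80">file suffix:</td>
<td><input type="text" name="checkuser" id="checkuser" style="width:300px;" value="<?php echo $h($setting['user']) ?>"></td>
</tr>
<tr>
<td><label for="checkall">All Files</label></td>
<td><input type="checkbox" name="checkall" id="checkall" <?php if ($setting['all'] == 1) echo 'checked' ?>></td>
</tr>
<tr>
<td><label for="checkhta">Settings file</label></td>
<td><input type="checkbox" name="checkhta" id="checkhta" <?php if ($setting['hta'] == 1) echo 'checked' ?>></td>
</tr>
<tr>
<td> </td>
<td>
<input type="submit" name="btnsetting" id="btnsetting" value="submitted">
</td>
</tr>
</table>
</fieldset>
</form>
<?php
    } else {
        // Scan path from the form, defaulting to the scanner's own directory.
        // An empty path used to normalise to "/" and scan the whole filesystem.
        $dir = (isset($_POST['path']) && is_string($_POST['path'])) ? $_POST['path'] : MYPATH;
        if (trim($dir) === '') {
            $dir = MYPATH;
        }
        $dir = substr($dir, -1) !== '/' ? $dir . '/' : $dir;
?>
<form name="frmscan" method="POST" action="">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="80" style="vertical-align:middle; padding-left:5px;">Scan Path:</td>
<td width="690">
<input type="text" name="path" id="path" style="width:600px" value="<?php echo $h($dir) ?>">
<input type="submit" name="btnscan" id="btnscan" value="Start scanning"></td>
</tr>
</table>
</form>
<?php
        if (isset($_POST['btnscan'])) {
            $start  = time();
            $is_ext = '';
            $list   = '';

            // Build the file-name filter from the "|"-separated extension list.
            // Each piece is escaped first, then the "?" wildcard (any single
            // character, e.g. php? -> php3 / php5) is restored. Without the
            // escaping, the cookie-supplied list could inject regex syntax or a
            // "/" delimiter into the pattern compiled in scan().
            if (trim($setting['user']) !== '') {
                $exts = array();
                foreach (explode('|', $setting['user']) as $ext) {
                    $ext = trim($ext);
                    if ($ext === '') {
                        continue;
                    }
                    $exts[] = str_replace('\?', '(.)', preg_quote($ext, '/'));
                }
                if (count($exts) > 0) {
                    $is_ext = '(\.' . implode('($|\.))|(\.', $exts) . '($|\.))';
                }
            }
            if ($setting['hta'] == 1) {
                $is_ext .= ($is_ext !== '' ? '|' : '') . '(^\.htaccess$)';
            }
            if ($setting['all'] == 1 || ($is_ext === '' && $setting['hta'] == 0)) {
                $is_ext = '(.+)';   // no filter: every file
            }

            $php_code = getcode();
            if (!is_dir($dir) || !is_readable($dir)) {
                $dir = MYPATH;
            }
            $count = $scanned = 0;
            scan($dir, $is_ext);
            $spent = time() - $start;
?>
<div style="padding:10px; background-color:#ccc">Scan: <?php echo $scanned ?> File | Discovery: <?php echo $count ?> suspicious File | Time consuming: <?php echo $spent ?> sec</div>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr class="head">
<td width="30" align="center">No.</td>
<td width="48%">File</td>
<td width="12%">Update time</td>
<td width="10%">Reasons</td>
<td width="20%">Features</td>
<td>Action</td>
</tr>
<?php echo $list ?>
</table>
<?php
        }
    }
}
ob_flush();
?>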
</body>
<?php
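/**
 * Recursively scan $path (must end in "/") for files whose name matches the
 * extension regex $is_ext and whose whitespace-stripped content matches one
 * of the signatures in the global $php_code table.
 *
 * Results are reported through globals, as the caller expects:
 *   $scanned  number of files whose content was examined
 *   $count    number of files that hit a signature (first hit wins, then break)
 *   $list     accumulated HTML table rows for the result table
 * One progress line per hit is also echoed immediately (the caller buffers
 * output, so it appears above the table).
 *
 * Security notes: file names and matched fragments come straight from the
 * disk being scanned -- i.e. potentially from the attacker who planted the
 * web shell. They are HTML-escaped before being put in the page and the
 * download link is URL-encoded, so a file called "<script>..." cannot turn the
 * scanner into an XSS vector against the admin reading the report. Symlinked
 * directories are not followed (a symlink loop recursed forever before), and
 * an unreadable directory is skipped instead of passing false to readdir().
 *
 * The original declared $path with a default before the required $is_ext;
 * that default was unusable (PHP always required both arguments) and is a
 * deprecation on PHP 8, so it is dropped.
 *
 * @param string $path   directory to scan, with trailing slash
 * @param string $is_ext PCRE body (no delimiters) matched against file names, case-insensitive
 * @return void
 */
function scan($path, $is_ext)
{
    global $php_code, $count, $scanned, $list;

    // Signatures are written against whitespace-free code ("eval (" == "eval("),
    // so all whitespace is removed from the file before matching.
    $replace = array(' ', "\n", "\r", "\t");

    $dh = @opendir($path);
    if ($dh === false) {
        return;   // not a directory, or not readable: nothing to scan here
    }
    while (false !== ($file = readdir($dh))) {
        if ($file === '.' || $file === '..') {
            continue;
        }
        $current = $path . $file;
        if (is_dir($current)) {
            if (!is_link($current)) {
                scan($current . '/', $is_ext);
            }
            continue;
        }
        if (MYFULLPATH === $current) {
            continue;   // never report the scanner on itself
        }
        if (!preg_match("/$is_ext/i", $file) || !is_readable($current)) {
            continue;
        }
        $scanned++;
        $content = file_get_contents($current);
        if ($content === false) {
            continue;
        }
        $content = str_replace($replace, '', $content);

        foreach ($php_code as $key => $value) {
            if (!preg_match("/$value/i", $content, $arr)) {
                continue;
            }
            $count++;
            $j        = $count % 2 + 1;
            $mtime    = filemtime($current);
            $filetime = $mtime === false ? '' : date('Y-m-d H:i:s', $mtime);
            $reason   = explode('->', $key);
            $url      = str_replace(REALPATH, HOST, $current);

            // Byte-transparent escaping (ISO-8859-1 never rejects input); the
            // page charset is gb2312 and file names may be in any encoding.
            $hCurrent = htmlspecialchars($current, ENT_QUOTES, 'ISO-8859-1');
            $hUrl     = htmlspecialchars($url, ENT_QUOTES, 'ISO-8859-1');
            $hReason  = htmlspecialchars($reason[0], ENT_QUOTES, 'ISO-8859-1');
            $hFeature = htmlspecialchars(isset($reason[1]) ? $reason[1] : '', ENT_QUOTES, 'ISO-8859-1');
            $dlLink   = '?action=download&amp;file=' . rawurlencode($current);

            $list .= "\n<tr class='alt$j' onmouseover=\"this.className='focus';\" onmouseout=\"this.className='alt$j';\">"
                   . "<td>$count</td>"
                   . "<td><a href='$hUrl' target='_blank'>$hCurrent</a></td>"
                   . "<td>$filetime</td>"
                   . "<td><font color=red>$hReason</font></td>"
                   . "<td><font color=#090>$hFeature</font></td>"
                   . "<td><a href='$dlLink' target='_blank'>Download</a></td>"
                   . "</tr>";

            // Immediate progress lines; the table itself is rendered only after
            // the whole scan has finished.
            echo htmlspecialchars($key . '-' . $current . '(' . $arr[0] . ')', ENT_QUOTES, 'ISO-8859-1') . '<br/>';
            echo $hCurrent . '<br/>';
            break;   // first matching signature wins
        }
    }
    closedir($dh);
}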
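/**
 * Read the scan settings from the "t00ls_s" cookie, or initialise that
 * cookie with the defaults when it is absent.
 *
 * Returns an array with keys:
 *   user  string  "|"-separated extension list ("?" = any one character)
 *   all   int     1 = scan every file regardless of extension
 *   hta   int     1 = also scan .htaccess files
 *
 * The cookie is attacker-influenced (any XSS/CSRF on this origin, or a
 * stolen session), so it is never trusted: unserialize() runs with
 * allowed_classes=false to rule out object injection, the payload must
 * decode to an array, and each field is coerced to the expected scalar.
 * Anything malformed yields the defaults instead of a notice or a crash.
 *
 * @return array{user:string, all:int, hta:int}
 */
function getsetting()
{
    $defaults = array('user' => 'php|php?|phtml|shtml', 'all' => 0, 'hta' => 1);

    if (!isset($_COOKIE['t00ls_s']) || !is_string($_COOKIE['t00ls_s'])) {
        $cookieSecure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
        setcookie('t00ls_s', base64_encode(serialize($defaults)), time() + 60 * 60 * 24 * 365, '/', '', $cookieSecure, true);
        return $defaults;
    }

    $raw = base64_decode($_COOKIE['t00ls_s'], true);
    // "@": a malformed serialized string raises E_NOTICE and returns false;
    // on attacker-controlled input that notice is noise, the false is handled.
    $data = $raw === false ? false : @unserialize($raw, array('allowed_classes' => false));
    if (!is_array($data)) {
        return $defaults;
    }

    $setting = array();
    $setting['user'] = (isset($data['user']) && is_string($data['user'])) ? $data['user'] : $defaults['user'];
    $setting['all']  = (isset($data['all']) && is_scalar($data['all'])) ? intval($data['all']) : $defaults['all'];
    $setting['hta']  = (isset($data['hta']) && is_scalar($data['hta'])) ? intval($data['hta']) : $defaults['hta'];
    return $setting;
}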
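/**
 * Signature table: label => PCRE body (no delimiters).
 *
 * scan() applies each pattern with the "i" modifier to the file content
 * AFTER all whitespace has been stripped, which is why several patterns
 * are written without spaces ("returnsstringsoname", "intooutfile",
 * "sethandlerapplication\/x-httpd-php"). The label is split on "->" into
 * the "Reasons" and "Features" columns of the report.
 *
 * Matching is first-hit-wins in array order, so a generic entry shadows
 * any more specific one that follows it (e.g. "eval($" fires for
 * "eval($_POST[...]" before the one-liner entry is reached; "str_rot13"
 * fires before "eval(str_rot13("). The labels shown are therefore the
 * first matching category, not necessarily the most specific.
 *
 * Fixes against the original table:
 *  - the "eval(gzinflate(" / "eval(base64_decode(" / "eval(gzuncompress(" /
 *    "eval(gzdecode(" entries matched a bare "eval\(", i.e. any eval() call,
 *    so every eval was reported under the first of those labels; each now
 *    matches the decoder it is named after.
 *  - "load_file" required "\s+" after "select", which can never match
 *    whitespace-stripped content; the pattern is now "select(.*)load_file".
 *
 * These are crude substring/regex heuristics: legitimate code that calls
 * system() or eval() will be flagged. Every hit needs manual review.
 *
 * @return array<string,string>
 */
function getcode()
{
    return array(
        // -- strings typical of known shells --
        'Backdoor features->cha88.cn'    => 'cha88\.cn',
        'Backdoor features->c99shell'    => 'c99shell',
        'Backdoor features->phpspy'      => 'phpspy',
        'Backdoor features->scanners'    => 'scanners',
        'Backdoor features->cmd.php'     => 'cmd\.php',
        'Backdoor features->str_rot13'   => 'str_rot13',
        'Backdoor features->webshell'    => 'webshell',
        'Backdoor features->egy_spider'  => 'egy_spider',
        'Backdoor features->tools88.com' => 'tools88\.com',
        'Backdoor features->secforce'    => 'secforce',
        'Backdoor features->eval("?>'    => 'eval\((\'|")\?>',
        // -- command execution / dynamic code --
        'Suspicious code feature->system('     => 'system\(',
        'Suspicious code feature->passthru('   => 'passthru\(',
        'Suspicious code feature->shell_exec(' => 'shell_exec\(',
        'Suspicious code feature->exec('       => 'exec\(',
        'Suspicious code feature->popen('      => 'popen\(',
        'Suspicious code feature->proc_open'   => 'proc_open',
        'Suspicious code feature->eval($'      => 'eval\((\'|"|\s*)\$',
        'Suspicious code feature->assert($'    => 'assert\((\'|"|\s*)\$',
        // -- MySQL: UDF loading, file write, file read --
        'Dangerous MySQL code->returns string soname' => 'returnsstringsoname',
        'Dangerous MySQL code->into outfile'          => 'intooutfile',
        'Dangerous MySQL code->load_file'             => 'select(.*)load_file',
        // -- encoded / compressed payloads --
        'Cryptographic Backdoor features->eval(gzinflate('             => 'eval\(gzinflate\(',
        'Cryptographic Backdoor features->eval(base64_decode('         => 'eval\(base64_decode\(',
        'Cryptographic Backdoor features->eval(gzuncompress('          => 'eval\(gzuncompress\(',
        'Cryptographic Backdoor features->eval(gzdecode('              => 'eval\(gzdecode\(',
        'Cryptographic Backdoor features->eval(str_rot13('             => 'eval\(str_rot13\(',
        'Cryptographic Backdoor features->gzuncompress(base64_decode(' => 'gzuncompress\(base64_decode\(',
        'Cryptographic Backdoor features->base64_decode(gzuncompress(' => 'base64_decode\(gzuncompress\(',
        // -- one-liners fed straight from request superglobals --
        'A word back door features->eval($_'                 => 'eval\((\'|"|\s*)\$_(POST|GET|REQUEST|COOKIE)',
        'A word back door features->assert($_'               => 'assert\((\'|"|\s*)\$_(POST|GET|REQUEST|COOKIE)',
        'A word back door features->require($_'              => 'require\((\'|"|\s*)\$_(POST|GET|REQUEST|COOKIE)',
        'A word back door features->require_once($_'         => 'require_once\((\'|"|\s*)\$_(POST|GET|REQUEST|COOKIE)',
        'A word back door features->include($_'              => 'include\((\'|"|\s*)\$_(POST|GET|REQUEST|COOKIE)',
        'A word back door features->include_once($_'         => 'include_once\((\'|"|\s*)\$_(POST|GET|REQUEST|COOKIE)',
        'A word back door feature->call_user_func("assert"'  => 'call_user_func\(("|\')assert("|\')',
        'A word back door features->call_user_func($_'       => 'call_user_func\((\'|"|\s*)\$_(POST|GET|REQUEST|COOKIE)',
        'A word back door feature->$_POST/GET/REQUEST/COOKIE[?]($_POST/GET/REQUEST/COOKIE[?]' => '\$_(POST|GET|REQUEST|COOKIE)\[([^\]]+)\]\((\'|"|\s*)\$_(POST|GET|REQUEST|COOKIE)\[',
        'A word back door features->echo(file_get_contents($_POST/GET/REQUEST/COOKIE' => 'echo\(file_get_contents\((\'|"|\s*)\$_(POST|GET|REQUEST|COOKIE)',
        // -- file-dropper one-liners --
        'Upload back door feature->file_put_contents($_POST/GET/REQUEST/COOKIE,$_POST/GET/REQUEST/COOKIE' => 'file_put_contents\((\'|"|\s*)\$_(POST|GET|REQUEST|COOKIE)\[([^\]]+)\],(\'|"|\s*)\$_(POST|GET|REQUEST|COOKIE)',
        'Upload back door features->fputs(fopen("?","w"),$_POST/GET/REQUEST/COOKIE[' => 'fputs\(fopen\((.+),(\'|")w(\'|")\),(\'|"|\s*)\$_(POST|GET|REQUEST|COOKIE)\[',
        // -- .htaccess tricks that make non-PHP files execute or prepend code --
        '.htaccess features->SetHandler application/x-httpd-php' => 'sethandlerapplication\/x-httpd-php',
        '.htaccess features->php_value auto_prepend_file'        => 'php_valueauto_prepend_file',
        '.htaccess features->php_value auto_append_file'         => 'php_valueauto_append_file',
    );
}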
?>
This is a PHP tool that scans a web site's files for PHP trojans (web shells). It currently detects the following signatures:
Signature list (label shown in the report):
Backdoor features->cha88.cn
Backdoor features->c99shell
Backdoor features->phpspy
Backdoor features->scanners
Backdoor features->cmd.php
Backdoor features->str_rot13
Backdoor features->webshell
Backdoor features->egy_spider
Backdoor features->tools88.com
Backdoor features->secforce
Backdoor features->eval ("?>
Suspicious code feature->system (
Suspicious code feature->passthru (
Suspicious code feature->shell_exec (
Suspicious code feature->exec (
Suspicious code feature->popen (
Suspicious code feature->proc_open
Suspicious code feature->eval ($
Suspicious code feature->assert ($
Dangerous MySQL code->returns string soname
Dangerous MySQL Code->into outfile
Dangerous MySQL Code->load_file
Cryptographic backdoor feature->eval(gzinflate(
Cryptographic backdoor feature->eval(base64_decode(
Cryptographic backdoor feature->eval(gzuncompress(
Cryptographic backdoor feature->eval(gzdecode(
Cryptographic backdoor feature->eval(str_rot13(
Cryptographic backdoor feature->gzuncompress(base64_decode(
Cryptographic backdoor feature->base64_decode(gzuncompress(
A word back door features->eval ($_
A word back door features->assert ($_
A word back door features->require ($_
A word back door features->require_once ($_
A word back door features->include ($_
A word back door features->include_once ($_
A word back door feature->call_user_func ("Assert"
A word back door features->call_user_func ($_
A word back door feature->$_post/get/request/cookie[?] ($_post/get/request/cookie[?]
A word back door features->echo (file_get_contents ($_post/get/request/cookie
Uploading Backdoor features->file_put_contents ($_post/get/request/cookie,$_post/get/request/cookie
Upload Backdoor features->fputs (fopen ("?", "W"), $_post/get/request/cookie[
. htaccess features->sethandler application/x-httpd-php
. htaccess features->php_value Auto_prepend_file
. htaccess features->php_value Auto_append_file
The page layout was not designed from scratch; it simply reuses the PHPSpy stylesheet.
Note: a flagged file is not necessarily a back door. The signatures are plain substring/regex matches (any call to system(), eval() and so on will be reported), so legitimate code produces hits too. Review each hit, audit it, and compare it against the original distribution file before acting on it. Also remember that the scanner itself is a web page protected only by a username/password and a long-lived cookie: change the default credentials and remove the script when you are done.