PHP Web Trojan scanner code v1.0 Security Testing Tool

Composer. php
Copy codeThe Code is as follows:
<? Php
/************* PHP Web Trojan scanner ********************* ***/
/* [+] By alibaba */
/* [+] QQ: 1499281192 */
/* [+] MSN: weeming21@hotmail.com */
/* [+] Initial release: t00ls.net. For details, refer to t00ls */
/* [+] Version: v1.0 */
/* [+] Function: php Trojan scanning tool for the web version */
/* [+] Note: The scanned file is not necessarily a backdoor ,*/
/* Determine, review, and compare the original file by yourself. */
/* If you are not sure whether the scanned file is a backdoor ,*/
/* You are welcome to send this file to me for analysis. */
/*************************************** ****************/
Ob_start ();
Set_time_limit (0 );
$ Username = "t00ls"; // set the user name
$ Password = "t00ls"; // set the password
$ Md5 = md5 (md5 ($ username). md5 ($ password ));
$ Version = "PHP Web Trojan scanner v1.0 ";
$ Realpath = realpath ('./');
$ Selfpath = $ _ SERVER ['php _ SELF '];
$ Selfpath = substr ($ selfpath, 0, strrpos ($ selfpath ,'/'));
Define ('realpath', str_replace ('//', '/', str_replace ('\', '/', substr ($ REALPATH, 0, strlen ($ realpath) -strlen ($ selfpath )))));
Define ('myfile', basename (_ FILE __));
Define ('mypath', str_replace ('\', '/', dirname (_ FILE __)).'/');
Define ('myfullpath', str_replace ('\', '/', (_ FILE __)));
Define ('host', "http: //". $ _ SERVER ['HTTP _ host']);
?>
<Html>
<Head>
<Title> <? Php echo $ version?> </Title>
<Meta http-equiv = "Content-Type" content = "text/html; charset = gb2312"/>
<Style>
Body {margin: 0px ;}
Body, td {font: 12px Arial, Tahoma; line-height: 16px ;}
A {color: # 00f; text-decoration: underline ;}
A: hover {color: # f00; text-decoration: none ;}
. Alt1 td {border-top: 1px solid # fff; border-bottom: 1px solid # ddd; background: # f1f1f1; padding: 5px 10px 5px 5px ;}
. Alt2 td {border-top: 1px solid # fff; border-bottom: 1px solid # ddd; background: # f9f9f9; padding: 5px 10px 5px ;}
. Focus td {border-top: 1px solid # fff; border-bottom: 1px solid # ddd; background: # ffffaa; padding: 5px 10px 5px 5px ;}
. Head td {border-top: 1px solid # fff; border-bottom: 1px solid # ddd; background: # e9e9e9; padding: 5px 10px 5px 5px; font-weight: bold ;}
. Head td span {font-weight: normal ;}
</Style>
</Head>
<Body>
<? Php
If (! (Isset ($ _ COOKIE ['t00ls']) & $ _ COOKIE ['t00ls'] = $ md5 )&&! (Isset ($ _ POST ['username']) & isset ($ _ POST ['Password']) & (md5 (md5 ($ _ POST ['username']). md5 ($ _ POST ['Password']) = $ md5 )))
{
Echo '<form id = "frmlogin" name = "frmlogin" method = "post" action = ""> User name: <input type = "text" name = "username" id = "username"/> password: <input type = "password" name = "password" id = "password"/> <input type = "submit" name = "btnLogin" id = "btnLogin" value = "Login "/> </form> ';
}
Elseif (isset ($ _ POST ['username']) & isset ($ _ POST ['Password']) & (md5 (md5 ($ _ POST ['username']). md5 ($ _ POST ['Password']) = $ md5 ))
{
Setcookie ("t00ls", $ md5, time () + 60*60*24*365 ,"/");
Echo "Login successful! ";
Header ('refresh: 1; url = '. MYFILE .'? Action = scan ');
Exit ();
}
Else
{
Setcookie ("t00ls", $ md5, time () + 60*60*24*365 ,"/");
$ Setting = getSetting ();
$ Action = isset ($ _ GET ['action'])? $ _ GET ['action']: "";
If ($ action = "logout ")
{
Setcookie ("t00ls", "", time ()-3600 );
Header ("Location:". MYFILE );
Exit ();
}
If ($ action = "download" & isset ($ _ GET ['file']) & trim ($ _ GET ['file'])! = "")
{
$ File = $ _ GET ['file'];
Ob_clean ();
If (@ file_exists ($ file )){
Header ("Content-type: application/octet-stream ");
Header ("Content-Disposition: filename = \" ". basename ($ file )."\"");
Echo file_get_contents ($ file );
}
Exit ();
}
?>
<Table border = "0" cellpadding = "0" cellspacing = "0" width = "100%">
<Tbody> <tr class = "head">
<Td> <? Php echo $ _ SERVER ['server _ ADDR ']?> <Span style = "float: right; font-weight: bold;"> <? Php echo "<a href = 'HTTP: // www.t00ls.net/'> $ version </a>"?> </Span> </td>
</Tr>
<Tr class = "alt1">
<Td> <span style = "float: right;"> <? = Date ("Y-m-d H: I: s", mktime ()?> </Span>
<A href = "? Action = scan "> scan </a> |
<A href = "? Action = setting "> set </a> |
<A href = "? Action = logout "> logout </a>
</Td>
</Tr>
</Tbody> </table>
<Br>
<? Php
If ($ action = "setting ")
{
If (isset ($ _ POST ['btnsetting'])
{
$ Ssetting = array ();
$ Ssetting ['user'] = isset ($ _ POST ['checkuser'])? $ _ POST ['checkuser']: "php | php? | Phtml ";
$ Ssetting ['all'] = isset ($ _ POST ['checkall']) & $ _ POST ['checkall'] = "on "? 1:0;
$ Ssetting ['hta'] = isset ($ _ POST ['checkhta']) & $ _ POST ['checkhta'] = "on "? 1:0;
Setcookie ("t00ls_s", base64_encode (serialize ($ Ssetting), time () + 60*60*24*365 ,"/");
Echo "Settings complete! ";
Header ('refresh: 1; url = '. MYFILE .'? Action = setting ');
Exit ();
}
?>
<Form name = "frmSetting" method = "post" action = "? Action = setting ">
<FIELDSET style = "width: 400px">
<LEGEND> scan Settings </LEGEND>
<Table width = "100%" border = "0" cellspacing = "0" cellpadding = "0">
<Tr>
<Td width = "60"> file Suffix: </td>
<Td width = "300"> <input type = "text" name = "checkuser" id = "checkuser" style = "width: 300px;" value = "<? Php echo $ setting ['user']?> "> </Td>
</Tr>
<Tr>
<Td> <label for = "checkall"> all files </label> </td>
<Td> <input type = "checkbox" name = "checkall" id = "checkall" <? Php if ($ setting ['all'] = 1) echo "checked"?> </Td>
</Tr>
<Tr>
<Td> <label for = "checkhta"> setting file </label> </td>
<Td> <input type = "checkbox" name = "checkhta" id = "checkhta" <? Php if ($ setting ['hta'] = 1) echo "checked"?> </Td>
</Tr>
<Tr>
<Td> </td>
<Td>
<Input type = "submit" name = "btnsetting" id = "btnsetting" value = "submit">
</Td>
</Tr>
</Table>
</Fieldset>
</Form>
<? Php
}
Else
{
$ Dir = isset ($ _ POST ['path'])? $ _ POST ['path']: MYPATH;
$ Dir = substr ($ dir,-1 )! = "/"? $ Dir. "/": $ dir;
?>
<Form name = "frmScan" method = "post" action = "">
<Table width = "100% %" border = "0" cellspacing = "0" cellpadding = "0">
<Tr>
<Td width = "35" style = "vertical-align: middle; padding-left: 5px;"> scan path: </td>
& Lt; td width = "690" & gt;
<Input type = "text" name = "path" id = "path" style = "width: 600px" value = "<? Php echo $ dir?> ">
<Input type = "submit" name = "btnScan" id = "btnScan" value = "Start scan"> </td>
</Tr>
</Table>
</Form>
<? Php
If (isset ($ _ POST ['btnscan'])
{
$ Start = mktime ();
$ Is_user = array ();
$ Is_ext = "";
$ List = "";
If (trim ($ setting ['user'])! = "")
{
$ Is_user = explode ("|", $ setting ['user']);
If (count ($ is_user)> 0)
{
Foreach ($ is_user as $ key => $ value)
$ Is_user [$ key] = trim (str_replace ("? "," (.) ", $ Value ));
$ Is_ext = "(\.". implode ("($ | \.) | (\.", $ is_user). "($ | \.))";
}
}
If ($ setting ['hta'] = 1)
{
$ Is_hta = 1;
$ Is_ext = strlen ($ is_ext)> 0? $ Is_ext. "|": $ is_ext;
$ Is_ext. = "(^ \. htaccess $ )";
}
If ($ setting ['all'] = 1 | (strlen ($ is_ext) = 0 & $ setting ['hta'] = 0 ))
{
$ Is_ext = "(. + )";
}
$ Php_code = getCode ();
If (! Is_readable ($ dir ))
$ Dir = MYPATH;
$ Count = $ scanned = 0;
Scan ($ dir, $ is_ext );
$ End = mktime ();
$ Spent = ($ end-$ start );
?>
<Div style = "padding: 10px; background-color: # ccc"> scan: <? Php echo $ scanned?> File | found: <? Php echo $ count?> Suspicious File | time consumed: <? Php echo $ spent?> Seconds </div>
<Table width = "100%" border = "0" cellspacing = "0" cellpadding = "0">
<Tr class = "head">
<Td width = "15" align = "center"> No. </td>
<Td width = "48%"> file </td>
<Td width = "12%"> Update time </td>
<Td width = "10%"> cause </td>
<Td width = "20%"> features </td>
<Td> action </td>
</Tr>
<? Php echo $ list?>
</Table>
<? Php
}
}
}
Ob_flush ();
?>
</Body>
</Html>
<? Php
Function scan ($ path = '.', $ is_ext ){
Global $ php_code, $ count, $ scanned, $ list;
$ Ignore = array ('.','..');
$ Replace = array ("", "\ n", "\ r", "\ t ");
$ Dh = @ opendir ($ path );
While (false! ==( $ File = readdir ($ dh ))){
If (! In_array ($ file, $ ignore )){
If (is_dir ("$ path $ file ")){
Scan ("$ path $ file/", $ is_ext );
} Else {
$ Current = $ path. $ file;
If (MYFULLPATH = $ current) continue;
If (! Preg_match ("/$ is_ext/I", $ file) continue;
If (is_readable ($ current ))
{
$ Scanned ++;
$ Content = file_get_contents ($ current );
$ Content = str_replace ($ replace, "", $ content );
Foreach ($ php_code as $ key => $ value)
{
If (preg_match ("/$ value/I", $ content ))
{
$ Count ++;
$ J = $ count % 2 + 1;
$ Filetime = date ('Y-m-d H: I: s', filemtime ($ current ));
$ Reason = explode ("->", $ key );
$ Url = str_replace (REALPATH, HOST, $ current );
Preg_match ("/$ value/I", $ content, $ arr );
$ List. ="
<Tr class = 'alt $ J' onmouseover = 'this. className = \ "focus \"; 'onmouseout = 'this. className = \ "alt $ j \"; '>
<Td> $ count </td>
<Td> <a href = '$ url' target =' _ blank '> $ current </a> </td>
<Td> $ filetime </td>
<Td> <font color = red> $ reason [0] </font> </td>
<Td> <font color = #090> $ reason [1] </font> </td>
<Td> <a href = '? Action = download & file = $ current 'target = '_ blank'> download </a> </td>
</Tr> ";
// Echo $ key. "-". $ path. $ file. "(". $ arr [0]. ")". "<br/> ";
// Echo $ path. $ file. "<br/> ";
Break;
}
}
}
}
}
}
Closedir ($ dh );
}
Function getSetting ()
{
$ Ssetting = array ();
If (isset ($ _ COOKIE ['t00ls _ s'])
{
$ Ssetting = unserialize (base64_decode ($ _ COOKIE ['t00ls _ s']);
$ Ssetting ['user'] = isset ($ Ssetting ['user'])? $ Ssetting ['user']: "php | php? | Phtml | shtml ";
$ Ssetting ['all'] = isset ($ Ssetting ['all'])? Intval ($ Ssetting ['all']): 0;
$ Ssetting ['hta'] = isset ($ Ssetting ['hta'])? Intval ($ Ssetting ['hta']): 1;
}
Else
{
$ Ssetting ['user'] = "php | php? | Phtml | shtml ";
$ Ssetting ['all'] = 0;
$ Ssetting ['hta'] = 1;
Setcookie ("t00ls_s", base64_encode (serialize ($ Ssetting), time () + 60*60*24*365 ,"/");
}
Return $ Ssetting;
}
Function getCode ()
{
Return array (
'Backdoor features-> cha88.cn' => 'cha88 \. cn ',
'Backdoor features-> c99shell' => 'c99shell ',
'Backdoor features-> phpspy' => 'phpspy ',
'Backdoor features-> scanners' => 'scanners ',
'Backdoor features-> cmd. php' => 'cmd \. php ',
'Backdoor features-> str_rot13 '=> 'str _ rot13 ',
'Webshell' => 'webshell ',
'Backdoor features-> EgY_SpIdEr '=> 'egy _ SpIdEr ',
'Backdoor features-> tools88.com '=> 'tools88 \. com ',
'Backdoor features-> secforce' => 'secforce ',
'Backdoor features-> eval ("?> '=> 'Eval \ (\' | ") \?> ',
'Suspicious code features-> system ('=> 'System \(',
'Suspicious code features-> passthru ('=> 'passthru \(',
'Suspicious code features-> shell_exec ('=> 'Shell _ exec \(',
'Suspicious code features-> exec ('=> 'exec \(',
'Suspicious code features-> popen ('=> 'popen \(',
'Suspicious code features-> proc_open '=> 'proc _ open ',
'Suspicious code features-> eval ($ '=> 'eval \ (\' | "| \ s *) \ $ ',
'Suspicious code features-> assert ($ '=> 'assert \ (\' | "| \ s *) \ $ ',
'Dangerous MYSQL code-> returns string soname' => 'returnsstringsoname ',
'Dangerous MYSQL code-> into outfile' => 'invalid outfile ',
'Dangerous MYSQL code-> load_file '=> 'select (\ s +) (. *) load_file ',
'Encrypted backdoor features-> eval (gzinflate ('=> 'eval \ (gzinflate \(',
'Encrypted backdoor features-> eval (base64_decode ('=> 'eval \ (base64_decode \(',
'Encrypted backdoor features-> eval (gzuncompress ('=> 'eval \ (gzuncompress \(',
'Encrypted backdoor features-> eval (gzdecode ('=> 'eval \ (gzdecode \(',
'Encrypted backdoor features-> eval (str_rot13 ('=> 'eval \ (str_rot13 \(',
'Encrypted backdoor features-> gzuncompress (base64_decode ('=>' gzuncompress \ (base64_decode \(',
'Encrypted backdoor features-> base64_decode (gzuncompress ('=> 'base64 _ decode \ (gzuncompress \(',
'Backdoor features in one sentence-> eval ($ _ '=> 'eval \ (\' | "| \ s *) \ $ _ (POST | GET | REQUEST | COOKIE) ',
'One-sentence backdoor feature-> assert ($ _ '=> 'assert \ (\' | "| \ s *) \ $ _ (POST | GET | REQUEST | COOKIE) ',
'Webshell features in one sentence-> require ($ _ '=> 'require \ (\' | "| \ s *) \ $ _ (POST | GET | REQUEST | COOKIE) ',
'Webshell features in one sentence-> require_once ($ _ '=> 'require _ once \ (\' | "| \ s *) \\$ _ (POST | GET | REQUEST | COOKIE )',
'Backdoor features in one sentence-> include ($ _ '=> 'include \ (\' | "| \ s *) \ $ _ (POST | GET | REQUEST | COOKIE) ',
'Backdoor features in one sentence-> include_once ($ _ '=> 'include _ once \ (\' | "| \ s *) \\$ _ (POST | GET | REQUEST | COOKIE )',
'Backdoor features in one sentence-> call_user_func ("assert" '=> 'call _ user_func \ ("| \') assert (" | \')',
'Webshell features in one sentence-> call_user_func ($ _ '=> 'call _ user_func \ (\' | "| \ s *) \\$ _ (POST | GET | REQUEST | COOKIE )',
'Webshell features in one sentence-> $ _ POST/GET/REQUEST/COOKIE [?] ($ _ POST/GET/REQUEST/COOKIE [?] '=>' \ $ _ (POST | GET | REQUEST | COOKIE) \ [([^ \] +) \] \ (\ '| "| \ s *) \\$ _ (POST | GET | REQUEST | COOKIE )\[',
'Backdoor features in one sentence-> echo (file_get_contents ($ _ POST/GET/REQUEST/COOKIE '=> 'echo \ (file_get_contents \ (\' | "| \ s *) \\$ _ (POST | GET | REQUEST | COOKIE )',
'Upload backdoor features-> file_put_contents ($ _ POST/GET/REQUEST/COOKIE, $ _ POST/GET/REQUEST/COOKIE '=> 'file _ put_contents \ (\' | "| \ s *) \\$ _ (POST | GET | REQUEST | COOKIE) \ [([^ \] +) \], (\ '| "| \ s *) \\$ _ (POST | GET | REQUEST | COOKIE )',
'Upload backdoor features-> fputs (fopen ("? "," W "), $ _ POST/GET/REQUEST/COOKIE ['=> 'fputs \ (fopen \((. +), (\ '| ") w (\' |") \), (\ '| "| \ s *) \\$ _ (POST | GET | REQUEST | COOKIE )\[',
'. Htaccess plug-in Feature-> SetHandler application/x-httpd-php' => 'sethandlerapplication \/x-httpd-php ',
'. Htaccess plug-in Feature-> php_value auto_prepend_file' => 'php _ valueauto_prepend_file ',
'. Htaccess plug-in Feature-> php_value auto_append_file' => 'php _ valueauto_append_file'
);
}
?>

A tool that scans php Trojans in the php environment. The following features can be scanned:
Copy codeThe Code is as follows:
Signature:
Backdoor features-> cha88.cn
Backdoor features-> c99shell
Backdoor features-> phpspy
Backdoor features-> Scanners
Backdoor features-> cmd. php
Backdoor features-> str_rot13
Webshell
Backdoor features-> EgY_SpIdEr
Backdoor features-> tools88.com
Backdoor features-> SECFORCE
Backdoor features-> eval ("?>
Suspicious code features-> system (
Suspicious code features-> passthru (
Suspicious code features-> shell_exec (
Suspicious code features-> exec (
Suspicious code features-> popen (
Suspicious code features-> proc_open
Suspicious code features-> eval ($
Suspicious code features-> assert ($
Dangerous MYSQL code-> returns string soname
Dangerous MYSQL code-> into outfile
Dangerous MYSQL code-> load_file
Encrypted backdoor features-> eval (gzinflate (
Encrypted backdoor features-> eval (base64_decode (
Encrypted backdoor features-> eval (gzuncompress (
Encrypted backdoor features-> gzuncompress (base64_decode (
Encrypted backdoor features-> base64_decode (gzuncompress (
Backdoor features in one sentence-> eval ($ _
One-sentence backdoor feature-> assert ($ _
Webshell features in one sentence-> require ($ _
Webshell features in one sentence-> require_once ($ _
Backdoor features in one sentence-> include ($ _
Backdoor features in one sentence-> include_once ($ _
Backdoor features in one sentence-> call_user_func ("assert"
Webshell features in one sentence-> call_user_func ($ _
Webshell features in one sentence-> $ _ POST/GET/REQUEST/COOKIE [?] ($ _ POST/GET/REQUEST/COOKIE [?]
Backdoor features in one sentence-> echo (file_get_contents ($ _ POST/GET/REQUEST/COOKIE
Upload backdoor features-> file_put_contents ($ _ POST/GET/REQUEST/COOKIE, $ _ POST/GET/REQUEST/COOKIE
Upload backdoor features-> fputs (fopen ("? "," W "), $ _ POST/GET/REQUEST/COOKIE [
. Htaccess plug-in Feature-> SetHandler application/x-httpd-php
. Htaccess plug-in Feature-> php_value auto_prepend_file
. Htaccess plug-in Feature-> php_value auto_append_file

Lazy design, directly apply the phpspy Style
Note: The scanned file is not necessarily a backdoor. Please judge, review, and compare the original file by yourself.