During web security incident response, you inevitably need to check whether a webshell has been uploaded to the server. Manual checking is slow, so I wrote a script to do it. On the Windows platform, lake2 has already written the Lake chart tool, which is enough for general checks. I wrote a Linux version in Python.
1. Usage: find.py directory name
2. Python regular expressions are used for matching. You can add your own regular expressions to keywords in the following format:
[r"eval\(\$\_POST", "found a PHP Trojan!"]  # the regular expression comes first, followed by its description, which is written to the log
3. Change the file suffixes and the keyword regular expressions and it becomes a webshell check tool for other languages ^_^.
4. The development environment is Windows XP + ActivePython 2.6.2.2. My computer has no Linux environment and I was too lazy to install a virtual machine; I will test it on a Linux virtual machine tomorrow.
5. Currently it is only a framework; it will be improved gradually.
The code is as follows:
# coding: gbk
import os
import re
import sys

findtype = ['.php', '.inc']  # file suffix types to be checked
# Regular expressions of the keywords to check and their descriptions in the log (a two-dimensional list).
keywords = [
    [r"eval\(\$\_POST", "found a PHP Trojan!"],
    [r"(system|shell_exec|exec|popen)", "PHP command execution function found!"],
]
writelog = open('log.txt', 'w+')


def checkfile(filename):
    # Search one file for every keyword and log each keyword that matches.
    fp = open(filename)
    content = fp.read()
    for keyword in keywords:
        if re.search(keyword[0], content, re.I):
            log = "%s: %s" % (filename, keyword[1])
            # print(log)
            writelog.write(log + "\n")
    fp.close()


def checkdir(dirname):
    # Walk dirname recursively and check every file whose suffix is in findtype.
    try:
        ls = os.listdir(dirname)
    except OSError:
        print('Access deny')
    else:
        for l in ls:
            temp = os.path.join(dirname, l)
            if os.path.isdir(temp):
                checkdir(temp)
            else:
                # splitext returns '' for a name without a dot, where rindex('.') would raise ValueError
                ext = os.path.splitext(temp)[1]
                if ext in findtype:
                    checkfile(temp)


if __name__ == "__main__":
    print("PHP webshell check for Python!")
    print("By: Neeao")
    print("http://Neeao.com")
    if len(sys.argv) < 2:
        print("%s C:\\" % sys.argv[0])
    else:
        print("Check start!")
        dirs = sys.argv[1:]
        # print(dirs[0])
        if os.path.exists(dirs[0]):
            checkdir(dirs[0])
        else:
            print("Dir: '%s' not exists!" % dirs[0])
        print("Check finish!")
    writelog.close()
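The keyword list above matches anywhere in the file, so `(system|shell_exec|exec|popen)` also fires on words such as "filesystem" or "execute". The following added example (Python 3, not the author's code) keeps the same [pattern, description] format but reports line numbers and uses tightened patterns; the names scan_file, scan_tree and demo, the extra patterns and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Same [pattern, description] format as the script's keywords list.
# Assumed refinements: \b word boundaries and a required "(" so that
# "filesystem" or "execute" does not match; \s* tolerates spacing.
KEYWORDS = [
    [r"\beval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b", "eval() on request data"],
    [r"\b(system|shell_exec|exec|popen|passthru)\s*\(", "PHP command execution call"],
]
FINDTYPE = (".php", ".inc")

def scan_file(path, keywords=KEYWORDS):
    """Return (path, line_number, description) for every matching line."""
    hits = []
    # latin-1 maps every byte to a character, so files in any encoding
    # (gbk included) can be read without a decode error.
    with open(path, encoding="latin-1") as fp:
        for lineno, line in enumerate(fp, 1):
            for pattern, desc in keywords:
                if re.search(pattern, line, re.I):
                    hits.append((path, lineno, desc))
    return hits

def scan_tree(root):
    """Scan every file under root whose suffix is in FINDTYPE."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() in FINDTYPE:
                hits.extend(scan_file(os.path.join(dirpath, name)))
    return hits

def demo():
    """Constructed sample tree: one benign file, one suspicious, one skipped."""
    samples = {
        "benign.php": "<?php\n$filesystem = new Storage();\necho 'execute plan';\n",
        "upload/x.php": "<?php\n@eval ( $_POST['c'] );\n",
        "notes.txt": "system('id') in a non-PHP file is skipped\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fp:
                fp.write(body)
        return [(os.path.relpath(p, root).replace(os.sep, "/"), n, d)
                for p, n, d in scan_tree(root)]

if __name__ == "__main__":
    for hit in demo():
        print("%s:%d: %s" % hit)
```

With the original two patterns, benign.php would be logged as containing a command execution function; here only upload/x.php line 2 is reported.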