PHP web Trojan (web shell) scanner: ghost.php
The code is as follows:
/************* PHP Web Trojan scanner ********************* ***/
/* [+] By alibaba */
/* [+] QQ: 1499281192 */
/* [+] MSN: weeming21@hotmail.com */
/* [+] Initial release: t00ls.net. for details, refer to t00ls */
/* [+] Version: v1.0 */
/* [+] Function: php Trojan scanning tool for the web version */
/* [+] Note: the scanned file is not necessarily a backdoor ,*/
/* Determine, review, and compare the original file by yourself. */
/* If you are not sure whether the scanned file is a backdoor ,*/
/* You are welcome to send this file to me for analysis. */
/*************************************** ****************/
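ob_start();
set_time_limit(0);

// --- Login credentials ----------------------------------------------------
// These are the shipped defaults; change BOTH before exposing this script.
// The login cookie issued below is md5(md5($username) . md5($password)) and
// never rotates, so it is a static, password-equivalent token: anyone who
// obtains it (or guesses the defaults) is logged in for a year.
$username = "t00ls"; // Set the user name
$password = "t00ls"; // Set the password
$md5 = md5(md5($username) . md5($password));
$version = "PHP Web Trojan scanner v1.0";

// --- Path constants ---------------------------------------------------------
// REALPATH   best-effort document root: the filesystem path of "./" with the
//            URL directory of this script stripped from its end.
// MYFILE     this script's file name (used to build redirect URLs).
// MYPATH     this script's directory, "/"-terminated, backslashes normalised.
// MYFULLPATH this script's full path, normalised the same way, so scan() can
//            recognise and skip itself.
// HOST       built from the Host request header, which the client controls;
//            it is only used for display URLs, never for access decisions.
// $_SERVER keys are guarded so a CLI run or an odd SAPI does not emit notices.
$realpath = realpath('./');
$selfpath = isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : '';
$slash = strrpos($selfpath, '/');
$selfpath = $slash === false ? '' : substr($selfpath, 0, $slash);
define('REALPATH', str_replace('//', '/', str_replace('\\', '/', substr($realpath, 0, strlen($realpath) - strlen($selfpath)))));
define('MYFILE', basename(__FILE__));
define('MYPATH', str_replace('\\', '/', dirname(__FILE__)) . '/');
define('MYFULLPATH', str_replace('\\', '/', __FILE__));
define('HOST', "http://" . (isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : 'localhost'));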
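// (The HTML head/title markup around this point was lost in extraction; it
//  printed the version string here.)
echo $version;

// --- Authentication ---------------------------------------------------------
// A request is authenticated either by the "t00ls" cookie carrying $md5, or by
// POSTed username/password whose derived hash equals $md5. Strict comparison
// (===) is used on purpose: with ==, two hex digests that both look like "0e…"
// compare numerically equal, so a crafted cookie could bypass the check.
$cookieOk = isset($_COOKIE['t00ls']) && $_COOKIE['t00ls'] === $md5;
$postOk = isset($_POST['username'], $_POST['password'])
    && md5(md5($_POST['username']) . md5($_POST['password'])) === $md5;

if (!$cookieOk && !$postOk) {
    // Not logged in. (The login form markup was lost in extraction.)
    echo '';
} elseif ($postOk) {
    // Fresh login: issue the long-lived cookie. httponly keeps it out of reach
    // of script on the page, which matters because scan results echo
    // attacker-chosen file names.
    setcookie("t00ls", $md5, time() + 60 * 60 * 24 * 365, "/", "", false, true);
    echo "login successful! ";
    header('refresh: 1; url=' . MYFILE . '?action=scan');
    exit();
} else {
    setcookie("t00ls", $md5, time() + 60 * 60 * 24 * 365, "/", "", false, true);
    $setting = getSetting();
    $action = isset($_GET['action']) ? $_GET['action'] : "";

    if ($action === "logout") {
        // The cookie was set with path "/"; clearing it must use the same path,
        // otherwise browsers keep the original cookie when this script lives in
        // a sub-directory and "logout" silently does nothing.
        setcookie("t00ls", "", time() - 3600, "/");
        header("Location: " . MYFILE);
        exit();
    }

    if ($action === "download" && isset($_GET['file']) && trim($_GET['file']) !== "") {
        $file = (string) $_GET['file'];
        ob_clean();
        // Serve only regular files that resolve (symlinks followed) to a path
        // under REALPATH. The original served any readable path on the host to
        // whoever held the cookie; combined with the shipped default
        // credentials that is an arbitrary-file-read primitive. Widen this
        // deliberately if the scanner is meant to fetch files outside the
        // web root.
        $real = strpos($file, "\0") === false ? realpath($file) : false;
        $root = rtrim(str_replace('\\', '/', REALPATH), '/') . '/';
        if ($real !== false && is_file($real)
            && strpos(str_replace('\\', '/', $real) . '/', $root) === 0) {
            header("Content-type: application/octet-stream");
            // "attachment" stops the browser from rendering a fetched web
            // shell inline; quotes are stripped from the name so it cannot
            // break out of the header value.
            header("Content-Disposition: attachment; filename=\"" . str_replace('"', '', basename($real)) . "\"");
            readfile($real);
        }
        exit();
    }

    // (Page header markup lost in extraction.)

    if ($action === "setting") {
        if (isset($_POST['btnsetting'])) {
            $ssetting = array();
            $user = isset($_POST['checkuser']) ? (string) $_POST['checkuser'] : "php|php?|phtml";
            // The extension list ends up inside a regex in the scan branch; keep
            // it to extension characters, "?" (one wildcard character) and "|".
            if (!preg_match('/^[A-Za-z0-9_?| ]*$/', $user)) {
                $user = "php|php?|phtml";
            }
            $ssetting['user'] = $user;
            $ssetting['all'] = isset($_POST['checkall']) && $_POST['checkall'] === "on" ? 1 : 0;
            $ssetting['hta'] = isset($_POST['checkhta']) && $_POST['checkhta'] === "on" ? 1 : 0;
            setcookie("t00ls_s", base64_encode(serialize($ssetting)), time() + 60 * 60 * 24 * 365, "/");
            echo "settings complete! ";
            header('refresh: 1; url=' . MYFILE . '?action=setting');
            exit();
        }
        // (Settings form markup lost in extraction.)
    } else {
        // Directory to scan comes from the form; default to this script's dir.
        // It is echoed back into the (stripped) scan form - escape it there
        // with htmlspecialchars().
        $dir = isset($_POST['path']) ? (string) $_POST['path'] : MYPATH;
        $dir = substr($dir, -1) !== "/" ? $dir . "/" : $dir;

        // (Scan form markup lost in extraction.)

        if (isset($_POST['btnscan'])) {
            $start = time(); // mktime() with no arguments is deprecated/removed
            $is_ext = "";
            $list = "";

            // Build the file-name filter: one balanced group per extension,
            // e.g. (\.php($|\.))|(\.php(.)($|\.))|(\.phtml($|\.)) - a file
            // matches when the extension is last or followed by another ".".
            if (trim($setting['user']) !== "") {
                $alts = array();
                foreach (explode("|", $setting['user']) as $ext) {
                    $ext = trim($ext);
                    if ($ext === "") {
                        continue; // "php||phtml" must not yield a match-anything group
                    }
                    // preg_quote() neutralises regex metacharacters from the
                    // client-controlled settings cookie; only "?" (one arbitrary
                    // character, so php? = php3/php5/...) survives as "(.)".
                    $alts[] = "(\\." . str_replace("\\?", "(.)", preg_quote($ext, "/")) . "($|\\.))";
                }
                $is_ext = implode("|", $alts);
            }
            if ($setting['hta'] == 1) {
                $is_ext = strlen($is_ext) > 0 ? $is_ext . "|" : $is_ext;
                $is_ext .= "(^\\.htaccess$)";
            }
            if ($setting['all'] == 1 || (strlen($is_ext) == 0 && $setting['hta'] == 0)) {
                $is_ext = "(.+)";
            }

            $php_code = getCode();
            if (!is_readable($dir)) {
                $dir = MYPATH;
            }
            $count = $scanned = 0;
            scan($dir, $is_ext);
            $end = time();
            $spent = ($end - $start);

            // (Results markup lost in extraction. It rendered:
            //  "Scan: $scanned File | found: $count Suspicious file | time consumed: $spent Seconds"
            //  followed by a table - No. | File | Update Time | Cause | Features | Action -
            //  whose rows are in $list.)
        }
    }
}
ob_flush();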
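/**
 * Recursively scan $path for files whose name matches $is_ext and test each
 * one against the signature regexes in the global $php_code array.
 *
 * Results are accumulated in globals that the page renders afterwards:
 *   $scanned  number of files whose content was read
 *   $count    number of files that matched at least one signature
 *   $list     one record per matching file (the table-row markup around the
 *             fields was lost in extraction; only the field values survive)
 *
 * @param string $path   directory to scan; must end in "/" (callers append it)
 * @param string $is_ext regex without delimiters that a file NAME must match
 *                       (matched with /i); defaults to "everything"
 */
function scan($path = '.', $is_ext = '(.+)')
{
    global $php_code, $count, $scanned, $list;
    $ignore = array('.', '..');
    // Whitespace is stripped from file content before matching, so signatures
    // such as "intooutfile" or "sethandlerapplication\/x-httpd-php" match
    // regardless of formatting. The extracted listing shows "" as the first
    // entry, but those signatures only work if plain spaces are removed too,
    // so a single space is assumed here.
    $replace = array(" ", "\n", "\r", "\t");

    $dh = @opendir($path);
    if ($dh === false) {
        // Unreadable directory: the original fell through to readdir(false),
        // which only produced warnings and scanned nothing. Skip it quietly.
        return;
    }

    while (false !== ($file = readdir($dh))) {
        if (in_array($file, $ignore, true)) {
            continue;
        }
        $current = $path . $file;
        if (is_dir($current)) {
            // NOTE(review): symlinked directories are followed; a link that
            // points at an ancestor recurses until the stack is exhausted.
            // Consider skipping is_link($current) entries.
            scan($current . "/", $is_ext);
            continue;
        }
        if (MYFULLPATH === $current) {
            continue; // never report this scanner itself (it contains every signature)
        }
        if (!preg_match("/$is_ext/i", $file)) {
            continue;
        }
        if (!is_readable($current)) {
            continue;
        }

        $scanned++;
        $content = file_get_contents($current);
        $content = str_replace($replace, "", $content);

        foreach ($php_code as $key => $value) {
            if (!preg_match("/$value/i", $content, $arr)) {
                continue;
            }
            $count++;
            $filetime = date('Y-m-d H:i:s', filemtime($current));
            // Keys are "category->feature"; a key without "->" (e.g. "Webshell")
            // has no feature part.
            $reason = explode("->", $key);
            $cause = $reason[0];
            $feature = isset($reason[1]) ? $reason[1] : '';
            // URL of the file under the (client-supplied) Host header;
            // presumably used by the stripped "Download" link markup.
            $url = str_replace(REALPATH, HOST, $current);
            // File names come straight from the scanned filesystem. A planted
            // file called "<script>…" would otherwise execute in the admin's
            // browser when the results table is rendered.
            $shown = htmlspecialchars($current, ENT_QUOTES);
            $list .= "\n$count\n$shown\n$filetime\n$cause\n$feature\nDownload\n";
            break; // first matching signature wins; one row per file
        }
    }
    closedir($dh);
}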
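/**
 * Read the scan settings from the "t00ls_s" cookie, or install the defaults
 * (and set the cookie) when it is absent.
 *
 * Returns an array with exactly these keys, in this order:
 *   user  "|"-separated extension list; "?" stands for any one character
 *   all   1 to scan every file regardless of extension, else 0
 *   hta   1 to also scan .htaccess files, else 0
 *
 * The cookie holds base64(serialize(array)) and is fully client-controlled.
 * Feeding it straight to unserialize() lets any visitor instantiate arbitrary
 * classes (PHP object injection), so serialized objects are rejected before
 * decoding and every field is re-validated afterwards. The "user" list is
 * later spliced into a regex, so it is restricted to extension characters.
 */
function getSetting()
{
    $defaultUser = "php|php?|phtml|shtml";
    $ssetting = array('user' => $defaultUser, 'all' => 0, 'hta' => 1);

    if (!isset($_COOKIE['t00ls_s'])) {
        setcookie("t00ls_s", base64_encode(serialize($ssetting)), time() + 60 * 60 * 24 * 365, "/");
        return $ssetting;
    }

    $raw = base64_decode($_COOKIE['t00ls_s'], true);
    // "O:<n>:" / "C:<n>:" introduce serialized objects; nothing legitimate in
    // this cookie is an object, so refuse such payloads outright.
    if ($raw === false || preg_match('/[OC]:[+-]?\d+:/', $raw)) {
        return $ssetting;
    }
    $decoded = @unserialize($raw);
    if (!is_array($decoded)) {
        return $ssetting;
    }

    if (isset($decoded['user']) && is_string($decoded['user'])
        && preg_match('/^[A-Za-z0-9_?| ]*$/', $decoded['user'])) {
        $ssetting['user'] = $decoded['user'];
    }
    $ssetting['all'] = isset($decoded['all']) ? intval($decoded['all']) : 0;
    $ssetting['hta'] = isset($decoded['hta']) ? intval($decoded['hta']) : 1;
    return $ssetting;
}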
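/**
 * Signature table: display label => PCRE body (no delimiters, matched with /i
 * against file content that has had all whitespace removed, see scan()).
 *
 * Labels are split on "->" into "cause" and "feature" columns. The patterns
 * below were reconstructed from the extracted listing, which had lost
 * backslashes, spaces and several parentheses; each one is balanced and
 * compiles (see the test), and "into outfile" / "returns string soname" are
 * written without spaces because the scanned content has none.
 *
 * @return array<string, string>
 */
function getCode()
{
    // Optional quote/whitespace between "eval(" and "$_POST": covers
    // eval($_POST[..]), eval('$_POST[..]') and eval( $_POST[..]).
    $q = '(\'|"|\s*)';
    // Any of the request superglobals a one-line shell reads from.
    $sg = '\$_(POST|GET|REQUEST|COOKIE)';

    return array(
        'Backdoor features->cha88.cn' => 'cha88\.cn',
        'Backdoor features->c99shell' => 'c99shell',
        'Backdoor features->phpspy' => 'phpspy',
        'Backdoor features->Scanners' => 'Scanners',
        'Backdoor features->cmd.php' => 'cmd\.php',
        'Backdoor features->str_rot13' => 'str_rot13',
        'Webshell' => 'webshell',
        'Backdoor features->EgY_SpIdEr' => 'EgY_SpIdEr',
        'Backdoor features->tools88.com' => 'tools88\.com',
        'Backdoor features->SECFORCE' => 'secforce',
        'Backdoor features->eval("?>' => 'eval\((\'|")\?>',
        'Suspicious code features->system(' => 'system\(',
        'Suspicious code features->passthru(' => 'passthru\(',
        'Suspicious code features->shell_exec(' => 'shell_exec\(',
        'Suspicious code features->exec(' => 'exec\(',
        'Suspicious code features->popen(' => 'popen\(',
        'Suspicious code features->proc_open' => 'proc_open',
        'Suspicious code features->eval($' => 'eval\(' . $q . '\$',
        'Suspicious code features->assert($' => 'assert\(' . $q . '\$',
        'Dangerous MYSQL code->returns string soname' => 'returnsstringsoname',
        'Dangerous MYSQL code->into outfile' => 'intooutfile',
        // \s* rather than the listing's \s+: whitespace is stripped before
        // matching, so a mandatory space could never match.
        'Dangerous MYSQL code->load_file' => 'select(\s*)(.*)load_file',
        'Encrypted backdoor features->eval(gzinflate(' => 'eval\(gzinflate\(',
        'Encrypted backdoor features->eval(base64_decode(' => 'eval\(base64_decode\(',
        'Encrypted backdoor features->eval(gzuncompress(' => 'eval\(gzuncompress\(',
        'Encrypted backdoor features->eval(gzdecode(' => 'eval\(gzdecode\(',
        'Encrypted backdoor features->eval(str_rot13(' => 'eval\(str_rot13\(',
        'Encrypted backdoor features->gzuncompress(base64_decode(' => 'gzuncompress\(base64_decode\(',
        'Encrypted backdoor features->base64_decode(gzuncompress(' => 'base64_decode\(gzuncompress\(',
        'Backdoor features in one sentence->eval($_' => 'eval\(' . $q . $sg,
        'One-sentence backdoor feature->assert($_' => 'assert\(' . $q . $sg,
        'Webshell features in one sentence->require($_' => 'require\(' . $q . $sg,
        'Webshell features in one sentence->require_once($_' => 'require_once\(' . $q . $sg,
        'Backdoor features in one sentence->include($_' => 'include\(' . $q . $sg,
        'Backdoor features in one sentence->include_once($_' => 'include_once\(' . $q . $sg,
        'Backdoor features in one sentence->call_user_func("assert"' => 'call_user_func\(("|\')assert("|\')',
        'Webshell features in one sentence->call_user_func($_' => 'call_user_func\(' . $q . $sg,
        'Webshell features in one sentence->$_POST/GET/REQUEST/COOKIE[?]($_POST/GET/REQUEST/COOKIE[?]' => $sg . '\[([^\]]+)\]\(' . $q . $sg . '\[',
        'Backdoor features in one sentence->echo(file_get_contents($_POST/GET/REQUEST/COOKIE' => 'echo\(file_get_contents\(' . $q . $sg,
        'Upload backdoor features->file_put_contents($_POST/GET/REQUEST/COOKIE,$_POST/GET/REQUEST/COOKIE' => 'file_put_contents\(' . $q . $sg . '\[([^\]]+)\],' . $q . $sg,
        'Upload backdoor features->fputs(fopen("?","w"),$_POST/GET/REQUEST/COOKIE[' => 'fputs\(fopen\((.+),(\'|")w(\'|")\),' . $q . $sg . '\[',
        '.htaccess plug-in feature->SetHandler application/x-httpd-php' => 'sethandlerapplication\/x-httpd-php',
        '.htaccess plug-in feature->php_value auto_prepend_file' => 'php_valueauto_prepend_file',
        '.htaccess plug-in feature->php_value auto_append_file' => 'php_valueauto_append_file',
    );
}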
?>
A tool that scans for PHP Trojans (web shells) from within a PHP environment. It recognises the following signatures:
The signature list is as follows:
Signature:
Backdoor features-> cha88.cn
Backdoor features-> c99shell
Backdoor features-> phpspy
Backdoor features-> Scanners
Backdoor features-> cmd. php
Backdoor features-> str_rot13
Webshell
Backdoor features-> EgY_SpIdEr
Backdoor features-> tools88.com
Backdoor features-> SECFORCE
Backdoor features-> eval ("?>
Suspicious code features-> system (
Suspicious code features-> passthru (
Suspicious code features-> shell_exec (
Suspicious code features-> exec (
Suspicious code features-> popen (
Suspicious code features-> proc_open
Suspicious code features-> eval ($
Suspicious code features-> assert ($
Dangerous MYSQL code-> returns string soname
Dangerous MYSQL code-> into outfile
Dangerous MYSQL code-> load_file
Encrypted backdoor features-> eval (gzinflate (
Encrypted backdoor features-> eval (base64_decode (
Encrypted backdoor features-> eval (gzuncompress (
Encrypted backdoor features-> gzuncompress (base64_decode (
Encrypted backdoor features-> base64_decode (gzuncompress (
Backdoor features in one sentence-> eval ($ _
One-sentence backdoor feature-> assert ($ _
Webshell features in one sentence-> require ($ _
Webshell features in one sentence-> require_once ($ _
Backdoor features in one sentence-> include ($ _
Backdoor features in one sentence-> include_once ($ _
Backdoor features in one sentence-> call_user_func ("assert"
Webshell features in one sentence-> call_user_func ($ _
Webshell features in one sentence-> $ _ POST/GET/REQUEST/COOKIE [?] ($ _ POST/GET/REQUEST/COOKIE [?]
Backdoor features in one sentence-> echo (file_get_contents ($ _ POST/GET/REQUEST/COOKIE
Upload backdoor features-> file_put_contents ($ _ POST/GET/REQUEST/COOKIE, $ _ POST/GET/REQUEST/COOKIE
Upload backdoor features-> fputs (fopen ("? "," W "), $ _ POST/GET/REQUEST/COOKIE [
. Htaccess plug-in feature-> SetHandler application/x-httpd-php
. Htaccess plug-in feature-> php_value auto_prepend_file
. Htaccess plug-in feature-> php_value auto_append_file
The interface is deliberately minimal and reuses the phpspy layout.
Note: a flagged file is not necessarily a backdoor. Inspect it yourself and compare it against the original before acting on the result.