After a recent incident on our server, I wrote a webshell scanner to find and remove PHP webshells, whether the file is a full-featured trojan, a small "pony", or a one-line shell. The code is released below.
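<?php
/*
+----------------------------------------------------------------------------+
| codz by indexphp   version: 0.01                                           |
| (c) 2009 indexphp                                                          |
| http://www.indexphp.org                                                    |
+----------------------------------------------------------------------------+

PHP webshell scanner: walks a directory tree, reads every file whose path
contains one of the configured suffixes, and lists the files that contain a
call-like use of one of the configured function names.

Operational notes for whoever deploys this:
  * The match is a plain keyword heuristic. A hit is a lead for manual review,
    not proof of compromise, and a clean run is not proof of a clean site.
  * The script has no login of its own and offers "view" and "delete" actions.
    Serve it only behind existing access control (or run it from the CLI
    host only) and remove it when the sweep is finished. The delete action is
    POST-only below, but it still has no CSRF token; add one if the script
    stays reachable from a browser session.
  * Requires PHP 5.4 or later (ENT_SUBSTITUTE, preg_* instead of eregi).
*/

/* ========================= program configuration ========================= */
$dir     = 'cms';               // directory to scan; view/delete are confined to it
$jumpoff = false;               // false: apply the $jump skip list; true: scan everything
$jump    = 'safe.php|g';        // "|"-separated patterns of files/folders to skip
$danger  = 'eval|cmd|passthru'; // "|"-separated function names treated as suspicious
$suffix  = 'php|inc';           // "|"-separated file suffixes to inspect
$dir_num    = 0;
$file_num   = 0;
$danger_num = 0;
/* ========================================================================= */

// Read only the three parameters the script understands. The earlier
// extract() call let any request parameter overwrite the configuration
// variables above (scan root, skip list, patterns), so it is not used.
$request  = gethttpvars();
$m        = request_string($request, 'm');
$check    = request_string($request, 'check');
$filename = request_string($request, 'filename');

if ($m === 'edit') {
    edit();
}
if ($m === 'del') {
    Delete();
}
if ($check === 'check') {
    $safearr    = explode('|', $jump);
    $start_time = microtime(true);
    safe_check($dir);
    $end_time   = microtime(true);
    $total      = $end_time - $start_time;

    // $file_num already counts regular files only (see safe_check), so no
    // directory correction is applied here.
    $message  = 'number of files: ' . $file_num . '<br>';
    $message .= 'folder count: ' . $dir_num . '<br>';
    $message .= 'number of suspicious files: ' . $danger_num . '<br>';
    $message .= 'execution time: ' . $total;
    echo $message;
    exit();
}

/**
 * Return the request parameters: $_POST when it is non-empty, otherwise $_GET.
 *
 * The long-removed HTTP_POST_VARS / HTTP_GET_VARS arrays are no longer consulted.
 *
 * @return array
 */
function gethttpvars()
{
    foreach (array($_POST, $_GET) as $vars) {
        if (is_array($vars) && count($vars) > 0) {
            return $vars;
        }
    }
    return array();
}

/**
 * Fetch one request parameter as a string; anything missing or non-scalar
 * (for example an array parameter) yields ''.
 *
 * @param array  $vars
 * @param string $key
 * @return string
 */
function request_string($vars, $key)
{
    return (isset($vars[$key]) && is_scalar($vars[$key])) ? (string) $vars[$key] : '';
}

/**
 * Resolve $path and return it only when it lies inside the configured scan
 * root ($dir); otherwise return false.
 *
 * Filtering ".." out of the string does not confine a path, so the check is
 * done on the canonical form returned by realpath().
 *
 * @param string $path
 * @return string|false
 */
function confined_path($path)
{
    global $dir;

    $root = realpath($dir);
    $real = ($path === '') ? false : realpath($path);
    if ($root === false || $real === false) {
        return false;
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    return (strncmp($real, $root, strlen($root)) === 0) ? $real : false;
}

/**
 * Recursively scan $dir and print one row per suspicious file.
 *
 * Updates the global counters: $dir_num (sub-directories entered), $file_num
 * (non-directory entries seen) and $danger_num (files that matched).
 *
 * @param string $dir directory to traverse
 * @return void
 */
function safe_check($dir)
{
    // $jumpoff was missing from this list, so the switch had no effect.
    global $danger, $suffix, $jumpoff, $dir_num, $file_num, $danger_num;

    $hand = @dir($dir);
    if (!$hand) {
        // Report and carry on: one unreadable folder should not abort the sweep.
        echo 'Folder does not exist or cannot be read: '
            . htmlspecialchars($dir, ENT_QUOTES | ENT_SUBSTITUTE) . '<br>';
        return;
    }

    // Compare against false explicitly so an entry named "0" does not end the loop.
    while (($file = $hand->read()) !== false) {
        if ($file === '.' || $file === '..') {
            continue;
        }
        $filename = $dir . '/' . $file;

        if (!$jumpoff && jump($filename)) {
            continue;
        }

        if (@is_dir($filename)) {
            $dir_num++;
            safe_check($filename);
            continue; // never try to open a directory as a file
        }

        $file_num++;

        // Unanchored on purpose, as in the original: "x.php.bak" is inspected too.
        if (!preg_match('/\.(' . $suffix . ')/i', $filename)) {
            continue;
        }

        $str = @file_get_contents($filename);
        if ($str === false) {
            echo 'no authorization: '
                . htmlspecialchars($filename, ENT_QUOTES | ENT_SUBSTITUTE) . '<br>';
            continue;
        }

        // A configured name followed (after optional whitespace) by "(" or "[".
        if (preg_match('/(' . $danger . ')[ \r\n\t]*([\[\(])/i', $str)) {
            // File names come from the disk being inspected and are not
            // trusted: escape them for HTML and for the query string.
            $shown = htmlspecialchars($filename, ENT_QUOTES | ENT_SUBSTITUTE);
            $param = rawurlencode($filename);
            echo "<font color='green' style='font-size:14px'>Suspicious file: {$shown}</font> "
                . "<a href='?m=edit&amp;filename={$param}' target='_blank'><u>View Code</u></a> "
                . "<form method='post' action='' target='_blank' style='display:inline'>"
                . "<input type='hidden' name='m' value='del'/>"
                . "<input type='hidden' name='filename' value='{$shown}'/>"
                . "<input type='submit' value='Delete'/></form><br>";
            $danger_num++;
        }
    }
    $hand->close();
}

/**
 * Show the HTML-escaped content of the requested file (global $filename),
 * provided it is a regular file inside the scan root, then exit.
 *
 * @return void
 */
function edit()
{
    global $filename;

    $content = '';
    $file    = confined_path($filename);
    if ($file !== false && is_file($file)) {
        // file_get_contents also copes with empty files, where
        // fread($fp, filesize($file)) is called with a zero length.
        $raw = @file_get_contents($file);
        if ($raw === false) {
            die('no authorization');
        }
        // ENT_SUBSTITUTE: suspicious files often hold invalid byte sequences,
        // which would otherwise make htmlspecialchars() return ''.
        $content = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE);
    }
    echo "<textarea name='str' style='width:100%;height:450px;background:#cccccc;'>$content</textarea>\r\n";
    exit();
}

/**
 * Delete the requested file (global $filename), then exit.
 *
 * Only POST requests are honoured and only for regular files inside the scan
 * root, so a followed link or prefetch cannot remove files.
 *
 * @return void
 */
function Delete()
{
    global $filename;

    $mes    = '';
    $method = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : '';
    $file   = confined_path($filename);

    if ($method !== 'POST') {
        $mes = 'Delete requires a POST request';
    } elseif ($file !== false && is_file($file)) {
        $mes = unlink($file) ? 'Deleted successfully' : 'Delete failed: no authorization';
    }
    echo $mes;
    exit();
}

/**
 * Tell whether $file matches one of the skip patterns in the global $safearr.
 *
 * Each pattern is applied as a case-insensitive regular expression, which is
 * what the removed eregi() did.
 *
 * @param string $file path being visited
 * @return bool true when the path should be skipped
 */
function jump($file)
{
    global $jump, $safearr;

    if ($jump == '' || !is_array($safearr)) {
        return false;
    }
    foreach ($safearr as $v) {
        if ($v == '') {
            continue;
        }
        $pattern = '~' . str_replace('~', '\~', $v) . '~i';
        if (preg_match($pattern, $file) === 1) {
            return true;
        }
    }
    return false;
}
?>
<form action="">
<input type="submit" value="Start detection"/>
<input type="hidden" name="check" value="check"/>
</form>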