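<?php
/************* PHP Web Trojan scanner *****************************/
/* [+] By alibaba                                                 */
/* [+] QQ: 1499281192                                             */
/* [+] MSN: weeming21@hotmail.com                                 */
/* [+] Initial release: t00ls.net. For details, refer to t00ls    */
/* [+] Version: v1.0                                              */
/* [+] Function: php Trojan scanning tool for the web version     */
/* [+] Note: The scanned file is not necessarily a backdoor;      */
/*     determine, review, and compare the original file yourself. */
/*     If you are not sure whether the scanned file is a backdoor,*/
/*     you are welcome to send this file to me for analysis.      */
/******************************************************************/
//
// Single-file scanner: this top half is the request handler plus the HTML
// page; the helpers (scan, getSetting, getCode) follow after </html>.
// Every value that is echoed back into the page and that came from the
// request, a cookie or the filesystem is passed through htmlspecialchars()
// with a byte-transparent charset, because the page itself is served as
// gb2312 and scanned file names may be in any encoding.

ob_start();
set_time_limit(0);

$username = "t00ls"; // set the user name
$password = "t00ls"; // set the password
// These are the published defaults. Anyone who knows them can log in and use
// the "download" action below, which returns any file the web server can
// read, so both values must be changed before the script is deployed.
$md5 = md5(md5($username).md5($password));
$version = "PHP Web Trojan scanner v1.0";

// Approximate the document root: the real path of the working directory minus
// the URL path of this script. Only used to turn a scanned file path into a
// clickable URL in the result table.
$realpath = realpath('./');
$selfpath = isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : '';
$selfpath = substr($selfpath, 0, (int) strrpos($selfpath, '/'));
define('REALPATH', str_replace('//', '/', str_replace('\\', '/', substr($realpath, 0, strlen($realpath) - strlen($selfpath)))));
define('MYFILE', basename(__FILE__));
define('MYPATH', str_replace('\\', '/', dirname(__FILE__)).'/');
define('MYFULLPATH', str_replace('\\', '/', __FILE__));
define('HOST', "http://".(isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : ''));
?>
<html>
<head>
<title><?php echo $version ?></title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<style>
body {margin: 0px;}
body, td {font: 12px Arial, Tahoma; line-height: 16px;}
a {color: #00f; text-decoration: underline;}
a:hover {color: #f00; text-decoration: none;}
.alt1 td {border-top: 1px solid #fff; border-bottom: 1px solid #ddd; background: #f1f1f1; padding: 5px 10px 5px 5px;}
.alt2 td {border-top: 1px solid #fff; border-bottom: 1px solid #ddd; background: #f9f9f9; padding: 5px 10px 5px 5px;}
.focus td {border-top: 1px solid #fff; border-bottom: 1px solid #ddd; background: #ffffaa; padding: 5px 10px 5px 5px;}
.head td {border-top: 1px solid #fff; border-bottom: 1px solid #ddd; background: #e9e9e9; padding: 5px 10px 5px 5px; font-weight: bold;}
.head td span {font-weight: normal;}
</style>
</head>
<body>
<?php
// A request is authenticated either by the long-lived "t00ls" cookie (which
// carries the same digest) or by a POSTed username/password pair. The digest
// comparison uses hash_equals() so it is constant-time; the is_string() checks
// keep array-valued parameters (?t00ls[]=x) from reaching hash_equals/md5.
$cookieOk = isset($_COOKIE['t00ls']) && is_string($_COOKIE['t00ls'])
    && hash_equals($md5, $_COOKIE['t00ls']);
$postOk = isset($_POST['username'], $_POST['password'])
    && is_string($_POST['username']) && is_string($_POST['password'])
    && hash_equals($md5, md5(md5($_POST['username']).md5($_POST['password'])));

if (!$cookieOk && !$postOk) {
    echo '<form id="frmlogin" name="frmlogin" method="post" action="">'
        .'User name: <input type="text" name="username" id="username" /> '
        .'password: <input type="password" name="password" id="password" /> '
        .'<input type="submit" name="btnLogin" id="btnLogin" value="Login" />'
        .'</form>';
} elseif ($postOk) {
    // Fresh login: issue the cookie and bounce to the scan view.
    setcookie("t00ls", $md5, time() + 60 * 60 * 24 * 365, "/");
    echo "Login successful!";
    header('refresh:1;url='.MYFILE.'?action=scan');
    exit();
} else {
    setcookie("t00ls", $md5, time() + 60 * 60 * 24 * 365, "/");
    $setting = getSetting();
    $action = isset($_GET['action']) && is_string($_GET['action']) ? $_GET['action'] : "";

    if ($action == "logout") {
        setcookie("t00ls", "", time() - 3600, "/");
        header("Location: ".MYFILE);
        exit();
    }

    if ($action == "download" && isset($_GET['file']) && is_string($_GET['file']) && trim($_GET['file']) != "") {
        $file = $_GET['file'];
        ob_clean();
        // Any readable regular file may be fetched here (the scan path is
        // equally unrestricted); this is the reason the default login above
        // must not stay in place. CR/LF and quotes are stripped from the
        // file name so it cannot break the Content-Disposition header.
        if (@is_file($file) && is_readable($file)) {
            $name = str_replace(array('"', "\r", "\n"), '', basename($file));
            header("Content-type: application/octet-stream");
            header("Content-Disposition: attachment; filename=\"".$name."\"");
            readfile($file);
        }
        exit();
    }
?>
<table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody>
<tr class="head">
<td><?php echo htmlspecialchars(isset($_SERVER['SERVER_ADDR']) ? $_SERVER['SERVER_ADDR'] : '', ENT_QUOTES, 'ISO-8859-1'); ?>
<span style="float: right; font-weight: bold;"><?php echo "<a href='http://www.t00ls.net/'>$version</a>"; ?></span></td>
</tr>
<tr class="alt1">
<td><span style="float: right;"><?= date("Y-m-d H:i:s") ?></span>
<a href="?action=scan">scan</a> | <a href="?action=setting">set</a> | <a href="?action=logout">logout</a>
</td>
</tr>
</tbody>
</table>
<br>
<?php
    if ($action == "setting") {
        if (isset($_POST['btnsetting'])) {
            // Persist the three scan options in the "t00ls_s" cookie; getSetting()
            // reads them back (and rejects objects while unserializing).
            $Ssetting = array();
            $Ssetting['user'] = isset($_POST['checkuser']) && is_string($_POST['checkuser']) ? $_POST['checkuser'] : "php|php?|phtml";
            $Ssetting['all'] = isset($_POST['checkall']) && $_POST['checkall'] == "on" ? 1 : 0;
            $Ssetting['hta'] = isset($_POST['checkhta']) && $_POST['checkhta'] == "on" ? 1 : 0;
            setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time() + 60 * 60 * 24 * 365, "/");
            echo "Settings complete!";
            header('refresh:1;url='.MYFILE.'?action=setting');
            exit();
        }
?>
<form name="frmSetting" method="post" action="?action=setting">
<fieldset style="width: 400px">
<legend>scan Settings</legend>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="60">file Suffix:</td>
<td width="300"><input type="text" name="checkuser" id="checkuser" style="width: 300px;" value="<?php echo htmlspecialchars($setting['user'], ENT_QUOTES, 'ISO-8859-1'); ?>"></td>
</tr>
<tr>
<td><label for="checkall">all files</label></td>
<td><input type="checkbox" name="checkall" id="checkall" <?php if ($setting['all'] == 1) echo "checked"; ?>></td>
</tr>
<tr>
<td><label for="checkhta">setting file</label></td>
<td><input type="checkbox" name="checkhta" id="checkhta" <?php if ($setting['hta'] == 1) echo "checked"; ?>></td>
</tr>
<tr>
<td>&nbsp;</td>
<td><input type="submit" name="btnsetting" id="btnsetting" value="submit"></td>
</tr>
</table>
</fieldset>
</form>
<?php
    } else {
        // Scan view. The directory comes from the form (default: this script's
        // directory) and is normalised to end with a slash, which scan() relies on.
        $dir = isset($_POST['path']) && is_string($_POST['path']) ? $_POST['path'] : MYPATH;
        $dir = substr($dir, -1) != "/" ? $dir."/" : $dir;
?>
<form name="frmScan" method="post" action="">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="35" style="vertical-align: middle; padding-left: 5px;">scan path:</td>
<td width="690"><input type="text" name="path" id="path" style="width: 600px" value="<?php echo htmlspecialchars($dir, ENT_QUOTES, 'ISO-8859-1'); ?>">&nbsp;<input type="submit" name="btnScan" id="btnScan" value="Start scan"></td>
</tr>
</table>
</form>
<?php
        if (isset($_POST['btnScan'])) {
            $start = time();
            $is_ext = "";
            $list = "";

            // Build the file-name filter from the suffix list, e.g. "php|php?|phtml".
            // Each suffix becomes (\.suffix($|\.)) so "x.php" and "x.php.bak" both
            // match; "?" stands for any single character (php? covers php3, php5...).
            // Suffixes are preg_quote()d so a stray "(" in the setting cannot turn
            // into an invalid pattern.
            if (trim($setting['user']) != "") {
                $pieces = array();
                foreach (explode("|", $setting['user']) as $value) {
                    $value = trim($value);
                    if ($value === "") {
                        continue;
                    }
                    $pieces[] = '(\.'.str_replace('\?', '.', preg_quote($value, '~')).'($|\.))';
                }
                if (count($pieces) > 0) {
                    $is_ext = implode('|', $pieces);
                }
            }
            if ($setting['hta'] == 1) {
                $is_ext = strlen($is_ext) > 0 ? $is_ext."|" : $is_ext;
                $is_ext .= '(^\.htaccess$)';
            }
            // "all files" checked, or nothing else selected: match every name.
            if ($setting['all'] == 1 || (strlen($is_ext) == 0 && $setting['hta'] == 0)) {
                $is_ext = "(.+)";
            }

            $php_code = getCode();
            if (!is_readable($dir)) {
                $dir = MYPATH;
            }
            $count = $scanned = 0;
            scan($dir, $is_ext);
            $spent = time() - $start;
?>
<div style="padding: 10px; background-color: #ccc">scan: <?php echo $scanned; ?> File | found: <?php echo $count; ?> Suspicious File | time consumed: <?php echo $spent; ?> Seconds</div>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr class="head">
<td width="15" align="center">No.</td>
<td width="48%">file</td>
<td width="12%">Update time</td>
<td width="10%">cause</td>
<td width="20%">features</td>
<td>action</td>
</tr>
<?php echo $list; ?>
</table>
<?php
        }
    }
}
ob_flush();
?>
</body>
</html>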
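<?php
/**
 * Recursively scan $path for files whose name matches the regex $is_ext and
 * whose content matches one of the signatures returned by getCode().
 *
 * @param string $path   directory to scan, expected to end with "/"
 * @param string $is_ext regex (without delimiters) applied to each file name
 *
 * Results are accumulated in globals: $scanned counts files read, $count
 * counts hits, $list collects one HTML table row per hit. $php_code must hold
 * getCode()'s array before the first call. Only the first matching signature
 * is reported per file.
 */
function scan($path = '.', $is_ext = '(.+)')
{
    global $php_code, $count, $scanned, $list;
    $ignore = array('.', '..');
    // Whitespace is removed from the content before matching, so signatures
    // like "eval(base64_decode(" also hit "eval ( base64_decode (".
    $replace = array(" ", "\n", "\r", "\t");

    $dh = @opendir($path);
    if ($dh === false) {
        return; // unreadable or not a directory: nothing to scan
    }

    while (false !== ($file = readdir($dh))) {
        if (in_array($file, $ignore, true)) {
            continue;
        }
        $current = $path.$file;
        if (is_dir($current)) {
            scan($current.'/', $is_ext);
            continue;
        }
        if (MYFULLPATH == $current) {
            continue; // never report the scanner itself
        }
        // "~" delimiter: several signatures contain "/" (e.g. x-httpd-php).
        if (!preg_match("~$is_ext~i", $file)) {
            continue;
        }
        if (!is_readable($current)) {
            continue;
        }
        $scanned++;
        $content = file_get_contents($current);
        if ($content === false) {
            continue;
        }
        $content = str_replace($replace, "", $content);

        foreach ($php_code as $key => $value) {
            if (!preg_match("~$value~i", $content)) {
                continue;
            }
            $count++;
            $j = $count % 2 + 1;
            $mtime = filemtime($current);
            $filetime = $mtime === false ? '' : date('Y-m-d H:i:s', $mtime);
            $reason = explode("->", $key, 2);
            $url = str_replace(REALPATH, HOST, $current);
            // Scanned files are untrusted: a planted file name could carry
            // markup, so everything that came from disk is escaped before it
            // is put into the result row, and the download link is URL-encoded.
            $safePath = htmlspecialchars($current, ENT_QUOTES, 'ISO-8859-1');
            $safeUrl = htmlspecialchars($url, ENT_QUOTES, 'ISO-8859-1');
            $cause = htmlspecialchars($reason[0], ENT_QUOTES, 'ISO-8859-1');
            $feature = htmlspecialchars(isset($reason[1]) ? $reason[1] : '', ENT_QUOTES, 'ISO-8859-1');
            $dlHref = '?action=download&amp;file='.rawurlencode($current);
            $list .= "<tr class='alt$j' onmouseover='this.className=\"focus\";' onmouseout='this.className=\"alt$j\";'>"
                ."<td>$count</td>"
                ."<td><a href='$safeUrl' target='_blank'>$safePath</a></td>"
                ."<td>$filetime</td>"
                ."<td><font color=red>$cause</font></td>"
                ."<td><font color=#090>$feature</font></td>"
                ."<td><a href='$dlHref' target='_blank'>download</a></td>"
                ."</tr>";
            break; // one hit per file is enough
        }
    }
    closedir($dh);
}

/**
 * Read the scan options from the "t00ls_s" cookie, falling back to defaults
 * (and writing them to the cookie) when it is absent.
 *
 * @return array{user: string, all: int, hta: int}
 *   user - "|"-separated file suffixes to scan
 *   all  - 1 to scan every file regardless of suffix
 *   hta  - 1 to also scan .htaccess files
 *
 * The cookie is client-controlled, so it is unserialized with
 * allowed_classes=false: a crafted cookie can then only yield scalars/arrays,
 * never an object with magic methods.
 */
function getSetting()
{
    $Ssetting = array();
    if (isset($_COOKIE['t00ls_s']) && is_string($_COOKIE['t00ls_s'])) {
        $raw = base64_decode($_COOKIE['t00ls_s'], true);
        $saved = $raw === false ? false : @unserialize($raw, array('allowed_classes' => false));
        if (!is_array($saved)) {
            $saved = array();
        }
        $Ssetting['user'] = isset($saved['user']) && is_string($saved['user']) ? $saved['user'] : "php|php?|phtml|shtml";
        $Ssetting['all'] = isset($saved['all']) ? intval($saved['all']) : 0;
        $Ssetting['hta'] = isset($saved['hta']) ? intval($saved['hta']) : 1;
    } else {
        $Ssetting['user'] = "php|php?|phtml|shtml";
        $Ssetting['all'] = 0;
        $Ssetting['hta'] = 1;
        setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time() + 60 * 60 * 24 * 365, "/");
    }
    return $Ssetting;
}

/**
 * Signature table: "<cause>-><feature>" => PCRE fragment.
 *
 * The key is split on "->" for the result table; the value is matched
 * case-insensitively with "~" delimiters against file content from which all
 * whitespace has been removed (so "SetHandler application/x-httpd-php" is
 * looked for as "sethandlerapplication/x-httpd-php").
 *
 * @return array<string, string>
 */
function getCode()
{
    return array(
        'Backdoor features->cha88.cn' => 'cha88\.cn',
        'Backdoor features->c99shell' => 'c99shell',
        'Backdoor features->phpspy' => 'phpspy',
        'Backdoor features->scanners' => 'scanners',
        'Backdoor features->cmd.php' => 'cmd\.php',
        'Backdoor features->str_rot13' => 'str_rot13',
        'Backdoor features->webshell' => 'webshell',
        'Backdoor features->EgY_SpIdEr' => 'EgY_SpIdEr',
        'Backdoor features->tools88.com' => 'tools88\.com',
        'Backdoor features->secforce' => 'secforce',
        'Backdoor features->eval("?>' => 'eval\((\'|")\?>',
        'Suspicious code features->system(' => 'system\(',
        'Suspicious code features->passthru(' => 'passthru\(',
        'Suspicious code features->shell_exec(' => 'shell_exec\(',
        'Suspicious code features->exec(' => 'exec\(',
        'Suspicious code features->popen(' => 'popen\(',
        'Suspicious code features->proc_open' => 'proc_open',
        'Suspicious code features->eval($' => 'eval\((\'|"|\s*)\$',
        'Suspicious code features->assert($' => 'assert\((\'|"|\s*)\$',
        'Dangerous MYSQL code->returns string soname' => 'returnsstringsoname',
        'Dangerous MYSQL code->into outfile' => 'intooutfile',
        'Dangerous MYSQL code->load_file' => 'select(.*)load_file',
        'Encrypted backdoor features->eval(gzinflate(' => 'eval\(gzinflate\(',
        'Encrypted backdoor features->eval(base64_decode(' => 'eval\(base64_decode\(',
        'Encrypted backdoor features->eval(gzuncompress(' => 'eval\(gzuncompress\(',
        'Encrypted backdoor features->eval(gzdecode(' => 'eval\(gzdecode\(',
        'Encrypted backdoor features->eval(str_rot13(' => 'eval\(str_rot13\(',
        'Encrypted backdoor features->gzuncompress(base64_decode(' => 'gzuncompress\(base64_decode\(',
        'Encrypted backdoor features->base64_decode(gzuncompress(' => 'base64_decode\(gzuncompress\(',
        'One-sentence backdoor feature->eval($_' => 'eval\((\'|"|\s*)\$_(POST|GET|REQUEST|COOKIE)',
        'One-sentence backdoor feature->assert($_' => 'assert\((\'|"|\s*)\$_(POST|GET|REQUEST|COOKIE)',
        'One-sentence backdoor feature->require($_' => 'require\((\'|"|\s*)\$_(POST|GET|REQUEST|COOKIE)',
        'One-sentence backdoor feature->require_once($_' => 'require_once\((\'|"|\s*)\$_(POST|GET|REQUEST|COOKIE)',
        'One-sentence backdoor feature->include($_' => 'include\((\'|"|\s*)\$_(POST|GET|REQUEST|COOKIE)',
        'One-sentence backdoor feature->include_once($_' => 'include_once\((\'|"|\s*)\$_(POST|GET|REQUEST|COOKIE)',
        'One-sentence backdoor feature->call_user_func("assert"' => 'call_user_func\(("|\')assert("|\')',
        'One-sentence backdoor feature->call_user_func($_' => 'call_user_func\((\'|"|\s*)\$_(POST|GET|REQUEST|COOKIE)',
        'One-sentence backdoor feature->$_POST/GET/REQUEST/COOKIE[?]($_POST/GET/REQUEST/COOKIE[?]' => '\$_(POST|GET|REQUEST|COOKIE)\[([^\]]+)\]\((\'|"|\s*)\$_(POST|GET|REQUEST|COOKIE)\[',
        'One-sentence backdoor feature->echo(file_get_contents($_POST/GET/REQUEST/COOKIE' => 'echo\(file_get_contents\((\'|"|\s*)\$_(POST|GET|REQUEST|COOKIE)',
        'Upload backdoor features->file_put_contents($_POST/GET/REQUEST/COOKIE,$_POST/GET/REQUEST/COOKIE' => 'file_put_contents\((\'|"|\s*)\$_(POST|GET|REQUEST|COOKIE)\[([^\]]+)\],(\'|"|\s*)\$_(POST|GET|REQUEST|COOKIE)',
        'Upload backdoor features->fputs(fopen("?","w"),$_POST/GET/REQUEST/COOKIE[' => 'fputs\(fopen\((.+),(\'|")w(\'|"),(\'|"|\s*)\$_(POST|GET|REQUEST|COOKIE)\[',
        '.htaccess plug-in feature->SetHandler application/x-httpd-php' => 'sethandlerapplication/x-httpd-php',
        '.htaccess plug-in feature->php_value auto_prepend_file' => 'php_valueauto_prepend_file',
        '.htaccess plug-in feature->php_value auto_append_file' => 'php_valueauto_append_file',
    );
}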