Recently there has been emergency response work almost every day, so I wrote a small Linux script to scan for and kill webshells. If a site has too many files and the archive would be too large, this script can be used to scan and kill in place, and other webshells can then be found from the logs and modification times. If the site's files are small, we recommend packaging them and scanning them on Windows with the {D shield Web backdoor scan and kill V1.2.6}. The script is as follows: http://www.cnseay.com/webshell.jpg Instructions for use: 1. Scan and kill a specified path: python webshell.py <path> 2. Search for files by time: python webshell.py <path> "00:00:00"
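# -*- coding: utf-8 -*-
"""Report files under a directory that look like webshells.

Two modes (see ``main``):

* ``python webshell.py <directory>`` -- read every regular file smaller than
  ``MAX_SCAN_SIZE`` bytes and print those matching a signature in
  ``rulelist``;
* ``python webshell.py <directory> "<YYYY-MM-DD HH:MM:SS>"`` -- print every
  ``.php``/``.jsp`` file modified after the given local time.

Despite the "kill" wording in the messages, nothing is deleted or modified:
the script only prints findings for a human to triage.
"""
import os
import re
import sys
import time

__all__ = ["rulelist", "MAX_SCAN_SIZE", "Scan", "_Get_Time_Files", "main"]

# Files at or above this size (bytes) are skipped by the signature scan.
MAX_SCAN_SIZE = 1024000

# Detection signatures, as regex source text.  Each is compiled without flags
# and applied to the file contents decoded as latin-1.
# NOTE(review): several entries arrived garbled in the source (quantifiers
# such as ``{,}`` / ``{}`` / ``{200}``, the ``events\s+and\s+settings`` entry
# and the case of ``call_user_func``); they are reproduced as given and should
# be confirmed against the original before relying on them.
rulelist = [
    r'(\$_(GET|POST|REQUEST)\[.{0,15}\]\s{0,10}\(\s{0,10}\$_(GET|POST|REQUEST)\[.{200}\]\))',
    r'(base64_decode\([\'"][\w\+/=]{,}[\'"]\))',
    r'(eval(\s|\n)*\(base64_decode(\s|\n)*\((.|\n){1,200})',
    r'(eval|assert)(\s|\n)*\((\s|\n)*\$_(POST|GET|REQUEST)\[.{}\]\)',
    r'(\$[\w_]{}(\s|\n)*\((\s|\n)*\$_(POST|GET|REQUEST)\[.{0,15}\]\))',
    r'(call_user_func\(.{0,15}\$_(GET|POST|REQUEST))',
    r'(preg_replace(\s|\n)*\(.{1,100}[/@].{0,3}e.{1,6},.{0,10}\$_(GET|POST|REQUEST))',
    r'(wscript\.shell)',
    r'(cmd\.exe)',
    r'(shell\.application)',
    r'(events\s+and\s+settings)',
    r'(system32)',
    r'(serv-u)',
    r'(phpspy)',
    r'(jspy)',
    r'(webshell)',
    r'(Program\s+Files)',
]

_TIME_FORMAT = '%Y-%m-%d %H:%M:%S'


def Scan(path):
    """Walk ``path`` and print every file matching a signature in ``rulelist``.

    Only files smaller than ``MAX_SCAN_SIZE`` bytes are read.  For each hit
    the path, the first match (truncated to 200 characters) and the file's
    last modification time are printed; the remaining rules are not tried for
    that file.  Entries that cannot be stat'ed or opened (permissions, broken
    symlink, file removed mid-scan) are reported as skipped and do not abort
    the scan.  Nothing is deleted.

    Args:
        path: directory to walk recursively (symlinked directories are not
            followed, the ``os.walk`` default).
    """
    # Compile once per call rather than once per file per rule.
    compiled = [re.compile(rule) for rule in rulelist]
    print('suspicious file')
    print('########################################')
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            try:
                if os.path.getsize(full) >= MAX_SCAN_SIZE:
                    continue
                mtime = os.path.getmtime(full)
                with open(full, 'rb') as fh:
                    # latin-1 is a lossless 1:1 byte mapping, so arbitrary
                    # binary never raises and the ASCII signatures still match.
                    filestr = fh.read().decode('latin-1')
            except OSError as exc:
                print('skipped: ' + full + ' (' + str(exc) + ')')
                continue
            for rule in compiled:
                result = rule.findall(filestr)
                if result:
                    print('file:' + full)
                    print('malicious code: ' + str(result[0])[0:200])
                    print('Last modification time:'
                          + time.strftime(_TIME_FORMAT, time.localtime(mtime)))
                    print('\n\n')
                    break


def _Get_Time_Files(_path, _time):
    """Print every ``.php``/``.jsp`` file under ``_path`` modified after ``_time``.

    Args:
        _path: directory to walk recursively.
        _time: cutoff in local time, formatted ``%Y-%m-%d %H:%M:%S``.

    Raises:
        ValueError: if ``_time`` does not match the expected format.
    """
    cutoff = time.mktime(time.strptime(_time, _TIME_FORMAT))
    print('\n')
    print('suspicious files')
    print('########################################')
    print('file path    last modification time\n')
    for root, _dirs, files in os.walk(_path):
        for name in files:
            # Extension = text after the last dot, so ".php" also qualifies.
            _head, sep, ext = name.rpartition('.')
            if not sep or ext.lower() not in ('php', 'jsp'):
                continue
            full = os.path.join(root, name)
            try:
                mtime = os.path.getmtime(full)
            except OSError:
                continue  # vanished or unreadable entry; not worth aborting for
            if mtime > cutoff:
                print(full + '    ' + time.strftime(_TIME_FORMAT, time.localtime(mtime)))


def main(argv=None):
    """Command-line entry point.

    Args:
        argv: argument vector (``sys.argv`` when ``None``).

    Returns:
        Process exit status: 0 on success, 1 if the target directory does not
        exist, 2 on a usage error.  The original printed its error messages
        and then carried on into an IndexError; this returns instead.
    """
    argv = sys.argv if argv is None else argv
    if len(argv) not in (2, 3):
        print('[parameter error]:')
        print('\t scan by malicious code: ' + argv[0] + ' <directory>')
        # The format shown must be the one _Get_Time_Files actually parses.
        print('\t scan by modification time: ' + argv[0]
              + ' <directory> <modification time (format: "YYYY-MM-DD HH:MM:SS")>')
        return 2
    target = argv[1]
    if not os.path.lexists(target):
        print('prompt: the specified scan directory does not exist')
        return 1
    print('\n start to kill: ' + target)
    if len(argv) == 2:
        Scan(target)
    else:
        _Get_Time_Files(target, argv[2])
    print('prompt: Killing completed -- O(detection_success)O Haha ~')
    return 0


if __name__ == '__main__':
    sys.exit(main())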