Webshell Trading PHP Trojan Webshell scanner code

Copy CodeThe code is as follows:

/*
+--------------------------------------------------------------------------+
| Codz by indexphp version:0.01 |
| (c) indexphp |
| http://www.indexphp.org |
+--------------------------------------------------------------------------+
*/
/*===================== Program Configuration =====================*/
$dir = ' CMS '; Set the directory to scan
$jumpoff =false;//Set the file to skip check
$jump = ' safe.php|g '; Set to skip checking files or folders $jumpoff =false When this setting is valid
$danger = ' eval|cmd|passthru ';//set to find the dangerous function to determine whether the Trojan file
$suffix = ' php|inc ';//Set the suffix of the file to be scanned
$dir _num=0;
$file _num=0;
$danger _num=0;
/*===================== Configuration End =====================*/
Extract (Gethttpvars ());
if ($m = = "edit") edit ();
if ($m = = "Del") Delete ();
if ($check = = ' Check ')
{$safearr = explode ("|", $jump);
$start _time=microtime (TRUE);
Safe_check ($dir);
$end _time=microtime (TRUE);
$total = $end _time-$start _time;
$file _num= $file _num-$dir _num;
$message = "Number of files:". $file _num;
$message. = "Number of folders:". $dir _num;
$message. = "Number of suspicious files:" $danger _num;
$message. = "Execution time:" $total;
Echo $message;
Exit ();
}
function Gethttpvars () {//global variable
$superglobs = Array (
' _post ',
' _get ',
' Http_post_vars ',
' Http_get_vars ');
$httpvars = Array ();
foreach ($superglobs as $glob) {
Global $ $glob;
if (Isset ($ $glob) && Is_array ($ $glob)) {
$httpvars = $ $glob;
}
if (count ($httpvars) > 0)
Break
}
return $httpvars;
}
function Safe_check ($DIR)//Traversal file
{
Global $danger, $suffix, $dir _num, $file _num, $danger _num;
$hand = @dir ($dir) or Die (' folder does not exist ');
while ($file = $hand->read ())
{
$filename = $dir. '/'. $file;
if (! $jumpoff) {
if (jump ($filename)) continue;
}
if (@is_dir ($filename) && $file! = '. ' && $file! = ' ... ' && $file! = './... ')
{$dir _num++;
Safe_check ($filename);
}
if (Preg_match_all ("/\." ( $suffix)/I ", $filename, $out))
{
$str = ";
$fp = @fopen ($filename, ' r ') or Die (' no permission ');
while (!feof ($FP))
{
$str. = Fgets ($fp, 1024);
}
Fclose ($FP);
if (Preg_match_all ("/($danger) [\r\n\t]{0,} ([\[\ (])/I", $str, $out))
{
echo "suspicious file: {$filename}
View Code
Delete
";
$danger _num++;
}
}
$file _num++;
}
}
function Edit ()//view suspicious file
{
Global $filename;
$filename = Str_replace ("..", "", $filename);
$file = $filename;
$content = "";
if (Is_file ($file))
{
$fp = fopen ($file, "R") or Die (' no permission ');
$content = Fread ($fp, FileSize ($file));
Fclose ($FP);
$content = Htmlspecialchars ($content);
}
echo "<textarea name="str">$content</textarea>\ r \ n ";
Exit ();
}
function Delete ()//delete file
{
Global $filename;
(Is_file ($filename))? ($mes =unlink ($filename)? ' Delete succeeded ': ' Delete failed view permission '): ';
Echo $mes;
Exit ();
}
function jump ($file)//Skip File
{
Global $jump, $safearr;
if ($jump! = ")
{
foreach ($safearr as $v)
{
if ($v = = ") continue;
if (eregi ($v, $file)) return true;
}
}
return false;
}
?>

The above describes the Webshell transaction PHP Trojan Webshell scanner code, including the contents of the Webshell transaction, I hope the PHP tutorial interested in a friend helpful.

