Malcode Finder, Searches for Files Contains Dangerous Command

Fungsinya untuk mencari command berbahaya yang mungkin bisa dimanfaatkan oleh attacker untuk mendapatkan akses lebih dalam sebuah sistem.

Berikut ini adalah tool pertama saya yang ditulis menggunakan bahasa Python. Fungsinya untuk mencari “command2” berbahaya yang mungkin bisa dimanfaatkan oleh attacker untuk mendapatkan “akses lebih” dalam sebuah sistem. Inspirasi dan beberapa line dari tools buatan d3hydr8 darkc0de.

Sekalian kado ultah buat Ketek tanda terima kasih saya secara pribadi atas dedikasinya buat Indonesia.

Nah langsung aja nih codenya :

  1#!/usr/bin/python
  2""" ScriptFinder 1.1 < ditatompel [at] gmail [dot] com >
  3Searches for file contains dangerous command
  4
  5Inspired from tools created by d3hydr8[at]gmail[dot]com
  6greetz to d3hydr8, 5ynL0rd all members of devilzc0de.org,
  7ex darkc0de.com, all Indonesian c0ders, and all GNU Generation ;-)
  8
  9PS : Happy Birthday ketek, Revres Tanur or whatever nickname gonna be :p
 10PF : ?? Oct ???? - ?? Oct 2011 """
 11
 12
 13import sys, re
 14
def halo():
    """Print the ScriptFinder banner (version, contact, greetz) to stdout."""
    rule = "-+-" * 30
    banner = [
        "\n" + rule + "\n\tScriptFinder 1.1 < ditatompel [at] gmail [dot] com >",
        "\tSearches for file contains dangerous command",
        "\tGreetz to all members of devilzc0de.org, ex darkc0de.com, all Indonesian c0ders,",
        "\tand all GNU Generation ;-)\n" + rule + "\n",
    ]
    for text in banner:
        print text
 20
def usage():
    """Print the command-line synopsis and exit with status 1."""
    script = sys.argv[0]
    print "\tUsage: python %s <dir>" % script
    print "\tExample: python %s /home/ditatompel/public_html\n" % script
    sys.exit(1)
 25
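#Original from d3hydr8[at]gmail[dot]com
def Walk( root, recurse=0, pattern='*', return_folders=0 ):
    """Return the paths under `root` whose basename matches `pattern`.

    Args:
        root: directory to list.
        recurse: when truthy, descend into sub-directories. Symlinked
            directories are not descended into, so a link loop cannot
            recurse forever.
        pattern: one or more fnmatch globs separated by ';' (e.g. '*.php;*.inc').
            An empty pattern means '*'.
        return_folders: when truthy, matching directories are returned as well.

    Returns:
        A list of normalised paths. A root that cannot be listed yields an
        empty list instead of raising.
    """
    import fnmatch, os

    result = []

    try:
        names = os.listdir(root)
    except os.error:
        return result

    # '*.php;' from the caller leaves a trailing empty glob; an empty glob
    # can never match a directory entry, so drop it up front.
    pat_list = [pat for pat in (pattern or '*').split(';') if pat]

    for name in names:
        fullname = os.path.normpath(os.path.join(root, name))

        # An entry matching several globs was appended once per glob before;
        # record it at most once.
        if any(fnmatch.fnmatch(name, pat) for pat in pat_list):
            if os.path.isfile(fullname) or (return_folders and os.path.isdir(fullname)):
                result.append(fullname)

        # isfile()/isdir() follow symlinks, so a symlinked *file* is still
        # reported (and later read); only directory links are not entered.
        if recurse and os.path.isdir(fullname) and not os.path.islink(fullname):
            result.extend(Walk(fullname, recurse, pattern, return_folders))

    return result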
 53
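def search(files, auto=0):
    """Scan `files` for the current search string and report every hit.

    Args:
        files: paths produced by Walk(). Directories (present when the
            caller asked for return_folders) and unreadable files are
            skipped silently.
        auto: truthy in full-scan mode, where the pattern is the module-level
            `danger` set by the caller's loop; otherwise the user-supplied
            module-level `specificstring` is used.

    Side effects:
        Prints each hit and appends it to the module-level log file `love`.
        Matched lines are copied verbatim into the log, so it contains
        whatever the scanned files contain.

    The search string is treated as a case-insensitive regular expression,
    not a literal. An invalid pattern is reported and the scan is skipped
    instead of raising an uncaught re.error.
    """
    searchstring = danger if auto else specificstring

    try:
        # Compile once rather than re-parsing the pattern on every line;
        # IGNORECASE replaces the per-line .lower() of both pattern and text.
        needle = re.compile(searchstring, re.IGNORECASE)
    except re.error as err:
        print "[-] Invalid search pattern '%s': %s\n" % (searchstring, err)
        return

    print "\n[+] Searching:", len(files), "files"
    print "\n" + "-+-"*20 + "\n[+] files containing '" + searchstring + "' under " + sys.argv[1] + "\n"+"-+-"*20+"\n"
    love.write("\n"+"-+-"*20)
    love.write("\n[+] files containing '%s' under '%s' \n" % (searchstring, sys.argv[1]) )
    love.write("-+-"*20+"\n")

    for path in files:
        try:
            # The handle is released as soon as the file is read; the
            # previous version left one descriptor open per scanned file.
            with open(path, "r") as handle:
                lines = handle.readlines()
        except (IOError, OSError):
            # Directories and unreadable entries: skip, as before.
            continue

        for num, line in enumerate(lines, 1):
            if needle.search(line):
                print "[!] File:",path,"on Line:",num,"\n[!] Code:",line
                love.write("""[!] File: %s on Line %s \n[!] Code: %s \n""" % (path, num, line.replace("\t","")) )

    print "[+] Done\n"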
 83
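halo()

# Substrings looked for in full-scan mode. Each entry is used as a
# case-insensitive regular expression by search(), so a bare name also
# matches any longer identifier containing it (see the getmy/posix_ notes).
actions = [
    "base64_decode", # many php shell use this but may generate false positive result, remove this if necessary. Especially when using recursive scan.
    "exec",
    "eval", # may generate false positive result, remove this if necessary. Especially when using recursive scan.
    "escapeshellarg",
    "escapeshellcmd",
    "fpaththru",
    "getmy", # getmypid, getmygid, getmyuid, etc
    "gzinflate",
    "gzuncompress",
    "ini_alter",
    "leak",
    "mDbl8VndvJj2", # encoded devshell.asp 
    "php_uname",
    "posix_", # any posix_* function
    "proc_", # any proc_* function
    "popen",
    "passthru",
    "pcntl_exec",
    "socket_accept",
    "socket_bind",
    "socket_clear_error",
    "socket_close",
    "socket_connect",
    "set_time_limit",
    "shell_exec",
    "system", # may generate false positive result, remove this if necessary. Especially when using recursive scan.
    "show_source",
    "xrunexploit" # source function on devshell.*
    ]

# Passed to Walk() as `recurse`; cleared below unless the user answers "Y".
minus_r = 1

if len(sys.argv) < 2:
    usage()

# Any answer other than "y"/"Y" is treated as "no" for both questions.
recdir = raw_input("Recursive ? ( Y/n ): ")
mode = raw_input("Full scan Mode (Y/n): ")

if mode.lower() != "y":
    specificstring = raw_input("String to search: ")

ext = raw_input("Specific File extension to scan ( <return> to scan all extension ) : ")
filelog = raw_input("logfile ( default sf.log ): ")

if filelog == "":
    filelog = "sf.log"

if recdir.lower() != "y":
    minus_r = 0

# Log file, truncated on every run; search() appends hits to it.
love = open(filelog, "w")
love.write("-+-"*30 + "\n\tScriptFinder 1.1 < ditatompel [at] gmail [dot] com >\n")
love.write("\tGreetz for all members of devilzc0de.org, ex darkc0de.com, all Indonesian c0ders,\n\tand all GNU Generation ;-)\n"+"-+-"*30+"\n")

# The file list does not depend on the search string, so build it once
# instead of re-walking the tree for every entry of `actions`. With no
# extension given, directories are returned too (return_folders=1) and are
# skipped by search() when they fail to open.
if ext == "":
    files = Walk(sys.argv[1], minus_r, '*', 1)
else:
    files = Walk(sys.argv[1], minus_r, '*.'+ext+';')

if mode.lower() == "y":
    print "\n[+] FULL SCAN MODE ENABLED...\n[+]", len(actions),"dangerous commands loaded\n[+] Target Dir:",sys.argv[1]
    print "[+] Logfile will be saved to: " + filelog
    love.write("""
    [+] FULL SCAN MODE ENABLED...
    [+] %s danger commands loaded
    [+] Target Dir: %s\n""" % (len(actions), sys.argv[1]) )
    # search(files, 1) reads the module-level `danger` bound by this loop.
    for danger in actions :
        search(files, 1)
    print "[+] Logfile saved to " + filelog

else:
    print "\n[+] Target Dir: " + sys.argv[1] + "\n[+] String to search: " + specificstring
    print "[+] Logfile will be saved to: " + filelog
    love.write("""
    [+] Target Dir: %s
    [+] String to search %s\n""" % (sys.argv[1], specificstring ) )
    search(files)
    print "[+] Logfile saved to " + filelog

# Flush and release the log explicitly rather than relying on interpreter exit.
love.close()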

https://github.com/ditatompel/Malcode-Finder

Cara penggunaannya:

python sf-1.1.py /path/to/dir

Lalu nanti ada interaktif tanya jawab:

  • Recursive: untuk scan semua sub-directory dari direktori yang sudah ditentukan sebelumnya.
  • Full scan Mode: untuk scan semua command yang dianggap bahaya. Klo dijawab “Y”, command2 diambil dari actions array. Klo full scan modenya dijawab “n” (atau jawaban apa pun selain “Y”), nanti om bakalan ditanya buat tentuin “command” apa yang mau di scan.
  • Specific File extension to scan: tipe file yang ingin di scan. Misal php / pl, dll. Kalau kosong brati semua file ikut di scan, termasuk jpg, gif, dll.
  • logfile: tempat nyimpen hasil scan. Klo kosong nama filenya jadi sf.log.