Malcode Finder, Searches for Files Contains Dangerous Command

  1#!/usr/bin/python
  2""" ScriptFinder 1.1 < ditatompel [at] gmail [dot] com >
  3Searches for file contains dangerous command
  4
  5Inspired from tools created by d3hydr8[at]gmail[dot]com
  6greetz to d3hydr8, 5ynL0rd all members of devilzc0de.org,
  7ex darkc0de.com, all Indonesian c0ders, and all GNU Generation ;-)
  8
  9PS : Happy Birthday ketek, Revres Tanur or whatever nickname gonna be :p
 10PF : ?? Oct ???? - ?? Oct 2011 """
 11
 12
 13import sys, re
 14
 15def halo():
 16    print "\n" + "-+-"*30 + "\n\tScriptFinder 1.1 < ditatompel [at] gmail [dot] com >"
 17    print "\tSearches for file contains dangerous command"
 18    print "\tGreetz to all members of devilzc0de.org, ex darkc0de.com, all Indonesian c0ders,"
 19    print "\tand all GNU Generation ;-)\n" + "-+-"*30+"\n"
 20
 21def usage():
 22    print "\tUsage: python " + sys.argv[0] + " <dir>"
 23    print "\tExample: python " + sys.argv[0] + " /home/ditatompel/public_html\n"
 24    sys.exit(1)
 25
 26#Original from d3hydr8[at]gmail[dot]com
 27def Walk( root, recurse=0, pattern='*', return_folders=0 ):
 28    import fnmatch, os, string
 29
 30    result = []
 31
 32    try:
 33        names = os.listdir(root)
 34    except os.error:
 35        return result
 36
 37    pattern = pattern or '*'
 38    pat_list = string.splitfields( pattern , ';' )
 39
 40    for name in names:
 41        fullname = os.path.normpath(os.path.join(root, name))
 42
 43        for pat in pat_list:
 44            if fnmatch.fnmatch(name, pat):
 45                if os.path.isfile(fullname) or (return_folders and os.path.isdir(fullname)):
 46                    result.append(fullname)
 47                continue
 48        if recurse:
 49            if os.path.isdir(fullname) and not os.path.islink(fullname):
 50                result = result + Walk( fullname, recurse, pattern, return_folders )
 51        
 52    return result
 53
 54def search(files, auto=0):
 55    
 56    if auto:
 57        searchstring = danger
 58    else:
 59        searchstring = specificstring
 60    
 61    print "\n[+] Searching:", len(files), "files"
 62    print "\n" + "-+-"*20 + "\n[+] files containing '" + searchstring + "' under " + sys.argv[1] + "\n"+"-+-"*20+"\n"
 63    love.write("\n"+"-+-"*20)
 64    love.write("\n[+] files containing '%s' under '%s' \n" % (searchstring, sys.argv[1]) )
 65    love.write("-+-"*20+"\n")
 66    
 67    for file in files:
 68        num = 0
 69        
 70        try:
 71            text = open(file, "r").readlines()
 72            
 73            for line in text:
 74                num +=1
 75                if re.search(searchstring.lower(), line.lower()):
 76                    print "[!] File:",file,"on Line:",num,"\n[!] Code:",line
 77                    love.write("""[!] File: %s on Line %s \n[!] Code: %s \n""" % (file, num, line.replace("\t","")) )
 78        
 79        except(IOError):
 80            pass
 81    
 82    print "[+] Done\n"
 83
 84halo()
 85
 86actions = [
 87    "base64_decode", # many php shell use this but may generate false positive result, remove this if necessary. Especially when using recursive scan.
 88    "exec",
 89    "eval", # may generate false positive result, remove this if necessary. Especially when using recursive scan.
 90    "escapeshellarg",
 91    "escapeshellcmd",
 92    "fpaththru",
 93    "getmy", # getmypid, getmygid, getmyuid, etc
 94    "gzinflate",
 95    "gzuncompress",
 96    "ini_alter",
 97    "leak",
 98    "mDbl8VndvJj2", # encoded devshell.asp 
 99    "php_uname",
100    "posix_", # any posix_* function
101    "proc_", # any proc_* function
102    "popen",
103    "passthru",
104    "pcntl_exec",
105    "socket_accept",
106    "socket_bind",
107    "socket_clear_error",
108    "socket_close",
109    "socket_connect",
110    "set_time_limit",
111    "shell_exec",
112    "system", # may generate false positive result, remove this if necessary. Especially when using recursive scan.
113    "show_source",
114    "xrunexploit" # source function on devshell.*
115    ]
116
117minus_r = 1
118
119if len(sys.argv) < 2:
120    usage()
121
122recdir = raw_input("Recursive ? ( Y/n ): ")
123mode = raw_input("Full scan Mode (Y/n): ")
124
125if mode.lower() != "y":
126    specificstring = raw_input("String to search: ")
127
128ext = raw_input("Specific File extension to scan ( <return> to scan all extension ) : ")
129filelog = raw_input("logfile ( default sf.log ): ")
130
131if filelog == "":
132    filelog = "sf.log"
133
134if recdir.lower() != "y":
135    minus_r = 0
136
137love = open(filelog, "w")
138love.write("-+-"*30 + "\n\tScriptFinder 1.1 < ditatompel [at] gmail [dot] com >\n")
139love.write("\tGreetz for all members of devilzc0de.org, ex darkc0de.com, all Indonesian c0ders,\n\tand all GNU Generation ;-)\n"+"-+-"*30+"\n")
140
141if mode.lower() == "y":
142    print "\n[+] FULL SCAN MODE ENABLED...\n[+]", len(actions),"dangerous commands loaded\n[+] Target Dir:",sys.argv[1]
143    print "[+] Logfile will be saved to: " + filelog
144    love.write("""
145    [+] FULL SCAN MODE ENABLED...
146    [+] %s danger commands loaded
147    [+] Target Dir: %s\n""" % (len(actions), sys.argv[1]) )
148    for danger in actions :
149        if ext == "":
150            files = Walk(sys.argv[1], minus_r, '*', 1)
151        else:
152            files = Walk(sys.argv[1], minus_r, '*.'+ext+';')
153        search(files, 1)
154    print "[+] Logfile saved to " + filelog
155
156else:
157    print "\n[+] Target Dir: " + sys.argv[1] + "\n[+] String to search: " + specificstring
158    print "[+] Logfile will be saved to: " + filelog
159    love.write("""
160    [+] Target Dir: %s
161    [+] String to search %s\n""" % (sys.argv[1], specificstring ) )
162    if ext == "":
163        files = Walk(sys.argv[1], minus_r, '*', 1)
164    else:
165        files = Walk(sys.argv[1], minus_r, '*.'+ext+';')
166    search(files)
167    print "[+] Logfile saved to " + filelog

1python sf-1.1.py /path/to/dir