Skip to main content

Code Auto Scan Shell qua Keyword

Đây là 1 code scan shell qua keyword mình phát triển thêm từ code cũ của KID - Xgroup đã đc pub lên mạng.
Về mặt code này. Bạn chỉ cần up file lên thư mục public_html để cho tools scan.
Chức năng:
Scan shell qua keyword đã được quy định sẵn.
Disable Shell không cho phép shell chạy.
Send mail cho mail đã cài đặt để báo cáo địa chỉ file nghi ngờ shell để cho admin có thể lên ktra.
Nếu bạn nào thix auto thì có thể tích hợp chung với corn để làm thành auto scan shell.
Hiện mình đang tiếp tục phát triển ver tiếp theo, nếu bạn nào muốn có thể tham gia thảo luận chung.
Code mình ko mã hóa nên nếu có share đề nghị giữ nguyên dòng bản quyền để tôn trọng tác giả.
Lưu ý: Khi dùng thì các bạn edit mail nhận thành mail của mình để nhận thông tin.

ini_set("safe_mode","off");
$safe_mode = @ini_get('safe_mode');
if (!$safe_mode)set_time_limit(0);

    
    
    $folder = $_SERVER['DOCUMENT_ROOT'];    
    define('TAB',"        ");                        
    define('IGNORE_EXTENSIONS',"jpg pdf zip psd doc gif swf xls gz txt");    
    define("MAX_SIZE",1024*1024*1024);                                    
    define("IGNORE_BEFORE", strtotime('2009-08-01') );                
    $shell = $_SERVER["PHP_SELF"];
    function findexts($filename)
    {    
        $filename = strtolower($filename);    
        $exts = explode("[/\\.]", $filename);    
        $n = count($exts)-1;    
        $exts = $exts[$n];    
        return strtolower($exts);
    }
    function percent($num_amount, $num_total) 
    {
        $count1 = $num_amount / $num_total;
        $count2 = $count1 * 100;
        $count = number_format($count2, 0);
        return $count;
    }
    function report($messega)
    {
        $email = "csvietteam@gmail.com";
        $subject = "Report Scan Shell";
        $headers   = array();
        $headers[] = "MIME-Version: 1.0";
        $headers[] = "Content-type: text/plain; charset=iso-8859-1";
        $headers[] = "From: Report Scan Shell on ".gethostbyname($_SERVER['SERVER_NAME'])."";
        $headers[] = "Reply-To: Gmail Team <$email>";
        $headers[] = "Subject: {$subject}";
        $headers[] = "X-Mailer: PHP/".phpversion();
        mail($email, $subject,$messega, implode("\r\n", $headers));
    }    
    function check_dir($directory,$level) 
    {    
        global $virus_detected, $all, $detect_errors_only, $detected_Keyword_in_test_script, $listfile, $listWarning,$listDetect;    
        $indent='';
        /*Key Word Shell*/
        $Keyword = array();
        $Keyword[]= "I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCmludC";
        $Keyword[]= "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj";
        $Keyword[]= "PEJPRFkgT25LZXlQcmVzcz0iR2V0S2V5Q29kZSgpOyIgdGV4dD0jZmZmZmZmIGJvdHRvbU1hcmdp";
        $Keyword[] = "IyEvdXNyL2Jpbi9wZXJsIC1JL3Vzci9sb2NhbC9iYW5kbWFpbg0KIw0KIyBQZXJsS2l0LTAuMSAt";
        $Keyword[] = "PD9waHAKJGNwYW5lbF9wb3J0PSIyMDgyIjsKJGNvbm5lY3RfdGltZW91dD01OwpzZXRfdGltZV9s";
        $Keyword[] = "c3QgOiA8SU5QVVQgc2l6ZT1cIjE1XCIgdmFsdWU9XCJsb2NhbGhvc3RcIiBuYW1lPVwibG9jYWxo";
        $Keyword[] = "ZGUgPSAkQVJHVlswXTsKICAgICAgICAkYWFhYSA9ICRBUkdWWzFdOwogICAgICAgICAgaWYgKCEk";
        $Keyword[] = "aGF0IHUgV2FudCB0byBTeW1saW5rIEl0PC9mb250PjwvYnI+PC9jZW50ZXI+PC9iPjwvaDQ+IAo8";
        $Keyword[] = "bnQgZmFjZT0iV2luZ2RpbmdzIj48aW1nIGJvcmRlcj0iMCIgc3JjPSJodHRwOi8vcHJpdjguaWJs";
        $Keyword[] = "PHRpdGxlPkxpdGVTcGVlZCBXZWIgQnlwYXNzIC0gaXpvY2luIHByaXY5PC90aXRsZT4KICAgICAg";
        $Keyword[] = "IyEvdXNyL2Jpbi9lbnYgcHl0aG9uCgojICMgIyAjICMgIyAjICMgIyAjICMgIyAjICMgIyAjICMg";
        $Keyword[] = "ZSA9fiB0ci8rLyAvOw0KICAkbmFtZSA9fiBzLyUoW2EtZkEtRjAtOV1bYS1mQS1GMC05XSkvcGFj";
        $Keyword[] = "JyBzdHlsZT0nY29sb3I6ICNmZmZmZmY7IGJvcmRlcjogMXB4IGRvdHRlZCByZWQ7IGJhY2tncm91";
        $Keyword[] = "PSdodHRwOi8vdXBsb2FkLnRyYWlkbnQubmV0L3VwZmlsZXMvbzhJOTk4MTAucG5nJyB3aWR0aD0n";
        $Keyword[] = "ICAgIGRpZSgibm90IHdyaXRhYmxlIGRpcmVjdG9yeSIpOw0KDQokbGV2ZWw9MDsNCg0KZm9yKCRh";
        $Keyword[] = "PicKICAgICAgICBwcmludCAnUmVzdWx0IDogPEJSPjxCUj4nCiAgICAgICAgdHJ5OgogICAgICAg";
        $Keyword[] = "MHMgQ29ubmVjdCBCYWNrIEJhY2tkb29yXG5cbiI7DQogICAgICBpZiAoISRBUkdWWzBdKSB7DQog";
        $Keyword[] = "ZmVyRmlsZSBlcSAiIikNCgl7DQoJCSZQcmludFBhZ2VIZWFkZXIoImYiKTsNCgkJJlByaW50Rmls";
        $Keyword[] = "ZDUKaW1wb3J0IHN5cwoKIyMjIyMjIyMjIyNfRGVmYXVsdF8jIyMjIyMjIyMjIyMjIyMjIyMjIyMj";
        $Keyword[] = "substr(@php_uname(),0,120)";
        $Keyword[] = "@getmyuid()";    
        $Keyword[] = "eval(base64_decode";        
        for ($count=0;$count<$level;$count++) 
        {        
            $indent.=TAB;    
        }    
        $level++;    
        $read_dir=opendir($directory);    
        while ($file=readdir($read_dir)) 
        {    
            $filepath=$directory."/".$file;    
                if ($detect_errors_only && $virus_detected) 
                {    
                    exit;        
                }        
                if (is_dir($filepath)) 
                {                        
                    if ( ($file<>'.') && ($file<>'..') ) 
                        {                
                            check_dir($filepath,$level);            
                        }        
                }        
                else 
                {    
                    if (is_file($filepath)) 
                    {                                    
                        if ( (is_readable($filepath) )  &&  (!stristr(IGNORE_EXTENSIONS, findexts($file)))  ) 
                        {                        
                            if ((filesize($filepath)< MAX_SIZE) && (filemtime($filepath)>IGNORE_BEFORE) )
                            {
                                $listfile[] = $filepath;
                                $fileentry=$directory."/".$file.' - '.date('j F Y H:i',filemtime($filepath));    
                                $filestring=file_get_contents($filepath);                        
                                $found=stripos($filestring,"eval(base64_decode(");                     
                                $found=stristr($filestring,"eval(base64_decode(");
                                if ($found !=false)
                                {
                                    $detect_errors_only = true;
                                }
                                else
                                {
                                    foreach ($Keyword as $key)
                                    {
                                        $found=stripos($filestring,$key);                     
                                        $found=stristr($filestring,$key);
                                        if ($found !=false) break;
                                    }
                                }
                                flush();    
                                if ($found!=false) 
                                {                            
                                    if ($file=='scanshell.php')
                                    {                                
                                        $detected_Keyword_in_test_script=true;                            
                                    }                        
                                    else 
                                    {                                
                                        $virus_detected=true;    
                                        if ($detect_errors_only) 
                                        {                    
                                            $listWarning[]  = $fileentry.' -- Warning Shell';                        
                                        }                                
                                        else 
                                        {        
                                            $listDetect[]  = $fileentry.' -- Detect Shell';
                                            chmod($filepath,0000);
                                        }                            
                                    }                                                 
                                    $found='';                    
                                }                    
                                        
                            }
                        }
    
                    }            
                    
                }    
        }        
        closedir($read_dir);
    } 
    $virus_detected=false;
    $all=true;
    $detect_errors_only=false;
    $detected_Keyword_in_test_script=false;
    check_dir($folder,0);
    //Report Mail
    $message = "Report Scan Shell On Server ".gethostbyname($_SERVER['SERVER_NAME'])." by VnDragon \n\n";
    $message .= "Scan Complete at ".date('j F Y H:i')."\n\n";
    $message .= "Statistics\n\n";
    $message .= "Skip File : ".IGNORE_EXTENSIONS."\n\n";
    $message .= "Ingore File Max : ".MAX_SIZE."/bytes.\n\n";
    if (count($listfile) != 0 )
    {
        $message .= "Total File Scan: " .count($listfile)."\n\n";
    
        if (count($listWarning) != 0)
        {
            $warning = percent(count($listWarning),count($listfile));
            $message .= "Total File Warning: " .count($listWarning)." - ". $warning."% \n\n";
            $message .= "List File Warning: \n\n";
            foreach ($listWarning as $Warning) 
            {
                    $message .= $Warning." \n\n";
            }
        }
        else
        {
            $message .= "Total File Warning: 0  -  0% \n\n";
        }
        if (count($listDetect) != 0)
        {
            $detechted = percent(count($listDetect),count($listfile));
            $message .= "Total File Detected: " .count($listDetect)." - ". $detechted."% \n\n";
            $message .= "List File Detected: \n";
            foreach ($listDetect as $Detechted) 
            {
                $message .= $Detechted." \n\n";
            }
        }
        else
        {
            $message .= "Total File Detected: 0  -  0% \n\n";
        }
    }
    else
    {
        $message .= "File Not Found\n\n";
    }
    $message .= "End Report \n\n";
    $message .= "---------------------------------------------------\n\n";
    $message .= "File Detected Has been Chmod 000. Please Online And Check It\n\n";
    $message .= "Thank You For Used Tools Scan Shell VerSion 2\n\n";
    $message .= "Power By VnDragon \n\n";
    report($message);
?>  

Share this with your friends
Loading...