
phpAV Code Auditing Tool 1.1

Posted Jan 7, 2010
Authored by Milos Zivanovic

phpAV is a script designed to work as an antivirus for malicious PHP scripts. It will search a given directory and related files for dangerous functions and provide a report.

tags | web, php
SHA-256 | 68ab3725b4466890a2330c5c5dd11622666a09c408af5bb5c60f44d048036ba0

#!/usr/bin/php
<?php
ini_set("max_execution_time", 0);
$start = get_time();
/*
** Title: phpAV
** Version: 1.1
** Author: Milos Zivanovic
** Email: milosz.security@gmail.com
** Date: January 2010.
**
** PHP script designed to work as antivirus for malicious php scripts. It will
** search given directory and related files for dangerous functions and also
** look for recognizable pattern in file names. phpAV is designed so it can be
** easily configured and look in more file types in search for more functions
** and file name patterns.
**
** Usage: ./phpAV.php /var/www/
** Log file will appear in the same directory as phpAV.php IF dangerous
** functions/files are found, else the file won't be there.
**
** Thanks:
** Special thanks to Teo Manojlovic, idea for this originated in his mind.
** Thanks to Ivan Markovic for additional ideas and tips.
**
** Note: Script tested on linux (ubuntu karmic koala (9.10))
**/

// CONFIGURATION SECTION
$functions = array('shell_exec', 'system', 'passthru', 'exec', 'eval',
    'ftp_connect'); // dangerous functions
$file_types = array('php', 'php3', 'php4', 'php5', 'phps', 'ph3', 'ph4',
    'html', 'htm', 'phtml', 'pl'); // file types to scan
$suspicious = array('c99', 'c100', 'r57', 'locus7', 'storm7', 'g00n'); // pattern names to look for
$log_file = "Log.txt"; // log file
// END OF CONFIGURATION SECTION

if($argc != 2) {
    echo "Usage: ".$argv[0]." [DIR PATH]\n";
    exit();
}
// read the target directory only after the argument count has been checked
$dir = $argv[1];
if(substr($dir, -1) != "/") $dir .= "/";

$dirs_found = 0;
$files_found = 0;
$files_with_bad_functions = 0;
$bad_functions_found = 0;
$suspicious_files_found = 0;

search_dir($dir);

// print info & statistics
echo "phpAV-v1.1\nMilos Zivanovic [milosz.security@gmail.com]\n";
echo "Dir: \t\t\t\t\t".$dir."\n";
echo "Dirs scanned: \t\t\t\t".$dirs_found."\n";
echo "Files scanned: \t\t\t\t".$files_found."\n";
echo "Files with dangerous functions found: \t".$files_with_bad_functions."\n";
echo "Dangerous functions detected: \t\t".$bad_functions_found."\n";
echo "Suspicious files detected: \t\t".$suspicious_files_found."\n";
echo "Time taken: \t\t\t\t".number_format((get_time() - $start), 5)." seconds\n";

// ----- functions ------------------------------------------------------------

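// Recursively walk $path and scan every readable file whose extension is
// listed in $file_types.
function search_dir($path) {
    global $file_types, $dirs_found, $files_found;
    if ($dh = opendir($path)) {
        while (($file = readdir($dh)) !== false) {
            if($file != "." && $file != "..") {
                if(is_dir($path.$file)) {
                    $dirs_found++;
                    search_dir($path.$file."/");
                }
                else {
                    // end() takes its argument by reference, so it needs a variable
                    $parts = explode(".", $file);
                    if(is_readable($path.$file) && in_array(end($parts), $file_types)) {
                        $files_found++;
                        search_suspicious($path.$file);
                        search_in_file($path.$file);
                    }
                }
            }
        }
        // close the handle only if opendir() succeeded
        closedir($dh);
    }
}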

// Scan $file line by line for calls to the configured functions and append
// every match (with its line number) to the log file.
function search_in_file($file) {
    global $functions, $bad_functions_found, $log_file,
        $files_with_bad_functions;
    $found_str = array();
    $found_line = array();
    $lines = file($file);
    if($lines === false) return; // file could not be read
    for($i=0;$i<count($functions);$i++) {
        for($j=0;$j<count($lines);$j++) {
            // function name preceded by a delimiter and followed by "(" or " (",
            // or the function name at the very start of the line
            if(strstr($lines[$j], " ".$functions[$i]."(") ||
               strstr($lines[$j], "(".$functions[$i]."(") ||
               strstr($lines[$j], ".".$functions[$i]."(") ||
               strstr($lines[$j], "=".$functions[$i]."(") ||
               strstr($lines[$j], "{".$functions[$i]."(") ||
               strstr($lines[$j], ">".$functions[$i]."(") ||
               strstr($lines[$j], "\t".$functions[$i]."(") ||
               strstr($lines[$j], " ".$functions[$i]." (") ||
               strstr($lines[$j], "=".$functions[$i]." (") ||
               strstr($lines[$j], "{".$functions[$i]." (") ||
               strstr($lines[$j], ".".$functions[$i]." (") ||
               strstr($lines[$j], "(".$functions[$i]." (") ||
               strstr($lines[$j], ">".$functions[$i]." (") ||
               strstr($lines[$j], "\t".$functions[$i]." (") ||
               substr($lines[$j], 0, strlen($functions[$i])) == $functions[$i]) {

                $found_str[] = str_replace("\n", "", $lines[$j]);
                $found_line[] = $j+1;
                $bad_functions_found++;
            }
        }
    }
    if(!empty($found_str)) {
        $files_with_bad_functions++;
        file_put_contents($log_file, "File: ".$file."\n", FILE_APPEND);
        for($l=0;$l<count($found_str);$l++) {
            file_put_contents($log_file, "Line: ".$found_line[$l]." | ".$found_str[$l]."\n", FILE_APPEND);
        }
    }
}

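// Log a warning if the file name contains one of the $suspicious patterns.
function search_suspicious($file) {
    global $suspicious, $log_file, $suspicious_files_found;
    // end() takes its argument by reference, so it needs a variable
    $parts = explode("/", $file);
    $filename = end($parts);
    for($i=0;$i<count($suspicious);$i++)
        if(strstr($filename, $suspicious[$i])) {
            $suspicious_files_found++;
            file_put_contents($log_file, "WARNING: ".$file."\n", FILE_APPEND);
            break;
        }
}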

// Current time in seconds, with microsecond precision.
function get_time() {
    $a = explode(" ", microtime());
    return (float) $a[0] + (float) $a[1];
}
?>
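
A tokenizer-based variant of the search_in_file() check, added here as an example; it is not part of phpAV or the author's code. It reuses the script's $functions list, ignores names that appear only in comments or string literals, and compares names case-insensitively; find_calls() and the sample input are hypothetical and constructed for illustration.

```php
<?php
// Added example (not phpAV code): find calls with PHP's tokenizer
// instead of substring matching on raw lines.
$functions = array('shell_exec', 'system', 'passthru', 'exec', 'eval', 'ftp_connect');

function find_calls($source, array $functions) {
    // Name-bearing tokens: T_STRING (ordinary names), T_EVAL (the eval
    // construct) and, on PHP 8+, the fully qualified form (\system).
    $name_ids = array(T_STRING, T_EVAL);
    if (defined('T_NAME_FULLY_QUALIFIED')) {
        $name_ids[] = T_NAME_FULLY_QUALIFIED;
    }
    $skip_ids = array(T_WHITESPACE, T_COMMENT, T_DOC_COMMENT);
    $tokens = token_get_all($source);
    $count = count($tokens);
    $hits = array();
    for ($i = 0; $i < $count; $i++) {
        // Comments and string literals are other token types, so they are skipped.
        if (!is_array($tokens[$i]) || !in_array($tokens[$i][0], $name_ids, true)) {
            continue;
        }
        // PHP resolves function names case-insensitively.
        $name = strtolower(ltrim($tokens[$i][1], '\\'));
        if (!in_array($name, $functions, true)) {
            continue;
        }
        // A call needs "(" as the next significant token.
        $j = $i + 1;
        while ($j < $count && is_array($tokens[$j]) && in_array($tokens[$j][0], $skip_ids, true)) {
            $j++;
        }
        if ($j < $count && $tokens[$j] === '(') {
            $hits[] = array('line' => $tokens[$i][2], 'function' => $name);
        }
    }
    return $hits;
}

// Constructed sample; a nowdoc, so it is tokenized but never executed.
$sample = <<<'SRC'
<?php
// system() appears here only inside a comment
echo "exec( inside a string literal";
$out = Shell_Exec ($cmd);
EVAL($code);
SRC;
foreach (find_calls($sample, $functions) as $hit) {
    echo "Line: ".$hit['line']." | ".$hit['function']."\n";
}
```

Method calls that share a listed name, such as "->exec(", are still reported and need manual review.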