我们来自五湖四海,不为别的,只因有共同的爱好,为中国互联网发展出一分力!

扫描目录下的php文件,是否含有木马特征

2014年07月26日05:23 阅读: 21351 次

标签: 扫描目录下的php文件,是否含有木马特征

 shell_checkl

 

?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
#!/usr/bin/python
#-*- encoding:UTF-8 -*-
###
## @package
## @desc 扫描目录下的php文件,是否含有木马特征,注意,不是“木马扫描”
## @useage python shell_check.py /your/web/path/ 1=是否递归
###
import os
import sys
import re
import time
def listdir(dirs,liston='0'):
    flog = open(os.getcwd()+"/check_php_shell.log","a+")
    if not os.path.isdir(dirs):
        print "directory %s is not exist"% (dirs)
        return
    lists = os.listdir(dirs)
    for list in lists:
        filepath = os.path.join(dirs,list)
        if os.path.isdir(filepath):
            if liston == '1':
                listdir(filepath,'1')
        elif os.path.isfile(filepath):
            filename = os.path.basename(filepath)
            if re.search(r"\.(?:php|inc|html?)$", filename, re.IGNORECASE):
                i = 0
                iname = 0
                f = open(filepath)
                while f:
                    file_contents = f.readline()
                    if not file_contents:
                        break
                    i += 1
                    match = re.search(r'''(?P<function>\b(?:include|require)(?:_once)?\b)\s*\(?\s*["'](?P<filename>.*?(?<!\.(?:php|inc)))["']''', file_contents, re.IGNORECASE| re.MULTILINE)
                    if match:
                        function = match.group("function")
                        filename = match.group("filename")
                        if iname == 0:
                            info = '\n[%s] :\n'% (filepath)
                        else:
                            info = ''
                        info += '\t|-- [%s] - [%s]  line [%d] \n'% (function,filename,i)
                        flog.write(info)
                        print info
                        iname += 1
                      
                    match = re.search(r'\b(?P<function>eval|proc_open|popen|shell_exec|exec|passthru|system)\b\s*\(', file_contents, re.IGNORECASE| re.MULTILINE)
                    if match:
                        function = match.group("function")
                        if iname == 0:
                            info = '\n[%s] :\n'% (filepath)
                        else:
                            info = ''
                        info += '\t|-- [%s]  line [%d] \n'% (function,i)
                        flog.write(info)
                        print info
                        iname += 1
                      
                    match = re.findall(r'(\$[a-z0-9_]*?\s*?\(.*?\))', file_contents, re.IGNORECASE)
                    if match:
                        if iname == 0:
                            info = '\n[%s] :\n'% (filepath)
                        else:
                            info = ''
                        info += '\t|-- [%s]  line [%d] \n'% (match[0],i)
                        flog.write(info)
                        print info
                        iname += 1
  
                f.close()
    flog.close()
if '__main__' == __name__:
    argvnum = len(sys.argv)
    liston = '0'
    if argvnum == 1:
        action = os.path.basename(sys.argv[0])
        print "Command is like:\n   %s D:\wwwroot\ \n   %s D:\wwwroot\ 1    -- recurse subfolders"% (action,action)
        quit()
    elif argvnum == 2:
        path = os.path.realpath(sys.argv[1])
        listdir(path,liston)
    else:
        liston = sys.argv[2]
        path = os.path.realpath(sys.argv[1])
        listdir(path,liston)
    flog = open(os.getcwd()+"/check_php_shell.log","a+")
    ISOTIMEFORMAT='%Y-%m-%d %X'
    now_time = time.strftime(ISOTIMEFORMAT,time.localtime())
    flog.write("\n----------------------%s checked ---------------------\n"% (now_time))
    flog.close()

 

分享到: 更多
©2017 安全焦点 版权所有.
人才招聘联系我们