Y00AOebLhlCX59D11qensmHJY7s Backdoor Scanner lookforbadguys Created (c) by Princexells Seyka (Princelling Saki)
Home » Tools » Backdoor Scanner lookforbadguys

Minggu, 25 Agustus 2013

0 Backdoor Scanner lookforbadguys

Ketika defacer mendapatkan akses ke server website Anda, mereka kadang meng-install sebuah script shell/backdoor yang dirancang untuk memungkinkan mereka untuk mendapatkan kembali jalan masuk setelah Anda telah membersihkan situs,

Berikut sebuah script dimana dapat berfungsi untuk menemukan script shell/backdoor tersebut :
<?php
/* lookforbadguys.php 3-10-2011
--Purpose: iterate through server files looking for hacker code snippets, backdoor scripts,
.htaccess redirects, and suspicious file names.
-- Caveats: Not all things it finds are hacks. Not all hacks are found.
--You should look also for weird files (such as .php files) in your image directories, especially
if your .htaccess has redirects or was made executable.
--Some searches are commented out because they can give too many false positives.
--This script should work the same on a Linux or Windows server.
It runs fast in Linux/Apache/PHP, and very slowly in Windows/Apache/PHP.

*/
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="Content-Language" content="en-us">
<title>Looking for bad guys</title>
</head>

<body>
<p>Looking for bad guys. </p>
<p>This script looks for traces of malicious code including code injections,
modified .htaccess that makes images executable, and so on.</p>
<p>

<?php
// SET MAXIMUM EXECUTION TIME TO UNLIMITED (0) BECAUSE THE SCRIPT CAN TAKE A WHILE.
// YOU COULD USE A MORE CONSERVATIVE TIME LIMIT SUCH AS 1 HOUR (3600 SECONDS), JUST IN CASE.
// THESE HAVE NO EFFECT IF YOU RUN PHP IN "SAFE MODE" (SAFE MODE IS USUALLY UNDESIRABLE ANYWAY).
ini_set('max_execution_time', '0');
ini_set('set_time_limit', '0');

// --------------------------------------------------------------------------------
// UTILITY FUNCTIONS.
// OUTPUT TEXT IN SPECIFIED COLOR, CLEANING IT WITH HTMLENTITIES().
function CleanColorText($text, $color)
{
$outputcolor = 'black';
$color = trim($color);
if(preg_match('/^(red|blue|green|black)$/i', $color))
$outputcolor = $color;
return '<span style="color:' . $outputcolor . ';">' . htmlentities($text, ENT_QUOTES) . '</span>';
}

// --------------------------------------------------------------------------------
// THIS FUNCTION RECURSIVELY FINDS FILES AND PROCESSES THEM THROUGH THE SPECIFIED CALLBACK FUNCTION.
// DIFFERENT TYPES OF FILES NEED TO BE HANDLED BY DIFFERENT CALLBACK FUNCTIONS.

function find_files($path, $pattern, $callback)
{
// CHANGE BACKSLASHES TO FORWARD, WHICH IS OK IN PHP, EVEN IN WINDOWS.
// REMOVE ANY TRAILING SLASHES, THEN ADD EXACTLY ONE.
$path = rtrim(str_replace("\\", "/", $path), '/') . '/';
if(!is_readable($path))
{
echo "Warning: Unable to open and enter directory " . CleanColorText($path, 'blue') .
". Check its owner/group permissions.<br>";
return;
}
$dir = dir($path);
$entries = array();
while(($entry = $dir->read()) !== FALSE)
$entries[] = $entry;
$dir->close();
foreach($entries as $entry)
{
$fullname = $path . $entry;
if(($entry !== '.') && ($entry !== '..') && is_dir($fullname))
find_files($fullname, $pattern, $callback);
else
if(is_file($fullname) && preg_match($pattern, $entry))
call_user_func($callback, $fullname);
}
}

// --------------------------------------------------------------------------------
// CALLBACK FUNCTIONS.
// CALLBACK FUNCTION TO LOOK FOR MALICIOUS CODE - YOU COULD ADD ANY OTHER MALICIOUS CODE SNIPPETS YOU KNOW OF.
function maliciouscodesnippets($filename)
{
if(stripos($filename, "lookforbadguys.php")) // DON'T FLAG THIS FILE WHICH I CALLED lookforbadguys.php
return;

if(!is_readable($filename))
{
echo "Warning: Unable to read " . CleanColorText($filename, 'blue') .
". Check it manually and check its access permissions.<br>";
return;
}
$file = file_get_contents($filename); //READ THE FILE

// PRINTING EVERY FILENAME GENERATES A LOT OF OUTPUT.
//echo CleanColorText($filename, 'green') . " is being examined.<br>";

// TEXT FILES WILL BE SEARCHED FOR THESE SNIPPETS OF SUSPICIOUS TEXT.
// THESE ARE REGULAR EXPRESSIONS WITH THE REQUIRED /DELIMITERS/ AND WITH SPECIAL CHARACTERS ESCAPED.
// /i AT THE END MEANS CASE INSENSITIVE.
$SuspiciousSnippets = array
(
// POTENTIALLY SUSPICIOUS PHP CODE
'/edoced_46esab/i',
'/passthru *\(/i',
'/shell_exec *\(/i',
'/document\.write *\(unescape *\(/i',

// THESE CAN GIVE MANY FALSE POSITIVES WHEN CHECKING WORDPRESS AND OTHER CMS.
// NONETHELESS, THEY CAN BE IMPORTANT TO FIND, ESPECIALLY BASE64_DECODE.
'/base64_decode *\(/i',
'/system *\(/i',
'/`.+`/', // BACKTICK OPERATOR INVOKES SYSTEM FUNCTIONS, SAME AS system()
// '/phpinfo *\(/i',
// '/chmod *\(/i',
// '/mkdir *\(/i',
// '/fopen *\(/i',
// '/fclose *\(/i',
// '/readfile *\(/i',

// SUSPICIOUS NAMES. SOME HACKERS SIGN THEIR SCRIPTS. MANY NAMES COULD GO HERE,
// HERE IS A GENERIC EXAMPLE. YOU CAN FILL IN WHATEVER NAMES YOU WANT.
'/hacked by /i',

// OTHER SUSPICIOUS TEXT STRINGS
'/web[\s-]*shell/i', // TO FIND BACKDOOR WEB SHELL SCRIPTS.
'/c99/i', // THE NAMES OF TWO POPULAR WEB SHELLS.
'/r57/i',

// YOU COULD ADD IN THE SPACE BELOW SOME REGULAR EXPRESSIONS TO MATCH THE NAMES OF MALICIOUS DOMAINS
// AND IP ADDRESSES MENTIONED IN YOUR GOOGLE SAFEBROWSING DIAGNOSTIC REPORT. SOME EXAMPLES:
'/gumblar\.cn/i',
'/martuz\.cn/i',
'/beladen\.net/i',
'/gooqle/i', // NOTE THIS HAS A Q IN IT.

// THESE 2 ARE THE WORDPRESS CODE INJECTION IN FRONT OF EVERY INDEX.PHP AND SOME OTHERS
'/_analist/i',
'/anaiytics/i' // THE LAST ENTRY IN THE LIST MUST HAVE NO COMMA AFTER IT.
);

foreach($SuspiciousSnippets as $i)
{
// STRPOS/STRIPOS WERE A LITTLE FASTER BUT LESS FLEXIBLE
if(preg_match($i, $file))
echo CleanColorText($filename, 'blue') . ' MATCHES REGEX: ' . CleanColorText($i, 'red') . '<br>';
}

if(!strpos($filename,"network.php") && !strpos($filename,"rewrite.php") && stripos($file,"RewriteRule"))
echo CleanColorText($filename, 'blue') . " contains " . CleanColorText("RewriteRule", 'red') .
" - check it manually for malicious redirects.<br>";

/*
// THIS FINDS ALL JAVASCRIPT CODE. IF ENABLED, IT WILL GIVE *MANY* FALSE POSITIVES IN MOST WEBSITES.
if($p = stripos($file, "<script "))
echo CleanColorText($filename, 'blue') . ' contains SCRIPT:<br>' .
CleanColorText(substr($file, $p, 100), 'red') . '<br><br>';
*/
/*
// THIS FINDS ALL IFRAMES. IF ENABLED, IT CAN GIVE MANY FALSE POSITIVES IN SOME WEBSITES.
if($p = stripos($file, "<iframe "))
echo CleanColorText($filename, 'blue') . ' contains IFRAME:<br>' .
CleanColorText(substr($file, $p, 100), 'red') . '<br><br>';
*/

if(stripos($file, "AddHandler"))
{
// THIS IS HOW THEY MAKE THE IMAGE FILES EXECUTABLE.
echo CleanColorText($filename, 'blue') . " contains " . CleanColorText('AddHandler', 'red') .
" - make sure it does not make ordinary files like images executable.<br>";
// IF YOU FIND NINE ZILLION OF THESE, UNCOMMENT IT BECAUSE IT IS A PAIN TO DELETE THEM BY HAND.
// BUT CHECK THE LIST CAREFULLY FIRST TO MAKE SURE YOU REALLY WANT TO DELETE
// ALL THE FILES AND NONE OF THEM ARE FALSE POSITIVES.
//unlink($filename); // THIS DELETES THE FILE WITHOUT GIVING YOU THE OPTION OF EXAMINING IT!
}
}

// CALLBACK FUNCTION TO REPORT PHARMA LINK HACKS.
function pharma($filename)
{
echo CleanColorText($filename, 'blue') . " is most likely a " . CleanColorText('pharma hack', 'red') . ".<br>";
}

// CALLBACK FUNCTION TO REPORT FILES WHOSE NAMES ARE SUSPICIOUS.
function badnames($filename)
{
echo CleanColorText($filename, 'blue') . " is a " . CleanColorText('suspicious file name', 'red') . ".<br>";
}

// --------------------------------------------------------------------------------
// SET UP THE SEARCH CRITERIA.

// SEARCHES WILL BE DONE IN THIS DIRECTORY AND ALL DIRS INSIDE IT.
// './' MEANS CURRENT DIRECTORY, WHERE THIS SCRIPT IS NOW.
// THUS, TO SEARCH EVERYTHING INSIDE PUBLIC_HTML, THAT'S WHERE THIS FILE SHOULD BE PUT.
// TO SEARCH OUTSIDE PUBLIC_HTML, OR TO SEARCH A FOLDER OTHER THAN WHERE THIS SCRIPT IS STORED,
// CHANGE THIS TO THE FULL PATHNAME, SUCH AS /home/userid/ OR /home/userid/public_html/somefolder/
// USE FORWARD SLASHES FOR PATH. WINDOWS EXAMPLE: C:/wamp/apache2/htdocs/test/
$StartPath = './';

// ENTRIES IN THE FOLLOWING 3 ARRAYS ARE REGULAR EXPRESSIONS, WHICH IS THE REASON FOR THE /DELIMITERS/.
// FILES WHOSE NAMES MATCH THESE REGEXES WILL HAVE THEIR TEXT SEARCHED FOR MALICIOUS CODE.
$FiletypesToSearch = array
(
'/\.htaccess$/i',
'/\.php[45]?$/i',
'/\.html?$/i',
'/\.aspx?$/i',
'/\.inc$/i',
'/\.cfm$/i',
'/\.js$/i',
'/\.css$/i'
);

// FILES OR FOLDERS WITH THESE STRINGS IN THEIR *NAMES* WILL BE REPORTED AS SUSPICIOUS.
$SuspiciousFileAndPathNames = array
(
// '/root/i',
// '/kit/i',
'/c99/i',
'/r57/i',
'/gifimg/i'
);

// FILENAMES RELATED TO WORDPRESS PHARMA HACK, USING THE NAMING CONVENTIONS
// DESCRIBED AT http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php
// FILES MATCHING THESE NAMES WILL BE REPORTED AS POSSIBLE PHARMA HACK FILES.
$PharmaFilenames = array
(
'/^\..*(cache|bak|old)\.php/i', // HIDDEN FILES WITH PSEUDO-EXTENSIONS IN THE MIDDLE OF THE FILENAME
'/^db-.*\.php/i',

// PERMIT THE STANDARD WORDPRESS FILES THAT START WITH CLASS-, BUT FLAG ALL OTHERS AS SUSPICIOUS.
// THE (?!) IS CALLED A NEGATIVE LOOKAHEAD ASSERTION. IT MEANS "NOT FOLLOWED BY..."

'/^class-(?!snoopy|smtp|feed|pop3|IXR|phpmailer|json|simplepie|phpass|http|oembed|ftp-pure|wp-filesystem-ssh2|wp-filesystem-ftpsockets|ftp|wp-filesystem-ftpext|pclzip|wp-importer|wp-upgrader|wp-filesystem-base|ftp-sockets|wp-filesystem-direct)\.php/i'
);

// --------------------------------------------------------------------------------
// FINALLY, DO THE SEARCHES, USING THE ABOVE ARRAYS AS THE STRING DATA SOURCES.

// REPORT FILES WITH SUSPICIOUS NAMES
foreach($SuspiciousFileAndPathNames as $i)
find_files($StartPath, $i, 'badnames');

// REPORT FILES WITH SUSPICIOUS PHARMA-RELATED NAMES
foreach($PharmaFilenames as $i)
find_files($StartPath, $i, 'pharma');

// REPORT FILES CONTAINING SUSPICIOUS CODE OR TEXT
foreach($FiletypesToSearch as $i)
find_files($StartPath, $i, 'maliciouscodesnippets');

echo "<br>Done<br>";

?>

</p>
</body>
</html>
PETUNJUK :
1. Save as lookforbadguys.php
2. Upload pada public_html lalu jalankan pada browser, misal http://situskamu.com/lookforbadguys.php
3. Untuk melindungi file ini dijalankan oleh pengunjung lain, letakkan code berikut pada file .htaccess
 Files lookforbadguys.php>
order deny,allow
deny from all
#GANTI DENGAN IP ADDRESS ANDA
allow from 111.222.333.444
</Files>
Contoh dari hasil scanning pada file yang mengandung Backdoor PHP Shell Scripts :
 ./shell.php MATCHES REGEX: /r57/i
./shell.php MATCHES REGEX: /c99/i
./shell.php MATCHES REGEX: /passthru *\(/i
./shell.php MATCHES REGEX: /shell_exec *\(/i
./shell.php MATCHES REGEX: /system *\(/i
./shell.php MATCHES REGEX: /`.+`/
./shell.php MATCHES REGEX: /web[\s-]*shell/i


Artikel Terkait

Ditulis Oleh : Nyubi Crew

Artikel Backdoor Scanner lookforbadguys ini ditulis oleh Nyubi Crew pada hari Minggu, 25 Agustus 2013. Terimakasih atas kunjungan Anda pada blog ini. Kritik dan saran tentang Backdoor Scanner lookforbadguys dapat Anda sampaikan melalui kotak komentar diatas.
Home » » Backdoor Scanner lookforbadguys
 
Copyright © 2013 NyubiCrew Doc
Design by ...::[BABY CORP]::...