python脚本查找webshell

发布时间:2013-12-09 23:23:21
来源:东方联盟
前阵子在一朋友blog看到一个python查找webshell脚本的代码，自己拿过来改了下，新增白名单功能，以及发现恶意代码时发送邮件报警的功能，现发出来供大家参考，如有需要的可以在自己的服务器上跑下试试。
 


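#!/usr/bin/env python
# -*- coding: utf-8 -*-
# =============================================================================
#     FileName:
#         Desc: Walk a web root, flag .php files that match known webshell
#               signatures, print each hit and raise an e-mail alert.
#       Author: 苦咖啡
#        Email: voilet@qq.com
#     HomePage: http://blog.kukafei520.net
#      Version: 0.0.1
#      History:
# =============================================================================
# NOTE(review): the page this listing was recovered from rendered every
# backslash as a forward slash ("/r/n", "/$_GET/[" ...).  The escape
# sequences and regexes below are restored to the evident backslash form.
# The original was written for Python 2; this version targets Python 3.
import os
import re
import smtplib
import sys
from email.mime.text import MIMEText

# --- mail settings -----------------------------------------------------------
# NOTE(review): this value looks like an SMTP host name rather than a sender
# address; confirm what the relay accepts in MAIL FROM before relying on it.
fromaddr = "smtp.qq.com"
toaddrs = ["voilet@qq.com"]
# Credentials may be supplied through the environment so they need not be
# stored in the script; the literal values are only the fallback.
# (The variable names are this script's own choice.)
username = os.environ.get("WEBSHELL_SCAN_SMTP_USER", "voilet")
password = os.environ.get("WEBSHELL_SCAN_SMTP_PASS", "xxxxxx")

# Relay used by sendmail(); the original connected to this host on port 25.
smtp_host = "mail.funshion.com"
smtp_port = 25
smtp_timeout = 30  # seconds; keeps a dead relay from hanging the scan

# --- whitelist ---------------------------------------------------------------
# Base names (not paths) that are never reported, whatever they contain.
pass_file = ["api_ucenter.php"]


def sendmail(toaddrs, sub, content):
    """Send a plain-text alert mail.

    Args:
        toaddrs: list of recipient addresses.
        sub: subject line.
        content: message body.

    Raises:
        smtplib.SMTPException or OSError on connection, login or delivery
        failure; callers that must keep running should catch these.
    """
    # Build the message with the email package instead of string
    # concatenation: the (Chinese) subject is encoded correctly, and a CR/LF
    # inside `sub` or `content` cannot inject additional headers.
    msg = MIMEText(content, "plain", "utf-8")
    msg["From"] = fromaddr
    msg["To"] = ", ".join(toaddrs)
    msg["Subject"] = sub
    # The context manager issues QUIT on exit, as the original did by hand.
    with smtplib.SMTP(smtp_host, smtp_port, timeout=smtp_timeout) as server:
        server.ehlo()
        # Port 25 is plain text; upgrade to TLS when the relay offers it so the
        # login is not sent in the clear.  This is opportunistic: a relay that
        # does not advertise STARTTLS still gets a plain-text login.
        if server.has_extn("starttls"):
            server.starttls()
            server.ehlo()
        server.login(username, password)
        server.sendmail(fromaddr, toaddrs, msg.as_string())


# --- signatures --------------------------------------------------------------
# Regexes applied to each file's text.  Any match marks the file as suspicious.
# re.findall() returns the captured group (or the whole match when a rule has
# no group), and that fragment is what gets printed and mailed.
rulelist = [
    r'(\$_(GET|POST|REQUEST)\[.{0,15}\]\(\$_(GET|POST|REQUEST)\[.{0,15}\]\))',
    r'(base64_decode\([\'"][\w\+\=]{200,}[\'"]\))',
    r'eval\(base64_decode\(',
    r'(eval\(\$_(POST|GET|REQUEST)\[.{0,15}\]\))',
    r'(assert\(\$_(POST|GET|REQUEST)\[.{0,15}\]\))',
    r'(\$[\w_]{0,15}\(\$_(POST|GET|REQUEST)\[.{0,15}\]\))',
    r'(wscript\.shell)',
    r'(gethostbyname\()',
    r'(cmd\.exe)',
    r'(shell\.application)',
    r'(documents\s+and\s+settings)',
    r'(system32)',
    r'(serv-u)',
    r'(提权)',
    r'(phpspy)',
    r'(后门)',
    r'(webshell)',
    r'(Program\s+Files)',
    r'www.phpdp.com',
    r'phpdp',
    r'PHP神盾',
    r'decryption',
    r'Ca3tie1',
    r'GIF89a',
    r'IKFBILUvM0VCJD//APDolOjtW0tgeKAwA',
    r"'e'.'v'.'a'.'l'",
]


def Scan(path, notify=None):
    """Walk `path` and report every non-whitelisted .php file matching a rule.

    Args:
        path: directory to walk recursively.
        notify: callable with the signature of sendmail(toaddrs, sub, content)
            used to raise the alert; defaults to sendmail.  Lets the scan run
            (and be tested) without an SMTP relay.

    Returns:
        list of (file path, first matched fragment) tuples, one per reported
        file, in walk order.  The original only printed and mailed; the
        return value is an addition.
    """
    if notify is None:
        notify = sendmail
    # Compile once per scan instead of once per file per rule.
    compiled = [re.compile(rule) for rule in rulelist]
    hits = []
    for root, _dirs, files in os.walk(path):
        for filespath in files:
            # Same test as the original "extension after the last dot == php",
            # with the whitelist applied to the base name only.
            if not filespath.endswith('.php') or filespath in pass_file:
                continue
            fullpath = os.path.join(root, filespath)
            try:
                # One unreadable or non-UTF-8 file must not abort the scan;
                # undecodable bytes are replaced rather than raised.
                with open(fullpath, encoding='utf-8', errors='replace') as fh:
                    filestr = fh.read()
            except OSError as exc:
                print('无法读取:' + fullpath + ' (' + str(exc) + ')')
                continue
            for pattern in compiled:
                result = pattern.findall(filestr)
                if not result:
                    continue
                fragment = str(result[0])
                print('文件:' + fullpath)
                print('恶意代码:' + fragment)
                print('\n\n')
                hits.append((fullpath, fragment))
                try:
                    notify(toaddrs, "增值发现恶意代码",
                           '文件:' + fullpath + "\n" + '恶意代码:' + fragment)
                except (smtplib.SMTPException, OSError) as exc:
                    # A mail failure is reported but does not stop the scan;
                    # the hit is already printed and recorded above.
                    print('邮件发送失败:' + str(exc))
                # The first matching rule is enough; move on to the next file.
                break
    return hits


def main(argv=None):
    """Scan the web root given as argv[1] (default /home/web_root/) and print progress."""
    args = sys.argv[1:] if argv is None else argv
    path = args[0] if args else "/home/web_root/"
    if os.path.lexists(path):
        print('\n\n开始扫描:' + path)
        print('               可疑文件                 ')
        print('########################################')
        Scan(path)
        print('提示:扫描完成--~')
    else:
        print('提示:指定的扫描目录不存在--- ')


if __name__ == "__main__":
    main()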

 
