#!/usr/bin/python2.7
#coding:utf-8
#author:0xExploit
#email:0xExploit@gmail.com
#weibo:http://weibo.com/u/2829314982
import importlib
import os
import re
import sys
import time
#reload(sys)
#sys.setdefaultencoding('utf-8')
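plusarr = []  # plugin module names found under ./plus; filled by loadplus()
backdoor_count = 0  # number of files flagged so far; bumped by Scan / ScanFiletime
rule = r'(\.js)$'  # raw string (same pattern): paths matching it, i.e. JavaScript files, are skipped by Scan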
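def loadplus():
    """Import every plugin module found directly under the ``plus`` package.

    Each ``plus/<name>.py`` except ``__init__`` is imported as ``plus.<name>``
    and its name is appended to the module-level ``plusarr`` list, which
    ``Scan`` later uses to look the module up in ``sys.modules``.

    Only the top level of ``plus`` is considered: the original walked
    subdirectories too but imported every file with a flat ``plus.`` prefix,
    which raises ImportError for anything nested. Files are processed in
    sorted order so plugin order (and therefore which plugin reports a hit
    first) is reproducible, and a name already in ``plusarr`` is not
    imported or appended twice when this is called more than once.

    ``plus`` is resolved relative to the current working directory and its
    modules execute on import, so run the scanner from its own directory and
    keep that directory writable by the operator only.
    """
    for root, dirs, files in os.walk("plus"):
        for filespath in sorted(files):
            if not filespath.endswith('.py'):
                continue
            plusname = filespath[:-3]
            if plusname == '__init__' or plusname in plusarr:
                continue
            importlib.import_module('plus.' + plusname)
            plusarr.append(plusname)
        # top level only; os.walk simply yields nothing when ``plus`` is missing
        break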
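def _print_hit(filepath, result):
    """Print one flagged file in the original report layout.

    *result* is whatever a plugin's ``Check`` returned: ``result[1]`` is the
    description and ``result[0]`` the matches, each a sequence whose first
    element is the offending text (trimmed to 200 characters here, as the
    original did). Pieces are joined with single spaces to reproduce the
    spacing the original Python 2 ``print x,`` statements produced.
    """
    # NOTE(review): assumes the plugin returns text pieces (byte strings under
    # Python 2, as the original printed them) — confirm against the plugins.
    mtime = time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(os.path.getmtime(filepath)))
    print(' '.join(['文件: ', filepath]))
    print(' '.join(['后门描述: ', result[1]]))
    snippets = [code[0][0:200] for code in result[0]]
    print(' '.join(['后门代码: '] + snippets + ['最后修改时间: ' + mtime + '\n\n']))


def Scan(path, max_size=500000):
    """Walk *path* and print every file that a plugin flags as a backdoor.

    Args:
        path: directory to scan recursively.
        max_size: files of this many bytes or more are not inspected
            (default 500000, the limit the original hard-coded). A size cap
            means large files are never checked at all; raise it if that
            matters for the deployment being scanned.

    Plugins are (re)loaded via ``loadplus`` on every call. Paths matching
    ``rule`` (JavaScript files) are skipped, as are files that cannot be
    stat'ed or read, so a dangling symlink or an unreadable file no longer
    aborts the whole scan. Each file is read once (the original re-read it
    for every plugin) and handed to every plugin in turn; the first plugin
    returning a non-None result is reported and ``backdoor_count`` is
    incremented once for that file.
    """
    global backdoor_count
    loadplus()
    skip_re = re.compile(rule)  # compiled once, not once per file per plugin
    for root, dirs, files in os.walk(path):
        for filename in files:
            filepath = os.path.join(root, filename)
            if skip_re.findall(filepath):
                continue
            try:
                if os.path.getsize(filepath) >= max_size:
                    continue
                with open(filepath, "rb") as fh:
                    filestr = fh.read()
            except (IOError, OSError):
                # dangling symlink, permission denied, or file removed mid-walk
                continue
            for plus in plusarr:
                result = sys.modules['plus.' + plus].Check(filestr, filepath)
                if result is None:
                    continue
                _print_hit(filepath, result)
                backdoor_count += 1
                break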
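def ScanFiletime(path, times, suffixes=('.php', '.jsp')):
    """List every script file under *path* modified after *times*.

    Args:
        path: directory to walk recursively.
        times: cutoff as a local-time string in ``'%Y-%m-%d %H:%M:%S'``
            format; any other format raises ValueError from ``strptime``.
        suffixes: case-insensitive file extensions to consider. Defaults to
            the ``.php``/``.jsp`` pair the original matched; pass a wider
            tuple if other server-side extensions are deployed.

    Prints a header and then one ``<path> <mtime>`` line per match, and
    increments the module-level ``backdoor_count`` for each. Files that
    cannot be stat'ed (e.g. dangling symlinks) are skipped instead of
    aborting the walk.
    """
    global backdoor_count
    cutoff = time.mktime(time.strptime(times, '%Y-%m-%d %H:%M:%S'))
    print('########################################')
    print('文件路径 最后修改时间 \n')
    for root, dirs, files in os.walk(path):
        for curfile in files:
            # endswith on the lower-cased name is the original
            # ``curfile[-4:].lower() in ('.php', '.jsp')`` test, generalized
            if not curfile.lower().endswith(suffixes):
                continue
            filepath = os.path.join(root, curfile)
            try:
                mtime = os.path.getmtime(filepath)
            except OSError:
                continue
            if mtime > cutoff:
                backdoor_count += 1
                print(filepath + ' ' + time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(mtime)))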
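if __name__ == "__main__":
    # Banner, credits and command-line dispatch. User-facing strings are kept
    # exactly as the original (Chinese, UTF-8); only the control flow changed:
    # usage and argument errors now exit non-zero so a calling script can
    # notice, the target must be a directory (os.walk on a plain file silently
    # scans nothing), and a malformed timestamp prints the usage instead of a
    # traceback.
    print("""
######## #
################# #
###################### #
######################### #
############################
##############################
###############################
###############################
##############################
# ######## #
## ### #### ##
### ###
#### ###
#### ########## ####
####################### ####
#################### ####
################## ####
############ ##
######## ###
######### #####
############ ######
######## #########
##### ########
### #########
###### ############
#######################
# # ### # # ##
########################
## ## ## ##
author:0xExploit
email:0xExploit@gmail.com
weibo:http://weibo.com/u/2829314982
本程序根据seay的findshell改编,添加了一些
php扫描模块和JSP扫描模块,感谢seay
""")
    if len(sys.argv) not in (2, 3):
        print('【参数错误】')
        print('\t按恶意代码查杀: ' + sys.argv[0] + ' 目录名')
        print('\t按修改时间查杀: ' + sys.argv[0] + ' 目录名 最后修改时间(格式:"2013-09-09 12:00:00")')
        sys.exit(2)
    target = sys.argv[1]
    if not os.path.isdir(target):
        print('【错误提示】:指定的扫描目录不存在--- ')
        sys.exit(1)
    if len(sys.argv) == 2:
        print('\n\n【开始查杀】')
        print(target + '\n')
        Scan(target)
        print('【查杀完成】')
        print('\t可疑后门总数: ' + str(backdoor_count))
    else:
        print('\n\n【开始查找】')
        print(target + '\n')
        try:
            ScanFiletime(target, sys.argv[2])
        except ValueError:
            # strptime rejected the cutoff; show the expected format and fail
            print('【参数错误】')
            print('\t按修改时间查杀: ' + sys.argv[0] + ' 目录名 最后修改时间(格式:"2013-09-09 12:00:00")')
            sys.exit(2)
        print('\n【查找完成】')
        print('\t文件总数: ' + str(backdoor_count))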