diff --git a/content/blog/malcode-finder-py-searches-for-files-contains-dangerous-command/feature-sf.png b/content/blog/malcode-finder-py-searches-for-files-contains-dangerous-command/feature-sf.png
new file mode 100644
index 0000000..1000788
Binary files /dev/null and b/content/blog/malcode-finder-py-searches-for-files-contains-dangerous-command/feature-sf.png differ
diff --git a/content/blog/malcode-finder-py-searches-for-files-contains-dangerous-command/index.id.md b/content/blog/malcode-finder-py-searches-for-files-contains-dangerous-command/index.id.md
new file mode 100644
index 0000000..7c0f68c
--- /dev/null
+++ b/content/blog/malcode-finder-py-searches-for-files-contains-dangerous-command/index.id.md
@@ -0,0 +1,222 @@
+---
+title: "Malcode Finder, Searches for Files Contains Dangerous Command"
+description: Fungsinya untuk mencari command berbahaya yang mungkin bisa dimanfaatkan oleh attacker untuk mendapatkan akses lebih dalam sebuah sistem.
+date: 2011-10-16T23:21:18+07:00
+lastmod:
+draft: false
+noindex: false
+featured: false
+pinned: false
+# comments: false
+series:
+# -
+categories:
+ - Programming
+ - Security
+tags:
+ - Python
+images:
+# -
+# menu:
+# main:
+# weight: 100
+# params:
+# icon:
+# vendor: bs
+# name: book
+# color: '#e24d0e'
+authors:
+ - ditatompel
+---
+
+Berikut ini adalah **tool pertama saya yang ditulis menggunakan bahasa Python**. Fungsinya untuk mencari "command2" berbahaya yang mungkin bisa dimanfaatkan oleh attacker untuk mendapatkan "akses lebih" dalam sebuah sistem. Inspirasi dan beberapa line dari tools buatan **d3hydr8 darkc0de**.
+
+
+
+Sekalian kado ultah buat [Ketek](https://github.com/b374k/b374k) tanda terima kasih saya secara pribadi atas dedikasinya buat Indonesia.
+
+Nah langsung aja nih codenya :
+
+```python
+#!/usr/bin/python
+""" ScriptFinder 1.1 < ditatompel [at] gmail [dot] com >
+Searches for file contains dangerous command
+
+Inspired from tools created by d3hydr8[at]gmail[dot]com
+greetz to d3hydr8, 5ynL0rd all members of devilzc0de.org,
+ex darkc0de.com, all Indonesian c0ders, and all GNU Generation ;-)
+
+PS : Happy Birthday ketek, Revres Tanur or whatever nickname gonna be :p
+PF : ?? Oct ???? - ??
Oct 2011 """ + + +import sys, re + +def halo(): + print "\n" + "-+-"*30 + "\n\tScriptFinder 1.1 < ditatompel [at] gmail [dot] com >" + print "\tSearches for file contains dangerous command" + print "\tGreetz to all members of devilzc0de.org, ex darkc0de.com, all Indonesian c0ders," + print "\tand all GNU Generation ;-)\n" + "-+-"*30+"\n" + +def usage(): + print "\tUsage: python " + sys.argv[0] + " " + print "\tExample: python " + sys.argv[0] + " /home/ditatompel/public_html\n" + sys.exit(1) + +#Original from d3hydr8[at]gmail[dot]com +def Walk( root, recurse=0, pattern='*', return_folders=0 ): + import fnmatch, os, string + + result = [] + + try: + names = os.listdir(root) + except os.error: + return result + + pattern = pattern or '*' + pat_list = string.splitfields( pattern , ';' ) + + for name in names: + fullname = os.path.normpath(os.path.join(root, name)) + + for pat in pat_list: + if fnmatch.fnmatch(name, pat): + if os.path.isfile(fullname) or (return_folders and os.path.isdir(fullname)): + result.append(fullname) + continue + if recurse: + if os.path.isdir(fullname) and not os.path.islink(fullname): + result = result + Walk( fullname, recurse, pattern, return_folders ) + + return result + +def search(files, auto=0): + + if auto: + searchstring = danger + else: + searchstring = specificstring + + print "\n[+] Searching:", len(files), "files" + print "\n" + "-+-"*20 + "\n[+] files containing '" + searchstring + "' under " + sys.argv[1] + "\n"+"-+-"*20+"\n" + love.write("\n"+"-+-"*20) + love.write("\n[+] files containing '%s' under '%s' \n" % (searchstring, sys.argv[1]) ) + love.write("-+-"*20+"\n") + + for file in files: + num = 0 + + try: + text = open(file, "r").readlines() + + for line in text: + num +=1 + if re.search(searchstring.lower(), line.lower()): + print "[!] File:",file,"on Line:",num,"\n[!] Code:",line + love.write("""[!] File: %s on Line %s \n[!] 
Code: %s \n""" % (file, num, line.replace("\t","")) ) + + except(IOError): + pass + + print "[+] Done\n" + +halo() + +actions = [ + "base64_decode", # many php shell use this but may generate false positive result, remove this if necessary. Especially when using recursive scan. + "exec", + "eval", # may generate false positive result, remove this if necessary. Especially when using recursive scan. + "escapeshellarg", + "escapeshellcmd", + "fpaththru", + "getmy", # getmypid, getmygid, getmyuid, etc + "gzinflate", + "gzuncompress", + "ini_alter", + "leak", + "mDbl8VndvJj2", # encoded devshell.asp + "php_uname", + "posix_", # any posix_* function + "proc_", # any proc_* function + "popen", + "passthru", + "pcntl_exec", + "socket_accept", + "socket_bind", + "socket_clear_error", + "socket_close", + "socket_connect", + "set_time_limit", + "shell_exec", + "system", # may generate false positive result, remove this if necessary. Especially when using recursive scan. + "show_source", + "xrunexploit" # source function on devshell.* + ] + +minus_r = 1 + +if len(sys.argv) < 2: + usage() + +recdir = raw_input("Recursive ? ( Y/n ): ") +mode = raw_input("Full scan Mode (Y/n): ") + +if mode.lower() != "y": + specificstring = raw_input("String to search: ") + +ext = raw_input("Specific File extension to scan ( to scan all extension ) : ") +filelog = raw_input("logfile ( default sf.log ): ") + +if filelog == "": + filelog = "sf.log" + +if recdir.lower() != "y": + minus_r = 0 + +love = open(filelog, "w") +love.write("-+-"*30 + "\n\tScriptFinder 1.1 < ditatompel [at] gmail [dot] com >\n") +love.write("\tGreetz for all members of devilzc0de.org, ex darkc0de.com, all Indonesian c0ders,\n\tand all GNU Generation ;-)\n"+"-+-"*30+"\n") + +if mode.lower() == "y": + print "\n[+] FULL SCAN MODE ENABLED...\n[+]", len(actions),"dangerous commands loaded\n[+] Target Dir:",sys.argv[1] + print "[+] Logfile will be saved to: " + filelog + love.write(""" + [+] FULL SCAN MODE ENABLED... 
+ [+] %s danger commands loaded + [+] Target Dir: %s\n""" % (len(actions), sys.argv[1]) ) + for danger in actions : + if ext == "": + files = Walk(sys.argv[1], minus_r, '*', 1) + else: + files = Walk(sys.argv[1], minus_r, '*.'+ext+';') + search(files, 1) + print "[+] Logfile saved to " + filelog + +else: + print "\n[+] Target Dir: " + sys.argv[1] + "\n[+] String to search: " + specificstring + print "[+] Logfile will be saved to: " + filelog + love.write(""" + [+] Target Dir: %s + [+] String to search %s\n""" % (sys.argv[1], specificstring ) ) + if ext == "": + files = Walk(sys.argv[1], minus_r, '*', 1) + else: + files = Walk(sys.argv[1], minus_r, '*.'+ext+';') + search(files) + print "[+] Logfile saved to " + filelog +``` + +[https://github.com/ditatompel/Malcode-Finder](https://github.com/ditatompel/Malcode-Finder) + +Cara penggunaannya: +```bash +python sf-1.1.py /path/to/dir +``` + +Lalu nanti ada interaktif tanya jawab: + +* **Recursive**: untuk *scan* semua *sub-directory* dari direktori yang sudah ditentukan sebelumnya. +* **Full scan Mode**: untuk *scan* semua *command* yang dianggap bahaya. Klo dijawab "`Y`", *command2* diambil dari *actions array*. Klo *full scan modenya* dijawab "`n`", nanti om bakalan ditanya buat tentuin *"command"* apa yang mau di *scan*. +* **Specific File extension to scan**: tipe file yang ingin di *scan*. Misal `php` / `pl`, dll. Kalau kosong brati semua file ikut di *scan*, termasuk `jpg`, `gif`, dll. +* **logfile**: tempat nyimpen hasil *scan*. Klo kosong nama filenya jadi `sf.log`. 
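Review bot: In the listing's `search()` the user-supplied `specificstring` goes straight into `re.search(searchstring.lower(), line.lower())`, so a term containing `(` or `[` raises `re.error` and aborts the whole scan, and `.` or `*` in it silently widens the match; `re.escape(searchstring.lower())` (or a plain `in` substring test, since the action list holds literal names) fixes both. The same loop does `open(file, "r").readlines()` without closing the handle and the `except(IOError): pass` hides every unreadable file, so the log gives no hint that parts of the tree were skipped — writing the skipped path to `love` instead of passing would keep the report honest. The matched `line` from a suspected shell file is echoed verbatim to the terminal and the log; printing `repr(line)` would keep control and escape sequences in scanned content from reaching the terminal. The listing is also Python 2 only (`print` statements, `raw_input`), which the post could state next to the usage example.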
diff --git a/resources/_gen/images/blog/malcode-finder-py-searches-for-files-contains-dangerous-command/feature-sf_hu488064a503f8795ebff70cf2a1ace5c5_297241_0x360_resize_box_3.png b/resources/_gen/images/blog/malcode-finder-py-searches-for-files-contains-dangerous-command/feature-sf_hu488064a503f8795ebff70cf2a1ace5c5_297241_0x360_resize_box_3.png
new file mode 100644
index 0000000..e2b485f
Binary files /dev/null and b/resources/_gen/images/blog/malcode-finder-py-searches-for-files-contains-dangerous-command/feature-sf_hu488064a503f8795ebff70cf2a1ace5c5_297241_0x360_resize_box_3.png differ
diff --git a/resources/_gen/images/blog/malcode-finder-py-searches-for-files-contains-dangerous-command/feature-sf_hu488064a503f8795ebff70cf2a1ace5c5_297241_0x640_resize_box_3.png b/resources/_gen/images/blog/malcode-finder-py-searches-for-files-contains-dangerous-command/feature-sf_hu488064a503f8795ebff70cf2a1ace5c5_297241_0x640_resize_box_3.png
new file mode 100644
index 0000000..c1eb577
Binary files /dev/null and b/resources/_gen/images/blog/malcode-finder-py-searches-for-files-contains-dangerous-command/feature-sf_hu488064a503f8795ebff70cf2a1ace5c5_297241_0x640_resize_box_3.png differ
diff --git a/resources/_gen/images/blog/malcode-finder-py-searches-for-files-contains-dangerous-command/feature-sf_hu488064a503f8795ebff70cf2a1ace5c5_297241_5524f8c7782d8370faec88932c87dc88.webp b/resources/_gen/images/blog/malcode-finder-py-searches-for-files-contains-dangerous-command/feature-sf_hu488064a503f8795ebff70cf2a1ace5c5_297241_5524f8c7782d8370faec88932c87dc88.webp
new file mode 100644
index 0000000..224411f
Binary files /dev/null and b/resources/_gen/images/blog/malcode-finder-py-searches-for-files-contains-dangerous-command/feature-sf_hu488064a503f8795ebff70cf2a1ace5c5_297241_5524f8c7782d8370faec88932c87dc88.webp differ
diff --git a/resources/_gen/images/blog/malcode-finder-py-searches-for-files-contains-dangerous-command/feature-sf_hu488064a503f8795ebff70cf2a1ace5c5_297241_dcb609ac50bb115702fd8d9bbaae8eed.webp b/resources/_gen/images/blog/malcode-finder-py-searches-for-files-contains-dangerous-command/feature-sf_hu488064a503f8795ebff70cf2a1ace5c5_297241_dcb609ac50bb115702fd8d9bbaae8eed.webp
new file mode 100644
index 0000000..6174e8a
Binary files /dev/null and b/resources/_gen/images/blog/malcode-finder-py-searches-for-files-contains-dangerous-command/feature-sf_hu488064a503f8795ebff70cf2a1ace5c5_297241_dcb609ac50bb115702fd8d9bbaae8eed.webp differ