Adding old content "malcode-finder.py, Searches for Files Contains Dangerous Command"

content/blog/malcode-finder-py-searches-for-files-contains-dangerous-command/index.id.md

@@ -0,0 +1,222 @@
+---
+title: "Malcode Finder, Searches for Files Contains Dangerous Command"
+description: Fungsinya untuk mencari command berbahaya yang mungkin bisa dimanfaatkan oleh attacker untuk mendapatkan akses lebih dalam sebuah sistem.
+date: 2011-10-16T23:21:18+07:00
+lastmod:
+draft: false
+noindex: false
+featured: false
+pinned: false
+# comments: false
+series:
+#  - 
+categories:
+  - Programming
+  - Security
+tags:
+  - Python
+images:
+#  - 
+# menu:
+#   main:
+#     weight: 100
+#     params:
+#       icon:
+#         vendor: bs
+#         name: book
+#         color: '#e24d0e'
+authors:
+  - ditatompel
+---
+
+Berikut ini adalah **tool pertama saya yang ditulis menggunakan bahasa Python**. Fungsinya untuk mencari "command2" berbahaya yang mungkin bisa dimanfaatkan oleh attacker untuk mendapatkan "akses lebih" dalam sebuah sistem. Inspirasi dan beberapa line dari tools buatan **d3hydr8 darkc0de**.
+
+<!--more-->
+
+Sekalian kado ultah buat [Ketek](https://github.com/b374k/b374k) tanda terima kasih saya secara pribadi atas dedikasinya buat Indonesia.
+
+Nah langsung aja nih codenya :
+
+```python
+#!/usr/bin/python
+""" ScriptFinder 1.1 < ditatompel [at] gmail [dot] com >
+Searches for file contains dangerous command
+
+Inspired from tools created by d3hydr8[at]gmail[dot]com
+greetz to d3hydr8, 5ynL0rd all members of devilzc0de.org,
+ex darkc0de.com, all Indonesian c0ders, and all GNU Generation ;-)
+
+PS : Happy Birthday ketek, Revres Tanur or whatever nickname gonna be :p
+PF : ?? Oct ???? - ?? Oct 2011 """
+
+
+import sys, re
+
+def halo():
+    print "\n" + "-+-"*30 + "\n\tScriptFinder 1.1 < ditatompel [at] gmail [dot] com >"
+    print "\tSearches for file contains dangerous command"
+    print "\tGreetz to all members of devilzc0de.org, ex darkc0de.com, all Indonesian c0ders,"
+    print "\tand all GNU Generation ;-)\n" + "-+-"*30+"\n"
+
+def usage():
+    print "\tUsage: python " + sys.argv[0] + " <dir>"
+    print "\tExample: python " + sys.argv[0] + " /home/ditatompel/public_html\n"
+    sys.exit(1)
+
+#Original from d3hydr8[at]gmail[dot]com
+def Walk( root, recurse=0, pattern='*', return_folders=0 ):
+    import fnmatch, os, string
+
+    result = []
+
+    try:
+        names = os.listdir(root)
+    except os.error:
+        return result
+
+    pattern = pattern or '*'
+    pat_list = string.splitfields( pattern , ';' )
+
+    for name in names:
+        fullname = os.path.normpath(os.path.join(root, name))
+
+        for pat in pat_list:
+            if fnmatch.fnmatch(name, pat):
+                if os.path.isfile(fullname) or (return_folders and os.path.isdir(fullname)):
+                    result.append(fullname)
+                continue
+        if recurse:
+            if os.path.isdir(fullname) and not os.path.islink(fullname):
+                result = result + Walk( fullname, recurse, pattern, return_folders )
+        
+    return result
+
+def search(files, auto=0):
+    
+    if auto:
+        searchstring = danger
+    else:
+        searchstring = specificstring
+    
+    print "\n[+] Searching:", len(files), "files"
+    print "\n" + "-+-"*20 + "\n[+] files containing '" + searchstring + "' under " + sys.argv[1] + "\n"+"-+-"*20+"\n"
+    love.write("\n"+"-+-"*20)
+    love.write("\n[+] files containing '%s' under '%s' \n" % (searchstring, sys.argv[1]) )
+    love.write("-+-"*20+"\n")
+    
+    for file in files:
+        num = 0
+        
+        try:
+            text = open(file, "r").readlines()
+            
+            for line in text:
+                num +=1
+                if re.search(searchstring.lower(), line.lower()):
+                    print "[!] File:",file,"on Line:",num,"\n[!] Code:",line
+                    love.write("""[!] File: %s on Line %s \n[!] Code: %s \n""" % (file, num, line.replace("\t","")) )
+        
+        except(IOError):
+            pass
+    
+    print "[+] Done\n"
+
+halo()
+
+actions = [
+    "base64_decode", # many php shell use this but may generate false positive result, remove this if necessary. Especially when using recursive scan.
+    "exec",
+    "eval", # may generate false positive result, remove this if necessary. Especially when using recursive scan.
+    "escapeshellarg",
+    "escapeshellcmd",
+    "fpaththru",
+    "getmy", # getmypid, getmygid, getmyuid, etc
+    "gzinflate",
+    "gzuncompress",
+    "ini_alter",
+    "leak",
+    "mDbl8VndvJj2", # encoded devshell.asp 
+    "php_uname",
+    "posix_", # any posix_* function
+    "proc_", # any proc_* function
+    "popen",
+    "passthru",
+    "pcntl_exec",
+    "socket_accept",
+    "socket_bind",
+    "socket_clear_error",
+    "socket_close",
+    "socket_connect",
+    "set_time_limit",
+    "shell_exec",
+    "system", # may generate false positive result, remove this if necessary. Especially when using recursive scan.
+    "show_source",
+    "xrunexploit" # source function on devshell.*
+    ]
+
+minus_r = 1
+
+if len(sys.argv) < 2:
+    usage()
+
+recdir = raw_input("Recursive ? ( Y/n ): ")
+mode = raw_input("Full scan Mode (Y/n): ")
+
+if mode.lower() != "y":
+    specificstring = raw_input("String to search: ")
+
+ext = raw_input("Specific File extension to scan ( <return> to scan all extension ) : ")
+filelog = raw_input("logfile ( default sf.log ): ")
+
+if filelog == "":
+    filelog = "sf.log"
+
+if recdir.lower() != "y":
+    minus_r = 0
+
+love = open(filelog, "w")
+love.write("-+-"*30 + "\n\tScriptFinder 1.1 < ditatompel [at] gmail [dot] com >\n")
+love.write("\tGreetz for all members of devilzc0de.org, ex darkc0de.com, all Indonesian c0ders,\n\tand all GNU Generation ;-)\n"+"-+-"*30+"\n")
+
+if mode.lower() == "y":
+    print "\n[+] FULL SCAN MODE ENABLED...\n[+]", len(actions),"dangerous commands loaded\n[+] Target Dir:",sys.argv[1]
+    print "[+] Logfile will be saved to: " + filelog
+    love.write("""
+    [+] FULL SCAN MODE ENABLED...
+    [+] %s danger commands loaded
+    [+] Target Dir: %s\n""" % (len(actions), sys.argv[1]) )
+    for danger in actions :
+        if ext == "":
+            files = Walk(sys.argv[1], minus_r, '*', 1)
+        else:
+            files = Walk(sys.argv[1], minus_r, '*.'+ext+';')
+        search(files, 1)
+    print "[+] Logfile saved to " + filelog
+
+else:
+    print "\n[+] Target Dir: " + sys.argv[1] + "\n[+] String to search: " + specificstring
+    print "[+] Logfile will be saved to: " + filelog
+    love.write("""
+    [+] Target Dir: %s
+    [+] String to search %s\n""" % (sys.argv[1], specificstring ) )
+    if ext == "":
+        files = Walk(sys.argv[1], minus_r, '*', 1)
+    else:
+        files = Walk(sys.argv[1], minus_r, '*.'+ext+';')
+    search(files)
+    print "[+] Logfile saved to " + filelog
+```
+
+[https://github.com/ditatompel/Malcode-Finder](https://github.com/ditatompel/Malcode-Finder)
+
+Cara penggunaannya:
+```bash
+python sf-1.1.py /path/to/dir
+```
+
+Lalu nanti ada interaktif tanya jawab:
+
+* **Recursive**: untuk *scan* semua *sub-directory* dari direktori yang sudah ditentukan sebelumnya.
+* **Full scan Mode**: untuk *scan* semua *command* yang dianggap bahaya. Klo dijawab "`Y`", *command2* diambil dari *actions array*. Klo *full scan modenya* dijawab "`n`", nanti om bakalan ditanya buat tentuin *"command"* apa yang mau di *scan*.
+* **Specific File extension to scan**: tipe file yang ingin di *scan*. Misal `php` / `pl`, dll. Kalau kosong brati semua file ikut di *scan*, termasuk `jpg`, `gif`, dll.
+* **logfile**: tempat nyimpen hasil *scan*. Klo kosong nama filenya jadi `sf.log`.