--- title: "Malcode Finder, Searches for Files Contains Dangerous Command" description: Fungsinya untuk mencari command berbahaya yang mungkin bisa dimanfaatkan oleh attacker untuk mendapatkan akses lebih dalam sebuah sistem. date: 2011-10-16T23:21:18+07:00 lastmod: draft: false noindex: false featured: false pinned: false # comments: false series: # - categories: - Programming - Security tags: - Python images: # - # menu: # main: # weight: 100 # params: # icon: # vendor: bs # name: book # color: '#e24d0e' authors: - ditatompel --- Berikut ini adalah **tool pertama saya yang ditulis menggunakan bahasa Python**. Fungsinya untuk mencari "command2" berbahaya yang mungkin bisa dimanfaatkan oleh attacker untuk mendapatkan "akses lebih" dalam sebuah sistem. Inspirasi dan beberapa line dari tools buatan **d3hydr8 darkc0de**. Sekalian kado ultah buat [Ketek](https://github.com/b374k/b374k) tanda terima kasih saya secara pribadi atas dedikasinya buat Indonesia. Nah langsung aja nih codenya : ```python #!/usr/bin/python """ ScriptFinder 1.1 < ditatompel [at] gmail [dot] com > Searches for file contains dangerous command Inspired from tools created by d3hydr8[at]gmail[dot]com greetz to d3hydr8, 5ynL0rd all members of devilzc0de.org, ex darkc0de.com, all Indonesian c0ders, and all GNU Generation ;-) PS : Happy Birthday ketek, Revres Tanur or whatever nickname gonna be :p PF : ?? Oct ???? - ?? Oct 2011 """ import sys, re def halo(): print "\n" + "-+-"*30 + "\n\tScriptFinder 1.1 < ditatompel [at] gmail [dot] com >" print "\tSearches for file contains dangerous command" print "\tGreetz to all members of devilzc0de.org, ex darkc0de.com, all Indonesian c0ders," print "\tand all GNU Generation ;-)\n" + "-+-"*30+"\n" def usage(): print "\tUsage: python " + sys.argv[0] + " " print "\tExample: python " + sys.argv[0] + " /home/ditatompel/public_html\n" sys.exit(1) #Original from d3hydr8[at]gmail[dot]com def Walk( root, recurse=0, pattern='*', return_folders=0 ): import fnmatch, os, string result = [] try: names = os.listdir(root) except os.error: return result pattern = pattern or '*' pat_list = string.splitfields( pattern , ';' ) for name in names: fullname = os.path.normpath(os.path.join(root, name)) for pat in pat_list: if fnmatch.fnmatch(name, pat): if os.path.isfile(fullname) or (return_folders and os.path.isdir(fullname)): result.append(fullname) continue if recurse: if os.path.isdir(fullname) and not os.path.islink(fullname): result = result + Walk( fullname, recurse, pattern, return_folders ) return result def search(files, auto=0): if auto: searchstring = danger else: searchstring = specificstring print "\n[+] Searching:", len(files), "files" print "\n" + "-+-"*20 + "\n[+] files containing '" + searchstring + "' under " + sys.argv[1] + "\n"+"-+-"*20+"\n" love.write("\n"+"-+-"*20) love.write("\n[+] files containing '%s' under '%s' \n" % (searchstring, sys.argv[1]) ) love.write("-+-"*20+"\n") for file in files: num = 0 try: text = open(file, "r").readlines() for line in text: num +=1 if re.search(searchstring.lower(), line.lower()): print "[!] File:",file,"on Line:",num,"\n[!] Code:",line love.write("""[!] File: %s on Line %s \n[!] Code: %s \n""" % (file, num, line.replace("\t","")) ) except(IOError): pass print "[+] Done\n" halo() actions = [ "base64_decode", # many php shell use this but may generate false positive result, remove this if necessary. Especially when using recursive scan. "exec", "eval", # may generate false positive result, remove this if necessary. Especially when using recursive scan. "escapeshellarg", "escapeshellcmd", "fpaththru", "getmy", # getmypid, getmygid, getmyuid, etc "gzinflate", "gzuncompress", "ini_alter", "leak", "mDbl8VndvJj2", # encoded devshell.asp "php_uname", "posix_", # any posix_* function "proc_", # any proc_* function "popen", "passthru", "pcntl_exec", "socket_accept", "socket_bind", "socket_clear_error", "socket_close", "socket_connect", "set_time_limit", "shell_exec", "system", # may generate false positive result, remove this if necessary. Especially when using recursive scan. "show_source", "xrunexploit" # source function on devshell.* ] minus_r = 1 if len(sys.argv) < 2: usage() recdir = raw_input("Recursive ? ( Y/n ): ") mode = raw_input("Full scan Mode (Y/n): ") if mode.lower() != "y": specificstring = raw_input("String to search: ") ext = raw_input("Specific File extension to scan ( to scan all extension ) : ") filelog = raw_input("logfile ( default sf.log ): ") if filelog == "": filelog = "sf.log" if recdir.lower() != "y": minus_r = 0 love = open(filelog, "w") love.write("-+-"*30 + "\n\tScriptFinder 1.1 < ditatompel [at] gmail [dot] com >\n") love.write("\tGreetz for all members of devilzc0de.org, ex darkc0de.com, all Indonesian c0ders,\n\tand all GNU Generation ;-)\n"+"-+-"*30+"\n") if mode.lower() == "y": print "\n[+] FULL SCAN MODE ENABLED...\n[+]", len(actions),"dangerous commands loaded\n[+] Target Dir:",sys.argv[1] print "[+] Logfile will be saved to: " + filelog love.write(""" [+] FULL SCAN MODE ENABLED... [+] %s danger commands loaded [+] Target Dir: %s\n""" % (len(actions), sys.argv[1]) ) for danger in actions : if ext == "": files = Walk(sys.argv[1], minus_r, '*', 1) else: files = Walk(sys.argv[1], minus_r, '*.'+ext+';') search(files, 1) print "[+] Logfile saved to " + filelog else: print "\n[+] Target Dir: " + sys.argv[1] + "\n[+] String to search: " + specificstring print "[+] Logfile will be saved to: " + filelog love.write(""" [+] Target Dir: %s [+] String to search %s\n""" % (sys.argv[1], specificstring ) ) if ext == "": files = Walk(sys.argv[1], minus_r, '*', 1) else: files = Walk(sys.argv[1], minus_r, '*.'+ext+';') search(files) print "[+] Logfile saved to " + filelog ``` [https://github.com/ditatompel/Malcode-Finder](https://github.com/ditatompel/Malcode-Finder) Cara penggunaannya: ```bash python sf-1.1.py /path/to/dir ``` Lalu nanti ada interaktif tanya jawab: * **Recursive**: untuk *scan* semua *sub-directory* dari direktori yang sudah ditentukan sebelumnya. * **Full scan Mode**: untuk *scan* semua *command* yang dianggap bahaya. Klo dijawab "`Y`", *command2* diambil dari *actions array*. Klo *full scan modenya* dijawab "`n`", nanti om bakalan ditanya buat tentuin *"command"* apa yang mau di *scan*. * **Specific File extension to scan**: tipe file yang ingin di *scan*. Misal `php` / `pl`, dll. Kalau kosong brati semua file ikut di *scan*, termasuk `jpg`, `gif`, dll. * **logfile**: tempat nyimpen hasil *scan*. Klo kosong nama filenya jadi `sf.log`.