mirror of
https://github.com/ditatompel/insights.git
synced 2025-01-08 03:12:06 +07:00
7.2 KiB
7.2 KiB
| title | description | date | lastmod | draft | noindex | featured | pinned | series | categories | tags | images | authors | ||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Malcode Finder, Searches for Files Contains Dangerous Command | Fungsinya untuk mencari command berbahaya yang mungkin bisa dimanfaatkan oleh attacker untuk mendapatkan akses lebih dalam sebuah sistem. | 2011-10-16T23:21:18+07:00 | false | false | false | false |
|
|
|
Berikut ini adalah tool pertama saya yang ditulis menggunakan bahasa Python. Fungsinya untuk mencari "command2" berbahaya yang mungkin bisa dimanfaatkan oleh attacker untuk mendapatkan "akses lebih" dalam sebuah sistem. Inspirasi dan beberapa line dari tools buatan d3hydr8 darkc0de.
Sekalian kado ultah buat Ketek tanda terima kasih saya secara pribadi atas dedikasinya buat Indonesia.
Nah langsung aja nih codenya :
#!/usr/bin/python
""" ScriptFinder 1.1 < ditatompel [at] gmail [dot] com >
Searches for file contains dangerous command
Inspired from tools created by d3hydr8[at]gmail[dot]com
greetz to d3hydr8, 5ynL0rd all members of devilzc0de.org,
ex darkc0de.com, all Indonesian c0ders, and all GNU Generation ;-)
PS : Happy Birthday ketek, Revres Tanur or whatever nickname gonna be :p
PF : ?? Oct ???? - ?? Oct 2011 """
import sys, re
def halo():
print "\n" + "-+-"*30 + "\n\tScriptFinder 1.1 < ditatompel [at] gmail [dot] com >"
print "\tSearches for file contains dangerous command"
print "\tGreetz to all members of devilzc0de.org, ex darkc0de.com, all Indonesian c0ders,"
print "\tand all GNU Generation ;-)\n" + "-+-"*30+"\n"
def usage():
print "\tUsage: python " + sys.argv[0] + " <dir>"
print "\tExample: python " + sys.argv[0] + " /home/ditatompel/public_html\n"
sys.exit(1)
#Original from d3hydr8[at]gmail[dot]com
def Walk( root, recurse=0, pattern='*', return_folders=0 ):
import fnmatch, os, string
result = []
try:
names = os.listdir(root)
except os.error:
return result
pattern = pattern or '*'
pat_list = string.splitfields( pattern , ';' )
for name in names:
fullname = os.path.normpath(os.path.join(root, name))
for pat in pat_list:
if fnmatch.fnmatch(name, pat):
if os.path.isfile(fullname) or (return_folders and os.path.isdir(fullname)):
result.append(fullname)
continue
if recurse:
if os.path.isdir(fullname) and not os.path.islink(fullname):
result = result + Walk( fullname, recurse, pattern, return_folders )
return result
def search(files, auto=0):
if auto:
searchstring = danger
else:
searchstring = specificstring
print "\n[+] Searching:", len(files), "files"
print "\n" + "-+-"*20 + "\n[+] files containing '" + searchstring + "' under " + sys.argv[1] + "\n"+"-+-"*20+"\n"
love.write("\n"+"-+-"*20)
love.write("\n[+] files containing '%s' under '%s' \n" % (searchstring, sys.argv[1]) )
love.write("-+-"*20+"\n")
for file in files:
num = 0
try:
text = open(file, "r").readlines()
for line in text:
num +=1
if re.search(searchstring.lower(), line.lower()):
print "[!] File:",file,"on Line:",num,"\n[!] Code:",line
love.write("""[!] File: %s on Line %s \n[!] Code: %s \n""" % (file, num, line.replace("\t","")) )
except(IOError):
pass
print "[+] Done\n"
halo()
actions = [
"base64_decode", # many php shell use this but may generate false positive result, remove this if necessary. Especially when using recursive scan.
"exec",
"eval", # may generate false positive result, remove this if necessary. Especially when using recursive scan.
"escapeshellarg",
"escapeshellcmd",
"fpaththru",
"getmy", # getmypid, getmygid, getmyuid, etc
"gzinflate",
"gzuncompress",
"ini_alter",
"leak",
"mDbl8VndvJj2", # encoded devshell.asp
"php_uname",
"posix_", # any posix_* function
"proc_", # any proc_* function
"popen",
"passthru",
"pcntl_exec",
"socket_accept",
"socket_bind",
"socket_clear_error",
"socket_close",
"socket_connect",
"set_time_limit",
"shell_exec",
"system", # may generate false positive result, remove this if necessary. Especially when using recursive scan.
"show_source",
"xrunexploit" # source function on devshell.*
]
minus_r = 1
if len(sys.argv) < 2:
usage()
recdir = raw_input("Recursive ? ( Y/n ): ")
mode = raw_input("Full scan Mode (Y/n): ")
if mode.lower() != "y":
specificstring = raw_input("String to search: ")
ext = raw_input("Specific File extension to scan ( <return> to scan all extension ) : ")
filelog = raw_input("logfile ( default sf.log ): ")
if filelog == "":
filelog = "sf.log"
if recdir.lower() != "y":
minus_r = 0
love = open(filelog, "w")
love.write("-+-"*30 + "\n\tScriptFinder 1.1 < ditatompel [at] gmail [dot] com >\n")
love.write("\tGreetz for all members of devilzc0de.org, ex darkc0de.com, all Indonesian c0ders,\n\tand all GNU Generation ;-)\n"+"-+-"*30+"\n")
if mode.lower() == "y":
print "\n[+] FULL SCAN MODE ENABLED...\n[+]", len(actions),"dangerous commands loaded\n[+] Target Dir:",sys.argv[1]
print "[+] Logfile will be saved to: " + filelog
love.write("""
[+] FULL SCAN MODE ENABLED...
[+] %s danger commands loaded
[+] Target Dir: %s\n""" % (len(actions), sys.argv[1]) )
for danger in actions :
if ext == "":
files = Walk(sys.argv[1], minus_r, '*', 1)
else:
files = Walk(sys.argv[1], minus_r, '*.'+ext+';')
search(files, 1)
print "[+] Logfile saved to " + filelog
else:
print "\n[+] Target Dir: " + sys.argv[1] + "\n[+] String to search: " + specificstring
print "[+] Logfile will be saved to: " + filelog
love.write("""
[+] Target Dir: %s
[+] String to search %s\n""" % (sys.argv[1], specificstring ) )
if ext == "":
files = Walk(sys.argv[1], minus_r, '*', 1)
else:
files = Walk(sys.argv[1], minus_r, '*.'+ext+';')
search(files)
print "[+] Logfile saved to " + filelog
https://github.com/ditatompel/Malcode-Finder
Cara penggunaannya:
python sf-1.1.py /path/to/dir
Lalu nanti ada interaktif tanya jawab:
- Recursive: untuk scan semua sub-directory dari direktori yang sudah ditentukan sebelumnya.
- Full scan Mode: untuk scan semua command yang dianggap bahaya. Klo dijawab "
Y", command2 diambil dari actions array. Klo full scan modenya dijawab "n", nanti om bakalan ditanya buat tentuin "command" apa yang mau di scan. - Specific File extension to scan: tipe file yang ingin di scan. Misal
php/pl, dll. Kalau kosong brati semua file ikut di scan, termasukjpg,gif, dll. - logfile: tempat nyimpen hasil scan. Klo kosong nama filenya jadi
sf.log.