#!/bin/bash
####################################################################################################################################################
# #
# Finds those pesky base64 injections and can chmod 000, rm, or just tell us about the files, what commands they contain, etc... #
# After dealing with the file itself, the script goes on to attempt to find the origin of it, or at least let us know what was going on #
# around the time that it was first seen. Far from perfect, but hopefully usable. --Mathew #
# #
#####################################################################################################################################################
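#get options
# Option parsing fills the globals below; every other part of the script reads
# them. USER is cleared first because a login environment already exports USER
# (typically "root"): with it left alone, omitting -u would silently scan
# /home/root/public_html and the "missing options" check further down would
# never fire.
USER=
HTML=
MOD=
SYMS=
NUKESYM=
usage=$(cat <<'END'
findbase64 -- Searches files for a common php exploit, creates a report and will optionally chmod to 000 the files that are found
Usage findbase64 [-s|-S] [-m] -a | -u username
options: -s Remove any symlinks that point to a directory outside of the user's home
-S Same as -s, but also removes all broken symlinks
-a Check all public_html directories
-u [user] Start in specific directory
-m chmod to 000 any files that are a definite matches
-h Show this help file
END
)
# "h" is part of the option string so -h is a real option instead of only
# working by falling into the unknown-option branch.
while getopts "Ssamu:h" option
do
  case "${option}" in
    S) NUKESYM=true ;;
    s) SYMS=true ;;
    a) HTML=true ;;
    u) USER=${OPTARG} ;;
    m) MOD=true ;;
    h) printf '%s\n' "$usage"
       exit 0 ;;
    ?) printf '%s\n' "$usage"
       exit 1 ;;
  esac
done
if [[ $SYMS ]] && [[ $NUKESYM ]]
then
  echo "Invalid combination of options (-s and -S). Please select one, the other, or none at all or -h for help" >&2
  exit 1
fi
if [[ ! $USER ]] && [[ ! $HTML ]]
then
  echo "Missing required options. Use -h for complete list of options" >&2
  exit 1
fi
# -u is spliced into "/home/$USER/public_html" and "/var/www/vhosts/$USER"
# later on; a value containing a slash or starting with a dot would walk
# outside those trees, so refuse it here rather than grep (or, with -m,
# chmod) somewhere unintended.
if [[ -n $USER ]] && [[ $USER == */* || $USER == .* ]]
then
  echo "Invalid username '$USER': must be a plain account name" >&2
  exit 1
fi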
############################################################################################################
# Functions that we need #
############################################################################################################
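#Remove everything in a user's tmp directory
# clean_tmp: with -a (HTML=true), empty /home/<user>/tmp for every account
# listed in /etc/trueuserowners ("user: owner" per line, '#' lines skipped).
# Without -a it prints the banner and returns, as before.
# Reads: HTML. Writes: stdout and exploitscanner.log.
# A ~/tmp that is a symlink, or not a directory, is skipped: the old
# "rm -r /home/$user/tmp/*" would have followed a user-planted symlink and
# deleted whatever it pointed at. (The old glob was also inside double quotes,
# so it only ever tried to delete a file literally named "*".)
clean_tmp(){
  local user tmpdir
  echo -e "Cleaning out temp directories.........."
  echo -e "\nCleaning out temp directories.........." >> exploitscanner.log
  if [[ $HTML != true ]]
  then
    return
  fi
  if [[ -r /etc/trueuserowners ]]
  then
    while IFS=: read -r user _ || [[ -n $user ]]
    do
      [[ -z $user || $user == *'#'* ]] && continue
      tmpdir="/home/$user/tmp"
      if [[ -L $tmpdir || ! -d $tmpdir ]]
      then
        printf '%s\n' "Skipped $tmpdir (missing, or not a real directory)"
        printf '%s\n' "Skipped $tmpdir (missing, or not a real directory)" >> exploitscanner.log
        continue
      fi
      # An empty directory is reported rather than "cleaned".
      if [[ -z $(find "$tmpdir" -mindepth 1 -maxdepth 1 -print -quit 2>/dev/null) ]]
      then
        printf '%s\n' "/home/$user/tmp was empty."
        printf '%s\n' "/home/$user/tmp was empty." >> exploitscanner.log
        continue
      fi
      # Remove the entries, not the directory; rm -rf on a symlinked entry
      # removes the link itself, never the target.
      if sudo find "$tmpdir" -mindepth 1 -maxdepth 1 -exec rm -rf -- {} + 2>/dev/null
      then
        printf '%s\n' "Cleaned /home/$user/tmp"
        printf '%s\n' "Cleaned /home/$user/tmp" >> exploitscanner.log
      else
        printf '%s\n' "Could not fully clean /home/$user/tmp"
        printf '%s\n' "Could not fully clean /home/$user/tmp" >> exploitscanner.log
      fi
    done < /etc/trueuserowners
  fi
  echo -e "Done Cleaning ..... \n"
  echo -e "Done Cleaning ..... \n" >> exploitscanner.log
}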
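#look for evil symlinks an remove them
# killit LINK: examine one symlink found under a public_html tree.
#   * A dangling link is removed only when -S (NUKESYM=true) was given; -s
#     alone leaves it, which is the difference the usage text promises.
#   * A link whose *resolved target* lands in a system directory is removed,
#     unless that target stays inside the /home/<owner> tree the link itself
#     lives in -- the one place a user may legitimately point at.
# The previous version grepped the link's own path (always under /home, so
# every link matched "home") with an unanchored pattern, and used "continue"
# inside a function, which only reaches the caller's loop by accident.
# Anything that is not a symlink is ignored. Reports go to stdout and
# exploitscanner.log; always returns 0.
killit(){
  local link=$1 target owner= inside_own_home=false
  local sys_re='^/(root|etc|dev|bin|usr|lib[0-9]*|home|boot|media|opt|proc|sbin|selinux|srv|sys|var)(/|$)'
  [[ -L $link ]] || return 0
  if [[ ! -e $link ]]
  then
    # -e follows the link, so this is the real dangling test; readlink's
    # output is relative to the link's directory, not to $PWD.
    if [[ $NUKESYM == true ]]
    then
      target=$(readlink -- "$link" 2>/dev/null)
      printf '%s\n' "WARNING: $link is a broken symlink to $target and has been removed."
      printf '%s\n' "WARNING: $link is a broken symlink to $target and has been removed." >> exploitscanner.log
      rm -f -- "$link" 2>/dev/null
    fi
    return 0
  fi
  target=$(readlink -f -- "$link" 2>/dev/null) || return 0
  if [[ $link == /home/*/* ]]
  then
    owner=${link#/home/}
    owner=${owner%%/*}
  fi
  if [[ -n $owner && $target == "/home/$owner/"* ]]
  then
    inside_own_home=true
  fi
  if [[ $target =~ $sys_re && $inside_own_home == false ]]
  then
    printf '%s\n' "WARNING: $link is a symlink to system directory $target and has been removed."
    printf '%s\n' "WARNING: $link is a symlink to system directory $target and has been removed." >> exploitscanner.log
    rm -f -- "$link" 2>/dev/null
  fi
  return 0
}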
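# nuke_syms: when -s or -S was given together with -a, walk every
# /home/*/public_html once and hand each symlink to killit.
# Reads: SYMS, NUKESYM, HTML. Writes: stdout and exploitscanner.log.
# The old loop ran the same whole-/home find once per user in
# /etc/trueuserowners, so every link was examined N times; one traversal is
# enough. find does not follow symlinks, so a link to a large tree is listed,
# not descended into, and -print0/-d '' keeps odd file names intact.
nuke_syms(){
  local link
  if [[ $SYMS != true ]] && [[ $NUKESYM != true ]]
  then
    return
  fi
  [[ $HTML == true ]] || return
  echo -e "\nLooking for evil symlinks that point to system directories. We will attempt to remove any that are found........."
  echo -e "\nLooking for evil symlinks that point to system directories. We will attempt to remove any that are found.........." >>exploitscanner.log
  while IFS= read -r -d '' link
  do
    killit "$link"
  done < <(find /home/*/public_html -type l -print0 2>/dev/null)
  echo -e "Done looking for symlinks...\n" >>exploitscanner.log
  echo -e "Done looking for symlinks...\n"
}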
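# grepdirs DIR: append the path of every file under DIR that contains the
# literal text "eval(base64_decode(" to exploitscanner.tmp.
# -r rather than -R: do not follow symlinks while recursing. A user can drop a
# symlink to any root-readable file into public_html; with -R that file's
# name would be listed here and later read, decoded and (with -m) chmodded.
# -F: the needle is a fixed string, not a regex. The old progress line also
# printed a literal "\n" (no -e).
grepdirs(){
  printf 'Grepping -rl %s\n' "$1"
  grep -rlF -- 'eval(base64_decode(' "$1" >>exploitscanner.tmp
}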
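# print_dirs: echo every path collected in exploitscanner.tmp as a
# "FOUND: <path>" line, to stdout and to exploitscanner.log.
# Lines are read raw (IFS=, -r) and printed with printf so paths containing
# runs of spaces or backslashes are reported exactly as grep listed them.
print_dirs(){
  local hit
  echo -e "Making a list of files that contain eval(base64_decode())..........">>exploitscanner.log
  echo -e "Making a list of files that contain eval(base64_decode()).........."
  if [[ -r exploitscanner.tmp ]]
  then
    while IFS= read -r hit || [[ -n $hit ]]
    do
      printf 'FOUND: %s\n' "$hit"
      printf 'FOUND: %s\n' "$hit" >>exploitscanner.log
    done < exploitscanner.tmp
  fi
  echo -e "End of List...\n">>exploitscanner.log
  echo -e "End of List...\n"
}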
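#set the directories to scan
# get_dirs: hand every web root that should be scanned to grepdirs.
# cPanel hosts (/etc/trueuserowners present) use /home/<user>/public_html;
# Plesk hosts (/usr/local/psa/version present) use /var/www/vhosts/<name>,
# skipping entries whose name contains "chroot". With -a (HTML=true) every
# account is scanned; with -u only that account. A host that is neither
# scans nothing, as before.
# -u is interpolated into a path, so a value with a slash or a leading dot is
# refused here: it could otherwise escape the web-root trees.
get_dirs(){
  local username vhost name
  if [[ -e '/etc/trueuserowners' ]]
  then
    if [[ $HTML == true ]]
    then
      # "user: owner" per line; lines containing '#' are comments
      while IFS=: read -r username _ || [[ -n $username ]]
      do
        [[ -z $username || $username == *'#'* ]] && continue
        echo "found user $username"
        if [[ -d /home/$username/public_html ]]
        then
          grepdirs "/home/$username/public_html"
        fi
      done < /etc/trueuserowners
    elif [[ $USER ]]
    then
      if [[ $USER == */* || $USER == .* ]]
      then
        echo "Invalid username '$USER': must be a plain account name" >&2
        exit 1
      fi
      grepdirs "/home/$USER/public_html"
    else
      echo "No directory specified. You must specify -a for scanning all user's home directories, or -u [username] for a specific user"
      exit
    fi
  fi
  if [[ -e /usr/local/psa/version ]]
  then
    if [[ $HTML == true ]]
    then
      # glob instead of parsing ls; dotfiles are skipped either way
      for vhost in /var/www/vhosts/*
      do
        [[ -e $vhost ]] || continue
        name=${vhost##*/}
        [[ $name == *chroot* ]] && continue
        echo "found user $name"
        grepdirs "$vhost"
      done
    elif [[ $USER ]]
    then
      if [[ $USER == */* || $USER == .* ]]
      then
        echo "Invalid username '$USER': must be a plain account name" >&2
        exit 1
      fi
      grepdirs "/var/www/vhosts/$USER"
    else
      echo "No directory specified. You must specify -a for scanning all user's home directories, or -u [username] for a specific user"
      exit
    fi
  fi
}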
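#find base64 commands
# _fb_report LOGLINE STDOUTLINE: write one report line to the log and one to
# stdout. printf '%s' is used on purpose: the text includes base64-decoded,
# attacker-supplied content, and echo -e would interpret backslash sequences
# inside it.
_fb_report(){
  printf '%s\n' "$2"
  printf '%s\n' "$1" >>exploitscanner.log
}
# find_base FILE: pull every eval(base64_decode(...)) argument out of FILE and
# classify it:
#   * longer than 300 chars            -> "too long", look manually
#   * starts with "$"                  -> POSSIBLE MATCH (variable, not a literal)
#   * decodes to text naming wget/passthru/shell_exec/exec/system/sudo
#                                      -> DEFINITE MATCH (chmoddem acts on these)
#   * decodes to anything else         -> POSSIBLE MATCH with the decoded text
# Archives and binaries are reported and skipped. Whitespace is stripped and
# the file is cut at ";" so a call split across lines is still one unit; the
# argument is taken after the last "base64_decode(" on that unit and up to the
# first ")", with quotes removed.
# Fixes versus the earlier version: lengths were compared as strings ("4" >
# "300"), the "too long" flag stuck for the rest of the file once set, a
# length of exactly 300 was never classified, and the file content was
# word-split unquoted (subject to globbing). Line breaks in the decoded text
# are folded into spaces: the log is parsed line by line by chmoddem, so a
# payload must not be able to forge its own "DEFINITE MATCH:; /path ;" line.
find_base(){
  local path=$1 seg code decoded
  local shell_re='wget|passthru|shell_exec|exec|system|sudo'
  if file -- "$path" 2>/dev/null | grep -qE 'tar|binary|executable'
  then
    _fb_report "$path is a tarball,binary, or some other file that cannot be searched with grep"$'\n' \
               "$path is a tarball,binary, or some other file that cannot be searched with grep"$'\n'
    return
  fi
  while IFS= read -r seg || [[ -n $seg ]]
  do
    [[ $seg == *eval\(base64_decode* ]] || continue
    code=${seg##*base64_decode\(}
    code=${code%%\)*}
    code=${code//\"/}
    code=${code//\'/}
    if (( ${#code} > 300 ))
    then
      _fb_report "$path ;contains base64 code that is too long to show here. You sould look at this manually." \
                 "$path contains base64 code that is too long to show here. You sould look at this manually."
      continue
    fi
    if [[ ${code:0:1} == '$' ]]
    then
      _fb_report "POSSIBLE MATCH:; $path ;contains an eval(base64()) command that has the variable $code passed to it." \
                 "POSSIBLE MATCH: $path contains an eval(base64()) command that has the variable $code passed to it."
      continue
    fi
    decoded=$(printf '%s' "$code" | base64 -d 2>/dev/null)
    decoded=${decoded//[$'\r\n']/ }
    [[ -n $decoded ]] || continue
    if [[ $decoded =~ $shell_re ]]
    then
      _fb_report "DEFINITE MATCH:; $path ;contains a shell command $decoded" \
                 "DEFINITE MATCH: $path contains a shell command $decoded"
    else
      _fb_report "POSSIBLE MATCH:; $path ;contains base64 code that translates into $decoded" \
                 "POSSIBLE MATCH: $path contains base64 code that translates into $decoded"
    fi
  done < <(tr -d '[:space:]\000' < "$path" | tr ';' '\n')
}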
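#find shell a shell
# find_shell FILE: heuristic web-shell check, printing
# "DEFINITE MATCH:; FILE ;Is a shell." to stdout when any of these hold:
#   * the name ends in 404.php and the file mentions session/ini_get/ini_set/password
#   * the name ends in .htaccess and the file contains the word "fuck"
#   * the file matches the defacement/shell signature list below
# Not called by the main flow at present (the call in find_base is commented
# out). Fixes: the name patterns were quoted, so they were compared literally
# and never matched; the third branch assigned with "$shell=true", which is
# not an assignment; and the flag was a global, so a value left behind by
# another function leaked into the verdict.
find_shell(){
  local path=$1 shell=false
  if [[ $path == *404.php ]] && grep -qE 'session|ini_get|ini_set|password' -- "$path" 2>/dev/null
  then
    shell=true
  fi
  if [[ $path == *.htaccess ]] && grep -q 'fuck' -- "$path" 2>/dev/null
  then
    shell=true
  fi
  if grep -qE 'hacked|fuck_v(B|b)ulletin|fuck_joomla|hacked\ by|fuck_w0rdPress|fuck_wordpress|fuck_j|Lagripe|(H|h)acker-man|Priv8\ Php|(D|d)amane2011|abdou2010new\@hotmail.fr|(S|s)yrian\ shell|(S|s)yrianshell' -- "$path" 2>/dev/null
  then
    shell=true
  fi
  if [[ $shell == true ]]
  then
    printf '%s\n' "DEFINITE MATCH:; $path ;Is a shell."
  fi
}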
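# Start reading the list and get the actual code from the files in the list then print them to a log
# find_badstuff: run find_base on every path listed in exploitscanner.tmp.
# Paths are read raw (IFS=, -r, no trailing-newline requirement) so a name
# with leading spaces or backslashes reaches find_base unchanged.
find_badstuff(){
  local hit
  echo -e " \nFinding Dirty Files..........">>exploitscanner.log
  echo -e " \nFinding Dirty Files.........."
  if [[ -r exploitscanner.tmp ]]
  then
    while IFS= read -r hit || [[ -n $hit ]]
    do
      [[ -n $hit ]] && find_base "$hit"
    done < exploitscanner.tmp
  fi
  echo -e "End of File List...\n">>exploitscanner.log
  echo -e "End of File List...\n"
}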
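#Chmod all of the definite matches
# chmoddem: when -m was given (MOD=true), chmod 000 every file named on a
# "DEFINITE MATCH:; <path> ;..." line of exploitscanner.log.
# The path is field 2 of the ";"-separated line with surrounding blanks
# trimmed -- the old cut left the blanks in place, so the quoted chmod never
# found the file. Entries are taken from a snapshot of the log, because this
# function appends to the same file while it works.
# Guards: the path may not be a symlink (chmod follows symlinks), must resolve
# to a regular file, and must live under one of the web roots get_dirs scans
# (/home or /var/www/vhosts). The log lines are built from decoded,
# attacker-supplied text, so an entry naming anything else is recorded and
# refused instead of acted on. Files already at mode 000 are left alone.
chmoddem(){
  local -a hits=()
  local line target resolved mode
  if [[ $MOD != true ]]
  then
    return
  fi
  echo -e "\nCreating a list of definite matches that have been chmodded to 000 for safety.........." >>exploitscanner.log
  echo -e "\nCreating a list of definite matches that have been chmodded to 000 for safety.........."
  mapfile -t hits < <(grep '^DEFINITE MATCH:;' exploitscanner.log 2>/dev/null)
  for line in "${hits[@]}"
  do
    target=${line#*;}
    target=${target%%;*}
    target=${target#"${target%%[![:space:]]*}"}
    target=${target%"${target##*[![:space:]]}"}
    resolved=$(readlink -f -- "$target" 2>/dev/null)
    if [[ -z $target || -L $target || -z $resolved ]] \
       || [[ $resolved != /home/* && $resolved != /var/www/vhosts/* ]] \
       || [[ ! -f $resolved ]]
    then
      printf '%s\n' "$target ;skipped: ;not ;a ;regular ;file ;under ;a ;scanned ;web ;root" >>exploitscanner.log
      continue
    fi
    mode=$(stat -c '%a' -- "$resolved" 2>/dev/null)
    [[ $mode == 0 ]] && continue
    if chmod 000 -- "$resolved"
    then
      ls -l -- "$resolved" >>exploitscanner.log
    else
      echo "$resolved ;could ;not ;be ;chmodded. ;Maybe ;it\'s ;chattered???">>exploitscanner.log
    fi
  done
  echo -e "\nDone Chmodding...\n">>exploitscanner.log
  echo -e "\nDone Chmodding...\n"
}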
#######################################################################################################################
# End of Functions #
#######################################################################################################################
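# Main flow. The report (exploitscanner.log) and the scratch list
# (exploitscanner.tmp) are created under fixed names in the current directory
# and appended to by what is normally a root process. In a world-writable
# directory another local user could plant a symlink under one of those names
# between the rm below and the first write, so refuse to run from one.
cwd_mode=$(stat -c '%a' . 2>/dev/null)
if [[ $cwd_mode =~ [2367]$ ]]
then
  echo "Refusing to run from a world-writable directory ($PWD); cd somewhere private first." >&2
  exit 1
fi
rm -f exploitscanner.log exploitscanner.tmp 2>/dev/null
banner="###################################################################\nKnownHost exploit scanner run on $(date) \n###################################################################"
echo -e "$banner"
echo -e "$banner">>exploitscanner.log
clean_tmp
nuke_syms
get_dirs
print_dirs
find_badstuff
chmoddem
# chmoddem relies on ";" as the field separator inside the log; strip the
# separators only now that it has run, so the report reads cleanly.
sed -i 's/\;//g' exploitscanner.log
echo "Scan completed. Results are printed to exploitscanner.log ."
rm -f exploitscanner.tmp 2>/dev/null
# The script deletes its own copy once the run is over; the log is the only
# artifact left behind.
rm -f -- "$0" 2>/dev/null
exit 0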