PHP Web Trojan scanner code v1.0 security testing tool
- 2020-05-10 17:54:10
- OfStack
scanner.php
A tool that scans php trojans in an php environment can currently scan the following feature codes
Lazy design, direct use of phpspy style
Note: the scanned file is not necessarily the back door. Please judge, review and compare the original file.
<?php
/**************PHP Web Trojan scanner ************************/
/* [+] The author : alibaba */
/* [+] QQ: 1499281192 */
/* [+] MSN: weeming21@hotmail.com */
/* [+] The starting : t00ls.net , Please indicate the reprint. t00ls */
/* [+] version : v1.0 */
/* [+] function : web version php Trojan scanning tool */
/* [+] Pay attention to : The scanned file is not 1 Must be the back door. , */
/* Please make your own judgment, review and compare the original documents. */
/* If you're not sure if the file you're scanning is a back door, */
/* You are welcome to send me the document for analysis. */
/*******************************************************/
ob_start();
set_time_limit(0);
$username = "t00ls"; // Set the username
$password = "t00ls"; // Set the password
$md5 = md5(md5($username).md5($password));
$version = "PHP Web Trojan scanner v1.0";
$realpath = realpath('./');
$selfpath = $_SERVER['PHP_SELF'];
$selfpath = substr($selfpath, 0, strrpos($selfpath,'/'));
define('REALPATH', str_replace('//','/',str_replace('\\','/',substr($realpath, 0, strlen($realpath) - strlen($selfpath)))));
define('MYFILE', basename(__FILE__));
define('MYPATH', str_replace('\\', '/', dirname(__FILE__)).'/');
define('MYFULLPATH', str_replace('\\', '/', (__FILE__)));
define('HOST', "http://".$_SERVER['HTTP_HOST']);
?>
<html>
<head>
<title><?php echo $version?></title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<style>
body{margin:0px;}
body,td{font: 12px Arial,Tahoma;line-height: 16px;}
a {color: #00f;text-decoration:underline;}
a:hover{color: #f00;text-decoration:none;}
.alt1 td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#f1f1f1;padding:5px 10px 5px 5px;}
.alt2 td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#f9f9f9;padding:5px 10px 5px 5px;}
.focus td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#ffffaa;padding:5px 10px 5px 5px;}
.head td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#e9e9e9;padding:5px 10px 5px 5px;font-weight:bold;}
.head td span{font-weight:normal;}
</style>
</head>
<body>
<?php
if(!(isset($_COOKIE['t00ls']) && $_COOKIE['t00ls'] == $md5) && !(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5)))
{
echo '<form id="frmlogin" name="frmlogin" method="post" action=""> The user name : <input type="text" name="username" id="username" /> password : <input type="password" name="password" id="password" /> <input type="submit" name="btnLogin" id="btnLogin" value=" landing " /></form>';
}
elseif(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5))
{
setcookie("t00ls", $md5, time()+60*60*24*365,"/");
echo " Login successful! ";
header( 'refresh: 1; url='.MYFILE.'?action=scan' );
exit();
}
else
{
setcookie("t00ls", $md5, time()+60*60*24*365,"/");
$setting = getSetting();
$action = isset($_GET['action'])?$_GET['action']:"";
if($action=="logout")
{
setcookie ("t00ls", "", time() - 3600);
Header("Location: ".MYFILE);
exit();
}
if($action=="download" && isset($_GET['file']) && trim($_GET['file'])!="")
{
$file = $_GET['file'];
ob_clean();
if (@file_exists($file)) {
header("Content-type: application/octet-stream");
header("Content-Disposition: filename=\"".basename($file)."\"");
echo file_get_contents($file);
}
exit();
}
?>
<table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr class="head">
<td><?php echo $_SERVER['SERVER_ADDR']?><span style="float: right; font-weight:bold;"><?php echo "<a href='http://www.t00ls.net/'>$version</a>"?></span></td>
</tr>
<tr class="alt1">
<td><span style="float: right;"><?=date("Y-m-d H:i:s",mktime())?></span>
<a href="?action=scan"> scanning </a> |
<a href="?action=setting"> set </a> |
<a href="?action=logout"> logout </a>
</td>
</tr>
</tbody></table>
<br>
<?php
if($action=="setting")
{
if(isset($_POST['btnsetting']))
{
$Ssetting = array();
$Ssetting['user']=isset($_POST['checkuser'])?$_POST['checkuser']:"php | php? | phtml";
$Ssetting['all']=isset($_POST['checkall'])&&$_POST['checkall']=="on"?1:0;
$Ssetting['hta']=isset($_POST['checkhta'])&&$_POST['checkhta']=="on"?1:0;
setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/");
echo " Setup complete! ";
header( 'refresh: 1; url='.MYFILE.'?action=setting' );
exit();
}
?>
<form name="frmSetting" method="post" action="?action=setting">
<FIELDSET style="width:400px">
<LEGEND> Set the scan </LEGEND>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="60"> The file suffix :</td>
<td width="300"><input type="text" name="checkuser" id="checkuser" style="width:300px;" value="<?php echo $setting['user']?>"></td>
</tr>
<tr>
<td><label for="checkall"> All the files </label></td>
<td><input type="checkbox" name="checkall" id="checkall" <?php if($setting['all']==1) echo "checked"?>></td>
</tr>
<tr>
<td><label for="checkhta"> Settings file </label></td>
<td><input type="checkbox" name="checkhta" id="checkhta" <?php if($setting['hta']==1) echo "checked"?>></td>
</tr>
<tr>
<td> </td>
<td>
<input type="submit" name="btnsetting" id="btnsetting" value=" submit ">
</td>
</tr>
</table>
</fieldset>
</form>
<?php
}
else
{
$dir = isset($_POST['path'])?$_POST['path']:MYPATH;
$dir = substr($dir,-1)!="/"?$dir."/":$dir;
?>
<form name="frmScan" method="post" action="">
<table width="100%%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="35" style="vertical-align:middle; padding-left:5px;"> Scan path :</td>
<td width="690">
<input type="text" name="path" id="path" style="width:600px" value="<?php echo $dir?>">
<input type="submit" name="btnScan" id="btnScan" value=" Start scanning "></td>
</tr>
</table>
</form>
<?php
if(isset($_POST['btnScan']))
{
$start=mktime();
$is_user = array();
$is_ext = "";
$list = "";
if(trim($setting['user'])!="")
{
$is_user = explode("|",$setting['user']);
if(count($is_user)>0)
{
foreach($is_user as $key=>$value)
$is_user[$key]=trim(str_replace("?","(.)",$value));
$is_ext = "(\.".implode("($|\.))|(\.",$is_user)."($|\.))";
}
}
if($setting['hta']==1)
{
$is_hta=1;
$is_ext = strlen($is_ext)>0?$is_ext."|":$is_ext;
$is_ext.="(^\.htaccess$)";
}
if($setting['all']==1 || (strlen($is_ext)==0 && $setting['hta']==0))
{
$is_ext="(.+)";
}
$php_code = getCode();
if(!is_readable($dir))
$dir = MYPATH;
$count=$scanned=0;
scan($dir,$is_ext);
$end=mktime();
$spent = ($end - $start);
?>
<div style="padding:10px; background-color:#ccc"> scanning : <?php echo $scanned?> file | found : <?php echo $count?> Suspicious files | Time consuming : <?php echo $spent?> seconds </div>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr class="head">
<td width="15" align="center">No.</td>
<td width="48%"> file </td>
<td width="12%"> Update time </td>
<td width="10%"> why </td>
<td width="20%"> Characteristics of the </td>
<td> action </td>
</tr>
<?php echo $list?>
</table>
<?php
}
}
}
ob_flush();
?>
</body>
</html>
<?php
function scan($path = '.',$is_ext){
global $php_code,$count,$scanned,$list;
$ignore = array('.', '..' );
$replace=array(" ","\n","\r","\t");
$dh = @opendir( $path );
while(false!==($file=readdir($dh))){
if( !in_array( $file, $ignore ) ){
if( is_dir( "$path$file" ) ){
scan("$path$file/",$is_ext);
} else {
$current = $path.$file;
if(MYFULLPATH==$current) continue;
if(!preg_match("/$is_ext/i",$file)) continue;
if(is_readable($current))
{
$scanned++;
$content=file_get_contents($current);
$content= str_replace($replace,"",$content);
foreach($php_code as $key => $value)
{
if(preg_match("/$value/i",$content))
{
$count++;
$j = $count % 2 + 1;
$filetime = date('Y-m-d H:i:s',filemtime($current));
$reason = explode("->",$key);
$url = str_replace(REALPATH,HOST,$current);
preg_match("/$value/i",$content,$arr);
$list.="
<tr class='alt$j' onmouseover='this.className=\"focus\";' onmouseout='this.className=\"alt$j\";'>
<td>$count</td>
<td><a href='$url' target='_blank'>$current</a></td>
<td>$filetime</td>
<td><font color=red>$reason[0]</font></td>
<td><font color=#090>$reason[1]</font></td>
<td><a href='?action=download&file=$current' target='_blank'> download </a></td>
</tr>";
//echo $key . "-" . $path . $file ."(" . $arr[0] . ")" ."<br />";
//echo $path . $file ."<br />";
break;
}
}
}
}
}
}
closedir( $dh );
}
function getSetting()
{
$Ssetting = array();
if(isset($_COOKIE['t00ls_s']))
{
$Ssetting = unserialize(base64_decode($_COOKIE['t00ls_s']));
$Ssetting['user']=isset($Ssetting['user'])?$Ssetting['user']:"php | php? | phtml | shtml";
$Ssetting['all']=isset($Ssetting['all'])?intval($Ssetting['all']):0;
$Ssetting['hta']=isset($Ssetting['hta'])?intval($Ssetting['hta']):1;
}
else
{
$Ssetting['user']="php | php? | phtml | shtml";
$Ssetting['all']=0;
$Ssetting['hta']=1;
setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/");
}
return $Ssetting;
}
function getCode()
{
return array(
' Characteristics of the back door ->cha88.cn'=>'cha88\.cn',
' Characteristics of the back door ->c99shell'=>'c99shell',
' Characteristics of the back door ->phpspy'=>'phpspy',
' Characteristics of the back door ->Scanners'=>'Scanners',
' Characteristics of the back door ->cmd.php'=>'cmd\.php',
' Characteristics of the back door ->str_rot13'=>'str_rot13',
' Characteristics of the back door ->webshell'=>'webshell',
' Characteristics of the back door ->EgY_SpIdEr'=>'EgY_SpIdEr',
' Characteristics of the back door ->tools88.com'=>'tools88\.com',
' Characteristics of the back door ->SECFORCE'=>'SECFORCE',
' Characteristics of the back door ->eval("?>'=>'eval\((\'|")\?>',
' Suspect code feature ->system('=>'system\(',
' Suspect code feature ->passthru('=>'passthru\(',
' Suspect code feature ->shell_exec('=>'shell_exec\(',
' Suspect code feature ->exec('=>'exec\(',
' Suspect code feature ->popen('=>'popen\(',
' Suspect code feature ->proc_open'=>'proc_open',
' Suspect code feature ->eval($'=>'eval\((\'|"|\s*)\\$',
' Suspect code feature ->assert($'=>'assert\((\'|"|\s*)\\$',
' dangerous MYSQL code ->returns string soname'=>'returnsstringsoname',
' dangerous MYSQL code ->into outfile'=>'intooutfile',
' dangerous MYSQL code ->load_file'=>'select(\s+)(.*)load_file',
' Encryption back door feature ->eval(gzinflate('=>'eval\(gzinflate\(',
' Encryption back door feature ->eval(base64_decode('=>'eval\(base64_decode\(',
' Encryption back door feature ->eval(gzuncompress('=>'eval\(gzuncompress\(',
' Encryption back door feature ->eval(gzdecode('=>'eval\(gzdecode\(',
' Encryption back door feature ->eval(str_rot13('=>'eval\(str_rot13\(',
' Encryption back door feature ->gzuncompress(base64_decode('=>'gzuncompress\(base64_decode\(',
' Encryption back door feature ->base64_decode(gzuncompress('=>'base64_decode\(gzuncompress\(',
'1 Sentence back door features ->eval($_'=>'eval\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
'1 Sentence back door features ->assert($_'=>'assert\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
'1 Sentence back door features ->require($_'=>'require\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
'1 Sentence back door features ->require_once($_'=>'require_once\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
'1 Sentence back door features ->include($_'=>'include\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
'1 Sentence back door features ->include_once($_'=>'include_once\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
'1 Sentence back door features ->call_user_func("assert"'=>'call_user_func\(("|\')assert("|\')',
'1 Sentence back door features ->call_user_func($_'=>'call_user_func\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
'1 Sentence back door features ->$_POST/GET/REQUEST/COOKIE[?]($_POST/GET/REQUEST/COOKIE[?]'=>'\$_(POST|GET|REQUEST|COOKIE)\[([^\]]+)\]\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)\[',
'1 Sentence back door features ->echo(file_get_contents($_POST/GET/REQUEST/COOKIE'=>'echo\(file_get_contents\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
' Upload back door features ->file_put_contents($_POST/GET/REQUEST/COOKIE,$_POST/GET/REQUEST/COOKIE'=>'file_put_contents\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)\[([^\]]+)\],(\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
' Upload back door features ->fputs(fopen("?","w"),$_POST/GET/REQUEST/COOKIE['=>'fputs\(fopen\((.+),(\'|")w(\'|")\),(\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)\[',
'.htaccess Put the horse characteristics ->SetHandler application/x-httpd-php'=>'SetHandlerapplication\/x-httpd-php',
'.htaccess Put the horse characteristics ->php_value auto_prepend_file'=>'php_valueauto_prepend_file',
'.htaccess Put the horse characteristics ->php_value auto_append_file'=>'php_valueauto_append_file'
);
}
?>
A tool that scans php trojans in an php environment can currently scan the following feature codes
Signature:
Characteristics of the back door ->cha88.cn
Characteristics of the back door ->c99shell
Characteristics of the back door ->phpspy
Characteristics of the back door ->Scanners
Characteristics of the back door ->cmd.php
Characteristics of the back door ->str_rot13
Characteristics of the back door ->webshell
Characteristics of the back door ->EgY_SpIdEr
Characteristics of the back door ->tools88.com
Characteristics of the back door ->SECFORCE
Characteristics of the back door ->eval("?>
Suspect code feature ->system(
Suspect code feature ->passthru(
Suspect code feature ->shell_exec(
Suspect code feature ->exec(
Suspect code feature ->popen(
Suspect code feature ->proc_open
Suspect code feature ->eval($
Suspect code feature ->assert($
dangerous MYSQL code ->returns string soname
dangerous MYSQL code ->into outfile
dangerous MYSQL code ->load_file
Encryption back door feature ->eval(gzinflate(
Encryption back door feature ->eval(base64_decode(
Encryption back door feature ->eval(gzuncompress(
Encryption back door feature ->gzuncompress(base64_decode(
Encryption back door feature ->base64_decode(gzuncompress(
1 Sentence back door features ->eval($_
1 Sentence back door features ->assert($_
1 Sentence back door features ->require($_
1 Sentence back door features ->require_once($_
1 Sentence back door features ->include($_
1 Sentence back door features ->include_once($_
1 Sentence back door features ->call_user_func("assert"
1 Sentence back door features ->call_user_func($_
1 Sentence back door features ->$_POST/GET/REQUEST/COOKIE[?]($_POST/GET/REQUEST/COOKIE[?]
1 Sentence back door features ->echo(file_get_contents($_POST/GET/REQUEST/COOKIE
Upload back door features ->file_put_contents($_POST/GET/REQUEST/COOKIE,$_POST/GET/REQUEST/COOKIE
Upload back door features ->fputs(fopen("?","w"),$_POST/GET/REQUEST/COOKIE[
.htaccess Put the horse characteristics ->SetHandler application/x-httpd-php
.htaccess Put the horse characteristics ->php_value auto_prepend_file
.htaccess Put the horse characteristics ->php_value auto_append_file
Lazy design, direct use of phpspy style
Note: the scanned file is not necessarily the back door. Please judge, review and compare the original file.