Of Stack

PHP Web Trojan scanner code v1.0 security testing tool

  • 2020-05-10 17:54:10
  • OfStack
scanner.php 
 
<?php 
/**************PHP Web Trojan scanner ************************/ 
/* [+]  The author : alibaba */ 
/* [+] QQ: 1499281192 */ 
/* [+] MSN: weeming21@hotmail.com */ 
/* [+]  The starting : t00ls.net ,  Please indicate the reprint. t00ls */ 
/* [+]  version : v1.0 */ 
/* [+]  function : web version php Trojan scanning tool  */ 
/* [+]  Pay attention to :  The scanned file is not 1 Must be the back door. , */ 
/*  Please make your own judgment, review and compare the original documents.  */ 
/*  If you're not sure if the file you're scanning is a back door,  */ 
/*  You are welcome to send me the document for analysis.  */ 
/*******************************************************/ 
ob_start(); 
set_time_limit(0); 
$username = "t00ls"; // Set the username  
$password = "t00ls"; // Set the password  
$md5 = md5(md5($username).md5($password)); 
$version = "PHP Web Trojan scanner  v1.0"; 
$realpath = realpath('./'); 
$selfpath = $_SERVER['PHP_SELF']; 
$selfpath = substr($selfpath, 0, strrpos($selfpath,'/')); 
define('REALPATH', str_replace('//','/',str_replace('\\','/',substr($realpath, 0, strlen($realpath) - strlen($selfpath))))); 
define('MYFILE', basename(__FILE__)); 
define('MYPATH', str_replace('\\', '/', dirname(__FILE__)).'/'); 
define('MYFULLPATH', str_replace('\\', '/', (__FILE__))); 
define('HOST', "http://".$_SERVER['HTTP_HOST']); 
?> 
<html> 
<head> 
<title><?php echo $version?></title> 
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" /> 
<style> 
body{margin:0px;} 
body,td{font: 12px Arial,Tahoma;line-height: 16px;} 
a {color: #00f;text-decoration:underline;} 
a:hover{color: #f00;text-decoration:none;} 
.alt1 td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#f1f1f1;padding:5px 10px 5px 5px;} 
.alt2 td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#f9f9f9;padding:5px 10px 5px 5px;} 
.focus td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#ffffaa;padding:5px 10px 5px 5px;} 
.head td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#e9e9e9;padding:5px 10px 5px 5px;font-weight:bold;} 
.head td span{font-weight:normal;} 
</style> 
</head> 
<body> 
<?php 
if(!(isset($_COOKIE['t00ls']) && $_COOKIE['t00ls'] == $md5) && !(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5))) 
{ 
echo '<form id="frmlogin" name="frmlogin" method="post" action=""> The user name : <input type="text" name="username" id="username" />  password : <input type="password" name="password" id="password" /> <input type="submit" name="btnLogin" id="btnLogin" value=" landing " /></form>'; 
} 
elseif(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5)) 
{ 
setcookie("t00ls", $md5, time()+60*60*24*365,"/"); 
echo " Login successful! "; 
header( 'refresh: 1; url='.MYFILE.'?action=scan' ); 
exit(); 
} 
else 
{ 
setcookie("t00ls", $md5, time()+60*60*24*365,"/"); 
$setting = getSetting(); 
$action = isset($_GET['action'])?$_GET['action']:""; 
if($action=="logout") 
{ 
setcookie ("t00ls", "", time() - 3600); 
Header("Location: ".MYFILE); 
exit(); 
} 
if($action=="download" && isset($_GET['file']) && trim($_GET['file'])!="") 
{ 
$file = $_GET['file']; 
ob_clean(); 
if (@file_exists($file)) { 
header("Content-type: application/octet-stream"); 
header("Content-Disposition: filename=\"".basename($file)."\""); 
echo file_get_contents($file); 
} 
exit(); 
} 
?> 
<table border="0" cellpadding="0" cellspacing="0" width="100%"> 
<tbody><tr class="head"> 
<td><?php echo $_SERVER['SERVER_ADDR']?><span style="float: right; font-weight:bold;"><?php echo "<a href='http://www.t00ls.net/'>$version</a>"?></span></td> 
</tr> 
<tr class="alt1"> 
<td><span style="float: right;"><?=date("Y-m-d H:i:s",mktime())?></span> 
<a href="?action=scan"> scanning </a> | 
<a href="?action=setting"> set </a> | 
<a href="?action=logout"> logout </a> 
</td> 
</tr> 
</tbody></table> 
<br> 
<?php 
if($action=="setting") 
{ 
if(isset($_POST['btnsetting'])) 
{ 
$Ssetting = array(); 
$Ssetting['user']=isset($_POST['checkuser'])?$_POST['checkuser']:"php | php? | phtml"; 
$Ssetting['all']=isset($_POST['checkall'])&&$_POST['checkall']=="on"?1:0; 
$Ssetting['hta']=isset($_POST['checkhta'])&&$_POST['checkhta']=="on"?1:0; 
setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/"); 
echo " Setup complete! "; 
header( 'refresh: 1; url='.MYFILE.'?action=setting' ); 
exit(); 
} 
?> 
<form name="frmSetting" method="post" action="?action=setting"> 
<FIELDSET style="width:400px"> 
<LEGEND> Set the scan </LEGEND> 
<table width="100%" border="0" cellspacing="0" cellpadding="0"> 
<tr> 
<td width="60"> The file suffix :</td> 
<td width="300"><input type="text" name="checkuser" id="checkuser" style="width:300px;" value="<?php echo $setting['user']?>"></td> 
</tr> 
<tr> 
<td><label for="checkall"> All the files </label></td> 
<td><input type="checkbox" name="checkall" id="checkall" <?php if($setting['all']==1) echo "checked"?>></td> 
</tr> 
<tr> 
<td><label for="checkhta"> Settings file </label></td> 
<td><input type="checkbox" name="checkhta" id="checkhta" <?php if($setting['hta']==1) echo "checked"?>></td> 
</tr> 
<tr> 
<td> </td> 
<td> 
<input type="submit" name="btnsetting" id="btnsetting" value=" submit "> 
</td> 
</tr> 
</table> 
</fieldset> 
</form> 
<?php 
} 
else 
{ 
$dir = isset($_POST['path'])?$_POST['path']:MYPATH; 
$dir = substr($dir,-1)!="/"?$dir."/":$dir; 
?> 
<form name="frmScan" method="post" action=""> 
<table width="100%%" border="0" cellspacing="0" cellpadding="0"> 
<tr> 
<td width="35" style="vertical-align:middle; padding-left:5px;"> Scan path :</td> 
<td width="690"> 
<input type="text" name="path" id="path" style="width:600px" value="<?php echo $dir?>"> 
  <input type="submit" name="btnScan" id="btnScan" value=" Start scanning "></td> 
</tr> 
</table> 
</form> 
<?php 
if(isset($_POST['btnScan'])) 
{ 
$start=mktime(); 
$is_user = array(); 
$is_ext = ""; 
$list = ""; 
if(trim($setting['user'])!="") 
{ 
$is_user = explode("|",$setting['user']); 
if(count($is_user)>0) 
{ 
foreach($is_user as $key=>$value) 
$is_user[$key]=trim(str_replace("?","(.)",$value)); 
$is_ext = "(\.".implode("($|\.))|(\.",$is_user)."($|\.))"; 
} 
} 
if($setting['hta']==1) 
{ 
$is_hta=1; 
$is_ext = strlen($is_ext)>0?$is_ext."|":$is_ext; 
$is_ext.="(^\.htaccess$)"; 
} 
if($setting['all']==1 || (strlen($is_ext)==0 && $setting['hta']==0)) 
{ 
$is_ext="(.+)"; 
} 
$php_code = getCode(); 
if(!is_readable($dir)) 
$dir = MYPATH; 
$count=$scanned=0; 
scan($dir,$is_ext); 
$end=mktime(); 
$spent = ($end - $start); 
?> 
<div style="padding:10px; background-color:#ccc"> scanning : <?php echo $scanned?>  file  |  found : <?php echo $count?>  Suspicious files  |  Time consuming : <?php echo $spent?>  seconds </div> 
<table width="100%" border="0" cellspacing="0" cellpadding="0"> 
<tr class="head"> 
<td width="15" align="center">No.</td> 
<td width="48%"> file </td> 
<td width="12%"> Update time </td> 
<td width="10%"> why </td> 
<td width="20%"> Characteristics of the </td> 
<td> action </td> 
</tr> 
<?php echo $list?> 
</table> 
<?php 
} 
} 
} 
ob_flush(); 
?> 
</body> 
</html> 
<?php 
function scan($path = '.',$is_ext){ 
global $php_code,$count,$scanned,$list; 
$ignore = array('.', '..' ); 
$replace=array(" ","\n","\r","\t"); 
$dh = @opendir( $path ); 
while(false!==($file=readdir($dh))){ 
if( !in_array( $file, $ignore ) ){ 
if( is_dir( "$path$file" ) ){ 
scan("$path$file/",$is_ext); 
} else { 
$current = $path.$file; 
if(MYFULLPATH==$current) continue; 
if(!preg_match("/$is_ext/i",$file)) continue; 
if(is_readable($current)) 
{ 
$scanned++; 
$content=file_get_contents($current); 
$content= str_replace($replace,"",$content); 
foreach($php_code as $key => $value) 
{ 
if(preg_match("/$value/i",$content)) 
{ 
$count++; 
$j = $count % 2 + 1; 
$filetime = date('Y-m-d H:i:s',filemtime($current)); 
$reason = explode("->",$key); 
$url = str_replace(REALPATH,HOST,$current); 
preg_match("/$value/i",$content,$arr); 
$list.=" 
<tr class='alt$j' onmouseover='this.className=\"focus\";' onmouseout='this.className=\"alt$j\";'> 
<td>$count</td> 
<td><a href='$url' target='_blank'>$current</a></td> 
<td>$filetime</td> 
<td><font color=red>$reason[0]</font></td> 
<td><font color=#090>$reason[1]</font></td> 
<td><a href='?action=download&file=$current' target='_blank'> download </a></td> 
</tr>"; 
//echo $key . "-" . $path . $file ."(" . $arr[0] . ")" ."<br />"; 
//echo $path . $file ."<br />"; 
break; 
} 
} 
} 
} 
} 
} 
closedir( $dh ); 
} 
function getSetting() 
{ 
$Ssetting = array(); 
if(isset($_COOKIE['t00ls_s'])) 
{ 
$Ssetting = unserialize(base64_decode($_COOKIE['t00ls_s'])); 
$Ssetting['user']=isset($Ssetting['user'])?$Ssetting['user']:"php | php? | phtml | shtml"; 
$Ssetting['all']=isset($Ssetting['all'])?intval($Ssetting['all']):0; 
$Ssetting['hta']=isset($Ssetting['hta'])?intval($Ssetting['hta']):1; 
} 
else 
{ 
$Ssetting['user']="php | php? | phtml | shtml"; 
$Ssetting['all']=0; 
$Ssetting['hta']=1; 
setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/"); 
} 
return $Ssetting; 
} 
function getCode() 
{ 
return array( 
' Characteristics of the back door ->cha88.cn'=>'cha88\.cn', 
' Characteristics of the back door ->c99shell'=>'c99shell', 
' Characteristics of the back door ->phpspy'=>'phpspy', 
' Characteristics of the back door ->Scanners'=>'Scanners', 
' Characteristics of the back door ->cmd.php'=>'cmd\.php', 
' Characteristics of the back door ->str_rot13'=>'str_rot13', 
' Characteristics of the back door ->webshell'=>'webshell', 
' Characteristics of the back door ->EgY_SpIdEr'=>'EgY_SpIdEr', 
' Characteristics of the back door ->tools88.com'=>'tools88\.com', 
' Characteristics of the back door ->SECFORCE'=>'SECFORCE', 
' Characteristics of the back door ->eval("?>'=>'eval\((\'|")\?>', 
' Suspect code feature ->system('=>'system\(', 
' Suspect code feature ->passthru('=>'passthru\(', 
' Suspect code feature ->shell_exec('=>'shell_exec\(', 
' Suspect code feature ->exec('=>'exec\(', 
' Suspect code feature ->popen('=>'popen\(', 
' Suspect code feature ->proc_open'=>'proc_open', 
' Suspect code feature ->eval($'=>'eval\((\'|"|\s*)\\$', 
' Suspect code feature ->assert($'=>'assert\((\'|"|\s*)\\$', 
' dangerous MYSQL code ->returns string soname'=>'returnsstringsoname', 
' dangerous MYSQL code ->into outfile'=>'intooutfile', 
' dangerous MYSQL code ->load_file'=>'select(\s+)(.*)load_file', 
' Encryption back door feature ->eval(gzinflate('=>'eval\(gzinflate\(', 
' Encryption back door feature ->eval(base64_decode('=>'eval\(base64_decode\(', 
' Encryption back door feature ->eval(gzuncompress('=>'eval\(gzuncompress\(', 
' Encryption back door feature ->eval(gzdecode('=>'eval\(gzdecode\(', 
' Encryption back door feature ->eval(str_rot13('=>'eval\(str_rot13\(', 
' Encryption back door feature ->gzuncompress(base64_decode('=>'gzuncompress\(base64_decode\(', 
' Encryption back door feature ->base64_decode(gzuncompress('=>'base64_decode\(gzuncompress\(', 
'1 Sentence back door features ->eval($_'=>'eval\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)', 
'1 Sentence back door features ->assert($_'=>'assert\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)', 
'1 Sentence back door features ->require($_'=>'require\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)', 
'1 Sentence back door features ->require_once($_'=>'require_once\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)', 
'1 Sentence back door features ->include($_'=>'include\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)', 
'1 Sentence back door features ->include_once($_'=>'include_once\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)', 
'1 Sentence back door features ->call_user_func("assert"'=>'call_user_func\(("|\')assert("|\')', 
'1 Sentence back door features ->call_user_func($_'=>'call_user_func\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)', 
'1 Sentence back door features ->$_POST/GET/REQUEST/COOKIE[?]($_POST/GET/REQUEST/COOKIE[?]'=>'\$_(POST|GET|REQUEST|COOKIE)\[([^\]]+)\]\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)\[', 
'1 Sentence back door features ->echo(file_get_contents($_POST/GET/REQUEST/COOKIE'=>'echo\(file_get_contents\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)', 
' Upload back door features ->file_put_contents($_POST/GET/REQUEST/COOKIE,$_POST/GET/REQUEST/COOKIE'=>'file_put_contents\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)\[([^\]]+)\],(\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)', 
' Upload back door features ->fputs(fopen("?","w"),$_POST/GET/REQUEST/COOKIE['=>'fputs\(fopen\((.+),(\'|")w(\'|")\),(\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)\[', 
'.htaccess Put the horse characteristics ->SetHandler application/x-httpd-php'=>'SetHandlerapplication\/x-httpd-php', 
'.htaccess Put the horse characteristics ->php_value auto_prepend_file'=>'php_valueauto_prepend_file', 
'.htaccess Put the horse characteristics ->php_value auto_append_file'=>'php_valueauto_append_file' 
); 
} 
?>

A tool that scans php trojans in an php environment can currently scan the following feature codes 
 
 Signature:  
 Characteristics of the back door ->cha88.cn 
 Characteristics of the back door ->c99shell 
 Characteristics of the back door ->phpspy 
 Characteristics of the back door ->Scanners 
 Characteristics of the back door ->cmd.php 
 Characteristics of the back door ->str_rot13 
 Characteristics of the back door ->webshell 
 Characteristics of the back door ->EgY_SpIdEr 
 Characteristics of the back door ->tools88.com 
 Characteristics of the back door ->SECFORCE 
 Characteristics of the back door ->eval("?> 
 Suspect code feature ->system( 
 Suspect code feature ->passthru( 
 Suspect code feature ->shell_exec( 
 Suspect code feature ->exec( 
 Suspect code feature ->popen( 
 Suspect code feature ->proc_open 
 Suspect code feature ->eval($ 
 Suspect code feature ->assert($ 
 dangerous MYSQL code ->returns string soname 
 dangerous MYSQL code ->into outfile 
 dangerous MYSQL code ->load_file 
 Encryption back door feature ->eval(gzinflate( 
 Encryption back door feature ->eval(base64_decode( 
 Encryption back door feature ->eval(gzuncompress( 
 Encryption back door feature ->gzuncompress(base64_decode( 
 Encryption back door feature ->base64_decode(gzuncompress( 
1 Sentence back door features ->eval($_ 
1 Sentence back door features ->assert($_ 
1 Sentence back door features ->require($_ 
1 Sentence back door features ->require_once($_ 
1 Sentence back door features ->include($_ 
1 Sentence back door features ->include_once($_ 
1 Sentence back door features ->call_user_func("assert" 
1 Sentence back door features ->call_user_func($_ 
1 Sentence back door features ->$_POST/GET/REQUEST/COOKIE[?]($_POST/GET/REQUEST/COOKIE[?] 
1 Sentence back door features ->echo(file_get_contents($_POST/GET/REQUEST/COOKIE 
 Upload back door features ->file_put_contents($_POST/GET/REQUEST/COOKIE,$_POST/GET/REQUEST/COOKIE 
 Upload back door features ->fputs(fopen("?","w"),$_POST/GET/REQUEST/COOKIE[ 
.htaccess Put the horse characteristics ->SetHandler application/x-httpd-php 
.htaccess Put the horse characteristics ->php_value auto_prepend_file 
.htaccess Put the horse characteristics ->php_value auto_append_file

Lazy design, direct use of phpspy style
Note: the scanned file is not necessarily the back door. Please judge, review and compare the original file.
Related articles: