phpAV is a script designed to work as antivirus for malicious PHP scripts. It will search a given directory and related files for dangerous functions and provide a report.
52ba58c54f23247b703f406196191b4b06961a14a63f73da8e5e630962be128a
#!/usr/bin/php
<?php
// Lift the execution-time limit: walking a large web root can take a while.
ini_set('max_execution_time', '0');
/**
* Title: phpAV
* Version: 1.0
* Author: Milos Zivanovic
* Email: milosz.security@gmail.com
* Date: January 2010.
*
* About: PHP script designed to work as an antivirus for malicious
* PHP scripts. phpAV searches the given directory and looks in files with
* predefined extensions for dangerous functions such as system() and
* others. phpAV is designed so it can be easily configured to look in
* more file types and to search for more functions.
*
* Usage: phpAV.php /var/www/
* A file called Log.txt will appear in the same dir as phpAV.php IF
* dangerous functions are found; otherwise the file won't be there.
*
* Configuring: The array $functions stores the functions you want the
* script to search for in files.
* The array $file_types stores the file types you want phpAV to scan
* (it will only open files with those extensions).
* $log_file is the variable holding the file name where logs will be
* saved (the script will create that file and write logs to it).
*
* Thanks: Special thanks to Teo Manojlovic; the idea for this
* originated in his mind.
* Note: Script tested on linux (ubuntu karmic koala (9.10))
**/
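// CONFIGURATION SECTION
// Function names whose call sites are reported when found in a scanned file.
$functions = array('shell_exec', 'system', 'passthru', 'exec', 'eval',
    'ftp_connect');
// Only files whose extension is in this list are opened and scanned.
$file_types = array('php', 'php3', 'php4', 'php5', 'phps', 'ph3',
    'ph4', 'html', 'htm', 'phtml');
// Report file. The path is relative, so it is created in the current working
// directory of the process, not necessarily next to this script; use an
// absolute path here to pin the location.
$log_file = "Log.txt";
// END OF CONFIGURATION SECTION

// Exactly one argument (the directory to scan) is expected. $argc counts the
// script name itself, so a correct invocation has $argc === 2. Testing this
// before touching $argv[1] also avoids the case where a missing argument
// silently turned into "/" and the whole filesystem was walked.
if ($argc !== 2) {
    echo "Usage: " . $argv[0] . " [DIR PATH]";
    exit(1);
}
$dir = $argv[1];
if (!is_dir($dir)) {
    echo "Not a directory: " . $dir;
    exit(1);
}
// Normalise to a trailing slash; search_dir() concatenates "$path.$file".
if (substr($dir, -1) !== "/") {
    $dir .= "/";
}
search_dir($dir);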
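/**
 * Recursively walk $path and scan every readable regular file whose
 * extension is in the configured list (see is_file_ext()).
 *
 * Symlinked directories are not followed: a link pointing back up the tree
 * would otherwise make the recursion loop until the stack is exhausted.
 *
 * @param string $path Directory to walk, expected to end with "/".
 * @return void
 */
function search_dir($path) {
    $dh = opendir($path);
    if ($dh === false) {
        return;
    }
    while (($file = readdir($dh)) !== false) {
        if ($file === "." || $file === "..") {
            continue;
        }
        $full = $path . $file;
        if (is_dir($full)) {
            if (!is_link($full)) {
                search_dir($full . "/");
            }
        } elseif (is_readable($full) && is_file_ext($full)) {
            search_in_file($full);
        }
    }
    // Release the handle; every recursion level would otherwise keep one open
    // for the lifetime of the scan.
    closedir($dh);
}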
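/**
 * Whether $file's extension (the text after the last dot of its basename)
 * is one of the configured $file_types.
 *
 * The extension has to be preceded by a dot, so "index.php" matches but
 * "myphp" does not, and the comparison ignores case so "shell.PHP" is not
 * skipped.
 *
 * @param string $file Path or bare file name.
 * @return bool
 */
function is_file_ext($file) {
    global $file_types;
    $ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
    if ($ext === '') {
        return false;
    }
    foreach ($file_types as $type) {
        if (strtolower($type) === $ext) {
            return true;
        }
    }
    return false;
}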
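/**
 * Scan one file for calls to the configured $functions and hand every
 * matching line to _log().
 *
 * A "call" is a configured name that is not preceded by an identifier
 * character or "$" (so "my_system(" and "$system(" are ignored), followed
 * by optional whitespace and "(". The match is case-insensitive because PHP
 * resolves function names case-insensitively, so "SYSTEM(" is a real call.
 * Each line is reported once, in file order, even when it matches several
 * configured names.
 *
 * @param string $file Path of the file to scan; unreadable paths are skipped.
 * @return void
 */
function search_in_file($file) {
    global $functions;
    if (!is_file($file) || !is_readable($file)) {
        return;
    }
    $content = file_get_contents($file);
    // Nothing to do on a read failure or with an empty function list (an empty
    // alternation would otherwise match every "(").
    if ($content === false || empty($functions)) {
        return;
    }
    $quoted = array();
    foreach ($functions as $name) {
        $quoted[] = preg_quote($name, '/');
    }
    $pattern = '/(?<![\w$])(?:' . implode('|', $quoted) . ')\s*\(/i';
    // \R splits on "\n", "\r\n" and "\r" alike, so reported line numbers stay
    // right for files with Windows line endings and no stray "\r" is logged.
    $lines = preg_split('/\R/', $content);
    $found_str = array();
    $found_line = array();
    foreach ($lines as $idx => $line) {
        if (preg_match($pattern, $line) === 1) {
            $found_str[] = $line;
            $found_line[] = $idx + 1;
        }
    }
    if ($found_str !== array()) {
        _log($file, $found_str, $found_line);
    }
}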
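/**
 * Append one report entry for $path to the configured $log_file.
 *
 * Entry format (one header line, then one line per finding):
 *   File: <path>
 *   Line: <number> | <source line>
 *
 * @param string $path    File the findings came from.
 * @param array  $line    Matching source lines, in the same order as $linenum.
 * @param array  $linenum 1-based line numbers of those lines.
 * @return void
 */
function _log($path, array $line, array $linenum) {
    global $log_file;
    $entry = "File: " . $path . "\n";
    foreach ($line as $i => $text) {
        $entry .= "Line: " . $linenum[$i] . " | " . $text . "\n";
    }
    // One locked append per scanned file instead of one write per finding:
    // entries from concurrent runs cannot interleave, and a failed write is
    // reported rather than silently dropped.
    if (file_put_contents($log_file, $entry, FILE_APPEND | LOCK_EX) === false) {
        error_log("phpAV: could not write to " . $log_file);
    }
}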
?>