
@BLTSEC
Last active December 8, 2017 19:55
Checks for sites containing the malicious script loaded from the "cloudflare.solutions" domain. https://www.bleepingcomputer.com/news/security/keylogger-found-on-nearly-5-500-infected-wordpress-sites/
#!/usr/bin/env python3
# pip3 install beautifulsoup4
# pip3 install lxml
# pip install --upgrade certifi  # if requests fail with "SSL: CERTIFICATE_VERIFY_FAILED"
# SELECT path FROM blogs WHERE deleted = 0 AND archived = 0;
# used https://github.com/Anorov/cloudflare-scrape to bypass Cloudflare's anti-bot page
from bs4 import BeautifulSoup as bs
import argparse
import cfscrape
import sys
# One shared session for every request. cfscrape is used so that Cloudflare's
# anti-bot interstitial does not hide the page that is actually being scanned.
scraper = cfscrape.create_scraper()
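def check_site(site, malstr):
    """Report whether a page references an external script matching *malstr*.

    Fetches *site* through the module-level ``scraper`` session, collects the
    ``src`` attribute of every ``<script>`` tag and flags the site when any of
    them contains *malstr*. Flagged sites are printed together with the
    matching URLs and appended to ``compromised-sites.txt`` in the current
    working directory.

    Limits of the check: only ``src`` attributes present in the fetched HTML
    are inspected. Inline script bodies and scripts added at runtime are not
    examined, and the HTTP status is not checked, so an error page is scanned
    like any other response. A "may not be compromised" result is therefore
    not proof that the site is clean.

    Args:
        site: URL of the page to fetch.
        malstr: Substring to look for in script source URLs (case-sensitive).

    Returns:
        None. Results go to stdout; fetch failures are reported on stderr.
    """
    try:
        # Bound the wait so one unresponsive host cannot stall a batch run.
        html = scraper.get(site, timeout=30).content
    except Exception as err:
        # Per-site boundary of a batch scan: report "not checked" separately
        # from "not compromised" so an unreachable or malformed URL is never
        # mistaken for a clean site, then let the caller move on.
        print(f"{site} could not be checked: {err}\n", file=sys.stderr)
        return

    soup = bs(html, "lxml")
    # Tags without a src attribute yield None. Drop them with an explicit
    # identity test; filtering on None.__ne__ relied on the truthiness of
    # NotImplemented, which newer Python versions reject.
    sources = [tag.get('src') for tag in soup.find_all('script')]
    sources = [src for src in sources if src is not None]
    results = [src for src in sources if malstr in src]

    if not results:
        print(site + ' may not be compromised.\n')
        return

    print(site.upper() + " may be compromised.")
    # Touch the results file only when there is something to record.
    with open('compromised-sites.txt', 'a') as f:
        f.write(site + '\n')
    for match in results:
        print('\t' + match)
    print('\n')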
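if __name__ == '__main__':
    # Command line: exactly one of --sites / --site, plus --malstr.
    parser = argparse.ArgumentParser()
    group = parser.add_mutually_exclusive_group(required=True)
    group.add_argument("--sites", help="csv file containing sites to check")
    group.add_argument("--site", help="single site to check")
    parser.add_argument("--malstr", help="malicious string to check for")
    args = parser.parse_args()
    site = args.site
    sites = args.sites
    malstr = args.malstr

    if site and malstr:
        check_site(site, malstr)
    elif sites and malstr:
        # Read the list inside a context manager so the handle is closed
        # instead of being left to the garbage collector.
        with open(sites) as listing:
            raw = listing.read()
        # Entries may be separated by commas and/or newlines. Strip each one
        # so CRLF line endings or padding never end up inside a URL or in the
        # results file.
        for site in raw.replace('\n', ',').split(','):
            site = site.strip()
            if site == '':
                continue
            check_site(site, malstr)
    else:
        # --malstr is missing or empty. An empty search string would match
        # every script URL, so show usage and fail instead of scanning.
        parser.print_help()
        sys.exit(1)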