Checks for sites containing the malicious script loaded from the "cloudflare.solutions" domain. https://www.bleepingcomputer.com/news/security/keylogger-found-on-nearly-5-500-infected-wordpress-sites/
#!/usr/bin/env python3
# pip3 install beautifulsoup4
# pip3 install lxml
# pip install --upgrade certifi  # for "SSL: CERTIFICATE_VERIFY_FAILED" errors
# SELECT path FROM blogs WHERE deleted = 0 AND archived = 0;
# Uses https://github.com/Anorov/cloudflare-scrape to bypass Cloudflare's anti-bot page
from bs4 import BeautifulSoup as bs | |
import argparse | |
import cfscrape | |
import sys | |
# Single module-level scraper from cloudflare-scrape; check_site() issues every
# request through it so pages behind Cloudflare's anti-bot page can be fetched.
scraper = cfscrape.create_scraper()
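def check_site(site, malstr):
    """Fetch *site* and report external scripts whose URL contains *malstr*.

    Every ``<script>`` tag in the returned HTML is inspected and its ``src``
    attribute is compared against *malstr* with a case-sensitive substring
    test. A site with at least one match is printed and appended to
    ``compromised-sites.txt`` in the current working directory.

    Coverage limits: only the ``src`` attribute of ``<script>`` tags present
    in the fetched HTML is examined. Inline script bodies and anything that
    is not in the fetched markup are not looked at, so a "may not be
    compromised" line means "no match found", not that the site is clean.

    Args:
        site: URL to fetch; handed to the scraper unchanged.
        malstr: Substring to look for in each script ``src`` value.
    """
    # Bound the request so one unresponsive host cannot stall a whole sweep.
    html = scraper.get(site, timeout=30).content
    bt = bs(html, "lxml")

    # <script> tags without a src attribute yield None and are dropped.
    # An explicit identity test is used instead of filter(None.__ne__, ...):
    # that form depends on NotImplemented being truthy, which is deprecated
    # since Python 3.9 and rejected by newer interpreters.
    sources = [tag.get('src') for tag in bt.find_all('script')]
    sources = [s for s in sources if s is not None]
    results = [s for s in sources if malstr in s]

    if not results:
        print(site + ' may not be compromised.\n')
        return

    print(site.upper() + " may be compromised.")
    # The results file is opened only when there is a hit to record, so a
    # sweep with no findings does not leave an empty file behind.
    with open('compromised-sites.txt', 'a') as f:
        f.write(site + '\n')
    for hit in results:
        print('\t' + hit)
    print('\n')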
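if __name__ == '__main__':
    # Exactly one of --sites / --site must be supplied (argparse enforces it);
    # --malstr is needed in both modes and its absence falls through to help.
    parser = argparse.ArgumentParser()
    group = parser.add_mutually_exclusive_group(required=True)
    group.add_argument("--sites", help="csv file containing sites to check")
    group.add_argument("--site", help="single site to check")
    parser.add_argument("--malstr", help="malicious string to check for")
    args = parser.parse_args()
    site = args.site
    sites = args.sites
    malstr = args.malstr

    if site and malstr:
        check_site(site, malstr)
    elif sites and malstr:
        # Entries may be separated by commas and/or newlines. The file is
        # closed before any network work starts.
        with open(sites) as listing:
            raw = listing.read()
        # strip() also removes stray spaces and '\r' from CRLF files, which
        # would otherwise end up inside the URL that gets requested.
        websites = [entry.strip() for entry in raw.replace('\n', ',').split(',')]

        unchecked = 0
        for site in websites:
            if site == '':
                continue
            try:
                check_site(site, malstr)
            except Exception as err:
                # One unreachable or malformed entry must not end the sweep;
                # report it so the site is not mistaken for "checked".
                unchecked += 1
                print(site + ' could not be checked: ' + str(err) + '\n',
                      file=sys.stderr)
        if unchecked:
            # Non-zero exit signals that coverage of the list was incomplete.
            sys.exit(1)
    else:
        parser.print_help()
        sys.exit(1)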