@barryirwin
Last active June 26, 2023 12:24
Demo script for generating an email based on a Yara scan, complete with two samples to trigger some basic rules
<?php
phpinfo();
?>
eval(gunzip(base64_decode("Hello"));
"gzinflate(base64_decode("
";eval(
#!/bin/sh
# Script scans system using yara
# (c) 2023 bvi at moria.org
# v0.1
# check required files are present
if [ ! -x /usr/bin/yara ]; then
    echo ERROR
    echo yara binary not found: /usr/bin/yara
    echo Please check Yara is installed and paths are correct
    exit 1
fi
if [ ! -x /usr/sbin/ssmtp ]; then
    echo ERROR
    echo ssmtp not found: /usr/sbin/ssmtp
    echo Unable to send email, please check ssmtp is correctly installed and configured
    exit 1
fi
logfile=/var/log/yarascan.log
# Who to send email to
target=your@email.domain
# directory where yara rules are
rulesdir=/root/yararules
targetdir=/var/www
# How many days worth of logs to keep
maxlogdays=15 #notimplemented
## no further configuration below here
date=$(date '+%Y%m%d')                   # %m is the month; %M would be minutes
yesterday=$(date -d yesterday '+%Y%m%d')
host=$(hostname)
rfcdate=$(date -R)
mailfile=$(mktemp /tmp/yarascanemail.XXXXXX)
#
# yara options used:
# -r  recurse into directories
# matches are written to stdout, one "rule_name /path/to/file" line per hit;
# compiler warnings and scan errors go to stderr, so the two are kept in separate files
#
# make sure that logs are named properly
if [ -f "$logfile" ]; then
    mv "$logfile" "$logfile.yesterday"
fi
# delete any logs older than $maxlogdays
#find $logfile.* -ctime +$maxlogdays -delete
# run Yara
/usr/bin/yara -r "$rulesdir"/*.yar "$targetdir" > "$logfile" 2> "$logfile.err"
# catch the returncode from yara
result=$?
# yara exits 0 whether or not any rule matched, so the match count has to come from the log
matches=$(grep -c . "$logfile")
status=""
if [ "$result" -ne 0 ]; then
    status="[Error]"            # rules failed to compile or the scan aborted
elif [ "$matches" -gt 0 ]; then
    status="[MALWARE FOUND]"    # at least one rule matched
else
    status="[Success]"          # all good
fi
## construct and send email
{
    echo "Date: $rfcdate"
    echo "From: YARA Scanner <postmaster@localhost>"
    echo "To: $target"
    echo "Subject: [$host] Yara Scan $status"
    echo                        # blank line separates headers from body
    if [ "$matches" -gt 0 ]; then   # MALWARE found so highlight it
        echo "=-=-=-=-=- MALWARE FOUND ($matches) -=-=-=-=-="
        cat "$logfile"
        echo "=-=-=-=-=- MALWARE FOUND -=-=-=-=-="
    fi
    printf '\nFurther details (first 11 lines of yara stderr):\n============================\n'
    head -n 11 "$logfile.err"
} > "$mailfile"
## send email
/usr/sbin/ssmtp "$target" < "$mailfile"
if [ $? -eq 0 ]; then
    rm "$mailfile"
    mv "$logfile" "$logfile.$date"
    mv "$logfile.err" "$logfile.err.$date"
    exit 0
else
    echo An error may have occurred sending email.
    echo Manual inspection of log files should take place
    echo see: "$mailfile" and "$logfile" and/or "$logfile.$date"
    exit 1
fi
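The gist ships the two samples but not the "basic rules" they are meant to trigger. The rules file below is an added example, not part of the gist; the rule names and descriptions are constructed, and it assumes it is saved as a `.yar` file under the script's `$rulesdir` so that the first sample fires `php_phpinfo_probe` and the second fires `php_encoded_eval`.

```yara
rule php_phpinfo_probe
{
    meta:
        description = "Constructed demo rule: PHP file that calls phpinfo() (matches sample 1)"
    strings:
        $open = "<?php"
        $call = "phpinfo(" nocase
    condition:
        $open and $call
}

rule php_encoded_eval
{
    meta:
        description = "Constructed demo rule: eval() over base64/compressed text (matches sample 2)"
    strings:
        $eval = "eval(" nocase
        $b64  = "base64_decode(" nocase
        $gz1  = "gzinflate(" nocase
        $gz2  = "gunzip(" nocase
    condition:
        $eval and $b64 and 1 of ($gz*)
}
```

Each hit is written by yara as `rule_name /path/to/file` on stdout, which is exactly the line the script counts to decide between `[Success]` and `[MALWARE FOUND]`.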