Created
December 15, 2014 10:49
A simple script to cleanse injected code from PHP files. It could use a tweak or two for performance, but it does the job.
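#!/usr/bin/perl
use Cwd;
use File::Find;
use Getopt::Long;
use strict;
use warnings;

# The scan always starts at the directory the script is launched from.
my $dir = cwd() . "/";

# Virus strings definitions -- START
# An array of regular expressions to identify injected code
#************************************************************************
# Each pattern is applied line by line, and every match is deleted from the
# line. The ".*" parts are greedy, so on a line that holds both injected and
# legitimate code a match can stretch across the legitimate part as well.
# Check the output of a --test run before letting the script rewrite files.
my @virus_strings = ('^<\?php if\(!isset\(\$GLOBALS\[.*=1; } \?>',
                     '^<\?php \$[a-z]{10} \= .*-1; \?>',
                     '<\?php \$.* = .*; preg_replace\(\".*\"\); \?>');

#************************************************************************
# Loads the command line options -- START
#************************************************************************
# All options except --match are plain on/off flags (no "=s" in their spec),
# so $verbose only ever holds an empty string or 1.
my $match = '';
my $verbose = '';
my $test_run = '';
my $show_help = '';
my $delete_lic = '';

GetOptions ('match=s'   => \$match,
            'verbose'   => \$verbose,
            'deletelic' => \$delete_lic,
            'test'      => \$test_run,
            'help'      => \$show_help);

if ($show_help) {
    print "Usage: \n\n";
    print "./cleanup.pl --match <regex> --verbose --deletelic --test --help \n\n";
    print " --match <regex> Adds a new matching string to virus definitions \n";
    print " --verbose Prints all the matching files and lines based on verbosity level \n";
    print " --deletelic Deletes the license.php files found, otherwise it will only report how many are found \n";
    print " --test Runs the script in test mode, only results are print \n";
    print " --help Show this guide \n\n";
    exit 0;
}

if ($match ne '') {
    # Compile the operator-supplied pattern once, before any file is opened.
    # A pattern that does not compile would otherwise abort the run in the
    # middle of rewriting a file.
    my $compiled = eval { qr/$match/ };
    if (!defined $compiled) {
        print STDERR "Invalid --match pattern: $@";
        exit 2;
    }

    # A pattern that matches the empty string matches every line of every
    # file, so every file would be reported as infected.
    if ('' =~ $compiled) {
        print STDERR "Refusing --match pattern that matches the empty string\n";
        exit 2;
    }

    push @virus_strings, $match;
}

#************************************************************************
# Stats vars initializations
#************************************************************************
my $file_count = 0;
my $infected_file_count = 0;
my $license_file_count = 0;
my $license_file_removed_count = 0;

print "\n";
print STDOUT "Iterating through the directory looking for infected php files...\n";
print STDOUT "*****************************************************************\n";
print STDOUT "* THIS IS A TEST RUN *\n" if $test_run;
print STDOUT "*****************************************************************\n" if $test_run;

#************************************************************************
# Loop through the directories
#************************************************************************
find( \&parse, $dir);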
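#************************************************************************
# Parse the files and test for matchings against virus strings
#************************************************************************
# File::Find callback, called once per directory entry. Regular files whose
# name ends in ".php" are counted, optionally deleted when they are named
# license.php, scanned line by line against @virus_strings, and rewritten
# with every match removed.
#
# Reads:   @virus_strings, $test_run, $delete_lic, $verbose
# Updates: $file_count, $infected_file_count, $license_file_count,
#          $license_file_removed_count
# Returns nothing.
sub parse {
    return unless -f $File::Find::name;
    return unless m/\.php$/;

    # find() is called without no_chdir, so $_ is the entry's name relative
    # to the current directory and $File::Find::name is the path to report.
    my $name = $_;
    my $full = $File::Find::name;

    $file_count++;

    if ($name =~ m/license\.php$/i) {
        $license_file_count++;

        # --test promises that nothing is changed, so it also blocks deletion.
        if ($delete_lic && !$test_run) {
            # unlink returns the number of files it removed; the earlier
            # "== 0" comparison counted failed deletions as removed files.
            if (unlink($name) == 1) {
                $license_file_removed_count++;
                return;    # nothing left to scan
            }
            print STDERR "Could not delete $full: $!\n";
        }
    }

    # Three-argument open: the name is always taken literally, never as a
    # mode or a pipe, whatever characters ended up in a file name inside a
    # compromised tree.
    my $in;
    if (!open $in, '<', $name) {
        print STDERR "Could not read $full: $!\n";
        return;
    }
    my @original = <$in>;
    close $in;

    my @cleaned;
    my $infected = 0;
    my $changed = 0;
    my $file_report = '';

    for my $line (@original) {
        my $work = $line;
        my $line_hit = 0;

        # Patterns are applied in order to the same working copy, in test
        # mode too, so a test run reports exactly what a real run removes.
        for my $virus_string (@virus_strings) {
            next unless $work =~ m/$virus_string/;
            $line_hit = 1;
            $work =~ s/$virus_string//g;
        }

        if ($line_hit) {
            $infected = 1;
            # Every matching line is reported, not only the first one.
            $file_report .= "\t\t" . $line . "\n";
        }

        $changed = 1 if $work ne $line;
        push @cleaned, $work;
    }

    $infected_file_count++ if $infected;

    # Only files that actually changed are written back. Clean files, and
    # every file in a test run, keep their content and modification time,
    # which matters when the timestamps are needed to date the compromise.
    # No backup copy is kept, so the injected code is gone after this write.
    if ($changed && !$test_run) {
        my $out;
        if (!open $out, '>', $name) {
            print STDERR "Could not write $full: $!\n";
            return;
        }
        print {$out} @cleaned;
        if (!close $out) {
            print STDERR "Could not finish writing $full: $!\n";
        }
    }

    # --verbose is an on/off flag, so the earlier comparisons with 'clean'
    # and 'infected' could never be true; the condition reduces to this.
    if ($verbose) {
        my $file_status = $infected ? 'INFECTED - ' : 'CLEAN - ';
        print STDOUT $file_status . "$File::Find::name \n";
        print STDOUT $file_report if $file_report;
    }

    return;
}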
#************************************************************************
# Prints out stats
#************************************************************************
# The license.php summary is appended only when at least one such file
# was found during the walk.
my $license_note = '';
if ($license_file_count) {
    $license_note = " (" . $license_file_count . " license.php found, "
        . $license_file_removed_count . " deleted)";
}

print STDOUT "\n";
print STDOUT "Php files: " . $file_count . "\n";
print STDOUT "Infected php files: " . $infected_file_count . $license_note;
print STDOUT "\n\n";
#************************************************************************
exit 0;