Last active
October 3, 2017 23:41
-
-
Save hugokernel/599dbf52d901c7874980 to your computer and use it in GitHub Desktop.
Python scanner for first line eval() based infection on php script
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ''' | |
| Python scanner for first line eval() based infection on php script (ex: Wordpress infection) | |
| Information: http://somewebgeek.com/2014/wordpress-remote-code-execution-base64_decode/ | |
| hugokernel, 09/2014 | |
| Usage: | |
| python scan.py directory | |
| ''' | |
| import sys | |
| import os | |
| VARIANT = 'PCT4BA6ODSE' | |
| # Remove file if empty after patch | |
| REMOVE_IF_EMPTY = True | |
| def patch(filename): | |
| with open(filename, 'r+') as f: | |
| lines = f.readlines() | |
| lines[0] = '<?php' | |
| f.seek(0) | |
| f.write(str(''.join(lines)).strip()) | |
| f.truncate() | |
| def scan(directory): | |
| for item in os.listdir(directory): | |
| line = os.path.join(directory, item) | |
| if os.path.isdir(line): | |
| scan(line) | |
| else: | |
| if item.split('.')[-1] == 'php': | |
| with open(line, "rb") as f: | |
| first = f.readline() | |
| if 'eval' in first: | |
| print 'Found in %s' % line, | |
| if VARIANT: | |
| if VARIANT in first: | |
| print 'variant ok !', | |
| else: | |
| raise Exception('Bad variant !') | |
| else: | |
| print 'no variant', | |
| print ', patching', | |
| patch(line) | |
| print 'ok !', | |
| if REMOVE_IF_EMPTY and os.path.getsize(line) == 0: | |
| os.remove(line) | |
| print 'empty file ! Removed !', | |
| if __name__ == '__main__': | |
| scan(sys.argv[1]) | |
| #patch(sys.argv[1]) |
@llribas have you fixed it?
I lost all starting <?php code after applying this script :(
I update script : Add <?php on first line when patched !
Hello,
This helped a lot, it cleaned my files.
The only problem is that on some files, I still got <?php<?php
Unfortunately I am 0 at python. How can you modify the patch function so it also replaces <?php<?php with <?php
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
great script!
I noticed that you can lose some code of infected file when you scan it. It's when the infected file has some original code in the same last line of malicious code, like:
[all the malicious code...] if(isset($s22)){eval($s21($s22));}?>
in cases like this, you will lose the first line of the original file: