Created
November 6, 2015 08:24
-
-
Save kidino/006dfc6e7143c4118b71 to your computer and use it in GitHub Desktop.
Find PHP scripts with eval() (potentially infected with malicious code)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| /* | |
| Plugin Name: php Malicious Code Scanner | |
| Plugin URI: http://www.mikestowe.com/phpmalcode | |
| Description: The php Malicious Code Scanner checks all files for one of the most common malicious code attacks, the eval( base64_decode() ) attack... | |
| Version: 1.3 alpha | |
| Author: Michael Stowe | |
| Author URI: http://www.mikestowe.com | |
| Credits: Based on the idea of Er. Rochak Chauhan (http://www.rochakchauhan.com/), rewritten for use with a cron job | |
| License: GPL-2 | |
| */ | |
| // Set to your email: | |
| define('SEND_EMAIL_ALERTS_TO','youremail@example.com'); | |
| ############################################ START CLASS | |
| class phpMalCodeScan { | |
| public $infected_files = array(); | |
| private $scanned_files = array(); | |
| function __construct() { | |
| $this->scan(dirname(__FILE__)); | |
| //$this->sendalert(); | |
| $this->showalert(); | |
| } | |
| function scan($dir) { | |
| $this->scanned_files[] = $dir; | |
| $files = scandir($dir); | |
| if(!is_array($files)) { | |
| throw new Exception('Unable to scan directory ' . $dir . '. Please make sure proper permissions have been set.'); | |
| } | |
| foreach($files as $file) { | |
| if(is_file($dir.'/'.$file) && !in_array($dir.'/'.$file,$this->scanned_files)) { | |
| $this->check(file_get_contents($dir.'/'.$file),$dir.'/'.$file); | |
| } elseif(is_dir($dir.'/'.$file) && substr($file,0,1) != '.') { | |
| $this->scan($dir.'/'.$file); | |
| } | |
| } | |
| } | |
| function check($contents,$file) { | |
| $this->scanned_files[] = $file; | |
| if(preg_match('/eval\ *\(/i',$contents)) { | |
| $this->infected_files[] = $file; | |
| } | |
| } | |
| function sendalert() { | |
| if(count($this->infected_files) != 0) { | |
| $message = "== MALICIOUS CODE FOUND == \n\n"; | |
| $message .= "The following files appear to be infected: \n"; | |
| foreach($this->infected_files as $inf) { | |
| $message .= " - $inf \n"; | |
| } | |
| mail(SEND_EMAIL_ALERTS_TO,'Malicious Code Found!',$message,'FROM:'); | |
| } | |
| } | |
| function showalert() { | |
| if(count($this->infected_files) != 0) { | |
| $message = "== MALICIOUS CODE FOUND == \n\n"; | |
| $message .= "The following files appear to be infected: \n"; | |
| foreach($this->infected_files as $inf) { | |
| $message .= " - $inf \n"; | |
| } | |
| //mail(SEND_EMAIL_ALERTS_TO,'Malicious Code Found!',$message,'FROM:'); | |
| echo $message; | |
| } | |
| } | |
| } | |
| ############################################ INITIATE CLASS | |
| ini_set('memory_limit', '-1'); ## Avoid memory errors (i.e in foreachloop) | |
| new phpMalCodeScan; | |
| ?> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment