#!/bin/bash
# Name: PHPMalware
# Version: 2017-10-20
# Description: Check Plesk-hosted PHP sites for malware by looking for unusual POST requests to .php files in today's access logs.
# Developer: Robin Labadie
# Websites: haisoft.fr | lrob.fr | terageek.org
## Directories
# Plesk vhost root. Declared for operators; the detection logic below does not
# read it (logs are located via siteslogdirs).
siteslocation='/var/www/vhosts'
# Log location: Plesk keeps one log directory per domain under here
siteslogdirs='/var/www/vhosts/system'
# Log files relative to ${siteslogdirs}/<domain>, plain HTTP and HTTPS
siteslogs='logs/access_log'
siteslogs_ssl='logs/access_ssl_log'
# Exclude from log detection, one entry per line. Numeric entries are HTTP
# status codes, the others are request-path fragments; any POST matching one
# is silently ignored, so keep this list tight: a broad entry such as
# index.php also hides a backdoor dropped as .../uploads/index.php.
excludelogs=$'303\n404\n503\n403\nindex.php\nadmin-ajax.php\nwp-cron.php\nwp-login.php\nwp-comment.php'
##############
### Script ###
##############
## Misc Vars
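# Script name for log output (presumably consumed by the sourced bash API)
selfname="PHPMalware"
# Today's date in access_log notation (dd/Mon/YYYY, e.g. 20/Oct/2017); the
# locale is forced so the month abbreviation matches what Apache writes.
currdate="$(LC_ALL=en_GB.UTF8 date +'%d/%b/%Y')"
# Directory this script lives in. The helper library is fetched to and
# sourced from here, never from the caller's working directory: this runs as
# root on the Plesk host, and sourcing "./ultimate-bash-api.sh" from an
# arbitrary cwd (a customer's httpdocs, say) would execute whatever file a
# site owner dropped under that name.
selfdir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
bashapi="${selfdir}/ultimate-bash-api.sh"
# Download bash API when missing. It is third-party code pulled from a moving
# branch with no integrity check, so pinning a commit or verifying a checksum
# is left to the operator; at least a failed download must not leave a
# truncated file behind or let the script continue without its log functions.
if [ ! -f "${bashapi}" ]; then
	if ! wget -O "${bashapi}" https://raw.githubusercontent.com/UltimateByte/ultimate-bash-api/master/ultimate-bash-api.sh; then
		echo "[ERROR] could not download ${bashapi}" >&2
		rm -f "${bashapi}"
		exit 1
	fi
	chmod +x "${bashapi}"
fi
if [ ! -r "${bashapi}" ]; then
	echo "[ERROR] cannot read ${bashapi}" >&2
	exit 1
fi
# shellcheck source=/dev/null
source "${bashapi}"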
# List all domains and subdomains and their rootdirs
# Ask the Plesk database for every domain/subdomain with web hosting and its
# document root; the header row and rows without a docroot (NULL) are dropped.
domainlist="$(plesk db <<< "SELECT dom.name, h.www_root FROM domains dom LEFT JOIN DomainServices d ON (dom.id = d.dom_id AND d.type = 'web') LEFT JOIN hosting h ON h.dom_id = dom.id" | tail -n +2 | grep -v "NULL")"
# Scan logs looking for unusual POST requests
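# Scan one Apache access log and print, one per line, the distinct request
# paths of today's POST requests aimed at a .php script, minus exclusions.
# Arguments: $1 - path of the access log to scan
# Globals:   currdate (read), excludelogs (read)
# Assumes the Apache common/combined log layout the original "cut -f 7"
# already relied on: field 6 is the quoted method, 7 the request path and 9
# the HTTP status code. Numeric exclusions are compared with the status code
# only and the other entries as substrings of the path only, so a byte count
# or client IP that happens to contain "404" no longer hides a hit (the
# original matched every exclusion against the whole line).
# sort -u reports each path once regardless of order; uniq only collapsed
# adjacent duplicates.
fn_scan_posts(){
	local logfile="${1}"
	awk -v excl="${excludelogs}" -v today="${currdate}:" '
		BEGIN {
			n = split(excl, items, "\n")
			for (i = 1; i <= n; i++) {
				if (items[i] ~ /^[0-9]+$/) { status[items[i]] = 1 }
				else if (items[i] != "") { paths[items[i]] = 1 }
			}
		}
		index($0, today) == 0 { next }
		$6 != "\"POST" { next }
		$7 !~ /\.php/ { next }
		($9 in status) { next }
		{
			for (p in paths) { if (index($7, p) > 0) { next } }
			print $7
		}' "${logfile}" | sort -u
}
# Walk every hosted domain and report today's suspicious POST requests to .php
# scripts found in its HTTP and HTTPS access logs.
# Globals: domainlist, siteslogdirs, siteslogs, siteslogs_ssl (read);
#          fn_logecho / fn_log come from the sourced bash API.
# Outputs: findings and missing-log warnings via fn_logecho, "is clean" via fn_log.
fn_detect_logs(){
	local domainname domainpath currsitelog currsitelog_ssl
	local postdetect postdetect_ssl hit
	# read keeps a docroot containing spaces intact, where awk '{print $2}' cut it.
	while read -r domainname domainpath; do
		[ -n "${domainname}" ] || continue
		currsitelog="${siteslogdirs}/${domainname}/${siteslogs}"
		currsitelog_ssl="${siteslogdirs}/${domainname}/${siteslogs_ssl}"
		postdetect=""
		postdetect_ssl=""
		# If the HTTP log is found for the given domain, search into it
		if [ -f "${currsitelog}" ]; then
			postdetect="$(fn_scan_posts "${currsitelog}")"
		else
			fn_logecho "[WARNING] log ${currsitelog} not found"
		fi
		# If the HTTPS log is found for the given domain, search into it
		if [ -f "${currsitelog_ssl}" ]; then
			postdetect_ssl="$(fn_scan_posts "${currsitelog_ssl}")"
		else
			# The original named the HTTP log here; report the SSL log that is missing.
			fn_logecho "[WARNING] log ${currsitelog_ssl} not found"
		fi
		# Hits are iterated with read rather than an unquoted "for x in $var":
		# request paths are attacker-chosen, and a POST to /x.php?* would
		# otherwise be glob-expanded against the cwd before being logged.
		# HTTPS findings are echoed to the console like HTTP ones (the original
		# only wrote them to the log file).
		if [ -n "${postdetect}" ]; then
			fn_logecho "# ${domainname} HTTP POST"
			while IFS= read -r hit; do
				fn_logecho "HTTP POST - ${domainname} - ${domainpath}${hit}"
			done <<< "${postdetect}"
		fi
		if [ -n "${postdetect_ssl}" ]; then
			fn_logecho "# ${domainname} HTTPS POST"
			while IFS= read -r hit; do
				fn_logecho "HTTPS POST - ${domainname} - ${domainpath}${hit}"
			done <<< "${postdetect_ssl}"
		fi
		if [ -z "${postdetect}" ] && [ -z "${postdetect_ssl}" ]; then
			fn_log "# ${domainname} is clean"
		fi
	done <<< "${domainlist}"
}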
# Entry point: scan every vhost's logs, then let the sourced bash API report
# how long the run took.
fn_phpmalware_main(){
	fn_detect_logs
	fn_duration
}
fn_phpmalware_main