Nettoyage de sites hackés

De Sn4kY
Révision datée du 28 septembre 2018 à 11:07 par Sn4kY (discussion | contributions)
Aller à : navigation, rechercher

Quelques commandes utiles pour trouver rapidement des fichiers d'un site web qui contiennent du code malicieux (frauduleux, toussa toussa)

find . -name "*.php" -print0 | xargs -0 grep -i "\$auth_pass = " | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i "\$_passssword" | cut -d":" -f1 | sort --uniq
find . -name "*.php" -print0 | xargs -0 grep -i "preg_replace(\"\/\.\*\/e\"" | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i "@preg_replace" | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i "\$____=" | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i "eval(.*(\$.*, \$.*));?>" | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i "\$.*=\"stop_\";\$.*=strtoupper(" | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i "\$.*=\"stop_\";\$.*=strtolower(" | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i '$.*=".*_";$.*=strtoupper(' | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i '$.*=".*_";$.*=strtolower(' | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i "echo 'You are forbidden\!';" | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i '\$.*=".*";@eval(' | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i 'global\$' | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i '<\?php *\$GLOBALS\[' | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i '\$GLOBALS\[\$GLOBALS.*\.\$GLOBALS' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i '\$_COOKIE\[.*\$_COOKIE\[.*\$_COOKIE' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "if(isset(\$_GET\['.*'\])){if(isset(\$_FILES\['.*'\]))" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "\$. = .*; assert(\$.('" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "\$.*=\$_COOKIE;" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "@setcookie" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "@move_uploaded_file" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i '\$.*="base64_decode";return \$' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i 'eval.*base64_decode' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i 'create_function.*base64_decode' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "php eval(\$_POST\[.*\]" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "<?php *\$.*?><?php" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -iE "@system\(.*\.sh" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "\$s_.*shell" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i '$GLOBALS.*packer.*shell.*;' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "\$b64 = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\";" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "\$.* = fwrite(\$.*, \$.*); fclose(\$.*); echo \$.*; exit()" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "<script>var.*'?key=b64'" | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "\$.* = \$.*{.*} \. \$.*{.*} \. \$.*{.*}" | cut -d":" -f1 | uniq | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "\$.*=.*;.*function .*\(\$.*, \$.*\){\$.*" | cut -d":" -f1 | uniq | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "<\?php \$.* = \".*\";\$.* = \".*\";\$.* = \".*\";" | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i "<\?php \$.*=\$.*\[.*\];.*eval(\$i" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "$.*=urldecode(\".*\");\$.*=\$.*{.*}\.\$.*" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "<?php  preg_replace(\".*\", \".*"\.".*('\".\$_REQUEST\['" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "preg_match(\"/(bing|googlebot|bingbot|google|yahoo)/\"" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i '@include "\\x' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i 'if(!empty($this->.*))return $this->.*;' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i 'if(move_uploaded_file($temp,$file)' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i 'if (move_uploaded_file(\$_FILES' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i 'IndoXploit' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "if(md5(\$_GET\['pwd'\]" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i 'cPanel Cracker' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i 'Gassrini' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "define('__SEC_VALUE__'" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "base64_decode(\$_POST\['.*'\]); @eval" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "\$.*=base64_decode('.*').\$_GET" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i 'payload_file' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -iP 'eval\("\\x.*\\x.*\\x.*\\x.*\\x.*\\x.*\\x.*\\x.*' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i 'eval (\$_POST\[' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i '\$.*=.*str_replace(".*","",".*s.*t.*r.*_.*r.*e.*p.*l.*a.*c.*e.*");' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i '\$.*=urldecode(.*);\$GLOBALS\[.*\]=\$.*{.*}\.\$' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i 'if(\$password!=\$config_password)' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i '\$rn=array_shift(\$.*);\$.*=array();foreach(\$.* as $.*){array_push(\$.*,(\$.*-\$.*));}\$.*=\$.*;' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i '\$.* = stripslashes(base64_decode(\$_POST\['.*'\]));' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -l 'gzinflate.*\\x'
find . -name "*.php" -print0 | xargs -0 grep -l '.\{1000\}' $i | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -l 'error_reporting(0)'
find . -name "*.php" -print0 | xargs -0 grep -l 'leafmailer'
old_IFS=$IFS     # sauvegarde du searateur de champ
IFS=$'\n'     # nouveau separateur de champ, le caractere fin de ligne
for line in $(find . -type f -name "*.php" | xargs wc -l | egrep -v "*.total$")
do
	FILE=$(echo ${line} | awk {'print $2'})
	NBR=$(echo ${line} | awk {'print $1'})
	if [ $(ls -l $FILE | awk {'print $5'}) -gt 33 ]
	then
		if [ ${NBR} = 0 ]
		then
			if [ $(grep -c "You don't belong here" $FILE) = 0 ]
			then
				echo "$FILE"
			fi
		elif [ ${NBR} = 1 ]
		then
			echo "$FILE"
		elif [ ${NBR} = 2 ]
		then
			echo "$FILE"
		fi
	fi
done
IFS=$old_IFS