Nettoyage de sites hackés : Différence entre versions

m (Sn4kY a déplacé la page Nettoyages de sites hackés vers Nettoyage de sites hackés)
 
(17 révisions intermédiaires par le même utilisateur non affichées)
Ligne 1 : Ligne 1 :
 +
Nettoyage prestashop
 +
https://devcustom.net/public/scripts/cleaner.zip
 
Quelques commandes utiles pour trouver rapidement des fichiers d'un site web qui contiennent du code malicieux (frauduleux, toussa toussa)
 
Quelques commandes utiles pour trouver rapidement des fichiers d'un site web qui contiennent du code malicieux (frauduleux, toussa toussa)
  
Ligne 34 : Ligne 36 :
 
  find . -name "*.php" -print0 | xargs -0 grep -i "<script>var.*'?key=b64'" | uniq
 
  find . -name "*.php" -print0 | xargs -0 grep -i "<script>var.*'?key=b64'" | uniq
 
  find . -name "*.php" -print0 | xargs -0 grep -i "\$.* = \$.*{.*} \. \$.*{.*} \. \$.*{.*}" | cut -d":" -f1 | uniq | uniq
 
  find . -name "*.php" -print0 | xargs -0 grep -i "\$.* = \$.*{.*} \. \$.*{.*} \. \$.*{.*}" | cut -d":" -f1 | uniq | uniq
 +
find . -name "*.php" -print0 | xargs -0 grep -i "\$.*=.*;.*function .*\(\$.*, \$.*\){\$.*" | cut -d":" -f1 | uniq | uniq
 
  find . -name "*.php" -print0 | xargs -0 grep -i "<\?php \$.* = \".*\";\$.* = \".*\";\$.* = \".*\";" | cut -d":" -f1
 
  find . -name "*.php" -print0 | xargs -0 grep -i "<\?php \$.* = \".*\";\$.* = \".*\";\$.* = \".*\";" | cut -d":" -f1
 
  find . -name "*.php" -print0 | xargs -0 grep -i "<\?php \$.*=\$.*\[.*\];.*eval(\$i" | cut -d":" -f1 | uniq
 
  find . -name "*.php" -print0 | xargs -0 grep -i "<\?php \$.*=\$.*\[.*\];.*eval(\$i" | cut -d":" -f1 | uniq
Ligne 42 : Ligne 45 :
 
  find . -name "*.php" -print0 | xargs -0 grep -i 'if(!empty($this->.*))return $this->.*;' | cut -d":" -f1 | uniq
 
  find . -name "*.php" -print0 | xargs -0 grep -i 'if(!empty($this->.*))return $this->.*;' | cut -d":" -f1 | uniq
 
  find . -name "*.php" -print0 | xargs -0 grep -i 'if(move_uploaded_file($temp,$file)' | cut -d":" -f1 | uniq
 
  find . -name "*.php" -print0 | xargs -0 grep -i 'if(move_uploaded_file($temp,$file)' | cut -d":" -f1 | uniq
 +
find . -name "*.php" -print0 | xargs -0 grep -i 'if (move_uploaded_file(\$_FILES' | cut -d":" -f1 | uniq
 
  find . -name "*.php" -print0 | xargs -0 grep -i 'IndoXploit' | cut -d":" -f1 | uniq
 
  find . -name "*.php" -print0 | xargs -0 grep -i 'IndoXploit' | cut -d":" -f1 | uniq
 +
find . -name "*.php" -print0 | xargs -0 grep -i "if(md5(\$_GET\['pwd'\]" | cut -d":" -f1 | uniq
 
  find . -name "*.php" -print0 | xargs -0 grep -i 'cPanel Cracker' | cut -d":" -f1 | uniq
 
  find . -name "*.php" -print0 | xargs -0 grep -i 'cPanel Cracker' | cut -d":" -f1 | uniq
 
  find . -name "*.php" -print0 | xargs -0 grep -i 'Gassrini' | cut -d":" -f1 | uniq
 
  find . -name "*.php" -print0 | xargs -0 grep -i 'Gassrini' | cut -d":" -f1 | uniq
 +
find . -name "*.php" -print0 | xargs -0 grep -i "define('__SEC_VALUE__'" | cut -d":" -f1 | uniq
 
  find . -name "*.php" -print0 | xargs -0 grep -i "base64_decode(\$_POST\['.*'\]); @eval" | cut -d":" -f1 | uniq
 
  find . -name "*.php" -print0 | xargs -0 grep -i "base64_decode(\$_POST\['.*'\]); @eval" | cut -d":" -f1 | uniq
 
  find . -name "*.php" -print0 | xargs -0 grep -i "\$.*=base64_decode('.*').\$_GET" | cut -d":" -f1 | uniq
 
  find . -name "*.php" -print0 | xargs -0 grep -i "\$.*=base64_decode('.*').\$_GET" | cut -d":" -f1 | uniq
Ligne 50 : Ligne 56 :
 
  find . -name "*.php" -print0 | xargs -0 grep -iP 'eval\("\\x.*\\x.*\\x.*\\x.*\\x.*\\x.*\\x.*\\x.*' | cut -d":" -f1 | uniq
 
  find . -name "*.php" -print0 | xargs -0 grep -iP 'eval\("\\x.*\\x.*\\x.*\\x.*\\x.*\\x.*\\x.*\\x.*' | cut -d":" -f1 | uniq
 
  find . -name "*.php" -print0 | xargs -0 grep -i 'eval (\$_POST\[' | cut -d":" -f1 | uniq
 
  find . -name "*.php" -print0 | xargs -0 grep -i 'eval (\$_POST\[' | cut -d":" -f1 | uniq
  find . -name "*.php" -print0 | xargs -0 grep -i '\$.*=.*str_replace(".","","s.*t.*r.*_.*r.*e.*p.*l.*a.*c.*e");' | cut -d":" -f1 | uniq
+
  find . -name "*.php" -print0 | xargs -0 grep -i '\$.*=.*str_replace(".*","",".*s.*t.*r.*_.*r.*e.*p.*l.*a.*c.*e.*");' | cut -d":" -f1 | uniq
 
  find . -name "*.php" -print0 | xargs -0 grep -i '\$.*=urldecode(.*);\$GLOBALS\[.*\]=\$.*{.*}\.\$' | cut -d":" -f1 | uniq
 
  find . -name "*.php" -print0 | xargs -0 grep -i '\$.*=urldecode(.*);\$GLOBALS\[.*\]=\$.*{.*}\.\$' | cut -d":" -f1 | uniq
 
  find . -name "*.php" -print0 | xargs -0 grep -i 'if(\$password!=\$config_password)' | cut -d":" -f1 | uniq
 
  find . -name "*.php" -print0 | xargs -0 grep -i 'if(\$password!=\$config_password)' | cut -d":" -f1 | uniq
 
  find . -name "*.php" -print0 | xargs -0 grep -i '\$rn=array_shift(\$.*);\$.*=array();foreach(\$.* as $.*){array_push(\$.*,(\$.*-\$.*));}\$.*=\$.*;' | cut -d":" -f1 | uniq
 
  find . -name "*.php" -print0 | xargs -0 grep -i '\$rn=array_shift(\$.*);\$.*=array();foreach(\$.* as $.*){array_push(\$.*,(\$.*-\$.*));}\$.*=\$.*;' | cut -d":" -f1 | uniq
  find . -name "*.php" -print0 | xargs -0 grep -i '\$.* = stripslashes(base64_decode(\$_POST\['.*'\]));' | cut -d":" -f1 | uniq
+
  find . -name "*.php" -print0 | xargs -0 grep -li '\$.* = stripslashes(base64_decode(\$_POST\['.*'\]));'
  find . -name "*.php" -print0 | xargs -0 grep -l '.\{1000\}' $i | cut -d":" -f1 | uniq
+
find . -name "*.php" -print0 | xargs -0 grep -li 'gzinflate.*\\x'
 +
find . -name "*.php" -print0 | xargs -0 grep -li 'gzinflate(str_rot13(base64_decode'
 +
find . -name "*.php" -print0 | xargs -0 grep -l 'GIF89a'
 +
find . -name "*.php" -print0 | xargs -0 grep -li 'b374k'
 +
find . -name "*.php" -print0 | xargs -0 grep -Pli 'Web Shell by oRb|WSO_VERSION'
 +
find . -name "*.php" -print0 | xargs -0 grep -li 'FoxAutoV4'
 +
find . -name "*.php" -print0 | xargs -0 grep -li '<title>MARIJUANA</title>'
 +
find . -name "*.php" -print0 | xargs -0 grep -i "encode(base64_decode" | cut -d":" -f1 | uniq
 +
 
 +
  find . -name "*.php" -print0 | xargs -0 grep -li '.\{1000\}' $i | cut -d":" -f1 | uniq
 +
find . -name "*.php" -print0 | xargs -0 grep -li 'error_reporting(0)'
 +
find . -name "*.php" -print0 | xargs -0 grep -li 'leafmailer'
 +
 
  
 
  old_IFS=$IFS    # sauvegarde du searateur de champ
 
  old_IFS=$IFS    # sauvegarde du searateur de champ
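Review bot: The added `grep -li '.\{1000\}'` line still carries the stray `$i` argument and the `| cut -d":" -f1 | uniq` tail from the line it replaced; `$i` is never set here (it aborts under `set -u` and silently expands to nothing otherwise), and `-l` already prints each file name once, so the line reduces to `find . -name "*.php" -print0 | xargs -0 -r grep -li '.\{1000\}'`. The `cut -d":" -f1` idiom on the other new lines (`function .*\(`, `move_uploaded_file(\$_FILES`, `md5(\$_GET`, `__SEC_VALUE__`, `encode(base64_decode`) drops the file name whenever xargs hands grep a single file, because grep then omits the `file:` prefix; adding `-H` to those greps, or switching them to `-l` as the new `gzinflate`/`b374k`/`leafmailer` lines do, keeps the output a plain path list. The `-r` on xargs avoids running grep with no file arguments when the tree holds no `.php` files.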

Version actuelle datée du 20 décembre 2023 à 16:15

Nettoyage PrestaShop

https://devcustom.net/public/scripts/cleaner.zip

Quelques commandes utiles pour trouver rapidement des fichiers d'un site web qui contiennent du code malicieux (frauduleux, toussa toussa)

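# Signature sweep over every *.php below the current directory (run it from
# the web root). Each line is an independent one-liner that prints the paths
# of files matching one pattern seen in backdoors / web shells.
#
# Output conventions:
#   - `grep -H ... | cut -d":" -f1 | uniq`: -H forces the "file:" prefix even
#     when xargs ends up calling grep with a single file (grep would otherwise
#     print the bare line and cut would emit code instead of a path); uniq
#     collapses the per-file duplicates, which are adjacent because grep
#     emits a file's matches together.
#   - `grep -l`: prints each matching file once, so no cut/uniq is needed.
#   - `xargs -0 -r`: -0 pairs with find -print0 (paths with spaces survive),
#     -r skips running grep when no *.php exists (GNU; a no-op on BSD/macOS).
#   - -P / -E patterns need GNU grep.
#
# Every hit is an indicator for manual review, not a verdict: several of the
# broad patterns (e.g. @preg_replace, error_reporting(0), GIF89a) also appear
# in legitimate code, and the regexes use .* liberally. Keep a copy of any
# file before deleting it.
find . -name "*.php" -print0 | xargs -0 -r grep -Hi "\$auth_pass = " | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 -r grep -Hi "\$_passssword" | cut -d":" -f1 | sort -u
find . -name "*.php" -print0 | xargs -0 -r grep -Hi "preg_replace(\"\/\.\*\/e\"" | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 -r grep -Hi "@preg_replace" | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 -r grep -Hi "\$____=" | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 -r grep -Hi "eval(.*(\$.*, \$.*));?>" | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 -r grep -Hi "\$.*=\"stop_\";\$.*=strtoupper(" | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 -r grep -Hi "\$.*=\"stop_\";\$.*=strtolower(" | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 -r grep -Hi '$.*=".*_";$.*=strtoupper(' | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 -r grep -Hi '$.*=".*_";$.*=strtolower(' | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 -r grep -Hi "echo 'You are forbidden\!';" | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 -r grep -Hi '\$.*=".*";@eval(' | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 -r grep -Hi 'global\$' | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 -r grep -Hi '<\?php *\$GLOBALS\[' | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 -r grep -Hi '\$GLOBALS\[\$GLOBALS.*\.\$GLOBALS' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi '\$_COOKIE\[.*\$_COOKIE\[.*\$_COOKIE' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi "if(isset(\$_GET\['.*'\])){if(isset(\$_FILES\['.*'\]))" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi "\$. = .*; assert(\$.('" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi "\$.*=\$_COOKIE;" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi "@setcookie" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi "@move_uploaded_file" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi '\$.*="base64_decode";return \$' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi 'eval.*base64_decode' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi 'create_function.*base64_decode' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi "php eval(\$_POST\[.*\]" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi "<?php *\$.*?><?php" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -HiE "@system\(.*\.sh" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi "\$s_.*shell" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi '$GLOBALS.*packer.*shell.*;' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi "\$b64 = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\";" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi "\$.* = fwrite(\$.*, \$.*); fclose(\$.*); echo \$.*; exit()" | cut -d":" -f1 | uniq
# This one deliberately keeps the matching line (file:line), not just the path.
find . -name "*.php" -print0 | xargs -0 -r grep -Hi "<script>var.*'?key=b64'" | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi "\$.* = \$.*{.*} \. \$.*{.*} \. \$.*{.*}" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi "\$.*=.*;.*function .*\(\$.*, \$.*\){\$.*" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi "<\?php \$.* = \".*\";\$.* = \".*\";\$.* = \".*\";" | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 -r grep -Hi "<\?php \$.*=\$.*\[.*\];.*eval(\$i" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi "$.*=urldecode(\".*\");\$.*=\$.*{.*}\.\$.*" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi "<?php  preg_replace(\".*\", \".*"\.".*('\".\$_REQUEST\['" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi "preg_match(\"/(bing|googlebot|bingbot|google|yahoo)/\"" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi '@include "\\x' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi 'if(!empty($this->.*))return $this->.*;' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi 'if(move_uploaded_file($temp,$file)' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi 'if (move_uploaded_file(\$_FILES' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi 'IndoXploit' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi "if(md5(\$_GET\['pwd'\]" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi 'cPanel Cracker' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi 'Gassrini' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi "define('__SEC_VALUE__'" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi "base64_decode(\$_POST\['.*'\]); @eval" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi "\$.*=base64_decode('.*').\$_GET" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi 'payload_file' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -HiP 'eval\("\\x.*\\x.*\\x.*\\x.*\\x.*\\x.*\\x.*\\x.*' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi 'eval (\$_POST\[' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi '\$.*=.*str_replace(".*","",".*s.*t.*r.*_.*r.*e.*p.*l.*a.*c.*e.*");' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi '\$.*=urldecode(.*);\$GLOBALS\[.*\]=\$.*{.*}\.\$' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi 'if(\$password!=\$config_password)' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -Hi '\$rn=array_shift(\$.*);\$.*=array();foreach(\$.* as $.*){array_push(\$.*,(\$.*-\$.*));}\$.*=\$.*;' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 -r grep -li '\$.* = stripslashes(base64_decode(\$_POST\['.*'\]));'
find . -name "*.php" -print0 | xargs -0 -r grep -li 'gzinflate.*\\x'
find . -name "*.php" -print0 | xargs -0 -r grep -li 'gzinflate(str_rot13(base64_decode'
find . -name "*.php" -print0 | xargs -0 -r grep -l 'GIF89a'
find . -name "*.php" -print0 | xargs -0 -r grep -li 'b374k'
find . -name "*.php" -print0 | xargs -0 -r grep -Pli 'Web Shell by oRb|WSO_VERSION'
find . -name "*.php" -print0 | xargs -0 -r grep -li 'FoxAutoV4'
find . -name "*.php" -print0 | xargs -0 -r grep -li '<title>MARIJUANA</title>'
find . -name "*.php" -print0 | xargs -0 -r grep -Hi "encode(base64_decode" | cut -d":" -f1 | uniq
# Lines of 1000+ characters: -l already yields one path per file, so the
# former "$i | cut | uniq" tail (with $i never set) is gone.
find . -name "*.php" -print0 | xargs -0 -r grep -li '.\{1000\}'
find . -name "*.php" -print0 | xargs -0 -r grep -li 'error_reporting(0)'
find . -name "*.php" -print0 | xargs -0 -r grep -li 'leafmailer'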


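# Second pass: flag PHP files that are (almost) a single line, a shape that
# packed or obfuscated payloads often have. A file is printed when it is
# larger than 33 bytes (threshold kept from the original script) and contains
# 0, 1 or 2 newlines (wc -l counts newlines, so a file without a trailing
# newline reports 0); 0-newline files that contain "You don't belong here"
# are skipped. Output is a path list, one per line.
#
# Paths travel NUL-delimited from find to `read -d ''`, so names containing
# spaces survive (the previous IFS=$'\n' + awk split truncated them), and the
# size comes from wc -c instead of parsing `ls -l`. IFS is only overridden
# for the read builtin, so no global save/restore is needed.
while IFS= read -r -d '' FILE; do
  # $(( )) strips the leading spaces some wc builds print before the count.
  NBR=$(( $(wc -l < "$FILE") ))
  SIZE=$(( $(wc -c < "$FILE") ))
  if [ "$SIZE" -gt 33 ]; then
    case "$NBR" in
      0)
        if [ "$(grep -c "You don't belong here" "$FILE")" = 0 ]; then
          printf '%s\n' "$FILE"
        fi
        ;;
      1|2)
        printf '%s\n' "$FILE"
        ;;
    esac
  fi
done < <(find . -type f -name "*.php" -print0)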