Nettoyage de sites hackés
Révision datée du 24 avril 2018 à 09:49 par Sn4kY (discussion | contributions) (Sn4kY a déplacé la page Nettoyages de sites hackés vers Nettoyage de sites hackés)
Quelques commandes utiles pour trouver rapidement des fichiers d'un site web qui contiennent du code malicieux (frauduleux, toussa toussa)
find . -name "*.php" -print0 | xargs -0 grep -i "\$auth_pass = " | cut -d":" -f1 find . -name "*.php" -print0 | xargs -0 grep -i "\$_passssword" | cut -d":" -f1 | sort --uniq find . -name "*.php" -print0 | xargs -0 grep -i "preg_replace(\"\/\.\*\/e\"" | cut -d":" -f1 find . -name "*.php" -print0 | xargs -0 grep -i "@preg_replace" | cut -d":" -f1 find . -name "*.php" -print0 | xargs -0 grep -i "\$____=" | cut -d":" -f1 find . -name "*.php" -print0 | xargs -0 grep -i "eval(.*(\$.*, \$.*));?>" | cut -d":" -f1 find . -name "*.php" -print0 | xargs -0 grep -i "\$.*=\"stop_\";\$.*=strtoupper(" | cut -d":" -f1 find . -name "*.php" -print0 | xargs -0 grep -i "\$.*=\"stop_\";\$.*=strtolower(" | cut -d":" -f1 find . -name "*.php" -print0 | xargs -0 grep -i '$.*=".*_";$.*=strtoupper(' | cut -d":" -f1 find . -name "*.php" -print0 | xargs -0 grep -i '$.*=".*_";$.*=strtolower(' | cut -d":" -f1 find . -name "*.php" -print0 | xargs -0 grep -i "echo 'You are forbidden\!';" | cut -d":" -f1 find . -name "*.php" -print0 | xargs -0 grep -i '\$.*=".*";@eval(' | cut -d":" -f1 find . -name "*.php" -print0 | xargs -0 grep -i 'global\$' | cut -d":" -f1 find . -name "*.php" -print0 | xargs -0 grep -i '<\?php *\$GLOBALS\[' | cut -d":" -f1 find . -name "*.php" -print0 | xargs -0 grep -i '\$GLOBALS\[\$GLOBALS.*\.\$GLOBALS' | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -i '\$_COOKIE\[.*\$_COOKIE\[.*\$_COOKIE' | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -i "if(isset(\$_GET\['.*'\])){if(isset(\$_FILES\['.*'\]))" | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -i "\$. = .*; assert(\$.('" | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -i "\$.*=\$_COOKIE;" | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -i "@setcookie" | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -i "@move_uploaded_file" | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -i '\$.*="base64_decode";return \$' | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -i 'eval.*base64_decode' | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -i 'create_function.*base64_decode' | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -i "php eval(\$_POST\[.*\]" | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -i "<?php *\$.*?><?php" | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -iE "@system\(.*\.sh" | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -i "\$s_.*shell" | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -i '$GLOBALS.*packer.*shell.*;' | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -i "\$b64 = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\";" | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -i "\$.* = fwrite(\$.*, \$.*); fclose(\$.*); echo \$.*; exit()" | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -i "<script>var.*'?key=b64'" | uniq find . -name "*.php" -print0 | xargs -0 grep -i "\$.* = \$.*{.*} \. \$.*{.*} \. \$.*{.*}" | cut -d":" -f1 | uniq | uniq find . -name "*.php" -print0 | xargs -0 grep -i "<\?php \$.* = \".*\";\$.* = \".*\";\$.* = \".*\";" | cut -d":" -f1 find . -name "*.php" -print0 | xargs -0 grep -i "<\?php \$.*=\$.*\[.*\];.*eval(\$i" | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -i "$.*=urldecode(\".*\");\$.*=\$.*{.*}\.\$.*" | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -i "<?php preg_replace(\".*\", \".*"\.".*('\".\$_REQUEST\['" | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -i "preg_match(\"/(bing|googlebot|bingbot|google|yahoo)/\"" | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -i '@include "\\x' | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -i 'if(!empty($this->.*))return $this->.*;' | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -i 'if(move_uploaded_file($temp,$file)' | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -i 'IndoXploit' | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -i 'cPanel Cracker' | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -i 'Gassrini' | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -i "base64_decode(\$_POST\['.*'\]); @eval" | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -i "\$.*=base64_decode('.*').\$_GET" | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -i 'payload_file' | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -iP 'eval\("\\x.*\\x.*\\x.*\\x.*\\x.*\\x.*\\x.*\\x.*' | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -i 'eval (\$_POST\[' | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -i '\$.*=.*str_replace(".","","s.*t.*r.*_.*r.*e.*p.*l.*a.*c.*e");' | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -i '\$.*=urldecode(.*);\$GLOBALS\[.*\]=\$.*{.*}\.\$' | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -i 'if(\$password!=\$config_password)' | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -i '\$rn=array_shift(\$.*);\$.*=array();foreach(\$.* as $.*){array_push(\$.*,(\$.*-\$.*));}\$.*=\$.*;' | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -i '\$.* = stripslashes(base64_decode(\$_POST\['.*'\]));' | cut -d":" -f1 | uniq find . -name "*.php" -print0 | xargs -0 grep -l '.\{1000\}' $i | cut -d":" -f1 | uniq
old_IFS=$IFS # sauvegarde du searateur de champ IFS=$'\n' # nouveau separateur de champ, le caractere fin de ligne for line in $(find . -type f -name "*.php" | xargs wc -l | egrep -v "*.total$") do FILE=$(echo ${line} | awk {'print $2'}) NBR=$(echo ${line} | awk {'print $1'}) if [ $(ls -l $FILE | awk {'print $5'}) -gt 33 ] then if [ ${NBR} = 0 ] then if [ $(grep -c "You don't belong here" $FILE) = 0 ] then echo "$FILE" fi elif [ ${NBR} = 1 ] then echo "$FILE" elif [ ${NBR} = 2 ] then echo "$FILE" fi fi done IFS=$old_IFS