Nettoyage de sites hackés : Différence entre versions

De Sn4kY
Aller à : navigation, rechercher
 
Ligne 1 : Ligne 1 :
 +
Nettoyage prestashop
 +
https://devcustom.net/public/scripts/cleaner.zip
 
Quelques commandes utiles pour trouver rapidement des fichiers d'un site web qui contiennent du code malicieux (frauduleux, toussa toussa)
 
Quelques commandes utiles pour trouver rapidement des fichiers d'un site web qui contiennent du code malicieux (frauduleux, toussa toussa)
  

Version actuelle datée du 20 décembre 2023 à 16:15

Nettoyage prestashop 

https://devcustom.net/public/scripts/cleaner.zip

Quelques commandes utiles pour trouver rapidement des fichiers d'un site web qui contiennent du code malicieux (frauduleux, toussa toussa) 

find . -name "*.php" -print0 | xargs -0 grep -i "\$auth_pass = " | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i "\$_passssword" | cut -d":" -f1 | sort --uniq
find . -name "*.php" -print0 | xargs -0 grep -i "preg_replace(\"\/\.\*\/e\"" | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i "@preg_replace" | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i "\$____=" | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i "eval(.*(\$.*, \$.*));?>" | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i "\$.*=\"stop_\";\$.*=strtoupper(" | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i "\$.*=\"stop_\";\$.*=strtolower(" | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i '$.*=".*_";$.*=strtoupper(' | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i '$.*=".*_";$.*=strtolower(' | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i "echo 'You are forbidden\!';" | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i '\$.*=".*";@eval(' | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i 'global\$' | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i '<\?php *\$GLOBALS\[' | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i '\$GLOBALS\[\$GLOBALS.*\.\$GLOBALS' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i '\$_COOKIE\[.*\$_COOKIE\[.*\$_COOKIE' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "if(isset(\$_GET\['.*'\])){if(isset(\$_FILES\['.*'\]))" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "\$. = .*; assert(\$.('" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "\$.*=\$_COOKIE;" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "@setcookie" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "@move_uploaded_file" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i '\$.*="base64_decode";return \$' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i 'eval.*base64_decode' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i 'create_function.*base64_decode' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "php eval(\$_POST\[.*\]" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "<?php *\$.*?><?php" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -iE "@system\(.*\.sh" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "\$s_.*shell" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i '$GLOBALS.*packer.*shell.*;' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "\$b64 = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\";" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "\$.* = fwrite(\$.*, \$.*); fclose(\$.*); echo \$.*; exit()" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "<script>var.*'?key=b64'" | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "\$.* = \$.*{.*} \. \$.*{.*} \. \$.*{.*}" | cut -d":" -f1 | uniq | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "\$.*=.*;.*function .*\(\$.*, \$.*\){\$.*" | cut -d":" -f1 | uniq | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "<\?php \$.* = \".*\";\$.* = \".*\";\$.* = \".*\";" | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i "<\?php \$.*=\$.*\[.*\];.*eval(\$i" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "$.*=urldecode(\".*\");\$.*=\$.*{.*}\.\$.*" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "<?php  preg_replace(\".*\", \".*"\.".*('\".\$_REQUEST\['" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "preg_match(\"/(bing|googlebot|bingbot|google|yahoo)/\"" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i '@include "\\x' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i 'if(!empty($this->.*))return $this->.*;' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i 'if(move_uploaded_file($temp,$file)' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i 'if (move_uploaded_file(\$_FILES' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i 'IndoXploit' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "if(md5(\$_GET\['pwd'\]" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i 'cPanel Cracker' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i 'Gassrini' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "define('__SEC_VALUE__'" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "base64_decode(\$_POST\['.*'\]); @eval" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "\$.*=base64_decode('.*').\$_GET" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i 'payload_file' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -iP 'eval\("\\x.*\\x.*\\x.*\\x.*\\x.*\\x.*\\x.*\\x.*' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i 'eval (\$_POST\[' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i '\$.*=.*str_replace(".*","",".*s.*t.*r.*_.*r.*e.*p.*l.*a.*c.*e.*");' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i '\$.*=urldecode(.*);\$GLOBALS\[.*\]=\$.*{.*}\.\$' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i 'if(\$password!=\$config_password)' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i '\$rn=array_shift(\$.*);\$.*=array();foreach(\$.* as $.*){array_push(\$.*,(\$.*-\$.*));}\$.*=\$.*;' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -li '\$.* = stripslashes(base64_decode(\$_POST\['.*'\]));'
find . -name "*.php" -print0 | xargs -0 grep -li 'gzinflate.*\\x'
find . -name "*.php" -print0 | xargs -0 grep -li 'gzinflate(str_rot13(base64_decode'
find . -name "*.php" -print0 | xargs -0 grep -l 'GIF89a'
find . -name "*.php" -print0 | xargs -0 grep -li 'b374k'
find . -name "*.php" -print0 | xargs -0 grep -Pli 'Web Shell by oRb|WSO_VERSION'
find . -name "*.php" -print0 | xargs -0 grep -li 'FoxAutoV4'
find . -name "*.php" -print0 | xargs -0 grep -li '<title>MARIJUANA</title>'
find . -name "*.php" -print0 | xargs -0 grep -i "encode(base64_decode" | cut -d":" -f1 | uniq

find . -name "*.php" -print0 | xargs -0 grep -li '.\{1000\}' $i | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -li 'error_reporting(0)'
find . -name "*.php" -print0 | xargs -0 grep -li 'leafmailer'



old_IFS=$IFS     # sauvegarde du searateur de champ
IFS=$'\n'     # nouveau separateur de champ, le caractere fin de ligne
for line in $(find . -type f -name "*.php" | xargs wc -l | egrep -v "*.total$")
do
	FILE=$(echo ${line} | awk {'print $2'})
	NBR=$(echo ${line} | awk {'print $1'})
	if [ $(ls -l $FILE | awk {'print $5'}) -gt 33 ]
	then
		if [ ${NBR} = 0 ]
		then
			if [ $(grep -c "You don't belong here" $FILE) = 0 ]
			then
				echo "$FILE"
			fi
		elif [ ${NBR} = 1 ]
		then
			echo "$FILE"
		elif [ ${NBR} = 2 ]
		then
			echo "$FILE"
		fi
	fi
done
IFS=$old_IFS
Récupérée de « https://wiki.sn4ky.net/index.php?title=Nettoyage_de_sites_hackés&oldid=80 »