Nettoyage de sites hackés

De Sn4kY
Aller à : navigation, rechercher

Nettoyage prestashop

https://devcustom.net/public/scripts/cleaner.zip

Quelques commandes utiles pour trouver rapidement des fichiers d'un site web qui contiennent du code malicieux (frauduleux, toussa toussa)

find . -name "*.php" -print0 | xargs -0 grep -i "\$auth_pass = " | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i "\$_passssword" | cut -d":" -f1 | sort --uniq
find . -name "*.php" -print0 | xargs -0 grep -i "preg_replace(\"\/\.\*\/e\"" | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i "@preg_replace" | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i "\$____=" | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i "eval(.*(\$.*, \$.*));?>" | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i "\$.*=\"stop_\";\$.*=strtoupper(" | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i "\$.*=\"stop_\";\$.*=strtolower(" | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i '$.*=".*_";$.*=strtoupper(' | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i '$.*=".*_";$.*=strtolower(' | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i "echo 'You are forbidden\!';" | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i '\$.*=".*";@eval(' | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i 'global\$' | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i '<\?php *\$GLOBALS\[' | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i '\$GLOBALS\[\$GLOBALS.*\.\$GLOBALS' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i '\$_COOKIE\[.*\$_COOKIE\[.*\$_COOKIE' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "if(isset(\$_GET\['.*'\])){if(isset(\$_FILES\['.*'\]))" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "\$. = .*; assert(\$.('" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "\$.*=\$_COOKIE;" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "@setcookie" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "@move_uploaded_file" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i '\$.*="base64_decode";return \$' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i 'eval.*base64_decode' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i 'create_function.*base64_decode' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "php eval(\$_POST\[.*\]" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "<?php *\$.*?><?php" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -iE "@system\(.*\.sh" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "\$s_.*shell" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i '$GLOBALS.*packer.*shell.*;' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "\$b64 = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\";" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "\$.* = fwrite(\$.*, \$.*); fclose(\$.*); echo \$.*; exit()" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "<script>var.*'?key=b64'" | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "\$.* = \$.*{.*} \. \$.*{.*} \. \$.*{.*}" | cut -d":" -f1 | uniq | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "\$.*=.*;.*function .*\(\$.*, \$.*\){\$.*" | cut -d":" -f1 | uniq | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "<\?php \$.* = \".*\";\$.* = \".*\";\$.* = \".*\";" | cut -d":" -f1
find . -name "*.php" -print0 | xargs -0 grep -i "<\?php \$.*=\$.*\[.*\];.*eval(\$i" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "$.*=urldecode(\".*\");\$.*=\$.*{.*}\.\$.*" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "<?php  preg_replace(\".*\", \".*"\.".*('\".\$_REQUEST\['" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "preg_match(\"/(bing|googlebot|bingbot|google|yahoo)/\"" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i '@include "\\x' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i 'if(!empty($this->.*))return $this->.*;' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i 'if(move_uploaded_file($temp,$file)' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i 'if (move_uploaded_file(\$_FILES' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i 'IndoXploit' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "if(md5(\$_GET\['pwd'\]" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i 'cPanel Cracker' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i 'Gassrini' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "define('__SEC_VALUE__'" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "base64_decode(\$_POST\['.*'\]); @eval" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i "\$.*=base64_decode('.*').\$_GET" | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i 'payload_file' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -iP 'eval\("\\x.*\\x.*\\x.*\\x.*\\x.*\\x.*\\x.*\\x.*' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i 'eval (\$_POST\[' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i '\$.*=.*str_replace(".*","",".*s.*t.*r.*_.*r.*e.*p.*l.*a.*c.*e.*");' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i '\$.*=urldecode(.*);\$GLOBALS\[.*\]=\$.*{.*}\.\$' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i 'if(\$password!=\$config_password)' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -i '\$rn=array_shift(\$.*);\$.*=array();foreach(\$.* as $.*){array_push(\$.*,(\$.*-\$.*));}\$.*=\$.*;' | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -li '\$.* = stripslashes(base64_decode(\$_POST\['.*'\]));'
find . -name "*.php" -print0 | xargs -0 grep -li 'gzinflate.*\\x'
find . -name "*.php" -print0 | xargs -0 grep -Pli 'GIF89a|b374k|Web Shell by oRb|WSO_VERSION|FoxAutoV4|<title>MARIJUANA</title>|leafmailer|encode\(base64_decode|md5\(implode|base64_decode\(md5|"base64";return|gzinflate\(str_rot13\(base64_decode'
find . -name "*.php" -print0 | xargs -0 grep -li '.\{1000\}' $i | cut -d":" -f1 | uniq
find . -name "*.php" -print0 | xargs -0 grep -li 'error_reporting(0)'


old_IFS=$IFS     # sauvegarde du searateur de champ
IFS=$'\n'     # nouveau separateur de champ, le caractere fin de ligne
for line in $(find . -type f -name "*.php" | xargs wc -l | egrep -v "*.total$")
do
	FILE=$(echo ${line} | awk {'print $2'})
	NBR=$(echo ${line} | awk {'print $1'})
	if [ $(ls -l $FILE | awk {'print $5'}) -gt 33 ]
	then
		if [ ${NBR} = 0 ]
		then
			if [ $(grep -c "You don't belong here" $FILE) = 0 ]
			then
				echo "$FILE"
			fi
		elif [ ${NBR} = 1 ]
		then
			echo "$FILE"
		elif [ ${NBR} = 2 ]
		then
			echo "$FILE"
		fi
	fi
done
IFS=$old_IFS