PNG  IHDR;IDATxܻn0K )(pA 7LeG{ §㻢|ذaÆ 6lذaÆ 6lذaÆ 6lom$^yذag5bÆ 6lذaÆ 6lذa{ 6lذaÆ `}HFkm,mӪôô! x|'ܢ˟;E:9&ᶒ}{v]n&6 h_tڠ͵-ҫZ;Z$.Pkž)!o>}leQfJTu іچ\X=8Rن4`Vwl>nG^is"ms$ui?wbs[m6K4O.4%/bC%t Mז -lG6mrz2s%9s@-k9=)kB5\+͂Zsٲ Rn~GRC wIcIn7jJhۛNCS|j08yiHKֶۛkɈ+;SzL/F*\Ԕ#"5m2[S=gnaPeғL lذaÆ 6l^ḵaÆ 6lذaÆ 6lذa; _ذaÆ 6lذaÆ 6lذaÆ RIENDB` #!/usr/bin/perl # The above line may need to be changed to point at your version of Perl # Very simple web malware detection module. # Author: CBL Team # Version 0.01 # List of access-control files to check my $access = '(\.htaccess)'; # Patterns to look for in access-control files my $accesspat = '(RewriteRule)'; my $MAXLINES = 50; # List of files to check my $scripts = '\.(php|pl|cgi)$'; # Patterns to look for my $scriptpat = '(r57|c99|web shell|passthru|shell_exec|phpinfo|base64_decode|edoced_46esab|PHPShell)'; for my $dir (@ARGV) { &recursion($dir, $access, $accesspat); &recursion($dir, $scripts, $scriptpat); } sub recursion { my ($dir, $filepat, $patterns) = @_; my (@list); opendir(I, "$dir") || die "Can't open $dir: $!"; @list = readdir(I); closedir(I); for my $file (@list) { next if $file =~ /^\.\.?$/; # skip . and .. my $currentfile = "$dir/$file"; if (-d $currentfile) { &recursion($currentfile, $filepat, $patterns); } elsif ($currentfile =~ /$filepat/) { #print $currentfile, "\n"; open(I, "<$currentfile") || next; my $linecount = 1; while() { chomp; if ($_ =~ /$patterns/) { my $pat = $1; my $string = $_; if ($string =~ /^(.*)$pat(.*)$/) { $string = substr($1, length($1)-10, 10) . $pat . substr($2, 0, 10); } #$string =~ s/^.*(.{,10}$pat.{,10}).*$/... $1 .../; print "$currentfile: Suspicious($pat): $string\n"; last; } last if $linecount++ > $MAXLINES; } close(I); #print $currentfile, "\n"; } } }