Showing posts with the label Php5.

evomalware.sh

Name: evomalware.sh
Author: benpro@benpro.fr
Detects viruses, backdoors and malware, especially in PHP files.
Seen at: evoforge

#!/bin/bash
# EvoMalware, script to detect infected websites.

# You can set aggressive to true to search for suspicious scripts.
aggressive=false
# Path to search for.
wwwpath=/home
# URL to download patterns and filenames.
databaseURL="http://antispam00.evolix.org/evomalware"
databasePATH=/var/lib/evomalware
# Tools.
find="ionice -c3 find -O3"
grep="nice -n 19 grep"
wc="nice -n 19 wc"
wget="wget -q -t 3"
md5sum="md5sum --status -c"
# Various.
fileslist=$(mktemp)
tmpPATH=/tmp/evomalware.tmp

trap "rm -rf $fileslist $tmpPATH" EXIT

usage() {
    cat< $fileslist 2>/dev/null
while IFS= read -r file; do
    # Search known filenames.
    if [[ "$file" =~ $filenames ]]; then
        echo "Known malware: $file"
    # Search .php files in WP's wp-content/uploads/
    elif [[ "$file" =~ "wp-content/uploads/" ]]; then
        echo "PHP file in a non-PHP folder detected: $file"
    # Count the length of the longest line and search if suspect php functions are used.
    elif [[ $($wc -L "$file" 2>/dev/null | cut -d' ' -f1) -gt 10000 ]]; then
        if $grep -q -E "$suspect" "$file"; then
            echo "Suspect file! More than 10000 characters in one line (and suspect PHP functions): $file."
        fi
    else
        # Search for patterns (a single file, so -q alone is enough).
        if $grep -q -E "$patterns" "$file" 2>/dev/null; then
            echo "Contains a known malware pattern: $file"
        fi
    fi
done < $fileslist

# Search for suspicious scripts... Only when in aggressive mode.
if $aggressive; then
    cd "$wwwpath" || exit 1
    $find . -name javascript.php
    $find . -name bp.pl
    $find . -name tn.php
    $find . -name tn.php3
    $find . -name tn.phtml
    $find . -name tn.txt
    $find . -name xm.php
    $find . -name logs.php
    $find . -type f -name "*.php" -exec sh -c 'cat {} | awk "{ print NF}" | sort -n | tail -1 | tr -d '\\\\n' && echo " : {}"' \; | sort -n | tail -10
    $find . -type f -name "*.php" -exec sh -c 'cat {} | awk -Fx "{ print NF}" | sort -n | tail -1 | tr -d '\\\\n' && echo " : {}"' \; | sort -n | tail -10
    $grep -r 'ini_set(chr' .
    $grep -r 'eval(base64_decode($_POST' .
    $grep -r 'eval(gzinflate(' .
    $grep -r 'ini_set(.mail.add_x_header' .
    $grep -r '@require' .
    $grep -r '@ini_set' .
    $grep -ri 'error_reporting(0' .
    $grep -r base64_decode .
    $grep -r codeeclipse .
    $grep -r 'eval(' .
    # Look for literal "\x..\x.." hex escape sequences; the backslashes must be escaped for grep.
    $grep -r '\\x..\\x..' .
    $grep -r 'chr(rand(' .
fi


Webinstall.sh

Description: Shell script to install dependencies for running PHP applications with mod_fcgi
Author: Finn Hensner
Name: webinstall.sh

#!/bin/bash
# Shell script to install LAMP with dependencies for running PHP applications
# with mod_fcgi
# -------------------------------------------------------------------------
# Version 1.1 (August 18 2011)
# -------------------------------------------------------------------------
# Copyright (c) 2011 Finn Hensner 
# This script is licensed under GNU GPL version 2.0 or above
# -------------------------------------------------------------------------
apt-get update
aptitude install apache2 apache2-suexec libapache2-mod-fcgid php5-cgi
a2dismod php5
a2enmod rewrite
a2enmod suexec
a2enmod include
a2enmod fcgid

apt-get install mysql-server
apt-get install php5-gd
apt-get install php5-common php5-mysql

sleep 1
echo "Adding extensions and fixes to custom ini"
cat > /etc/php5/conf.d/custom.ini << EOF
cgi.fix_pathinfo = 1
extension=gd2.so
extension=pdo.so
extension=pdo_mysql.so 
extension=php_pgsql.so
extension=php_pdo_pgsql.so
EOF

sleep 1
echo "Add server name to Apache config"
echo "ServerName 127.0.0.1" >> /etc/apache2/apache2.conf

sleep 1
echo "Installing ProFTPd server"
apt-get purge proftpd
apt-get install proftpd
#jail users in their home directory
echo -e "\nDefaultRoot ~\n" >> /etc/proftpd/proftpd.conf

sleep 1
echo "Removing default virtual host."
rm -f /etc/apache2/sites-available/default
# On Debian/Ubuntu the enabled-site symlink is named 000-default.
rm -f /etc/apache2/sites-enabled/000-default

sleep 1
echo "Restarting apache2 and proftpd"
service apache2 restart
service proftpd restart

findshell.pl

Name: findshell.pl
Author: traps.darkmindz.com
Description: Script that detects PHP shells
It uses the File::Find module
Seen at: ketan.lithiumfox.com
#!/usr/bin/perl -w
# findshell v1.0 == code taken/modified from traps.darkmindz.com
#usage: ./findshell.pl [ sensitivity 1-50 ] [ directory to scan ]
use strict;
use File::Find;
my $sens = shift  || 10;
my $folder = shift || './';
find(\&backdoor, "$folder");
sub backdoor {
    if (/\.(php|txt)/) {
        open(my $IN, '<', $_) or die "cannot open file $File::Find::name: $!";
        my @file = <$IN>;
        # maybe evil stuff: each matching line scores 1
        my $score = grep(/function_exists\(|phpinfo\(|safe_?mode|shell_exec\(|popen\(|passthru\(|system\(|myshellexec\(|exec\(|getpwuid\(|getgrgid\(|fileperms\(/i, @file);
        # probably evil stuff: each matching line scores 50
        my $tempscore = grep(/\`\$\_(post|request|get).{0,20}\`|(include|require|eval|system|passthru|shell_exec).{0,10}\$\_(post|request|get)|eval.{0,10}base64_decode|back_connect|backdoor|r57|PHPJackal|PhpSpy|GiX|Fx29SheLL|w4ck1ng|milw0rm|PhpShell|k1r4|FeeLCoMz|FaTaLisTiCz|Ve_cENxShell|UnixOn|C99madShell|Spamfordz|Locus7s|c100|c99|x2300|cgitelnet|webadmin|cybershell|STUNSHELL|Pr!v8|PHPShell|KaMeLeOn|S4T|oRb|tryag|sniper|noexecshell|\/etc\/passwd|revengans/i, @file);
        $score += 50 * $tempscore;
        print "$score - Possible backdoor : $File::Find::name\n" if ($score > $sens - 1);
        close $IN;
    } elsif (/\.(jpg|jpeg|gif|png|tar|zip|gz|rar|pdf)/) {
        # "next" inside a File::Find callback would exit the sub via loop control; return instead.
        open(my $IN, '<', $_) or do { print "cannot open file $File::Find::name: $!\n"; return; };
        print "5000 - Possible backdoor (php in non-php file): $File::Find::name\n" if grep /(\<\?php|include(\ |\())/i, <$IN>;
        close $IN;
    }
}
Permissions: chmod 700 findshell.pl
Run: ./findshell.pl [ scan sensitivity 1-50 ] [ directory to scan ]
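The two scripts above rely on the same kind of heuristics: evomalware.sh flags a file whose longest line exceeds 10000 characters when it also calls a suspect PHP function, and findshell.pl scores each "maybe evil" line at 1 and each "probably evil" line at 50, reporting the file once the total reaches the sensitivity. The following POSIX-sh scorer is an added example, not code from either script or its authors; it combines both heuristics and runs them over three constructed PHP files so the thresholds can be seen to separate a legitimate file, a one-line eval shell and a packed payload. The regex lists are shortened subsets of the originals, and the file names, contents and the 12000-character line are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from evomalware.sh or findshell.pl): a small scorer that
# applies the same two heuristics to constructed sample files.
#   1. evomalware.sh: a line longer than LONG_LINE characters plus a suspect
#      PHP function is flagged before anything else.
#   2. findshell.pl: each line matching MAYBE_RE scores 1, each line matching
#      PROBABLY_RE scores 50; the file is reported when the total reaches the
#      sensitivity threshold.
# Both regex lists are shortened subsets of the originals (constructed here).

MAYBE_RE='function_exists\(|phpinfo\(|shell_exec\(|popen\(|passthru\(|system\(|exec\(|fileperms\('
PROBABLY_RE='eval.{0,10}base64_decode|(include|require|eval|system|passthru|shell_exec).{0,10}\$_(POST|REQUEST|GET)|back_connect|c99|r57'
LONG_LINE=10000

# longest_line FILE: length of the longest line, 0 for an unreadable file.
longest_line() {
    [ -r "$1" ] || { echo 0; return 0; }
    awk '{ if (length($0) > m) m = length($0) } END { print m + 0 }' "$1"
}

# score_file FILE: maybe_hits + 50 * probably_hits. grep -c counts matching
# lines, which is what Perl's grep over @file does in findshell.pl.
score_file() {
    maybe=$(grep -c -i -E "$MAYBE_RE" "$1" 2>/dev/null) || maybe=0
    probably=$(grep -c -i -E "$PROBABLY_RE" "$1" 2>/dev/null) || probably=0
    echo $(( maybe + 50 * probably ))
}

# classify FILE SENS: prints "long-line", "suspect" or "clean", checked in the
# same order as the elif chain in evomalware.sh (long line first, then score).
classify() {
    if [ "$(longest_line "$1")" -gt "$LONG_LINE" ] && grep -q -i -E "$MAYBE_RE" "$1"; then
        echo long-line
    elif [ "$(score_file "$1")" -ge "${2:-10}" ]; then
        echo suspect
    else
        echo clean
    fi
}

# make_samples DIR: writes three constructed PHP files into DIR.
make_samples() {
    # Legitimate code: two "maybe" hits only, which stays below a sensitivity of 10.
    printf '%s\n' '<?php' \
        'if (function_exists("mb_strlen")) { $len = mb_strlen($s); }' \
        'if (function_exists("json_encode")) { echo json_encode($len); }' > "$1/legit.php"
    # Classic one-liner: a single "probably" hit (score 50) crosses the threshold.
    printf '%s\n' '<?php eval(base64_decode($_POST["x"])); ?>' > "$1/webshell.php"
    # Packed payload: one 12000-character line together with a suspect function call.
    awk 'BEGIN { s = ""; for (i = 0; i < 12000; i++) s = s "A";
                 print "<?php $p = \"" s "\"; system($_GET[\"c\"]); ?>" }' > "$1/packed.php"
}

# demo: build the samples in a temporary directory and print one line per file.
demo() {
    dir=$(mktemp -d) || return 1
    make_samples "$dir"
    for f in "$dir"/*.php; do
        printf '%-10s score=%-3s longest=%-6s %s\n' \
            "$(classify "$f" 10)" "$(score_file "$f")" "$(longest_line "$f")" "$(basename "$f")"
    done
    rm -rf "$dir"
}

demo
```

Run it with `sh scorer.sh`: legit.php scores 2 and is reported clean, webshell.php scores 50 and is reported suspect, and packed.php is caught by the long-line rule before its score is even consulted, which is the ordering evomalware.sh uses. Lowering the sensitivity to 2 would turn the legitimate file into a finding, which is the false-positive trade-off the `[ sensitivity 1-50 ]` argument of findshell.pl exposes.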

Script to Install and Secure Apache2 PHP5 MySQL5 in Ubuntu/Debian

Author: @Unknown
Description: Script that automatically installs and configures Apache2, PHP and MySQL

#!/bin/bash
MYSQL_PASS="YOUR_PASSWORD_HERE"

echo "+Updating apt-get..."
apt-get update

echo "+Installing SSH..."
apt-get install -q -y ssh

echo "+Changing default SSH port..."
sed -i 's/Port 22/Port 28/' /etc/ssh/sshd_config
/etc/init.d/ssh restart

echo "+Installing Apache2..."
apt-get install -q -y apache2
sed -i 's/ServerTokens Full/ServerTokens Prod/' /etc/apache2/conf.d/security
sed -i 's/ServerSignature On/ServerSignature Off/' /etc/apache2/conf.d/security
sed -i 's/TraceEnable On/TraceEnable Off/' /etc/apache2/conf.d/security
/etc/init.d/apache2 reload
a2enmod rewrite
/etc/init.d/apache2 restart

echo "+Installing PHP5..."
apt-get install -q -y php5
echo "+Securing PHP.ini file..."
sed -i 's/disable_functions =/disable_functions = show_source, system, exec/' /etc/php5/apache2/php.ini
sed -i 's/expose_php = On/expose_php = Off/' /etc/php5/apache2/php.ini
sed -i 's/display_errors = On/display_errors = Off/' /etc/php5/apache2/php.ini
sed -i 's/log_errors = Off/log_errors = On/' /etc/php5/apache2/php.ini
sed -i 's/allow_url_fopen = On/allow_url_fopen = Off/' /etc/php5/apache2/php.ini

echo "+Installing MySQL Server..."
DEBIAN_FRONTEND='noninteractive' apt-get install -q -y mysql-server
mysqladmin -u root password "$MYSQL_PASS"
apt-get install -q -y php5-mysql
mysql_secure_installation

history -c

echo "+Installation Completed!"

Source: Unixmen