[Python] Script MalFinder
Jalan - jalan... di forum sebelah..
Nemu script yang bagus...

Coba share dimari deh...

""" ScriptFinder 1.1 < ditatompel [at] gmail [dot] com >
Searches for file contains dangerous command

Inspired from tools created by d3hydr8[at]gmail[dot]com
greetz to d3hydr8, 5ynL0rd all members of devilzc0de.org,
ex darkc0de.com, all Indonesian c0ders, and all GNU Generation ;-)

PS : Happy Birthday ketek, Revres Tanur or whatever nickname gonna be :p
PF : ?? Oct ???? - ?? Oct 2011 """

import sys, re

def halo():
    print "\n" + "-+-"*30 + "\n\tScriptFinder 1.1 < ditatompel [at] gmail [dot] com >"
    print "\tSearches for file contains dangerous command"
    print "\tGreetz to all members of devilzc0de.org, ex darkc0de.com, all Indonesian c0ders,"
    print "\tand all GNU Generation ;-)\n" + "-+-"*30+"\n"

def usage():
    print "\tUsage: python " + sys.argv[0] + " <dir>"
    print "\tExample: python " + sys.argv[0] + " /home/ditatompel/public_html\n"

#Original from d3hydr8[at]gmail[dot]com
def Walk( root, recurse=0, pattern='*', return_folders=0 ):
    import fnmatch, os, string

    result = []

        names = os.listdir(root)
    except os.error:
        return result

    pattern = pattern or '*'
    pat_list = string.splitfields( pattern , ';' )

    for name in names:
        fullname = os.path.normpath(os.path.join(root, name))

        for pat in pat_list:
            if fnmatch.fnmatch(name, pat):
                if os.path.isfile(fullname) or (return_folders and os.path.isdir(fullname)):
        if recurse:
            if os.path.isdir(fullname) and not os.path.islink(fullname):
                result = result + Walk( fullname, recurse, pattern, return_folders )
    return result

def search(files, auto=0):
    if auto:
        searchstring = danger
        searchstring = specificstring
    print "\n[+] Searching:", len(files), "files"
    print "\n" + "-+-"*20 + "\n[+] files containing '" + searchstring + "' under " + sys.argv[1] + "\n"+"-+-"*20+"\n"
    love.write("\n[+] files containing '%s' under '%s' \n" % (searchstring, sys.argv[1]) )
    for file in files:
        num = 0
            text = open(file, "r").readlines()
            for line in text:
                num +=1
                if re.search(searchstring.lower(), line.lower()):
                    print "[!] File:",file,"on Line:",num,"\n[!] Code:",line
                    love.write("""[!] File: %s on Line %s \n[!] Code: %s \n""" % (file, num, line.replace("\t","")) )
    print "[+] Done\n"


actions = [
    "base64_decode", # many php shell use this but may generate false positive result, remove this if necessary. Especially when using recursive scan.
    "eval", # may generate false positive result, remove this if necessary. Especially when using recursive scan.
    "getmy", # getmypid, getmygid, getmyuid, etc
    "mDbl8VndvJj2", # encoded devshell.asp
    "posix_", # any posix_* function
    "proc_", # any proc_* function
    "system", # may generate false positive result, remove this if necessary. Especially when using recursive scan.
    "xrunexploit" # source function on devshell.*

minus_r = 1

if len(sys.argv) < 2:

recdir = raw_input("Recursive ? ( Y/n ): ")
mode = raw_input("Full scan Mode (Y/n): ")

if mode.lower() != "y":
    specificstring = raw_input("String to search: ")

ext = raw_input("Specific File extension to scan ( <return> to scan all extension ) : ")
filelog = raw_input("logfile ( default sf.log ): ")

if filelog == "":
    filelog = "sf.log"

if recdir.lower() != "y":
    minus_r = 0

love = open(filelog, "w")
love.write("-+-"*30 + "\n\tScriptFinder 1.1 < ditatompel [at] gmail [dot] com >\n")
love.write("\tGreetz for all members of devilzc0de.org, ex darkc0de.com, all Indonesian c0ders,\n\tand all GNU Generation ;-)\n"+"-+-"*30+"\n")

if mode.lower() == "y":
    print "\n[+] FULL SCAN MODE ENABLED...\n[+]", len(actions),"dangerous commands loaded\n[+] Target Dir:",sys.argv[1]
    print "[+] Logfile will be saved to: " + filelog
    [+] %s danger commands loaded
    [+] Target Dir: %s\n""" % (len(actions), sys.argv[1]) )
    for danger in actions :
        if ext == "":
            files = Walk(sys.argv[1], minus_r, '*', 1)
            files = Walk(sys.argv[1], minus_r, '*.'+ext+';')
        search(files, 1)
    print "[+] Logfile saved to " + filelog

    print "\n[+] Target Dir: " + sys.argv[1] + "\n[+] String to search: " + specificstring
    print "[+] Logfile will be saved to: " + filelog
    [+] Target Dir: %s
    [+] String to search %s\n""" % (sys.argv[1], specificstring ) )
    if ext == "":
        files = Walk(sys.argv[1], minus_r, '*', 1)
        files = Walk(sys.argv[1], minus_r, '*.'+ext+';')
    print "[+] Logfile saved to " + filelog

Jadi fungsinya mencari barisan perintah2 jahat di komputer kita...
Quote:./sf.py path/dir/

Contoh dari perintah jahat yang di linux apa om?

(08-06-2013, 09:35 PM)brianfahmi Wrote: gunanya apa ya? hehehehehehehehehehe

Gunanya itu untuk nyari2 perintah2 jahat .. contoh perintah2 pada shellcode, dll ..

(08-07-2013, 06:02 AM)Doel Wrote: Contoh dari perintah jahat yang di linux apa om?

penggunaan perintah2 yang biasa di backdoor berbasis bahasa PHP .. contohnya ..

apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"
FOLLOW @DutaLinux
for more question and sharing about security and Opensource only

