Script to scan a site for backdoors [needs testing]
#11
The third method is simple but solid

Code:
root@bt:~# grep -RPl --include=*.{php,txt,pl,jpg,html,asp} "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" /root/Desktop/h/

RESULT

Code:
/root/Desktop/h/a.html
/root/Desktop/h/b374k.jpg
/root/Desktop/h/b374k.php
/root/Desktop/h/pass,romantis.php
/root/Desktop/h/c99.php
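Added example, not part of the thread and not anyone's posted tool: the same check as the grep above, written in Python so it reports a line number per hit and can be dropped into a scheduled job. The function list and the extension list are copied from the grep command; the sample files are constructed here to show a hit and a miss, and the extra check that flags a PHP open tag inside an image file is my addition.

```python
import os
import re
import tempfile

# The function list and the extension list are taken from the grep command above.
DANGEROUS_CALL = re.compile(
    rb"\b(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile)\s*\(",
    re.IGNORECASE,
)
SCANNED_EXTENSIONS = (".php", ".txt", ".pl", ".jpg", ".html", ".asp")

# Extra check (my addition, not in the grep): an image file has no business holding a PHP open tag.
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".gif", ".png")
PHP_OPEN_TAG = re.compile(rb"<\?php\b|<\?=", re.IGNORECASE)


def line_of(data, offset):
    """1-based line number of a byte offset."""
    return data.count(b"\n", 0, offset) + 1


def scan_bytes(name, data):
    """Return [(finding, line_number), ...] for one file's contents; an empty list means no match."""
    findings = []
    lower = name.lower()
    if lower.endswith(SCANNED_EXTENSIONS):
        for m in DANGEROUS_CALL.finditer(data):
            findings.append(("call:" + m.group(1).decode("ascii").lower(), line_of(data, m.start())))
    if lower.endswith(IMAGE_EXTENSIONS):
        m = PHP_OPEN_TAG.search(data)
        if m:
            findings.append(("php-tag-in-image", line_of(data, m.start())))
    return findings


def scan_tree(root):
    """Walk root the way grep -R does and return {relative_path: findings} for files that had findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            try:
                with open(full, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it, as grep would after printing an error
            hits = scan_bytes(fname, data)
            if hits:
                report[os.path.relpath(full, root)] = hits
    return report


# Constructed sample files; none of these is a real backdoor.
SAMPLES = {
    "index.php": b"<?php\necho 'hello';\n$x = readfile('about.txt');\n",
    "shell.php": b"<?php\nsystem($_GET['c']);\n",
    "logo.jpg": b"\xff\xd8\xff\xe0JFIF...<?php passthru($_REQUEST['x']); ?>",
    "clean.jpg": b"\xff\xd8\xff\xe0JFIF binary data only",
    "notes.txt": b"no code here, just the word system.",
}


def demo():
    """Write the samples into a temporary directory, scan it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in SAMPLES.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(path, hits)
```

Like the grep, this is a triage list and not a verdict: fopen(), mkdir() and readfile() turn up in plenty of legitimate code, so index.php is reported next to shell.php and the reader still has to open both. The image check has far fewer false positives, which is why it is worth running even where the function list is too noisy.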

#12
Show how to scan the ones on the website too while you're at it, bro...
shendo@IBT:~# whoami
root
shendo@IBT:~# id
uid=0(root) gid=0(root) groups=0(root)
shendo@IBT:~#_

#13
Wow, cool... so the desktop method really does work..


@shendo
Quote: |STUNSHELL| <<<<< a re-code by a phreaker kid... hahahaha...

Share it, please. Share it here...
The white hats are the ones who should be in action and have the talent!
Linuxtivist blog

#14
I'll share too.. a PHP version of a backdoor scanner...
Code:
<?php
/*    lookforbadguys.php     3-10-2011
-- Purpose: iterate through server files looking for hacker code snippets, backdoor scripts,
   .htaccess redirects, and suspicious file names.
-- Caveats: Not all things it finds are hacks. Not all hacks are found.
-- You should also look for weird files (such as .php files) in your image directories, especially
   if your .htaccess has redirects or was made executable.
-- Some searches are commented out because they can give too many false positives.
-- This script should work the same on a Linux or Windows server.
   It runs fast in Linux/Apache/PHP, and very slowly in Windows/Apache/PHP.
*/
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="Content-Language" content="en-us">
<title>Looking for bad guys</title>
</head>

<body>
<p>Looking for bad guys. </p>
<p>This script looks for traces of malicious code including code injections,
modified .htaccess that makes images executable, and so on.</p>
<p>

<?php
// SET MAXIMUM EXECUTION TIME TO UNLIMITED (0) BECAUSE THE SCRIPT CAN TAKE A WHILE.
// YOU COULD USE A MORE CONSERVATIVE TIME LIMIT SUCH AS 1 HOUR (3600 SECONDS), JUST IN CASE.
// THESE HAVE NO EFFECT IF YOU RUN PHP IN "SAFE MODE" (SAFE MODE IS USUALLY UNDESIRABLE ANYWAY).
ini_set('max_execution_time', '0');
set_time_limit(0);  // set_time_limit() IS A FUNCTION, NOT AN ini SETTING, SO IT IS CALLED DIRECTLY.

// --------------------------------------------------------------------------------
// UTILITY FUNCTIONS.
// OUTPUT TEXT IN SPECIFIED COLOR, CLEANING IT WITH HTMLENTITIES().
function CleanColorText($text, $color)
{
    $outputcolor = 'black';
    $color = trim($color);
    if (preg_match('/^(red|blue|green|black)$/i', $color))
        $outputcolor = $color;
    return '<span style="color:' . $outputcolor . ';">' . htmlentities($text, ENT_QUOTES) . '</span>';
}

// --------------------------------------------------------------------------------
// THIS FUNCTION RECURSIVELY FINDS FILES AND PROCESSES THEM THROUGH THE SPECIFIED CALLBACK FUNCTION.
// DIFFERENT TYPES OF FILES NEED TO BE HANDLED BY DIFFERENT CALLBACK FUNCTIONS.

function find_files($path, $pattern, $callback)
{
    // CHANGE BACKSLASHES TO FORWARD, WHICH IS OK IN PHP, EVEN IN WINDOWS.
    // REMOVE ANY TRAILING SLASHES, THEN ADD EXACTLY ONE.
    $path = rtrim(str_replace("\\", "/", $path), '/') . '/';
    if (!is_readable($path))
    {
        echo "Warning: Unable to open and enter directory " . CleanColorText($path, 'blue') .
             ". Check its owner/group permissions.<br>";
        return;
    }
    $dir = dir($path);
    if ($dir === false)
    {
        echo "Warning: Unable to list directory " . CleanColorText($path, 'blue') . ".<br>";
        return;
    }
    // READ THE WHOLE LISTING FIRST SO THE HANDLE IS CLOSED BEFORE RECURSING.
    $entries = array();
    while (($entry = $dir->read()) !== false)
        $entries[] = $entry;
    $dir->close();
    foreach ($entries as $entry)
    {
        if ($entry === '.' || $entry === '..')
            continue;
        $fullname = $path . $entry;
        if (is_dir($fullname))
            find_files($fullname, $pattern, $callback);
        elseif (is_file($fullname) && preg_match($pattern, $entry))
            call_user_func($callback, $fullname);
    }
}

// --------------------------------------------------------------------------------
// CALLBACK FUNCTIONS.
// CALLBACK FUNCTION TO LOOK FOR MALICIOUS CODE - YOU COULD ADD ANY OTHER MALICIOUS CODE SNIPPETS YOU KNOW OF.
function maliciouscodesnippets($filename)
{
    // DON'T FLAG THIS FILE, WHICH I CALLED lookforbadguys.php.
    // COMPARE AGAINST false EXPLICITLY: stripos() RETURNS 0 FOR A MATCH AT OFFSET 0, AND 0 IS FALSY.
    if (stripos($filename, "lookforbadguys.php") !== false)
        return;

    if (!is_readable($filename))
    {
        echo "Warning: Unable to read " . CleanColorText($filename, 'blue') .
             ". Check it manually and check its access permissions.<br>";
        return;
    }
    $file = file_get_contents($filename); // READ THE FILE
    if ($file === false)
        return;

    // PRINTING EVERY FILENAME GENERATES A LOT OF OUTPUT.
    //echo CleanColorText($filename, 'green') . " is being examined.<br>";

    // TEXT FILES WILL BE SEARCHED FOR THESE SNIPPETS OF SUSPICIOUS TEXT.
    // THESE ARE REGULAR EXPRESSIONS WITH THE REQUIRED /DELIMITERS/ AND WITH SPECIAL CHARACTERS ESCAPED.
    // /i AT THE END MEANS CASE INSENSITIVE.
    $SuspiciousSnippets = array
    (
        // POTENTIALLY SUSPICIOUS PHP CODE
        '/edoced_46esab/i',      // base64_decode SPELLED BACKWARDS, AS USED WITH strrev()
        '/passthru *\(/i',
        '/shell_exec *\(/i',
        '/document\.write *\(unescape *\(/i',

        // THESE CAN GIVE MANY FALSE POSITIVES WHEN CHECKING WORDPRESS AND OTHER CMS.
        // NONETHELESS, THEY CAN BE IMPORTANT TO FIND, ESPECIALLY BASE64_DECODE.
        '/base64_decode *\(/i',
        '/system *\(/i',
        '/`.+`/',                // BACKTICK OPERATOR INVOKES SYSTEM FUNCTIONS, SAME AS system()
        //'/phpinfo *\(/i',
        //'/chmod *\(/i',
        //'/mkdir *\(/i',
        //'/fopen *\(/i',
        //'/fclose *\(/i',
        //'/readfile *\(/i',

        // SUSPICIOUS NAMES. SOME HACKERS SIGN THEIR SCRIPTS. MANY NAMES COULD GO HERE,
        // HERE IS A GENERIC EXAMPLE. YOU CAN FILL IN WHATEVER NAMES YOU WANT.
        '/hacked by /i',

        // OTHER SUSPICIOUS TEXT STRINGS
        '/web[\s-]*shell/i',     // TO FIND BACKDOOR WEB SHELL SCRIPTS.
        '/c99/i',                // THE NAMES OF TWO POPULAR WEB SHELLS.
        '/r57/i',

        // YOU COULD ADD IN THE SPACE BELOW SOME REGULAR EXPRESSIONS TO MATCH THE NAMES OF MALICIOUS DOMAINS
        // AND IP ADDRESSES MENTIONED IN YOUR GOOGLE SAFEBROWSING DIAGNOSTIC REPORT. SOME EXAMPLES:
        '/gumblar\.cn/i',
        '/martuz\.cn/i',
        '/beladen\.net/i',
        '/gooqle/i',             // NOTE THIS HAS A Q IN IT.

        // THESE 2 ARE THE WORDPRESS CODE INJECTION IN FRONT OF EVERY INDEX.PHP AND SOME OTHERS
        '/_analist/i',
        '/anaiytics/i'           // THE LAST ENTRY IN THE LIST MUST HAVE NO COMMA AFTER IT.
    );

    foreach ($SuspiciousSnippets as $i)
    {
        // STRPOS/STRIPOS WERE A LITTLE FASTER BUT LESS FLEXIBLE
        if (preg_match($i, $file))
            echo CleanColorText($filename, 'blue') . ' MATCHES REGEX: ' . CleanColorText($i, 'red') . '<br>';
    }

    if (strpos($filename, "network.php") === false && strpos($filename, "rewrite.php") === false
        && stripos($file, "RewriteRule") !== false)
        echo CleanColorText($filename, 'blue') . " contains " . CleanColorText("RewriteRule", 'red') .
             " - check it manually for malicious redirects.<br>";

    /*
    // THIS FINDS ALL JAVASCRIPT CODE. IF ENABLED, IT WILL GIVE *MANY* FALSE POSITIVES IN MOST WEBSITES.
    if (($p = stripos($file, "<script ")) !== false)
        echo CleanColorText($filename, 'blue') . ' contains SCRIPT:<br>' .
             CleanColorText(substr($file, $p, 100), 'red') . '<br><br>';
    */
    /*
    // THIS FINDS ALL IFRAMES. IF ENABLED, IT CAN GIVE MANY FALSE POSITIVES IN SOME WEBSITES.
    if (($p = stripos($file, "<iframe ")) !== false)
        echo CleanColorText($filename, 'blue') . ' contains IFRAME:<br>' .
             CleanColorText(substr($file, $p, 100), 'red') . '<br><br>';
    */

    if (stripos($file, "AddHandler") !== false)
    {
        // THIS IS HOW THEY MAKE THE IMAGE FILES EXECUTABLE.
        echo CleanColorText($filename, 'blue') . " contains " . CleanColorText('AddHandler', 'red') .
             " - make sure it does not make ordinary files like images executable.<br>";
        // IF YOU FIND NINE ZILLION OF THESE, UNCOMMENT IT BECAUSE IT IS A PAIN TO DELETE THEM BY HAND.
        // BUT CHECK THE LIST CAREFULLY FIRST TO MAKE SURE YOU REALLY WANT TO DELETE
        // ALL THE FILES AND NONE OF THEM ARE FALSE POSITIVES.
        //unlink($filename); // THIS DELETES THE FILE WITHOUT GIVING YOU THE OPTION OF EXAMINING IT!
    }
}

// CALLBACK FUNCTION TO REPORT PHARMA LINK HACKS.
function pharma($filename)
{
    echo CleanColorText($filename, 'blue') . " is most likely a " . CleanColorText('pharma hack', 'red') . ".<br>";
}

// CALLBACK FUNCTION TO REPORT FILES WHOSE NAMES ARE SUSPICIOUS.
function badnames($filename)
{
    echo CleanColorText($filename, 'blue') . " is a " . CleanColorText('suspicious file name', 'red') . ".<br>";
}

// --------------------------------------------------------------------------------
// SET UP THE SEARCH CRITERIA.

// SEARCHES WILL BE DONE IN THIS DIRECTORY AND ALL DIRS INSIDE IT.
// './' MEANS CURRENT DIRECTORY, WHERE THIS SCRIPT IS NOW.
// THUS, TO SEARCH EVERYTHING INSIDE PUBLIC_HTML, THAT'S WHERE THIS FILE SHOULD BE PUT.
// TO SEARCH OUTSIDE PUBLIC_HTML, OR TO SEARCH A FOLDER OTHER THAN WHERE THIS SCRIPT IS STORED,
// CHANGE THIS TO THE FULL PATHNAME, SUCH AS /home/userid/ OR /home/userid/public_html/somefolder/
// USE FORWARD SLASHES FOR PATH. WINDOWS EXAMPLE: C:/wamp/apache2/htdocs/test/
$StartPath = './';

// ENTRIES IN THE FOLLOWING 3 ARRAYS ARE REGULAR EXPRESSIONS, WHICH IS THE REASON FOR THE /DELIMITERS/.
// FILES WHOSE NAMES MATCH THESE REGEXES WILL HAVE THEIR TEXT SEARCHED FOR MALICIOUS CODE.
$FiletypesToSearch = array
(
    '/\.htaccess$/i',
    '/\.php[45]?$/i',
    '/\.html?$/i',
    '/\.aspx?$/i',
    '/\.inc$/i',
    '/\.cfm$/i',
    '/\.js$/i',
    '/\.css$/i'
);

// FILES WITH THESE STRINGS IN THEIR *NAMES* WILL BE REPORTED AS SUSPICIOUS.
$SuspiciousFileAndPathNames = array
(
    //'/root/i',
    //'/kit/i',
    '/c99/i',
    '/r57/i',
    '/gifimg/i'
);

// FILENAMES RELATED TO WORDPRESS PHARMA HACK, USING THE NAMING CONVENTIONS
// DESCRIBED AT http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php
// FILES MATCHING THESE NAMES WILL BE REPORTED AS POSSIBLE PHARMA HACK FILES.
$PharmaFilenames = array
(
    '/^\..*(cache|bak|old)\.php/i',    // HIDDEN FILES WITH PSEUDO-EXTENSIONS IN THE MIDDLE OF THE FILENAME
    '/^db-.*\.php/i',

    // PERMIT THE STANDARD WORDPRESS FILES THAT START WITH CLASS-, BUT FLAG ALL OTHERS AS SUSPICIOUS.
    // THE (?!) IS CALLED A NEGATIVE LOOKAHEAD ASSERTION. IT MEANS "NOT FOLLOWED BY..."
    '/^class-(?!snoopy|smtp|feed|pop3|IXR|phpmailer|json|simplepie|phpass|http|oembed|ftp-pure|wp-filesystem-ssh2|wp-filesystem-ftpsockets|ftp|wp-filesystem-ftpext|pclzip|wp-importer|wp-upgrader|wp-filesystem-base|ftp-sockets|wp-filesystem-direct)\.php/i'
);

// --------------------------------------------------------------------------------
// FINALLY, DO THE SEARCHES, USING THE ABOVE ARRAYS AS THE STRING DATA SOURCES.

// REPORT FILES WITH SUSPICIOUS NAMES
foreach ($SuspiciousFileAndPathNames as $i)
    find_files($StartPath, $i, 'badnames');

// REPORT FILES WITH SUSPICIOUS PHARMA-RELATED NAMES
foreach ($PharmaFilenames as $i)
    find_files($StartPath, $i, 'pharma');

// REPORT FILES CONTAINING SUSPICIOUS CODE OR TEXT
foreach ($FiletypesToSearch as $i)
    find_files($StartPath, $i, 'maliciouscodesnippets');

echo "<br>Done<br>";

?>

</p>
</body>
</html>
Upload it and run it. Save it under the name lookforbadguys.php; with any other name, this script itself will show up as a backdoor in the scan.. If you want to save it under a different name, first edit this line:
Code:
if(stripos($filename, "lookforbadguys.php"))


and change "lookforbadguys.php" to your_file_name.php...
Hacking isn't just Computers & Exploits. It's a Philosophy.
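Added example, not part of the thread and not the lookforbadguys.php script: the script above only reports that a file contains the word AddHandler and leaves the reading to you, so here is a small .htaccess auditor in Python that parses the handler and rewrite directives and says why a line deserves a look. The static-extension set, the directive list and the sample .htaccess are mine; the host name in the sample is a placeholder.

```python
import re

# Extensions Apache should serve as static content; mapping any of these to the PHP
# handler turns every uploaded "image" into executable code. The set is mine; extend it as needed.
STATIC_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".ico", ".txt"}

HANDLER_DIRECTIVE = re.compile(r"^(AddHandler|AddType|SetHandler|ForceType)\s+(\S+)\s*(.*)$", re.IGNORECASE)
REWRITE_RULE = re.compile(r"^RewriteRule\s+(\S+)\s+(\S+)", re.IGNORECASE)
EXTERNAL_TARGET = re.compile(r"^https?://", re.IGNORECASE)


def audit_htaccess(text):
    """Return [(line_number, reason, line), ...] for the lines of one .htaccess body that need a look."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HANDLER_DIRECTIVE.match(line)
        if m:
            directive, handler, rest = m.group(1).lower(), m.group(2), m.group(3)
            if "php" not in handler.lower():
                continue
            if directive in ("sethandler", "forcetype"):
                # Applies to every file in scope: fine inside <FilesMatch "\.php$">, not at the top level.
                findings.append((lineno, "php handler forced on everything in scope", line))
            else:
                # AddHandler/AddType take a list of extensions, with or without the leading dot.
                exts = {e if e.startswith(".") else "." + e for e in rest.lower().split()}
                bad = sorted(exts & STATIC_EXTENSIONS)
                if bad:
                    findings.append((lineno, "php handler mapped to static extension(s) " + " ".join(bad), line))
            continue
        m = REWRITE_RULE.match(line)
        if m and EXTERNAL_TARGET.match(m.group(2)):
            # Redirects off-site are what the script above means by "malicious redirects"; not all are bad.
            findings.append((lineno, "rewrite to external host " + m.group(2) + " (check manually)", line))
    return findings


# Constructed sample; the host name is a placeholder, not a real site.
SAMPLE_HTACCESS = """\
# legitimate part
RewriteEngine On
RewriteRule ^old/(.*)$ /new/$1 [R=301,L]
AddHandler application/x-httpd-php .php .php5
# the two lines that make images executable and send visitors elsewhere
AddHandler php5-script .jpg .gif
RewriteRule ^(.*)$ http://redirect-target.example/ [R,L]
"""


def demo():
    """Audit the constructed sample and return its findings."""
    return audit_htaccess(SAMPLE_HTACCESS)


if __name__ == "__main__":
    for lineno, reason, line in demo():
        print("line %d: %s\n    %s" % (lineno, reason, line))
```

The internal redirect on line 3 and the normal PHP mapping on line 4 produce nothing, so the output is the two lines that matter. A conditional redirect that only fires for search-engine referrers (a RewriteCond on HTTP_REFERER in front of the RewriteRule) is the usual shape of the pharma-hack redirect and would be caught the same way, since the rule's target is still an external URL.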

#15
(11-07-2011, 09:16 PM) THJC Wrote: wow, can we share backdoors?
Sure, here's my backdoor collection...

Polymorphic
http://pastie.org/private/x9jupde2sapttqyza0ydg

b374k
http://pastie.org/private/odnvziidmooh62aszjtcq

404
http://paste.org/pastebin/view/40677

r57
http://pastie.org/private/mygzayref3heoufjmelpsa

c99
http://paste.org/pastebin/view/40678

locus
http://ribitsity.org/locus.txt

Got any live BDs, bro?
All my saved ones are gone because I formatted my PC
Finding them again is a real chore, bro

#16
(11-08-2011, 05:53 PM) shadowsmaker Wrote:
(11-07-2011, 09:16 PM) THJC Wrote: wow, can we share backdoors?
Sure, here's my backdoor collection...

Oh no, I happen not to have any, bro
Just search by dork

#17
(11-06-2011, 07:38 AM) cassaprodigy Wrote: so that we can interact and really share .. I want to share a few backdoor-scanning scripts .... your job, friends, is to find the PoC, i.e. test them against various kinds of backdoors ... application backdoors, PHP, exe, etc.

Let's form a pentester team ... great

The scripts include:

1. findshell.pl

Code:
#!/usr/bin/perl -w
# findshell v1.0 == code taken/modified from traps.darkmindz.com
# usage: ./findshell.pl <sensitivity 1-50> <directory to scan>
use strict;
use File::Find;
my $sens   = shift || 10;
my $folder = shift || './';
find(\&backdoor, $folder);

sub backdoor {
    return unless -f $_;    # regular files only; a directory named like "x.php" would break open()
    if (/\.(php|txt)/) {
        open(my $IN, '<', $_) || do { warn "can not open file $File::Find::name: $!\n"; return };
        my @file = <$IN>;
        close $IN;
        # maybe evil stuff: 1 point per line that mentions a sensitive function
        my $score = grep(/function_exists\(|phpinfo\(|safe_?mode|shell_exec\(|popen\(|passthru\(|system\(|myshellexec\(|exec\(|getpwuid\(|getgrgid\(|fileperms\(/i, @file);
        # probably evil stuff: 50 points per line with a known shell name or with request input fed straight to exec/eval
        my $tempscore = grep(/\`\$\_(post|request|get).{0,20}\`|(include|require|eval|system|passthru|shell_exec).{0,10}\$\_(post|request|get)|eval.{0,10}base64_decode|back_connect|backdoor|r57|PHPJackal|PhpSpy|GiX|Fx29SheLL|w4ck1ng|milw0rm|PhpShell|k1r4|FeeLCoMz|FaTaLisTiCz|Ve_cENxShell|UnixOn|C99madShell|Spamfordz|Locus7s|c100|c99|x2300|cgitelnet|webadmin|STUNSHELL|Pr!v8|PHPShell|KaMeLeOn|S4T|oRb|tryag|sniper|noexecshell|\/etc\/passwd|revengans/i, @file);
        $score += 50 * $tempscore;
        print "$score - Possible backdoor : $File::Find::name\n" if ($score > $sens - 1);
    }
    elsif (/\.(jpg|jpeg|gif|png|tar|zip|gz|rar|pdf)/) {
        # a PHP open tag or include() inside a non-PHP file is always worth a look
        open(my $IN, '<', $_) || do { warn "can not open file $File::Find::name: $!\n"; return };
        print "5000 - Possible backdoor (php in non-php file): $File::Find::name\n" if grep /(\<\?php|include(\ |\())/i, <$IN>;
        close $IN;
    }
}

2. neopi.py

Code:
#!/usr/bin/env python3
# Name: neopi.py
# Description: Utility to scan a file path for encrypted and obfuscated files
# Authors: Ben Hagen ([email protected])
# Scott Behrens ([email protected])
#
# Date: 11/4/2010
#
# pep-0008 - Is stupid. TABS FO'EVER!

# Try catch regular expressions/bad path/bad filename/bad regex/

# Library imports
import math
import sys
import os
import re
import csv
import zlib
import time
from collections import defaultdict
from optparse import OptionParser


class LanguageIC:
    """Class that calculates a file's Index of Coincidence as
    well as a subset of files' average Index of Coincidence.
    """
    def __init__(self):
        """Initialize results arrays as well as character counters."""
        self.char_count = defaultdict(int)
        self.total_char_count = 0
        self.results = []
        self.ic_total_results = ""

    def calculate_char_count(self, data):
        """Method to calculate character counts for a particular data file."""
        if not data:
            return 0
        # Files are read as bytes, so count each of the 256 byte values.
        for x in range(256):
            charcount = data.count(x)
            self.char_count[x] += charcount
            self.total_char_count += charcount
        return

    def calculate_IC(self):
        """Calculate the Index of Coincidence for the self variables"""
        total = 0
        for val in self.char_count.values():
            if val == 0:
                continue
            total += val * (val - 1)
        try:
            ic_total = float(total) / (self.total_char_count * (self.total_char_count - 1))
        except ZeroDivisionError:
            ic_total = 0
        self.ic_total_results = ic_total
        return

    def calculate(self, data, filename):
        """Calculate the Index of Coincidence for a file and append to self.results array"""
        if not data:
            return 0
        char_count = 0
        total_char_count = 0

        for x in range(256):
            charcount = data.count(x)
            char_count += charcount * (charcount - 1)
            total_char_count += charcount

        ic = float(char_count) / (total_char_count * (total_char_count - 1))
        self.results.append({"filename": filename, "value": ic})
        # Call method to calculate_char_count and append to total_char_count
        self.calculate_char_count(data)
        return ic

    def sort(self):
        self.results.sort(key=lambda item: item["value"])
        self.results = resultsAddRank(self.results)

    def printer(self, count):
        """Print the top signature count match files for a given search"""
        # Calculate the Total IC for a Search
        self.calculate_IC()
        print("\n[[ Average IC for Search ]]")
        print(self.ic_total_results)
        print("\n[[ Top %i lowest IC files ]]" % (count))
        if count > len(self.results):
            count = len(self.results)
        for x in range(count):
            print(' {0:>7.4f} {1}'.format(self.results[x]["value"], self.results[x]["filename"]))
        return


class Entropy:
    """Class that calculates a file's Entropy."""

    def __init__(self):
        """Instantiate the entropy_results array."""
        self.results = []

    def calculate(self, data, filename):
        """Calculate the entropy for 'data' and append result to entropy_results array."""
        if not data:
            return 0
        entropy = 0
        for x in range(256):
            p_x = float(data.count(x)) / len(data)
            if p_x > 0:
                entropy += - p_x * math.log(p_x, 2)
        self.results.append({"filename": filename, "value": entropy})
        return entropy

    def sort(self):
        self.results.sort(key=lambda item: item["value"])
        self.results.reverse()
        self.results = resultsAddRank(self.results)

    def printer(self, count):
        """Print the top signature count match files for a given search"""
        print("\n[[ Top %i entropic files for a given search ]]" % (count))
        if count > len(self.results):
            count = len(self.results)
        for x in range(count):
            print(' {0:>7.4f} {1}'.format(self.results[x]["value"], self.results[x]["filename"]))
        return


class LongestWord:
    """Class that determines the longest word for a particular file."""
    def __init__(self):
        """Instantiate the longestword_results array."""
        self.results = []

    def calculate(self, data, filename):
        """Find the longest word in a string and append to longestword_results array"""
        if not data:
            return 0
        longest = 0
        longest_word = ""
        words = re.split(rb"[\s,\n,\r]", data)   # bytes pattern, because data is bytes
        if words:
            for word in words:
                length = len(word)
                if length > longest:
                    longest = length
                    longest_word = word
        self.results.append({"filename": filename, "value": longest})
        return longest

    def sort(self):
        self.results.sort(key=lambda item: item["value"])
        self.results.reverse()
        self.results = resultsAddRank(self.results)

    def printer(self, count):
        """Print the top signature count match files for a given search"""
        print("\n[[ Top %i longest word files ]]" % (count))
        if count > len(self.results):
            count = len(self.results)
        for x in range(count):
            print(' {0:>7} {1}'.format(self.results[x]["value"], self.results[x]["filename"]))
        return


class SignatureNasty:
    """Generator that searches a given file for nasty expressions"""

    def __init__(self):
        """Instantiate the results array."""
        self.results = []

    def calculate(self, data, filename):
        if not data:
            return 0
        # Lots taken from the wonderful post at http://stackoverflow.com/questions/3115559/exploitable-php-functions
        valid_regex = re.compile(rb'(eval\(|base64_decode|python_eval|exec\(|passthru|popen|proc_open|pcntl|assert\(|system\(|shell)', re.I)
        matches = re.findall(valid_regex, data)
        self.results.append({"filename": filename, "value": len(matches)})
        return len(matches)

    def sort(self):
        self.results.sort(key=lambda item: item["value"])
        self.results.reverse()
        self.results = resultsAddRank(self.results)

    def printer(self, count):
        """Print the top signature count match files for a given search"""
        print("\n[[ Top %i signature match counts ]]" % (count))
        if count > len(self.results):
            count = len(self.results)
        for x in range(count):
            print(' {0:>7} {1}'.format(self.results[x]["value"], self.results[x]["filename"]))
        return


class Compression:
    """Generator finds compression ratio"""

    def __init__(self):
        """Instantiate the results array."""
        self.results = []

    def calculate(self, data, filename):
        if not data:
            return 0
        compressed = zlib.compress(data)
        ratio = float(len(compressed)) / float(len(data))
        self.results.append({"filename": filename, "value": ratio})
        return ratio

    def sort(self):
        self.results.sort(key=lambda item: item["value"])
        self.results.reverse()
        self.results = resultsAddRank(self.results)

    def printer(self, count):
        """Print the top files for a given search"""
        print("\n[[ Top %i compression match counts ]]" % (count))
        if count > len(self.results):
            count = len(self.results)
        for x in range(count):
            print(' {0:>7.4f} {1}'.format(self.results[x]["value"], self.results[x]["filename"]))
        return


def resultsAddRank(results):
    """Assign a 1-based rank to each sorted result; equal values share a rank."""
    rank = 1
    offset = 1
    previousValue = False
    newList = []
    for result in results:
        if previousValue and previousValue != result["value"]:
            rank = offset
        result["rank"] = rank
        newList.append(result)
        previousValue = result["value"]
        offset = offset + 1
    return newList


class SearchFile:
    """Generator that searches a given filepath with an optional regular
    expression and returns the filepath and filename"""
    def search_file_path(self, args, valid_regex):
        for root, dirs, files in os.walk(args[0]):
            for name in files:
                filename = os.path.join(root, name)
                if not valid_regex.search(name):
                    continue
                try:
                    if os.path.getsize(filename) <= 60:
                        continue
                    with open(filename, 'rb') as fh:
                        data = fh.read()
                except OSError:
                    data = False
                    print("Could not read file :: %s" % filename)
                yield data, filename


if __name__ == "__main__":
    # Parse all the options
    timeStart = time.perf_counter()

    print("\nNeoPI  Ver. *.USEGIT\n")

    parser = OptionParser(usage="usage: %prog [options] <start directory> <OPTIONAL: filename regex>",
                          version="%prog 1.0")
    parser.add_option("-c", "--csv",
                      action="store",
                      dest="is_csv",
                      default=False,
                      help="generate CSV outfile",
                      metavar="FILECSV")
    parser.add_option("-a", "--all",
                      action="store_true",
                      dest="is_all",
                      default=False,
                      help="Run all (useful) tests [Entropy, Longest Word, IC, Signature]",)
    parser.add_option("-z", "--zlib",
                      action="store_true",
                      dest="is_zlib",
                      default=False,
                      help="Run compression Test",)
    parser.add_option("-e", "--entropy",
                      action="store_true",
                      dest="is_entropy",
                      default=False,
                      help="Run entropy Test",)
    parser.add_option("-l", "--longestword",
                      action="store_true",
                      dest="is_longest",
                      default=False,
                      help="Run longest word test",)
    parser.add_option("-i", "--ic",
                      action="store_true",
                      dest="is_ic",
                      default=False,
                      help="Run IC test",)
    parser.add_option("-s", "--signature",
                      action="store_true",
                      dest="is_signature",
                      default=False,
                      help="Run signature test",)
    parser.add_option("-A", "--auto",
                      action="store_true",
                      dest="is_auto",
                      default=False,
                      help="Run auto file extension tests",)
    parser.add_option("-u", "--unicode",
                      action="store_true",
                      dest="ignore_unicode",
                      default=False,
                      help="Skip over unicode-y/UTF'y files",)

    (options, args) = parser.parse_args()

    # Error on invalid number of arguments
    if len(args) < 1:
        parser.print_help()
        print("")
        sys.exit()

    # Error on an invalid path
    if not os.path.exists(args[0]):
        parser.error("Invalid path")

    valid_regex = ""
    if len(args) == 2 and options.is_auto is False:
        try:
            valid_regex = re.compile(args[1])
        except re.error:
            parser.error("Invalid regular expression")
    else:
        valid_regex = re.compile('.*')
    tests = []

    if options.is_auto:
        valid_regex = re.compile(r'(\.php|\.asp|\.aspx|\.scath|\.bash|\.zsh|\.csh|\.tsch|\.pl|\.py|\.txt|\.cgi|\.cfm|\.htaccess)$')

    if options.is_all:
        tests.append(LanguageIC())
        tests.append(Entropy())
        tests.append(LongestWord())
        tests.append(SignatureNasty())
    else:
        if options.is_entropy:
            tests.append(Entropy())
        if options.is_longest:
            tests.append(LongestWord())
        if options.is_ic:
            tests.append(LanguageIC())
        if options.is_signature:
            tests.append(SignatureNasty())
        if options.is_zlib:
            tests.append(Compression())

    # Instantiate the Generator Class used for searching, opening, and reading files
    locator = SearchFile()

    # CSV file output array
    csv_array = []
    csv_header = ["filename"]

    # Grab the file and calculate each test against file
    fileCount = 0
    fileIgnoreCount = 0
    for data, filename in locator.search_file_path(args, valid_regex):
        if data:
            # a row array for the CSV
            csv_row = [filename]

            fileAsciiHighRatio = 0.0
            if options.ignore_unicode:
                # Iterating over bytes yields ints, so the byte value is compared directly.
                asciiHighCount = sum(1 for byte in data if byte > 127)
                fileAsciiHighRatio = float(asciiHighCount) / float(len(data))

            if not options.ignore_unicode or fileAsciiHighRatio < .1:
                for test in tests:
                    calculated_value = test.calculate(data, filename)
                    # Make the header row if it hasn't been fully populated, +1 here to account for filename column
                    if len(csv_header) < len(tests) + 1:
                        csv_header.append(test.__class__.__name__)
                    csv_row.append(calculated_value)
                fileCount = fileCount + 1
                csv_array.append(csv_row)
            else:
                fileIgnoreCount = fileIgnoreCount + 1

    if options.is_csv:
        csv_array.insert(0, csv_header)
        # newline="" is what the csv module expects for a text-mode file
        with open(options.is_csv, "w", newline="") as csvfile:
            csv.writer(csvfile).writerows(csv_array)

    timeFinish = time.perf_counter()

    # Print some stats
    print("\n[[ Total files scanned: %i ]]" % (fileCount))
    print("[[ Total files ignored: %i ]]" % (fileIgnoreCount))
    print("[[ Scan Time: %f seconds ]]" % (timeFinish - timeStart))

    # Print top rank lists
    rank_list = {}
    for test in tests:
        test.sort()
        test.printer(10)
        for result in test.results:
            rank_list[result["filename"]] = rank_list.setdefault(result["filename"], 0) + result["rank"]

    rank_sorted = sorted(rank_list.items(), key=lambda x: x[1])

    print("\n[[ Top cumulative ranked files ]]")
    count = 10
    if count > len(rank_sorted):
        count = len(rank_sorted)
    for x in range(count):
        print(' {0:>7} {1}'.format(rank_sorted[x][1], rank_sorted[x][0]))

or by using a manual command in the console:

Code:
grep -RPl --include=*.{php,txt,asp} "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" /var/www/

For friends who want to participate, reply in this format:

reply:
findshell.pl
tested R57 = worked ------------> if it really worked (was successfully detected)
tested c99 = not worked --------> if it really could not be detected

Remember, one at a time per tool, okay .. backdoor types that have already been tested, please don't test again in later replies!

Then, if there are additional shell functions that let such a file gain access, please go ahead and add them too

OK, I'll be waiting


Bro, I need some enlightenment here: if, say, the backdoor scan is done with
chkrootkit -x or
rkhunter -c
is that different? As far as I know those scan all the way down to the root, hehe

#18
That's a different thing, bro .. I've tested with chkrootkit and rkhunter, and they still didn't detect PHP shells that have been encrypted
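Added example, not from the thread and not neopi's code: the four statistical tests that neopi.py (post #17) runs (entropy, index of coincidence, compression ratio, longest word) reduced to one function each, run on two constructed PHP bodies, one plain and one shaped like a packed ("encrypted") shell. It shows in numbers why the rootkit checkers asked about above, which look for known rootkit traces on the host rather than scoring the statistics of web content, say nothing about such a file, while these tests separate it from ordinary code without knowing any signature. The sample bodies and the thresholds in looks_obfuscated are mine.

```python
import base64
import math
import re
import zlib


def shannon_entropy(data):
    """Bits per byte (0..8); encoded or random bytes score high, source code around 4.5-5.5. neopi's Entropy test."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = (data.count(b) for b in range(256))
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def index_of_coincidence(data):
    """Chance that two bytes drawn at random are equal; text and code score well above uniform noise. neopi's IC test."""
    n = len(data)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in (data.count(b) for b in range(256))) / (n * (n - 1))


def compression_ratio(data):
    """zlib-compressed size over raw size; already-encoded payloads barely shrink. neopi's Compression test."""
    return len(zlib.compress(data)) / len(data) if data else 0.0


def longest_word(data):
    """Longest whitespace-delimited token; a base64 blob shows up as one giant token. neopi's LongestWord test."""
    return max((len(w) for w in re.split(rb"\s+", data)), default=0)


def profile(data):
    """All four indicators for one file body."""
    return {
        "entropy": shannon_entropy(data),
        "ic": index_of_coincidence(data),
        "compression": compression_ratio(data),
        "longest_word": longest_word(data),
    }


def looks_obfuscated(data, entropy_min=5.5, ic_max=0.04, longest_min=200):
    """Triage rule (thresholds are mine; tune them on your own tree): at least two indicators trip."""
    p = profile(data)
    votes = (p["entropy"] >= entropy_min) + (p["ic"] <= ic_max) + (p["longest_word"] >= longest_min)
    return votes >= 2


# Constructed samples. PLAIN_PHP is ordinary template code.
PLAIN_PHP = b"""<?php
$config = parse_ini_file('site.ini');
$name = htmlspecialchars($_GET['name'] ?? 'guest');
echo '<h1>Hello, ' . $name . '</h1>';
foreach ($config['links'] as $label => $url) {
    echo '<a href="' . htmlspecialchars($url) . '">' . htmlspecialchars($label) . '</a>';
}
foreach ($config['footer'] as $label => $url) {
    echo '<a href="' . htmlspecialchars($url) . '">' . htmlspecialchars($label) . '</a>';
}
"""

# PACKED_PHP is shaped like a packed shell: a body that was compressed, base64-encoded and is handed
# to a decoder at run time. The body here is filler bytes, not a shell. zlib.compress() writes the
# zlib format, which is what PHP's gzuncompress() reads.
_FILLER = b"<?php /* placeholder body */ " + bytes((i * 37 + 11) % 256 for i in range(1024))
PACKED_PHP = (b"<?php eval(gzuncompress(base64_decode('"
              + base64.b64encode(zlib.compress(_FILLER)) + b"')));")


if __name__ == "__main__":
    for label, body in (("plain", PLAIN_PHP), ("packed", PACKED_PHP)):
        p = profile(body)
        print("%-7s entropy=%.2f ic=%.4f compression=%.2f longest=%d obfuscated=%s"
              % (label, p["entropy"], p["ic"], p["compression"], p["longest_word"], looks_obfuscated(body)))
```

The point of voting across indicators rather than trusting one: a minified JavaScript bundle has a long longest word but normal entropy, and a small binary has high entropy but no long token, so each alone floods the list; a packed PHP body trips all of them at once. neopi does the same thing by summing per-test ranks in its "Top cumulative ranked files" list.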

#19
(12-27-2011, 11:54 AM) cassaprodigy Wrote: That's a different thing, bro .. I've tested with chkrootkit and rkhunter, and they still didn't detect PHP shells that have been encrypted

Oh, I see, bro, hehe. Thanks for the answer

#20
(11-07-2011, 09:16 PM) THJC Wrote: wow, can we share backdoors?
Sure, here's my backdoor collection...


Backdoor :-bd
Let me have a taste, bro ... :d
Click Here

Clound@IBTeam:~#
Email me: [email protected]





