| author | shaddai | 2016-01-04 16:48:19 +0100 |
|---|---|---|
| committer | shaddai | 2016-01-04 16:48:19 +0100 |
| commit | 71a34f643b135fc8d0d1fad26029fdbdfefe0f64 (patch) | |
| tree | d7b22a6edbdcfe9cf95e6257132064998d8816af /phpmalwarefinder | |
| parent | de3e79edacea28320170bec145dbaf28cc31064c (diff) | |
one_line_trick function
The newly added function allows checking for files containing one-liner webshells; these files are mostly composed of one or two very long lines.
Diffstat (limited to 'phpmalwarefinder')
| -rwxr-xr-x | phpmalwarefinder | 51 |
1 files changed, 33 insertions, 18 deletions
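--- a/phpmalwarefinder
+++ b/phpmalwarefinder
@@ -7,39 +7,55 @@ NICE_BIN=$(type -P nice)
 
 if [ ! -f "$YARA" ]
 then
 YARA='./yara'
 fi
 
 if [ ! -f "$CONFIG_PATH" ]
 then
 CONFIG_PATH='./malwares.yara'
 fi
 
 if [ -f "${IONICE_BIN}" ]
 then
 NICE=${IONICE_BIN}
 NICE_OPTS="-c 3"
 else
 if [ -f "${NICE_BIN}" ]
 then
 NICE=${NICE_BIN}
 NICE_OPTS="-n 20"
 fi
 fi
 
+# before starting yara, check if the file
+one_line_trick() {
+
+for file in $(find $@ -type f); do
+line_num=$(wc -l $file | cut -d' ' -f1)
+char_num=$(wc -c $file | cut -d' ' -f1)
+
+if [ "$line_num" -le "2" ]; then
+# humm, 2 lines long file ?
+if [ "$char_num" -ge "300" ]; then
+echo TooShort $file
+fi;
+fi;
+done;
+
+}
+
 show_help() {
 cat << EOF
 Usage ${0##*/} [-cfhw] <file|folder> ...
 -c Optional path to a configuration file
 -f Fast mode
 -h Show this help message
--t Specify the number of threads to use (8 by default)
 -v Verbose mode
 EOF
 }
 
 OPTIND=1
-while getopts "c:fht:v" opt; do
+while getopts "c:fhv" opt; do
 case "$opt" in
 h)
 show_help
@@ -51,9 +67,6 @@ while getopts "c:fht:v" opt; do
 c)
 CONFIG_PATH=${OPTARG}
 ;;
-t)
-OPTS="${OPTS} --threads=${OPTARG}"
-;;
 v)
 OPTS="${OPTS} -s"
 ;;
@@ -79,16 +92,18 @@ fi
 
 if [ -z $@ ]
 then
 show_help
 exit 1
 fi
 
 if [ ! -e ${NICE} ]
 then
 echo "No nice program available. Please install ionice or nice."
 exit 1
 fi
 
 OPTS="${OPTS} -r ${CONFIG_PATH}"
 
+one_line_trick $@
+
 ${NICE} ${NICE_OPTS} $YARA $OPTS $@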
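Review bot: `one_line_trick` iterates over `$(find $@ -type f)` and then passes `$file` unquoted to `wc`, so any path containing whitespace is split into several bogus names and both `wc` calls fail on them; the same unquoted `$@` is passed at the new `one_line_trick $@` call in the last hunk, so a scan target with a space in its name is never checked. Parsing `wc -l $file | cut -d' ' -f1` is also fragile, because some `wc` implementations right-align the count with leading spaces and `cut` then yields an empty string, which makes `[ "" -le "2" ]` abort with an error instead of deciding. Redirecting the file into `wc` removes the filename from its output, and a NUL-delimited `find -print0 | read -d ''` loop (bash-specific, like the script's existing `type -P`) keeps arbitrary paths intact. The leading comment `# before starting yara, check if the file` is also cut off mid-sentence; the version below completes it and states the heuristic (at most two lines but at least 300 bytes) so the thresholds are documented where they are used.
```shell
# Before starting yara, flag files that look like one-liner webshells:
# at most two lines but at least 300 bytes of content.
one_line_trick() {
    find "$@" -type f -print0 | while IFS= read -r -d '' file; do
        line_num=$(wc -l < "$file")
        char_num=$(wc -c < "$file")
        if [ "$line_num" -le 2 ] && [ "$char_num" -ge 300 ]; then
            echo "TooShort $file"
        fi
    done
}

# … unchanged: show_help, option parsing, sanity checks …

one_line_trick "$@"
```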
