diff options
| -rw-r--r-- | php-malware-finder/docroot-check.sh | 39 |
1 files changed, 0 insertions, 39 deletions
diff --git a/php-malware-finder/docroot-check.sh b/php-malware-finder/docroot-check.sh deleted file mode 100644 index 11aa4f9..0000000 --- a/php-malware-finder/docroot-check.sh +++ /dev/null | |||
| @@ -1,39 +0,0 @@ | |||
| 1 | #!/usr/bin/env bash | ||
| 2 | |||
| 3 | PATH=/usr/bin:/bin:/sbin:/usr/sbin | ||
| 4 | apache_confdir="/etc/apache2/sites-available" | ||
| 5 | pmf_conf="/etc/phpmalwarefinder/php.yar" | ||
| 6 | pmf_cachedir="/tmp" | ||
| 7 | |||
| 8 | # grab the different document roots to scan each and everyone of them | ||
| 9 | for docroot in $(grep -o 'DocumentRoot.*' $apache_confdir/* | \ | ||
| 10 | awk '{if ($2 ~ "/data/www/*") print $2}') ; do | ||
| 11 | |||
| 12 | vhost_outdir=$(echo $docroot |egrep -o '[^/]*/[^/]*$') | ||
| 13 | mkdir -p $pmf_cachedir/$vhost_outdir | ||
| 14 | pmf_sha1=$pmf_cachedir/$vhost_outdir/sha1sum.$(date +"%d-%m-%Y") | ||
| 15 | last_pmf_sha1=$pmf_cachedir/$vhost_outdir/sha1sum.$(date +"%d-%m-%Y" --date="7 days ago") | ||
| 16 | |||
| 17 | # compute PHP files sha1sum and compare them to last report to reduce the | ||
| 18 | # amout of files yara has to scan | ||
| 19 | find $docroot -type f -iname "*php" -exec sha1sum {} \; > $pmf_sha1 | ||
| 20 | |||
| 21 | if [ -f $last_pmf_sha1 ] ; then | ||
| 22 | diff -u $pmf_sha1 $last_pmf_sha1 | grep ^+[A-Z] | sed -e 's/^+[^\ ]*//g' > \ | ||
| 23 | /tmp/diff.txt | ||
| 24 | for file in $(cat /tmp/diff.txt); do | ||
| 25 | yara $pmf_conf >> $pmf_cachedir/$vhost_outdir/cron.out 2>&1 | ||
| 26 | done | ||
| 27 | else | ||
| 28 | # first scan or last scan result is missing | ||
| 29 | SAVEIFS=$IFS | ||
| 30 | IFS=$(echo -en "\n\b") | ||
| 31 | find $docroot -type f -iname "*php" -exec yara $pmf_conf {} > \ | ||
| 32 | $pmf_cachedir/$vhost_outdir/cron.out 2>&1 \; | ||
| 33 | fi; | ||
| 34 | |||
| 35 | if [ -s $pmf_cachedir/$vhost_outdir/cron.out ]; then | ||
| 36 | cat $pmf_cachedir/$vhost_outdir/cron.out | \ | ||
| 37 | mail -s "PMF REPORT:$(uname -n) DocumentRoot $docroot" jre@nbs-system.com | ||
| 38 | fi; | ||
| 39 | done | ||
