From 71a34f643b135fc8d0d1fad26029fdbdfefe0f64 Mon Sep 17 00:00:00 2001
From: shaddai
Date: Mon, 4 Jan 2016 16:48:19 +0100
Subject: one_line_trick function

The newly added function allows to check for files containing oneliners webshells, these files are mostly composed of one or two very long lines
---
 phpmalwarefinder | 51 +++++++++++++++++++++++++++++++++------------------
 1 file changed, 33 insertions(+), 18 deletions(-)

diff --git a/phpmalwarefinder b/phpmalwarefinder
index 354ab91..20d3cee 100755
--- a/phpmalwarefinder
+++ b/phpmalwarefinder
@@ -7,39 +7,55 @@ NICE_BIN=$(type -P nice)
 if [ ! -f "$YARA" ]
 then
- YARA='./yara'
+ YARA='./yara'
 fi
 if [ ! -f "$CONFIG_PATH" ]
 then
- CONFIG_PATH='./malwares.yara'
+ CONFIG_PATH='./malwares.yara'
 fi
 if [ -f "${IONICE_BIN}" ]
 then
- NICE=${IONICE_BIN}
- NICE_OPTS="-c 3"
+ NICE=${IONICE_BIN}
+ NICE_OPTS="-c 3"
 else
- if [ -f "${NICE_BIN}" ]
- then
- NICE=${NICE_BIN}
- NICE_OPTS="-n 20"
- fi
+ if [ -f "${NICE_BIN}" ]
+ then
+ NICE=${NICE_BIN}
+ NICE_OPTS="-n 20"
+ fi
 fi
+# before starting yara, check if the file
+one_line_trick() {
+
+ for file in $(find $@ -type f); do
+ line_num=$(wc -l $file | cut -d' ' -f1)
+ char_num=$(wc -c $file | cut -d' ' -f1)
+
+ if [ "$line_num" -le "2" ]; then
+ # humm, 2 lines long file ?
+ if [ "$char_num" -ge "300" ]; then
+ echo TooShort $file
+ fi;
+ fi;
+ done;
+
+}
+
 show_help() {
 cat << EOF
 Usage ${0##*/} [-cfhw] ...
 -c Optional path to a configuration file
 -f Fast mode
 -h Show this help message
- -t Specify the number of threads to use (8 by default)
 -v Verbose mode
 EOF
 }
 OPTIND=1
-while getopts "c:fht:v" opt; do
+while getopts "c:fhv" opt; do
 case "$opt" in
 h)
 show_help
@@ -51,9 +67,6 @@ while getopts "c:fht:v" opt; do
 c)
 CONFIG_PATH=${OPTARG}
 ;;
- t)
- OPTS="${OPTS} --threads=${OPTARG}"
- ;;
 v)
 OPTS="${OPTS} -s"
 ;;
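Review bot: `for file in $(find $@ -type f)` in one_line_trick word-splits and re-globs find's output, so any path containing spaces, tabs or glob characters is skipped or broken into several bogus names before `wc` sees it, and `wc -l $file` / `echo TooShort $file` repeat the unquoted expansion; for a scanner that is a silent detection gap rather than a crash. The `cut -d' ' -f1` extraction is fragile as well: wc implementations that right-align the count (BSD/macOS) print leading spaces, so field 1 is empty and the `-le` test aborts with an error. Reading `wc -l < "$file"` keeps the filename out of the output so no cut is needed, and a NUL-delimited `find -print0 | while IFS= read -r -d '' file` walk keeps paths intact (the script already relies on bash via `type -P`). The header comment `# before starting yara, check if the file` stops mid-sentence; suggested wording: `# Before running yara, report files of at most 2 lines but at least 300 bytes: one-liner webshells typically look like this.`
```shell
one_line_trick() {
    # NUL-delimited walk so paths with whitespace or glob characters stay intact
    find "$@" -type f -print0 | while IFS= read -r -d '' file; do
        line_num=$(wc -l < "$file")
        char_num=$(wc -c < "$file")
        # … unchanged: line-count and byte-size thresholds …
                echo "TooShort $file"
        # … unchanged: closing fi; fi; …
    done
}
```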
@@ -79,16 +92,18 @@ fi
 if [ -z $@ ]
 then
- show_help
- exit 1
+ show_help
+ exit 1
 fi
 if [ ! -e ${NICE} ]
 then
- echo "No nice program available. Please install ionice or nice."
- exit 1
+ echo "No nice program available. Please install ionice or nice."
+ exit 1
 fi
 OPTS="${OPTS} -r ${CONFIG_PATH}"
+one_line_trick $@
+
 ${NICE} ${NICE_OPTS} $YARA $OPTS $@
-- cgit v1.3
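Review bot: `one_line_trick $@` hands the scan roots to the function unquoted, so a root containing whitespace arrives as several arguments and `find` is pointed at paths that do not exist; the call should be `one_line_trick "$@"` (the `$@` on the following yara line shares the problem, but that line is unchanged context). The heuristic's `TooShort` lines also go to stdout, where they interleave with yara's own matches; if the two outputs are meant to be consumed separately, sending the heuristic's output to stderr or giving it a consistent prefix would keep them apart.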