- #!/usr/bin/python
- # -*- coding: utf-8 -*-
- import os
- import sys
- import re
- rulelist = [
- '(\\$_(GET|POST|REQUEST)\\[.{0,15}\\]\\(\\$_(GET|POST|REQUEST)\\[.{0,15}\\]\\))',
- '(base64_decode\\([\\'"][\\w\\+/=]{200,}[\\'"]\\))',
- 'eval\\(base64_decode\\(',
- '(eval\\(\\$_(POST|GET|REQUEST)\\[.{0,15}\\]\\))',
- '(assert\\(\\$_(POST|GET|REQUEST)\\[.{0,15}\\]\\))',
- '(\\$[\\w_]{0,15}\\(\\$_(POST|GET|REQUEST)\\[.{0,15}\\]\\))',
- '(wscript\\.shell)',
- '(gethostbyname\\()',
- '(cmd\\.exe)',
- '(shell\\.application)',
- '(documents\\s+and\\s+settings)',
- '(system32)',
- '(serv-u)',
- '(提权)',
- '(phpspy)',
- '(后门)',
- '(webshell)',
- '(Program\\s+Files)'
- ]
- def Scan(path):
- for root,dirs,files in os.walk(path):
- for filespath in files:
- isover = False
- if '.' in filespath:
- ext = filespath[(filespath.rindex('.')+1):]
- if ext=='php':
- file= open(os.path.join(root,filespath))
- filestr = file.read()
- file.close()
- for rule in rulelist:
- result = re.compile(rule).findall(filestr)
- if result:
- print '文件:'+os.path.join(root,filespath)
- print '恶意代码:'+str(result[0])
- print '\\n\\n'
- break
- if os.path.lexists(sys.argv[1]):
- print('\\n\\n开始扫描:'+sys.argv[1])
- print(' 可疑文件 ')
- print('########################################')
- Scan(sys.argv[1])
- print('提示:扫描完成-- O(∩_∩)O哈哈~')
- else:
- print '提示:指定的扫描目录不存在--- 我靠( \\'o′)!!凸'
- //该片段来自于http://www.codesnippet.cn/detail/290920136210.html
来源: http://www.codesnippet.cn/detail/290920136210.html