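#!/bin/bash
# malware_scanner.sh - heuristic scan of *.php and *.js files under the current
# directory for strings commonly found in injected or obfuscated web code.
#
# Usage: ./malware_scanner.sh [--perms, -p] [--verbose, -v] [--help, -h]
#
# Globals set here and read by the functions below:
#   time_start   epoch seconds at start, used for the final timing line
#   filename     this script's own basename, skipped by the scanner
#   verbose      1 = print findings on the terminal, 0 = mail a report
#   perms        1 = chmod 644 every file that matched a pattern
#   total        number of files examined (incremented by the scanner)
#   found_files  "file:line_number:content" entries collected by interact()
time_start=$(date +%s)
filename="malware_scanner.sh"
verbose=0
perms=0
total=0
declare -a found_files

# Print the option summary. It goes to stdout because it is the requested
# output for -h/--help, not a diagnostic.
usage() {
  printf '%s\n' \
    "Usage: ./malware_scanner.sh [--perms, -p] [--verbose, -v] [--help, -h]" \
    "" \
    "Options:" \
    "--perms, -p Fix file permissions" \
    "--verbose, -v Enable interactive reporting" \
    "--help, -h Display this help message" \
    " "
}

# Running with no arguments is treated the same as asking for help.
if [[ $# -eq 0 || "$1" == "-h" || "$1" == "--help" ]]; then
  usage
  exit 0
fi

while [[ $# -gt 0 ]]; do
  case "$1" in
    --perms | -p)
      perms=1
      ;;
    --verbose | -v)
      verbose=1
      ;;
    *)
      # Unknown flag: report on stderr so it is not mistaken for scan output.
      printf 'Invalid option: %s\n' "$1" >&2
      usage >&2
      exit 1
      ;;
  esac
  shift
done

# Echo the effective configuration before scanning.
if [[ $verbose -eq 1 ]]; then
  printf '%s\n' "[X] Verbose mode"
else
  printf '%s\n' "[ ] Verbose mode"
fi
if [[ $perms -eq 1 ]]; then
  printf '%s\n' "[X] Fix file permissions"
else
  printf '%s\n' "[ ] Fix file permissions"
fi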
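#######################################
# Scan a directory tree and, unless verbose mode is on, mail the findings.
# Globals:   verbose (read)
# Arguments: $1 - directory to scan; defaults to the current directory.
#            (Previously this argument was accepted but ignored in favour of
#            $(pwd), so the caller's "$PWD" had no effect.)
# Outputs:   progress text on stdout
#######################################
scan_and_process_files() {
  local directory="${1:-$PWD}"
  echo "Scanning for malware patterns..."
  echo " "
  check_malware_patterns "$directory"
  # Interactive (verbose) runs print their findings at the end of the script
  # instead of sending the mail report.
  if [[ $verbose -eq 0 ]]; then
    send_security_report
  fi
}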
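#######################################
# Return 0 when a single line of source matches one of the signatures below,
# 1 otherwise.  Matching is heuristic: a hit is an indicator to review, not
# proof of compromise.
# Arguments: $1 - one line of file content
#######################################
_line_is_suspicious() {
  local line="$1"
  local pattern
  # Signatures as POSIX extended regular expressions.  They are kept in
  # strings and expanded UNQUOTED on the right of =~: a quoted right-hand
  # side of [[ =~ ]] is matched as a literal string, which is why the earlier
  # double-quoted versions of these never matched ".*" or "\(" as regex.
  # The first entry replaces a per-line grep -E fork with the same ERE.
  local -a patterns=(
    'base64_decode|eval\(|VpT32'
    'source=base64_decode'
    'POST.*execgate'
    'touch\("wp-optionstmp.php"'
    'file_put_contents.*wp-options'
    'touch.*wp-options\.php'
    'code_inject_sape'
    'xmlrpc.php".*mktime\('
    'jquery.php".*mktime\('
    'exec\("find '
    "exec\\('find "
    "assert\\((\"|')e(\"|')\\.(\"|')v(\"|')"
    '\(gzinflate\(str_rot13\(base64_decode'
    "preg_replace\\((\"|')/\\.\\*/e(\"|'),(\"|')"
    '\\x[0-9a-fA-F][0-9a-fA-F]'
  )
  for pattern in "${patterns[@]}"; do
    if [[ $line =~ $pattern ]]; then
      return 0
    fi
  done
  # Kept exactly as originally written.  NOTE(review): the single-quoted parts
  # are matched literally by bash, so this tests for the text "[a-z0-9]=>"
  # followed by one alphanumeric character -- confirm that is the intent.
  if [[ $line =~ ('[a-z0-9]')\=\>(''[a-z0-9]'') ]]; then
    return 0
  fi
  return 1
}

#######################################
# Walk every *.php and *.js file under a directory and hand each line that
# matches a signature to interact().
# Globals:   filename (read)  - this script's basename, which is skipped
#            total (written)  - incremented once per file examined
# Arguments: $1 - directory to scan (also forwarded to interact)
# Outputs:   none directly
#######################################
check_malware_patterns() {
  local directory="$1"
  local file line line_number current_filename
  # find's -print0 stream is consumed in the current shell through process
  # substitution, so total/found_files survive and no temp file is left
  # behind when a run is interrupted.
  while IFS= read -r -d '' file; do
    total=$((total + 1))
    line_number=0
    current_filename=${file##*/}
    # Never flag this script's own signature list.
    if [[ $current_filename == "$filename" ]]; then
      continue
    fi
    # The || clause keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [[ -n $line ]]; do
      line_number=$((line_number + 1))
      if _line_is_suspicious "$line"; then
        interact "$line" "$directory" "$file" "$line_number"
      fi
    done <"$file"
  done < <(find "$directory" -type f \( -name "*.php" -o -name "*.js" \) -print0)
}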
#######################################
# Record one suspicious line and, when permission fixing is enabled, reset
# the file's mode to 644.
# Globals:   found_files (appended), perms (read)
# Arguments: $1 - content of the matching line
#            $2 - directory being scanned (accepted, currently unused)
#            $3 - path of the file containing the match
#            $4 - line number of the match within that file
# Returns:   chmod's status when it runs, 0 otherwise
#######################################
interact() {
  local content="$1"
  # shellcheck disable=SC2034 -- part of the call signature, not used here
  local scan_dir="$2"
  local path="$3"
  local lineno="$4"
  found_files+=("${path}:${lineno}:${content}")
  if (( perms == 1 )); then
    chmod 644 "$path"
  fi
}
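#######################################
# Mail the collected findings.  Called for non-verbose runs.
# Globals:   total (read)       - number of files examined
#            found_files (read) - "file:line:content" entries from interact()
#                                 (the original read an "alarms" array that
#                                 nothing in this script ever populates)
#            email (read)       - recipient address; must be set before the
#                                 run, e.g. `email=admin@example.test ./malware_scanner.sh`
# Outputs:   one message via mail(1); a diagnostic on stderr when no
#            recipient is configured
# Returns:   mail's exit status, or 1 when email is unset or empty
#######################################
send_security_report() {
  local stamp subject body
  stamp=$(date)
  # The original computed this line as "msg" but never used it; it is the
  # natural subject for the report.
  subject="Scan complete ($total Files) - Security Report on $stamp"

  if [[ -z ${email:-} ]]; then
    printf 'send_security_report: no recipient configured (set email=...)\n' >&2
    return 1
  fi

  if (( ${#found_files[@]} > 0 )); then
    body="Suspicious activity detected. Please review the security report for detailed information."
  else
    body="No suspicious content detected."
  fi
  # printf builds the body instead of echo -e, whose escape handling varies
  # between shells and settings.
  printf '%s\n\n%s\n' "$body" "$(printf '%s\n' "${found_files[@]}")" |
    mail -s "$subject" "$email"
}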
# Entry point: scan the current directory, print the interactive report when
# verbose mode is on, then the timing summary and file count.
scan_and_process_files "$PWD"

if (( verbose == 1 )); then
  rule="###################################################################################################################################"
  printf '%s\n' "$rule" "Suspicious content detected in the following files:"
  for entry in "${found_files[@]}"; do
    # Entries are "file:line_number:content"; the content keeps any further
    # colons because it is the last field read.
    IFS=":" read -r file line_number line <<<"$entry"
    printf 'File: %s\nLine Number: %s\nContent: %s\n%s\n' \
      "$file" "$line_number" "$line" "$rule"
  done
fi

time_end=$(date +%s)
execution_time=$((time_end - time_start))
printf 'Total Execution Time: %s seconds\n' "$execution_time"
msg="Scan complete ($total Files)"
printf '%s\n' "$msg"