├── Makefile ├── README.md ├── evomalware.filenames ├── evomalware.filenames.md5 ├── evomalware.patterns ├── evomalware.patterns.md5 ├── evomalware.sh ├── evomalware.suspect ├── evomalware.suspect.md5 ├── evomalware.whitelist └── evomalware.whitelist.md5 /Makefile: -------------------------------------------------------------------------------- 1 | TARGET = md5 2 | 3 | all: $(TARGET) 4 | 5 | md5: 6 | md5sum evomalware.filenames > evomalware.filenames.md5 7 | md5sum evomalware.patterns > evomalware.patterns.md5 8 | md5sum evomalware.whitelist > evomalware.whitelist.md5 9 | md5sum evomalware.suspect > evomalware.suspect.md5 10 | clean: 11 | rm *.md5 || exit 0 12 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Description 2 | =========== 3 | 4 | EvoMalware is a Bash script that identifies files (PHP only ATM) 5 | infected by malware, viruses or backdoors. 6 | It is mainly intended to run from a cron job and generate reports, but it can also be 7 | used in "one shot" mode. 8 | 9 | The script uses 3 flat text files as databases: 10 | 11 | * evomalware.filenames, known filenames. 12 | * evomalware.patterns, known patterns. 13 | * evomalware.whitelist, files to ignore. 14 | 15 | There is also an "aggressive" mode which looks for suspect files using the 16 | evomalware.suspect DB. 17 | At each run, the script downloads the latest databases. 18 | 19 | Configuration/Tuning 20 | ==================== 21 | 22 | TODO 23 | 24 | Upstream 25 | ======== 26 | 27 | Upstream is at https://forge.evolix.org/projects/evomalware 28 | GitHub is a mirror. 
29 | 30 | Interesting others projects 31 | =========================== 32 | 33 | * WPScan, http://wpscan.org/ 34 | * Plecost, https://github.com/iniqua/plecost 35 | -------------------------------------------------------------------------------- /evomalware.filenames: -------------------------------------------------------------------------------- 1 | 9dh1ke.php| 2 | logoffKa9.php| 3 | abookH2w.php| 4 | sslksZ.php| 5 | rzy2r4.php| 6 | 70ggd_shellscript.php| 7 | seo_hack_antipidersia.php| 8 | shellscript_pass_dezmond.php| 9 | china-ysh.php| 10 | b0x.phtml| 11 | jacob.php 12 | -------------------------------------------------------------------------------- /evomalware.filenames.md5: -------------------------------------------------------------------------------- 1 | 552f446de03867c8513de7b6beb19eb4 evomalware.filenames 2 | -------------------------------------------------------------------------------- /evomalware.patterns: -------------------------------------------------------------------------------- 1 | 91.239.15.61| 2 | _YM82iAN| 3 | XXRANDOMXX| 4 | _POST..n13e558| 5 | envir0nn@yahoo.com| 6 | \$bogel| 7 | r0nin| 8 | m0rtix| 9 | upl0ad| 10 | r57shell| 11 | c99shell| 12 | shellbot| 13 | void\.ru| 14 | phpremoteview| 15 | bash_history| 16 | cwings| 17 | bitchx| 18 | eggdrop| 19 | guardservices| 20 | psybnc| 21 | dalnet| 22 | undernet| 23 | vulnscan| 24 | spymeta| 25 | raslan58| 26 | Webshell| 27 | FilesMan| 28 | FilesTools| 29 | Web Shell| 30 | bckdrprm| 31 | hackmeplz| 32 | wrgggthhd| 33 | WSOsetcookie| 34 | Hmei7| 35 | Inbox Mass Mailer| 36 | HackTeam| 37 | Hackeado| 38 | Janissaries| 39 | Miyachung| 40 | ccteam| 41 | OOO000000| 42 | findsysfolder| 43 | makeret\.ru| 44 | c999sh_surl| 45 | xVebaPURjEzLc| 46 | AQSP| 47 | ANTIPIDERSIA| 48 | uzanc| 49 | xadpritox| 50 | blackboy007| 51 | nacomb13| 52 | Devilzc0de| 53 | 8a4bf282852bf4c49e17f0951f645e72| 54 | k2ll33d| 55 | tsxpwkpqbk| 56 | HackerBooty| 57 | JE8wMDBPME8wMD1mb3BlbigkT09PME8w| 58 | Rawckerhead| 59 | 
sPMQhNQMR9XM05Cvsbg1DTE5vRJiEnn| 60 | UnixCrew| 61 | HolaKo| 62 | 4xI0DHgMAmwFstDDeTdg26| 63 | fb0979fa651bb915d186ac0fddcd1bc6| 64 | b374k| 65 | fb621f5060b9f65acf8eb4232e3024140dea2b34| 66 | xunzhaocangjingkong| 67 | 123321| 68 | c999sh_surl| 69 | WwW.7jyewu.Cn| 70 | zbazszez64z_zdeczodze| 71 | nr9Sb1ehwpGJoIkcy5LEUxtRVxEzGglYpr5xIy| 72 | HaniXavi| 73 | k_i@outlook.com| 74 | hanikadi0@gmail.com| 75 | naruto@localhost.com| 76 | JSUlJSUlJbEk9J3NldF90aW1lX2xpbWl0Jzs| 77 | Dz93hR3fWlPVRtrH2txMf+DrmGvyq4tsaa 78 | -------------------------------------------------------------------------------- /evomalware.patterns.md5: -------------------------------------------------------------------------------- 1 | 369197733f556108b30cf6bdb4334a06 evomalware.patterns 2 | -------------------------------------------------------------------------------- /evomalware.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # EvoMalware, script to detect infected websites. 3 | 4 | # You can set aggressive to true to search for suspicions scripts. 5 | aggressive=false 6 | # Path to search for. 7 | wwwpath=/home 8 | # URL to download patterns and filenames. 9 | databaseURL="http://antispam00.evolix.org/evomalware" 10 | databasePATH=/var/lib/evomalware 11 | # Tools. 12 | find="ionice -c3 find -O3" 13 | grep="nice -n 19 grep" 14 | wc="nice -n 19 wc" 15 | wget="wget -q -t 3" 16 | md5sum="md5sum --status -c" 17 | # Various. 18 | fileslist=$(mktemp) 19 | tmpPATH=/tmp/evomalware.tmp 20 | 21 | trap "rm -rf $fileslist $tmpPATH" EXIT 22 | 23 | usage() { 24 | cat< $fileslist 2>/dev/null 60 | while read file; do 61 | # Search known filenames. 
62 | if [[ "$file" =~ $filenames ]]; then 63 | echo "Known malware: $file" 64 | # Search .php files in WP's wp-content/uploads/ 65 | elif [[ "$file" =~ "wp-content/uploads/" ]]; then 66 | echo "PHP file in a non-PHP folder detected: $file" 67 | # Count the length of the longest line and search if suspect php functions are used. 68 | elif [[ $($wc -L "$file" 2>/dev/null | cut -d' ' -f1) -gt 10000 ]]; then 69 | grep -q -E "$suspect" "$file" 70 | if [[ $? -eq 0 ]]; then 71 | echo "Suspect file! More than 10000 characters in one line (and suspect PHP functions): $file." 72 | fi 73 | else 74 | # Search for patterns. 75 | $grep -H -E -r -l -q "$patterns" "$file" 2>/dev/null 76 | if [[ $? -eq 0 ]]; then 77 | echo "Contains a known malware pattern: $file" 78 | fi 79 | fi 80 | done < $fileslist 81 | 82 | # Search for suspicious scripts... Only when in aggressive mode. 83 | if ( $aggressive ); then 84 | cd $wwwpath 85 | $find . -name javascript.php 86 | $find . -name bp.pl 87 | $find . -name tn.php 88 | $find . -name tn.php3 89 | $find . -name tn.phtml 90 | $find . -name tn.txt 91 | $find . -name xm.php 92 | $find . -name logs.php 93 | $find . -type f -name "*.php" -exec sh -c 'cat {} | awk "{ print NF}" | sort -n | tail -1 | tr -d '\\\\n' && echo " : {}"' \; | sort -n | tail -10 94 | $find . -type f -name "*.php" -exec sh -c 'cat {} | awk -Fx "{ print NF}" | sort -n | tail -1 | tr -d '\\\\n' && echo " : {}"' \; | sort -n | tail -10 95 | $grep -r 'ini_set(chr' . 96 | $grep -r 'eval(base64_decode($_POST' . 97 | $grep -r 'eval(gzinflate(' . 98 | $grep -r 'ini_set(.mail.add_x_header' . 99 | $grep -r '@require' . 100 | $grep -r '@ini_set' . 101 | $grep -ri 'error_reporting(0' . 102 | $grep -r base64_decode . 103 | $grep -r codeeclipse . 104 | $grep -r 'eval(' . 105 | $grep -r '\x..\x..' . 106 | $grep -r 'chr(rand(' . 
107 | fi 108 | -------------------------------------------------------------------------------- /evomalware.suspect: -------------------------------------------------------------------------------- 1 | base64\(| 2 | gzinflate\(| 3 | eval\(| 4 | \\x..\\x..| 5 | chr\(rand\( -------------------------------------------------------------------------------- /evomalware.suspect.md5: -------------------------------------------------------------------------------- 1 | fe651e7aee7ff103d0f2bc01778275e5 evomalware.suspect 2 | -------------------------------------------------------------------------------- /evomalware.whitelist: -------------------------------------------------------------------------------- 1 | com_flippingbook| 2 | evobackup| 3 | smile_fonts| 4 | gettext-compiled.php| 5 | sucuri| 6 | class-prebuilt-templates.php| 7 | mainwp/backup/index.php| 8 | mainwp/index.php| 9 | dynamic_avia/index.php| 10 | slp/saved-icons/index.php| 11 | plugins/wordfence/tmp/configCache.php| 12 | pickinglist/MPDF54| 13 | wp-content/uploads/cache/langwitch2| 14 | wp-content/uploads/index.php| 15 | wp-content/uploads/presets/richgrid| 16 | slidedeck-pro-for-wordpress| 17 | wp-content/uploads/profiles/index.php| 18 | wp-content/uploads/zingiri-web-shop| 19 | uploads/wpsc/theme_backup| 20 | wp-content/uploads/users_csv/index.php| 21 | wp-migrate-db/index.php| 22 | tmp/meta_cache.php| 23 | wp-content/uploads/.*__MACOSX.*| 24 | mpdf/patterns/.*php| 25 | newsletter_edlc/www/includes/functions.php| 26 | newsletter_edlc/.*www.*install.*| 27 | wp-content/plugins/magicmembers/core/libs/classes/mgm_auth.php| 28 | include/utils/mvc_utils.php| 29 | wp-content/uploads/sl-uploads/index.php| 30 | wp-content/uploads/sl-uploads/addons/index.php| 31 | wp-content/uploads/sl-uploads/addons/dummy.php| 32 | wp-content/uploads/sl-uploads/themes/dummy.php| 33 | modules/multipleimageupload/upload_image.php| 34 | scripts_migration/array_imported_.php 35 | 
-------------------------------------------------------------------------------- /evomalware.whitelist.md5: -------------------------------------------------------------------------------- 1 | e24e489335b030bfd00dab85134f9773 evomalware.whitelist 2 | --------------------------------------------------------------------------------