php后门简单检测脚本

# coding:utf-8

import os
import sys
import re

rulelist = [
    ‘(\$_(GET|POST|REQUEST)\[.{0,15}\]\(\$_(GET|POST|REQUEST)\[.{0,15}\]\))‘,
    ‘(base64_decode\([\‘"][\w\+/=]{200,}[\‘"]\))‘,
    ‘eval\(base64_decode\(‘,
    ‘(eval\(\$_(POST|GET|REQUEST)\[.{0,15}\]\))‘,
    ‘(assert\(\$_(POST|GET|REQUEST)\[.{0,15}\]\))‘,
    ‘(\$[\w_]{0,15}\(\$_(POST|GET|REQUEST)\[.{0,15}\]\))‘,
    ‘(wscript\.shell)‘,
    ‘(gethostbyname\()‘,
    ‘(cmd\.exe)‘,
    ‘(shell\.application)‘,
    ‘(documents\s+and\s+settings)‘,
    ‘(system32)‘,
    ‘(serv-u)‘,
    ‘(提权)‘,
    ‘(phpspy)‘,
    ‘(后门)‘,
    ‘(webshell)‘,
    ‘(Program\s+Files)‘
]

def Scan(path):
    for root,dirs,files in os.walk(path):
        for filespath in files:
            isover = False
            if ‘.‘ in filespath:
                ext = filespath[(filespath.rindex(‘.‘)+1):]
                if ext==‘php‘:
                    file= open(os.path.join(root,filespath))
                    filestr = file.read()
                    file.close()
                    for rule in rulelist:
                        result = re.compile(rule).findall(filestr)
                        if result:
                            print ‘文件：‘+os.path.join(root,filespath)
                            print ‘恶意代码：‘+str(result[0])
                            print ‘\n\n‘
                            break

if os.path.lexists(sys.argv[1]):
    print(‘\n\n开始扫描：‘+sys.argv[1])
    print(‘               可疑文件                 ‘)
    print(‘########################################‘)
    Scan(sys.argv[1])
    print(‘提示：扫描完成-- O(∩_∩)O哈哈~‘)
else:
    print ‘提示：指定的扫描目录不存在---  我靠( \‘o′)！！凸‘