标签:
写了一个py脚本,用来找服务器被人留下的webshell。
之前是递归列举文件,现在用walk函数,快了些。
改动最大的就是正则了,看上去像样不少。
( '[_ ]{,1}[pP][aA][sS][sS][\w ]{,20}= {,3}[\'\"]{1,4}.{,33}', '[_ ]{,1}[pP][Ww][\w ]{,20}= {,3}[\'\"]{1,4}.{,33}', '[mM][mM] {,20}= {,3}[\'\"]{1,4}.{,33}', '[mM][iI][mM][aA] {,20}= {,3}[\'\"]{1,4}.{,33}', '<[pP][aA][sS][sS].{,33}</[pP][aA][sS][sS]' )
地址,路过的一定要star哦:
https://github.com/donghouhe/find_horse_finished/blob/master/horse.py
#!/usr/bin/env python # encoding: utf-8 # 2015-2-5 ''' ___ ___ ___ ___ /\ \ /\ \ /\__\ /\ \ /::\ \ /::\ \ /::| | /::\ \ /:/\:\ \ /:/\:\ \ /:|:| | /:/\:\ \ /:/ \:\__\ /:/ \:\ \ /:/|:| |__ /:/ \:\ \ /:/__/ \:|__| /:/__/ \:\__\ /:/ |:| /\__\ /:/__/_\:\__ \:\ \ /:/ / \:\ \ /:/ / \/__|:|/:/ / \:\ /\ \/__/ \:\ /:/ / \:\ /:/ / |:/:/ / \:\ \:\__\ \:\/:/ / \:\/:/ / |::/ / \:\/:/ / \::/__/ \::/ / /:/ / \::/ / ~~ \/__/ \/__/ \/__/ ''' import os import sys import re import time rulelist = ( '[_ ]{,1}[pP][aA][sS][sS][\w ]{,20}= {,3}[\'\"]{1,4}.{,33}', '[_ ]{,1}[pP][Ww][\w ]{,20}= {,3}[\'\"]{1,4}.{,33}', '[mM][mM] {,20}= {,3}[\'\"]{1,4}.{,33}', '[mM][iI][mM][aA] {,20}= {,3}[\'\"]{1,4}.{,33}', '<[pP][aA][sS][sS].{,33}</[pP][aA][sS][sS]' ) def scan(path): for root,dirs,files in os.walk(path): for filespath in files: realfile = os.path.join(root,filespath) if os.path.getsize(realfile) < 1024 * 1024 and all(map(lambda x: not realfile.endswith(x), ('.java', '.jar', '.css', '.class', '.bin', '.exe', '.jpg', '.png', '.pdf', '.doc', '.JPG', 'gif'))): filen = open(realfile) filestr = filen.read() filen.close() for rule in rulelist[:]: result = re.compile(rule).search(filestr) if result: print 'File: ', os.path.join(root,filespath ), result.group(0) print ('Modifed time: ', time.strftime('%Y-%m-%d %H:%M:%S',time.localtime(os.path.getmtime(realfile)))) break if __name__=='__main__': if len(sys.argv)!=2: print "Usage:", sys.argv[0], '/dir' sys.exit(1) if not os.path.lexists(sys.argv[1]): print "wrong path" sys.exit(1) print "going" scan(sys.argv[1])
标签:
原文地址:http://blog.csdn.net/u010211892/article/details/43534813