写了一个py脚本,用来找服务器被人留下的webshell。
之前是递归列举文件,现在用walk函数,快了些。
改动最大的就是正则了,看上去像样不少。
(
'[_ ]{,1}[pP][aA][sS][sS][\w ]{,20}= {,3}[\'\"]{1,4}.{,33}',
'[_ ]{,1}[pP][Ww][\w ]{,20}= {,3}[\'\"]{1,4}.{,33}',
'[mM][mM] {,20}= {,3}[\'\"]{1,4}.{,33}',
'[mM][iI][mM][aA] {,20}= {,3}[\'\"]{1,4}.{,33}',
'<[pP][aA][sS][sS].{,33}</[pP][aA][sS][sS]'
)
地址,路过的一定要star哦:
https://github.com/donghouhe/find_horse_finished/blob/master/horse.py
#!/usr/bin/env python
# encoding: utf-8
# 2015-2-5
'''
___ ___ ___ ___
/\ \ /\ \ /\__\ /\ \
/::\ \ /::\ \ /::| | /::\ \
/:/\:\ \ /:/\:\ \ /:|:| | /:/\:\ \
/:/ \:\__\ /:/ \:\ \ /:/|:| |__ /:/ \:\ \
/:/__/ \:|__| /:/__/ \:\__\ /:/ |:| /\__\ /:/__/_\:\__ \:\ \ /:/ / \:\ \ /:/ / \/__|:|/:/ / \:\ /\ \/__/
\:\ /:/ / \:\ /:/ / |:/:/ / \:\ \:\__\
\:\/:/ / \:\/:/ / |::/ / \:\/:/ /
\::/__/ \::/ / /:/ / \::/ /
~~ \/__/ \/__/ \/__/
'''
import os
import sys
import re
import time
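# Heuristic indicators of a webshell: assignments to password-like variables
# ("pass", "pw", Chinese pinyin "mm"/"mima") and a <pass>...</pass> tag.
# Raw strings keep the regex escapes intact (a plain '\w' is an invalid
# string escape on newer interpreters).
rulelist = (
    r'[_ ]{,1}[pP][aA][sS][sS][\w ]{,20}= {,3}[\'\"]{1,4}.{,33}',
    r'[_ ]{,1}[pP][Ww][\w ]{,20}= {,3}[\'\"]{1,4}.{,33}',
    r'[mM][mM] {,20}= {,3}[\'\"]{1,4}.{,33}',
    r'[mM][iI][mM][aA] {,20}= {,3}[\'\"]{1,4}.{,33}',
    r'<[pP][aA][sS][sS].{,33}</[pP][aA][sS][sS]',
)

# Suffixes treated as non-script content and skipped for speed (compared
# case-insensitively, so '.JPG' and '.Png' are skipped too). This is only a
# performance shortcut: a script renamed to one of these suffixes is NOT
# scanned, so widen or drop the list when coverage matters more than speed.
SKIP_SUFFIXES = ('.java', '.jar', '.css', '.class', '.bin', '.exe',
                 '.jpg', '.png', '.pdf', '.doc', '.gif')


def scan(path, rules=rulelist, max_size=1024 * 1024):
    """Walk *path* and report files whose content matches a webshell rule.

    Every regular file under *path* that is smaller than *max_size* bytes
    and does not carry one of SKIP_SUFFIXES is read and searched with each
    pattern in *rules*; the first matching pattern is reported and the
    remaining patterns are not tried for that file.

    Args:
        path: directory tree to walk (os.walk semantics, symlinked
            directories are not followed).
        rules: iterable of regex source strings; defaults to ``rulelist``.
        max_size: files of this many bytes or more are skipped.

    Returns:
        list of ``(file_path, matched_text)`` tuples, one per reported file.
        Each hit is also printed to stdout as it is found.

    Files that cannot be stat'ed or read (dangling symlinks, permission
    errors) are reported on stderr and skipped instead of aborting the scan.
    """
    # Compile once per call rather than once per file per rule.
    compiled = [re.compile(rule) for rule in rules]
    hits = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            realfile = os.path.join(root, name)
            if name.lower().endswith(SKIP_SUFFIXES):
                continue
            try:
                if os.path.getsize(realfile) >= max_size:
                    continue
                # Binary read + latin-1 decode maps every byte to exactly one
                # character, so arbitrary (binary or mis-encoded) content can
                # never raise a decode error and the patterns still apply.
                with open(realfile, 'rb') as fh:
                    content = fh.read().decode('latin-1')
                mtime = os.path.getmtime(realfile)
            except (IOError, OSError) as err:
                # Keep scanning; an unreadable file should not hide the rest.
                sys.stderr.write('Skipped %s: %s\n' % (realfile, err))
                continue
            for pattern in compiled:
                match = pattern.search(content)
                if match is None:
                    continue
                hits.append((realfile, match.group(0)))
                sys.stdout.write('File:  %s %s\n' % (realfile, match.group(0)))
                sys.stdout.write('Modified time: %s\n' % time.strftime(
                    '%Y-%m-%d %H:%M:%S', time.localtime(mtime)))
                break
    return hits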
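if __name__ == '__main__':
    # Exactly one argument: the directory tree to scan. Usage and path
    # errors go to stderr so they never mix with the scan results on stdout.
    if len(sys.argv) != 2:
        sys.stderr.write('Usage: %s /dir\n' % sys.argv[0])
        sys.exit(1)
    # lexists deliberately accepts a dangling symlink here; scan() itself
    # reports anything it cannot read.
    if not os.path.lexists(sys.argv[1]):
        sys.stderr.write('wrong path\n')
        sys.exit(1)
    sys.stdout.write('going\n')
    scan(sys.argv[1])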
原文地址:http://blog.csdn.net/u010211892/article/details/43534813