berhubung hosting untuk experimen kode mau habis, bikin backup kodenya aja disini. Syaang kalo hilang, capek nyarinya.
Versi 1 : pake pw
<?php
/**
* Web Shell Detector v1.66
* Web Shell Detector is released under the MIT License <http://www.opensource.org/licenses/mit-license.php>
* https://github.com/emposha/PHP-Shell-Detector
*/
set_time_limit(0);
//own error handler
set_error_handler(array("shellDetector", "error_handler"));
// set the default timezone to use.
date_default_timezone_set('GMT');
$params = array('extension' => array('php', 'txt'));
if (is_file('shelldetect.ini')) {
$params = parse_ini_file('shelldetect.ini');
}
//static settings initialize
shellDetector::$_settings = $params;
$shelldetector = new shellDetector($params);
if ($shelldetector->isConsole()) {
$options = getopt("d:hcb");
if (array_key_exists("d",$options)) {
$shelldetector->setDir($options["d"]);
}
if (array_key_exists("b",$options)) {
$shelldetector->setBrief(true);
}
if (array_key_exists("c",$options)) {
shellDetector::$_settings['is_cron'] = true;
$shelldetector->setCron(true);
}
}
$shelldetector->start();
class shellDetector {
//settings: extensions that should be scanned
private $extension = array('php');
//settings: show line number where suspicious function used
private $showlinenumbers = true;
//settings: used with access time & modified time
private $dateformat = "H:i:s d/m/Y";
//settings: if I want to use other language
private $language = '';
//settings: if console used
private $console = false;
//settings: if brief info is needed
private $brief = false;
//settings: scan specific directory
private $directory = '.';
//settings: scan hidden files & directories
private $scan_hidden = true;
//settings: perform different task
private $task = '';
//settings: used with is_cron(true) file format for report file
private $report_format = '\s\h\e\l\l\d\e\t\e\c\t\o\r\_Gi-dmY.\h\t\m\l';
//settings: if true run like a cron (no output)
private $is_cron = false;
//settings: maximum files to scan (more then 30000 you should scan specific directory)
private $filelimit = 30000;
//settings: protect script with user & password in case to disable simply set to NULL
private $authentication = array("username" => "admin", "password" => "protect");
//settings: get shells signatures db by remote
private $remotefingerprint = false;
//settings: hide suspicious files
private $hidesuspicious = false;
//settings: type of file submission to review (0 - old one not secure but will work with allow_url_fopen = false, 1 - new one more secure but allow_url_fopen need to be true.)
private $submitfile = 1;
/*
* System variables
*/
//system variable used with output
static $_settings = array();
//system variable used with is_cron
static $_output = '';
// global counters
private $counter = 0;
private $suspcounter = 0;
//system variable hold all scanned files
private $_files = array();
//system variable hold bad files
private $_badfiles = array();
//system: hold shells signatures
private $fingerprints = array();
//system: title
private $_title = 'Web Shell Detector';
//system: version of shell detector
private $_version = '1.66';
//system: regex for detect Suspicious behavior
private $_regex = '%(preg_replace.*\/e|`.*?\$.*?`|\bcreate_function\b|\bpassthru\b|\bshell_exec\b|\bexec\b|\bbase64_decode\b|\bedoced_46esab\b|\beval\b|\bsystem\b|\bproc_open\b|\bpopen\b|\bcurl_exec\b|\bcurl_multi_exec\b|\bparse_ini_file\b|\bshow_source\b)%';
//system: public key to encrypt file content
private $_public_key = 'LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0NCk1JR2ZNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0R05BRENCaVFLQmdRRDZCNWZaY2NRN2dROS93TitsWWdONUViVU4NClNwK0ZaWjcyR0QvemFrNEtDWkZISEwzOHBYaS96bVFBU1hNNHZEQXJjYllTMUpodERSeTFGVGhNb2dOdzVKck8NClA1VGprL2xDcklJUzVONWVhYUQvK1NLRnFYWXJ4bWpMVVhmb3JIZ25rYUIxQzh4dFdHQXJZWWZWN2lCVm1mRGMNCnJXY3hnbGNXQzEwU241ZDRhd0lEQVFBQg0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tDQo=';
private $_self = '';
/**
* Constructor
*/
function __construct($settings = null) {
if (is_array($settings)) {
$own = get_object_vars($this);
foreach ($settings as $key => $value) {
if (key_exists($key, $own) && substr($key, 0, 1) != '_') {
$this->$key = $value;
}
}
$this->_self = basename(__FILE__);
}
if ($this->authentication != null) {
if ((!isset($_SERVER['PHP_AUTH_USER']) || (isset($_SERVER['PHP_AUTH_USER']) && $_SERVER['PHP_AUTH_USER'] != $this->authentication['username'])) || (!isset($_SERVER['PHP_AUTH_PW']) || (isset($_SERVER['PHP_AUTH_PW']) && $_SERVER['PHP_AUTH_PW'] != $this->authentication['password']))) {
header('WWW-Authenticate: Basic realm="Login"');
header('HTTP/1.0 401 Unauthorized');
echo $this->t('Please login to continue.');
exit ;
}
}
if (isset($_GET['task'])) {
$this->task = $_GET['task'];
}
if (isset($_GET['s']) && 1 == $_GET['s']) {
$this->hidesuspicious = false;
}
if (file_exists('shelldetect.db')) {
$context = stream_context_create(array('http' => array('timeout' => 30)));
$this->fingerprints = unserialize(base64_decode(file_get_contents('shelldetect.db', 0, $context)));
}
if ($this->remotefingerprint) {
$this->fingerprints = unserialize(base64_decode(file_get_contents('https://raw.github.com/emposha/PHP-Shell-Detector/master/shelldetect.db')));
}
}
public function setDir($dir) {
$this->directory = $dir;
}
public function setCron($val) {
$this->is_cron = $val;
}
public function setBrief($val) {
$this->brief = $val;
}
public function isBrief() {
return $this->brief;
}
public function isConsole() {
return $this->console;
}
/**
* Start function
*/
public function start() {
switch ($this->task) {
case 'sendfile':
$this->sendfile();
break;
case 'getsha':
$this->header();
$this->filescan();
$this->showsha();
$this->footer();
break;
case 'update':
$this->header();
$this->update();
$this->footer();
break;
default:
$this->header();
$this->version();
$this->filescan();
$this->anaylize();
$this->footer();
break;
}
}
/**
* Update function get latest update
*/
private function update() {
if ($this->version()) {
$context = stream_context_create(array('http' => array('timeout' => 30)));
$content = file_get_contents('https://raw.github.com/emposha/PHP-Shell-Detector/master/shelldetect.db', 0, $context);
chmod('shelldetect.db', 0777);
if (file_put_contents('shelldetect.db', $content)) {
self::output($this->t('Shells signature database updated succesfully!'));
} else {
self::output($this->t('Cant save shells signature database please check permissions'), 'error');
}
} else {
self::output($this->t('Your shells signatures database already updated!'));
}
}
/**
* Check version function
*/
private function version() {
$context = stream_context_create(array('http' => array('timeout' => 10, 'header' => 'Connection: close')));
//check application version
$app_version = floatval($this->_version);
$server_version = file_get_contents('https://raw.github.com/emposha/PHP-Shell-Detector/master/version/app', 0, $context);
if (strlen($server_version) != 0 && floatval($server_version) != 0 && (floatval($server_version) > $app_version)) {
self::output($this->t('New version of application found. Please update!'), 'error');
} else if (strlen($server_version) == 0 || intval($server_version) == 0) {
self::output($this->t('Cant connect to server! Application version check failed!'), 'error');
}
$version = isset($this->fingerprints['version']) ? $this->fingerprints['version'] : 0;
$server_version = file_get_contents('https://raw.github.com/emposha/PHP-Shell-Detector/master/version/db', 0, $context);
if (strlen($server_version) != 0 && intval($server_version) != 0 && (intval($server_version) > intval($version))) {
self::output($this->t('New version of shells signature database found. Please update!'), 'error');
return true;
} else if (strlen($server_version) == 0 || intval($server_version) == 0) {
self::output($this->t('Cant connect to server! Version check failed!'), 'error');
}
unset($this->fingerprints['version']);
return false;
}
/**
* Send file to analyze
*/
private function sendfile() {
self::output('<style>.error{font-size: 14px;font-family: arial;margin: 0px;padding: 2px 6px 0px 0px;color: #DD3C10;text-align: center;}.success{font-size: 14px;font-family: arial;margin: 0px;padding: 2px 6px 0px 0px;color: #92B901;text-align: center;}</style>');
if (isset($_POST['filename'])) {
$filename = base64_decode($_POST['filename']);
if (file_exists($filename)) {
$email = isset($_POST['email']) ? $_POST['email'] : '';
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : $_SERVER["SERVER_NAME"];
$postdata = http_build_query(array('task' => 'submit', 'ver' => '2', 'code' => base64_encode(file_get_contents($filename)), 'email' => $email, 'ip' => $_SERVER['REMOTE_ADDR']));
$context = stream_context_create(array('http' => array('method' => 'POST', 'header' => "Content-type: application/x-www-form-urlencoded\r\nReferer: " . $referer . "\r\n", 'content' => $postdata)));
$server_version = file_get_contents('http://www.shelldetector.com/api/', 0, $context);
self::output($server_version, 'success');
} else {
self::output($this->t('Cant find selected file.'), 'error');
}
} else {
self::output($this->t('No file specified.'), 'error');
}
}
/**
* Scan function executer
*/
private function filescan() {
self::output($this->t('Starting file scanner, please be patient file scanning can take some time.'));
self::output($this->t('Number of known shells in database is: ') . count($this->fingerprints));
self::output('<div class="info">' . $this->t('Files found:') . '<span class="filesfound">', null, false);
$this->listdir($this->directory);
self::output('</span></div>', null, false);
if ($this->filelimit>0) {
if (count($this->_files) > $this->filelimit) {
self::output($this->t('File limit reached, scanning process stopped.'));
}
}
if ($this->filelimit>0) {
self::output($this->t('File scan done, we have: @count files to analize', array("@count" => count($this->_files))));
} else {
self::output($this->t('File scan done, we have: @count files to analize', array("@count" => $this->counter)));
}
if ($this->hidesuspicious) {
self::output($this->t('Please note suspicious files information will not be displayed'), 'error');
}
}
/**
* Show sha1 for found files
*/
private function showsha() {
foreach ($this->_files as $file) {
self::output('<dl><dt>' . $this->t('Show sha for file:') . ' ' . basename($file) . '<span class="plus">-</span></dt>', null, false);
self::output('<dd><dl><dt>' . $this->t('Full path:') . '</dt><dd>' . $file . '</dd>', null, false);
self::output('<dt>' . $this->t('Sha1:') . '</dt><dd>' . sha1_file($file) . '</dd></dl></dd></dl>', null, false);
}
self::output('', 'clearer');
}
/**
* Check files for using suspicious function
*/
private function analyze($file) {
$counter = 0;
$this->counter++;
$content = file_get_contents($file);
$base64_content = base64_encode($content);
$shellflag = $this->unpack($file, $content, $base64_content);
if ($shellflag != false) {
$this->fileInfo($file, $base64_content);
$shellcolor = 'red';
preg_match('#(.*)\[(.*?)\]\[(.*?)\]\[(.*?)\]#', $shellflag, $shellmatch);
if (is_array($shellmatch) && count($shellmatch)>0) {
$shellflag = $shellmatch[1] . '(' . $shellmatch[4] . ')';
switch($shellmatch[3]) {
case 1 :
$shellcolor = 'orange';
$shellflag .= ' ' . $this->t('please note it`s a malicious file not a shell');
break;
case 2:
$shellcolor = 'orange';
$shellflag .= ' ' . $this->t('please note potentially dangerous file (legit file but may be used by hackers)');
break;
}
}
if ($this->isConsole() && !$this->isBrief()) {
print "$file: $shellflag\n";
}
self::output('<dt>' . $this->t('Fingerprint:') . '</dt><dd class="' . $shellcolor . '">' . $this->t('Positive, it`s a ') . $shellflag . '</dd></dl></dd></dl>', null, false);
} else if ($this->hidesuspicious != true) {
if (preg_match_all($this->_regex, $content, $matches)) {
$this->fileInfo($file, $base64_content);
if ($this->showlinenumbers) {
self::output('<dt>' . $this->t('suspicious functions used:') . '</dt><dd>', null, false);
$_content = explode("\n", $content);
for ($line = 0; $line < count($_content); $line++) {
if (preg_match_all($this->_regex, $_content[$line], $matches)) {
$lineid = md5($line . $file);
self::output($this->_implode($matches) . ' (<a href="#" class="showline" id="ne_' . $lineid . '">' . $this->t('line:') . ($line + 1) . '</a>);', null, false);
self::output('<div class="hidden source" id="line_' . $lineid . '"><code>' . htmlentities($_content[$line]) . '</code></div>', null, false);
}
}
self::output(' </dd>', null, false);
} else {
self::output('<dt>' . $this->t('suspicious functions used:') . '</dt><dd>' . $this->_implode($matches) . ' </dd>', null, false);
}
$key = $this->fileprepare($file, $base64_content);
self::output('<dt>' . $this->t('Fingerprint:') . '</dt><dd class="green">' . $key . '</dd></dl></dd></dl>', null, false);
$this->suspcounter++;
}
} else {
if (preg_match_all($this->_regex, $content, $matches)) {
$this->suspcounter++;
}
}
}
/**
* Check files for using suspicious function
*/
private function anaylize() {
foreach ($this->_files as $file) {
if (is_readable($file)) {
$this->analyze($file);
}
}
self::output('', 'clearer');
self::output($this->t('<strong>Status</strong>: @count suspicious files found and @shells shells found. <a href="' . $_SERVER['PHP_SELF'] . '?s=1">Rescan and show suspicious files</a>' , array("@count" => $this->suspcounter, "@shells" => count($this->_badfiles) ? '<strong>' . count($this->_badfiles) . '</strong>' : count($this->_badfiles))), (count($this->_badfiles) ? 'error' : 'success'));
}
/**
* Prepare file submit function
*/
private function fileprepare($file, $base64_content) {
$filtered_file = filter_var($file, FILTER_SANITIZE_SPECIAL_CHARS);
$key = $this->t('Negative') . ' <small class="source_submit_parent">(' . $this->t('if wrong') . ' <a href="#" id="m_' . md5($file) . '" class="source_submit">' . $this->t('submit file for analize') . '</a>)</small>';
$key .= '<div id="wrapform_' . md5($file) . '" class="hidden"><iframe border="0" scrolling="no" class="hidden" id="iform_' . md5($file) . '" name="iform_' . md5($file) . '" src="http://www.shelldetector.com/api/loader.html" />"></iframe>';
if ($this->submitfile == 0) {
$key .= '<form id="form_' . md5($file) . '" target="iform_' . md5($file) . '" action="http://www.shelldetector.com/api/?task=submit&ver=2" method="post">';
} else {
$key .= '<form id="form_' . md5($file) . '" target="iform_' . md5($file) . '" action="?task=sendfile" method="post">';
}
$key .= '<dl><dt>' . $this->t('Submit file') . ' ' . basename($filtered_file) . '</dt><dd>';
$key .= '<dl><dt class="submit_email">' . $this->t('Your email') . '<br /><span class="small">' . $this->t('(in case you want to be notified):') . '</span></dt><dd class="submit_email_field"><input type="text" name="email" id="email" value="" class="text ui-widget-content ui-corner-all" /></dd></dl></dd></dl>';
if ($this->submitfile == 0) {
if (function_exists('openssl_public_encrypt')) {
if (openssl_public_encrypt($base64_content, $crypted_data, base64_decode($this->_public_key))) {
$key .= '<input type="hidden" name="crypted" value="1" /><input type="hidden" name="code" value="' . base64_encode($crypted_data) . '" /></form>';
} else {
$key .= '<input type="hidden" name="code" value="' . $base64_content . '" />';
}
} else {
$key .= '<input type="hidden" name="code" value="' . $base64_content . '" />';
}
}
$key .= '<input type="hidden" name="filename" value="' . base64_encode($file) . '" /></form>';
$key .= '</div>';
return $key;
}
/**
* Show file information
*/
private function fileInfo($file, $base64_content) {
$owner = fileowner($file);
$self_owner = getmyuid();
$permissions = substr(sprintf('%o', fileperms($file)), -4);
if (function_exists('posix_getpwuid')) {
$owner = posix_getpwuid($owner);
$owner = $owner['name'];
$self_owner = posix_getpwuid($self_owner);
$self_owner = $self_owner['name'];
}
if ($owner !== $self_owner) {
$owner = '<span class="orange">' . $owner .'</span> <small>(' . $this->t('Please note: file have different owner') . ')</small>';
}
if (intval($permissions) == 777) {
$permissions = '<span class="orange">' . $permissions .'</span> <small>(' . $this->t('Please note: file have full access permissions') . ')</small>';
}
$filtered_file = filter_var($file, FILTER_SANITIZE_SPECIAL_CHARS);
self::output('<dl><dt>' . $this->t('Suspicious behavior found in:') . ' ' . basename($filtered_file) . '<span class="plus">-</span></dt>', null, false);
self::output('<dd><dl><dt>' . $this->t('Full path:') . '</dt><dd>' . $filtered_file . '</dd>', null, false);
self::output('<dt>' . $this->t('Owner:') . '</dt><dd>' . $owner . '</dd>', null, false);
self::output('<dt>' . $this->t('Permission:') . '</dt><dd>' . $permissions . '</dd>', null, false);
self::output('<dt>' . $this->t('Last accessed:') . '</dt><dd>' . date($this->dateformat, fileatime($file)) . '</dd>', null, false);
self::output('<dt>' . $this->t('Last modified:') . '</dt><dd>' . date($this->dateformat, filemtime($file)) . '</dd>', null, false);
self::output('<dt>' . $this->t('MD5 hash:') . '</dt><dd>' . md5($base64_content) . '</dd>', null, false);
self::output('<dt>' . $this->t('Filesize:') . '</dt><dd>' . $this->HumanReadableFilesize($file) . '</dd>', null, false);
}
/**
* Unpacking function, main idea taken from http://www.tareeinternet.com/
*/
private function unpack($file, $content, $base64_content) {
if ($flag = ($this->fingerprint($file, $base64_content)) ) {
return $flag;
} elseif ($flag = ($this->fingerprint($file, $content))) {
return $flag;
} else {
$counter = 0;
$encoded_content = preg_replace("/<\?php|\?>|<\?/", "", $content);
$temp = array();
if (preg_match("/(\beval\b\(gzinflate|\beval\b\(base64_decode)/", $encoded_content)) {
while (preg_match("/\beval\((gzinflate|base64_decode)\((.*?)\);/", $encoded_content, $matches)) {
$encoded_content = preg_replace("/<\?php|\?>|<\?|eval/", "", $encoded_content);
$temp = $matches;
if (isset($matches[1]) && isset($matches[2]) && strpos($matches[2], '$') === false) {
eval("\$encoded_content = " . $matches[1] . '(' . $matches[2] . ";");
} else if (isset($matches[1]) && isset($matches[2]) && strpos($matches[2], '$') !== false) {
preg_match('/\$(.*?)\)/', $matches[2], $variable);
if (isset($variable[1])) {
preg_match('/\$' . $variable[1] . '=(.*?);/', $content, $content_match);
if (isset($content_match[1])) {
$content_temp = $matches[1] . '(' . str_replace('$' . $variable[1], $content_match[1], $matches[2]);
eval("\$encoded_content = " . $content_temp . ";");
} else {
$encoded_content = '';
}
} else {
$encoded_content = '';
}
} else {
$encoded_content = '';
}
if ($counter > 20) {
//protect from looping
break;
}
$counter++;
}
} else if (preg_match("/preg_replace.*\/e\"/", $encoded_content)) {
while (preg_match("/preg_replace\((.*?)\/e(.*)\);/", $encoded_content, $matches)) {
$encoded_content = preg_replace("/<\?php|\?>|<\?/", "", $encoded_content);
preg_replace("/preg_replace\((.*?)\/e(.*)\);/", "", $encoded_content);
if (isset($matches[1]) && isset($matches[2])) {
eval("\$encoded_content = preg_replace(" . $matches[1] . '/' . $matches[2] . ');');
}
if ($counter > 20) {
//protect from looping
break;
}
$counter++;
}
} else {
$encoded_content = '';
}
if ($encoded_content != '') {
$encoded_content64 = base64_encode($encoded_content);
$flag = $this->fingerprint($file, $encoded_content64);
} else {
$flag = false;
}
}
return $flag;
}
/**
* Fingerprint function
*/
private function fingerprint($file, $content = null) {
$key = false;
// pre prepare all the fingerprints on the first request for optimisation.
static $fingerprint_cache = array();
if(empty($fingerprint_cache) === true){
foreach ($this->fingerprints as $fingerprint => $shell){
if (strpos($fingerprint, 'bb:') !== false) {
$fingerprint = base64_decode(str_replace('bb:', '', $fingerprint));
}
$fingerprint_cache['/' . preg_quote($fingerprint, '/') . '/'] = $shell;
}
}
foreach ($fingerprint_cache as $fingerprint => $shell) {
if (preg_match($fingerprint, $content)) {
# [version] => 1359928984 db content FIXME?!?!?
if ($fingerprint == "version") break;
$key = $shell;
$this->_badfiles[] = $file;
break;
}
}
return $key;
}
/**
* Recursively implode array
*/
private function _implode($array, $glue = ', ') {
$temp = array();
foreach ($array as $value) {
if (is_array($value)) {
$temp[] = $this->_implode($value);
} else {
$temp[] = $value;
}
}
return implode($glue, array_unique($temp));
}
/**
* Output footer function
*/
private function footer() {
self::output('</div></body></html>', null, false);
if ($this->is_cron || $this->console) {
$this->flush();
}
}
/**
* Output header function
*/
private function header() {
$style = '<style type="text/css" media="all">body{background-color:#ccc;font:13px tahoma,arial;color:#151515;direction:ltr}h1{text-align:center;font-size:24px}dl{margin:0;padding:0}#content{width:1024px;margin:0 auto;padding:35px 40px;border:1px solid #e8e8e8;background:#fff;overflow:hidden;-webkit-border-radius:7px;-moz-border-radius:7px;border-radius:7px}dl dt{cursor:pointer;background:#5f9be3;color:#fff;float:left;font-weight:700;margin-right:10px;width:99%;position:relative;padding:5px}dl dt .plus{position:absolute;right:4px}dl dd{margin:2px 0;padding:5px 0}dl dd dl{margin-top:24px;margin-left:60px}dl dd dl dt{background:#4fcba3!important;width:180px!important}.error{background-color:#ffebe8;border:1px solid #dd3c10;padding:4px 10px;margin:5px 0}.success{background-color:#fff;border:1px solid #bdc7d8;padding:4px 10px;margin:5px 0}.info{background-color:#fff9d7;border:1px solid #e2c822;padding:4px 10px;margin:5px 0}.clearer{clear:both;height:0;font-size:0}.hidden{display:none}.green{font-weight:700;color:#92b901}.red{font-weight:700;color:#dd3c10}.orange{font-weight:700;color:#ff7f00}.green small{font-weight:400!important;color:#151515!important}.filesfound {position: relative}.files {position: absolute;left:4px;background-color:#FFF9D7}iframe{border:0px;height:80px;width:100%}.small{font-size: 10px;font-weight:normal;}.ui-widget-content dl dd dl {margin-left: 0px !important;}.ui-widget-content input {width: 310px;margin-top: 4px;}.submit_email {width: 190px !important;}.submit_email_field{float: left; width: 100px !important;}#loader{position:fixed;top:25%;bottom:0;left:45%;z-index:99;display:block;text-align:center;width:100%;padding-top:125px;text-align:left;font-weight:700;text-transform:uppercase;text-indent:-20px;font-size:24px;color:#5f9be3}#circularG{position:relative;width:128px;height:128px}.circularG{position:absolute;background-color:#5f9be3;width:29px;height:29px;-webkit-border-radius:19px;-moz-border-radius:19px;-webkit-animation-name:bounce_circularg;-webkit-animation-duration:1.04s;-webkit-animation-iteration-count:infinite;-webkit-animation-direction:linear;-moz-animation-name:bounce_circularg;-moz-animation-duration:1.04s;-moz-animation-iteration-count:infinite;-moz-animation-direction:linear;border-radius:19px;-o-animation-name:bounce_circularg;-o-animation-duration:1.04s;-o-animation-iteration-count:infinite;-o-animation-direction:linear;-ms-animation-name:bounce_circularg;-ms-animation-duration:1.04s;-ms-animation-iteration-count:infinite;-ms-animation-direction:linear}#circularG_1{left:0;top:50px;-webkit-animation-delay:.39s;-moz-animation-delay:.39s;-o-animation-delay:.39s;-ms-animation-delay:.39s}#circularG_2{left:14px;top:14px;-webkit-animation-delay:.52s;-moz-animation-delay:.52s;-o-animation-delay:.52s;-ms-animation-delay:.52s}#circularG_3{top:0;left:50px;-webkit-animation-delay:.65s;-moz-animation-delay:.65s;-o-animation-delay:.65s;-ms-animation-delay:.65s}#circularG_4{right:14px;top:14px;-webkit-animation-delay:.78s;-moz-animation-delay:.78s;-o-animation-delay:.78s;-ms-animation-delay:.78s}#circularG_5{right:0;top:50px;-webkit-animation-delay:.91s;-moz-animation-delay:.91s;-o-animation-delay:.91s;-ms-animation-delay:.91s}#circularG_6{right:14px;bottom:14px;-webkit-animation-delay:1.04s;-moz-animation-delay:1.04s;-o-animation-delay:1.04s;-ms-animation-delay:1.04s}#circularG_7{left:50px;bottom:0;-webkit-animation-delay:1.17s;-moz-animation-delay:1.17s;-o-animation-delay:1.17s;-ms-animation-delay:1.17s}#circularG_8{left:14px;bottom:14px;-webkit-animation-delay:1.3s;-moz-animation-delay:1.3s;-o-animation-delay:1.3s;-ms-animation-delay:1.3s}@-webkit-keyframes bounce_circularg{0%{-webkit-transform:scale(1)}100%{-webkit-transform:scale(.3)}}@-moz-keyframes bounce_circularg{0%{-moz-transform:scale(1)}100%{-moz-transform:scale(.3)}}@-o-keyframes bounce_circularg{0%{-o-transform:scale(1)}100%{-o-transform:scale(.3)}}@-ms-keyframes bounce_circularg{0%{-ms-transform:scale(1)}100%{-ms-transform:scale(.3)}}</style>';
$script = 'function init(){$("#loader").hide();$("dt").live("click", function(){var text=$(this).children(".plus");if(text.length){$(this).next("dd").slideToggle();if(text.text()=="+"){text.text("-")}else{text.text("+")}}});$(".showline").live("click", function(){var id="li"+$(this).attr("id");$("#"+id).dialog({height:440,modal:true,width:600,title:"Source code"});return false});$(".source_submit").live("click",function(){var id="for"+$(this).attr("id");$("#wrap"+id).dialog({autoOpen:false,height:200,width:550,modal:true,resizable: false,title:"File submission",buttons: {"Submit file to analysis": function() {if ($(".ui-dialog-content form").length) {$("#i"+id).removeClass("hidden");$("#"+id).submit();$(".ui-dialog-content form").remove();} else {alert("This file already submited");}}/*,"Submit file to Virustotal": function () {alert("Not implemented");}*/}});$("#wrap"+id).dialog("open");return false})}$(document).ready(init);';
self::output('<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="robots" content="noindex"><title>Web Shell Detector</title>' . $style . '<link rel="stylesheet" href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.21/themes/base/jquery-ui.css" type="text/css" media="all" /><script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js" type="text/javascript" charset="utf-8"></script><script src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.21/jquery-ui.js" type="text/javascript" charset="utf-8"></script><script type="text/javascript">' . $script . '</script></head><body><h1>' . $this->_title . ' v' . $this->_version . '<br />(PHP Version: ' . phpversion() .')</h1><div id="loader"><div id="circularG"><div id="circularG_1" class="circularG"></div><div id="circularG_2" class="circularG"></div><div id="circularG_3" class="circularG"></div><div id="circularG_4" class="circularG"></div><div id="circularG_5" class="circularG"></div><div id="circularG_6" class="circularG"></div><div id="circularG_7" class="circularG"></div><div id="circularG_8" class="circularG"></div></div><span class="loader_text"> ' . $this->t('Please wait') . '</span></div></div><div id="content">', null, false);
}
/**
* Output
*/
static function output($content, $class = 'info', $html = true) {
if ((isset(self::$_settings) && isset(self::$_settings['is_cron']) && self::$_settings['is_cron']) ||
(isset(self::$_settings) && isset(self::$_settings['console']) && self::$_settings['console'])) {
if ($html) {
self::$_output .= '<div class="' . $class . '">' . $content . '</div>';
} else {
self::$_output .= $content;
}
} else {
if ($html) {
print '<div class="' . $class . '">' . $content . '</div>';
} else {
print $content;
}
flush();
}
}
/**
* Save scanned data to file
*/
private function flush() {
if ($this->isConsole()) {
print "$this->counter files, $this->suspcounter suspicious, ".count($this->_badfiles)." shells\n";
}
if ($this->is_cron) {
$filename = date($this->report_format, time());
if (file_put_contents($filename, self::$_output)) {
print $this->t('Done, report file created');
} else {
print $this->t('Error, report file creation failed');
}
}
}
/**
* Translate function (ported from Drupal)
*/
private function t($string, $args = array()) {
if ($this->language) {
if (is_file('lang/' . $this->language . '.php')) {
include ('lang/' . $this->language . '.php');
if (isset($local[$string])) {
$string = $local[$string];
}
}
}
if (empty($args)) {
return $string;
} else {
foreach ($args as $key => $value) {
switch ($key[0]) {
case '@' :
$args[$key] = $value;
break;
}
}
return strtr($string, $args);
}
}
/**
* Recursivly list directories
*/
private function listdir($dir) {
if (!is_dir($dir) || !is_readable($dir)) {
return true;
}
$handle = opendir($dir);
if ($this->filelimit > 0) {
if (count($this->_files) > $this->filelimit) {
return true;
}
}
while (($file = readdir($handle)) !== false) {
if ($file == '.' || $file == '..') {
continue;
}
$filepath = $dir == '.' ? $file : $dir . '/' . $file;
if (is_link($filepath)) {
continue;
}
if (is_file($filepath)) {
if (substr(basename($filepath), 0, 1) != "." || $this->scan_hidden) {
$extension = pathinfo($filepath);
if (is_string($this->extension) && $this->extension == '*') {
if ($this->filelimit > 0) {
$this->_files[] = $filepath;
} else {
$this->analyze($filepath);
}
} else {
if (isset($extension['extension']) && in_array($extension['extension'], $this->extension)) {
if ($this->_self != basename($filepath)) {
if ($this->filelimit > 0) {
$this->_files[] = $filepath;
} else {
$this->analyze($filepath);
}
}
}
}
}
} else if (is_dir($filepath)) {
if (substr(basename($filepath), 0, 1) != "." || $this->scan_hidden) {
$this->listdir($filepath);
}
}
}
self::output('<span class="files">' . count($this->_files) . '</span>', null, false);
closedir($handle);
}
/**
* Returns a human readable filesize
* @author wesman20 (php.net)
* @author Jonas John
* @version 0.3
* @link http://www.jonasjohn.de/snippets/php/readable-filesize.htm
*/
private function HumanReadableFilesize($file) {
$size = filesize($file);
$mod = 1024;
$units = explode(' ', 'B KB MB GB TB PB');
for ($i = 0; $size > $mod; $i++) {
$size /= $mod;
}
return round($size, 2) . ' ' . $units[$i];
}
/**
* Own error handler
*/
static public function error_handler($errno, $errstr, $errfile, $errline) {
switch ($errno) {
case E_USER_WARNING :
case E_USER_ERROR :
case E_USER_NOTICE :
default :
shellDetector::output('<strong>Error: </strong>' . $errstr . ' line: ' . $errline, 'error');
break;
}
}
}
?>versi 2 : langsung buka
<?php
/* #################################################################################
# [+] File Name : Backdoor Scanner
# [+] Author : Magelang1337
################################################################################## */
putenv("TZ=Asia/Tokyo");
?>
<head>
<title>Backdoor Scanner by Magelang1337</title>
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_openBrWindow(theURL,winName,features) { //v2.0
window.open(theURL,winName,features)
}
//-->
</script>
<style type="text/css">
<!--
body {
font-family: Tahoma;
color: #CCCCCC;
background-color: #000000;
font-size: 11px;
font-weight: bold;
}
.single{
border: 1px solid #00ff00;
padding: 5px;
}
a:visited {
color: #33333;
font-size: 11px;
font-family: tahoma;
text-decoration: none;
}
a:hover {
color: #ccff00;
text-decoration: none;
}
.abunai {
color: red;
text-decoration: none;
}
.xxx {
color: blue;
text-decoration: none;
}
a {
color: #ccff99;
font-size: 11px;
font-family: tahoma;
text-decoration: none;
}
td {
border-style: solid;
border-width: 0 0 1px 0;
font-size:11px; font-family:Tahoma,Verdana,Arial; color:#ccff99;
}
.me {
font-size:11px; font-family:Tahoma,Verdana,Arial; color:#ccff99;
border: 0px;
padding: 5px;
}
.isi:disabled{
padding: 2px;
border:1px solid #333333;
font-family: Tahoma;
color: #333333;
background-color: #000000;
font-size: 10px;
font-weight: bold;
}
.isi{
padding: 2px;
border:1px solid #666666;
font-family: Tahoma;
color: #ccff99;
background-color: #666666;
font-size: 10px;
font-weight: bold;
}
-->
</style>
<style type="text/css">
#patch {position:absolute; height:1; width:1px; top:0; left:0;}
</style>
</head>
<body>
<center><br><font color="#339900" size="14" face="arial">Backdoor Scanner</font></center><br>
<?php
if(isset($_REQUEST['edit']) && $_REQUEST['edit']=='file'){
if(isset($_POST['yes'])){
$filename = $_GET['file'];
echo "<br><br><br><font color=red size=3><b><center>".$filename." deleted...</b></font><br><br><br><br><br><br><br>";
unlink($filename);
echo "<META HTTP-EQUIV=Refresh CONTENT=\"2; URL=javascript:window.close();\">";
}else{
if($_POST['update']) {
$filename = $_POST['file'];
if(is_writable($filename)) {
$handle = fopen($filename, "w+");
$isi=$_POST['content'];
fwrite($handle, stripslashes($isi));
fclose($handle);
$stat= "<center><strong>edited successfully<br>";
} else {
$stat= "<center><font color=red><strong>Error! File may not be writable.</font></center>";
}
}
if($_POST['close']) {
echo "<META HTTP-EQUIV=Refresh CONTENT=\"0; URL=javascript:window.close();\">";
}
$filename = $_GET['file'];
if (file_exists($filename)){
$vuln = $_GET['bug'];
$handle = fopen($filename, "r");
$contents = fread($handle, filesize($filename));
?>
<center>
<table>
<tr><td align="left" class="me"><strong><?=$filename?> >> Contains : <?=$vuln?></strong></td></tr>
<tr><td class="me">
<form method="post" action="">
<input type="hidden" name="file" value="<?=$filename?>">
<textarea name="content" cols="80" rows="15"><?=htmlspecialchars($contents)?></textarea><br>
</td></tr>
<tr><td align="center" class="me">
<?php
if($_POST['delete']) {
echo "Are you sure to delete ".$filename." ?";
?>
<tr><td align="center" class="me">
<input type="submit" name="yes" value=" Y E S ">
<input type="submit" name="no" value=" N O ">
</td></tr>
<?php
}else{
echo $stat;
?>
</td></tr>
<tr><td align="right" class="me">
<input type="submit" name="close" value=" C l o s e ">
<input type="submit" name="delete" value=" D e l e t e ">
<input type="submit" name="update" value=" S a v e ">
</td></tr>
<?php
}
fclose($handle);
?>
</table>
</form>
<?php
}else{
echo "<br><br><br><font color=red size=3><b><center>".$filename." not exist...</b></font><br><br><br><br><br><br><br>";
echo "<META HTTP-EQUIV=Refresh CONTENT=\"4; URL=javascript:window.close();\">";
}
?>
</center>
<?php
}
}elseif(isset($_POST['Submit'])){
$ceks = array('base64_decode','system','passthru','popen','exec','shell_exec','eval','move_uploaded_file');
foreach($ceks as $ceker){
if($_POST[$ceker]<>""){
$six.=$_POST[$ceker].".";
}
}
$cek = explode('.', $six);
function ListFiles($dir) {
if($dh = opendir($dir)) {
$files = Array();
$inner_files = Array();
while($file = readdir($dh)) {
if($file != "." && $file != "..") {
if(is_dir($dir . "/" . $file)) {
$inner_files = ListFiles($dir . "/" . $file);
if(is_array($inner_files)) $files = array_merge($files, $inner_files);
} else {
array_push($files, $dir . "/" . $file);
}
}
}
closedir($dh);
return $files;
}
}
?>
<center>
<table border="0" width="90%" cellpadding="5">
<tr>
<td class="me" align="right" width="30"><b>No</b></td>
<td class="me" align="center" width="105"><b> T y p e </b></td>
<td class="me" align="center"><b> F i l e L o c a t i o n </b></td>
<td class="me" align="center" width="150"><b> L a s t E d i t </b></td>
<td class="me" align="right" width="80"><b>F i l e S i z e</b></td>
</tr><br>
<?php
$target=$_SERVER['DOCUMENT_ROOT'];
foreach (ListFiles($target) as $key=>$file){
$nFile = substr($file, -4, 4);
if($nFile == ".php"){
if($file==$_SERVER['DOCUMENT_ROOT'].$_SERVER['PHP_SELF']){
}else{
$ops = @file_get_contents($file);
$op=strtolower($ops);
$arr = array('c99_buff_prepare' => 'c 9 9',
'abcr57' => 'r 5 7');
$sis=0;
if($op)
$size=filesize($file);
$last_modified = filemtime($file);
$last=date("M-d-Y H:i", $last_modified);
foreach($arr as $key => $val) {
if(@preg_match("/$key/", $op)) {
$sis=1;
$i++;
?>
<tr style ="background-color: Your background Color;" onmouseover="mover(this)" onmouseout="mout(this)">
<td align="right"><font color="red"><blink><?=$i?></blink></font></td>
<td align="center"><font color="red"><blink><?=$val?></blink></font></td>
<td align="left"><blink>
<a href="#" class="abunai" onclick="MM_openBrWindow('?edit=file&file=<?=$file?>&bug=<?=$val?>','File view','status=yes,scrollbars=yes,width=700,height=600')" rel="nofollow"><?=$file?></a>
</blink></td>
<td align="center"><font color="red"><blink><?=$last?> GMT+9</blink></font></td>
<td align="right"><font color="red"><blink><?=$size?> byte</blink></font></td>
<script language="javascript">
var bgcolor = "transparent";
var change_color = "#444444"
function mover(aa) {
aa.style.backgroundColor = change_color;
}
function mout(aa) {
aa.style.backgroundColor = bgcolor;
}
</script>
</tr>
<?php
}
}
if($sis<>"1"){
if((@preg_match("/system\((.*?)\)/", $op))&&(@preg_match("/<pre>/", $op))&&(@preg_match("/empty\((.*?)\)/", $op))) {
$sis="2";
$i++;
$val="hidden shell";
?>
<tr style ="background-color: Your background Color;" onmouseover="mover(this)" onmouseout="mout(this)">
<td align="right"><font color="blue"><?=$i?></font></td>
<td align="center"><font color="blue"><?=$val?></font></td>
<td align="left">
<a href="#" class="xxx" onclick="MM_openBrWindow('?edit=file&file=<?=$file?>&bug=<?=$val?>','File view','status=yes,scrollbars=yes,width=700,height=600')" rel="nofollow"><?=$file?></a>
</td>
<td align="center"><font color="blue"><?=$last?> GMT+9</font></td>
<td align="right"><font color="blue"><?=$size?> byte</font></td>
<script language="javascript">
var bgcolor = "transparent";
var change_color = "#444444"
function mover(aa) {
aa.style.backgroundColor = change_color;
}
function mout(aa) {
aa.style.backgroundColor = bgcolor;
}
</script>
</tr>
<?php
}
}
if($sis=="0"){
foreach($cek as $bugs) {
if ($bugs<>""){
if(@preg_match("/$bugs\((.*?)\)/", $op)) {
$i++;
?>
<tr style ="background-color: Your background Color;" onmouseover="mover(this)" onmouseout="mout(this)">
<td align="right"><?=$i?></td>
<td align="center"><?=$bugs?></td>
<td align="left">
<a href="#" onclick="MM_openBrWindow('?edit=file&file=<?=$file?>&bug=<?=$bugs?>','File view','status=yes,scrollbars=yes,width=700,height=600')" rel="nofollow"><?=$file?></a>
</td>
<td align="center"><?=$last?> GMT+9</td>
<td align="right"><?=$size?> byte</td>
<script language="javascript">
var bgcolor = "transparent";
var change_color = "#444444"
function mover(aa) {
aa.style.backgroundColor = change_color;
}
function mout(aa) {
aa.style.backgroundColor = bgcolor;
}
</script>
</tr>
<?php
}
}
}
}
if($_POST['textV']<>""){
$text=$_POST['textV'];
if(@preg_match("/$text/", $op)) {
$i++;
?>
<tr style ="background-color: Your background Color;" onmouseover="mover(this)" onmouseout="mout(this)">
<td align="right"><?=$i?></td>
<td align="center"><?=$text?></td>
<td align="left">
<a href="#" onclick="MM_openBrWindow('?edit=file&file=<?=$file?>&bug=<?=$text?>','File view','status=yes,scrollbars=yes,width=700,height=600')" rel="nofollow"><?=$file?></a>
</td>
<td align="center"><?=$last?> GMT+9</td>
<td align="right"><?=$size?> byte</td>
<script language="javascript">
var bgcolor = "transparent";
var change_color = "#444444"
function mover(aa) {
aa.style.backgroundColor = change_color;
}
function mout(aa) {
aa.style.backgroundColor = bgcolor;
}
</script>
</tr>
<?php
}
}
}
}
}
if($i==0){
foreach($cek as $bugs) {
if ($bugs<>""){
$x++;
?>
<tr style ="background-color: Your background Color;" onmouseover="mover(this)" onmouseout="mout(this)">
<td align="right"><?=$x?></td>
<td align="center"><?=$bugs?></td>
<td align="center"> not exist </td>
<td align="center"> no record </td>
<td align="right"> - byte </td>
</tr>
<?php
}
}
}
?>
</table>
<?php
}else{
$find = array('default','base64_decode','system','passthru','popen','exec','shell_exec','eval','move_uploaded_file');
?>
<form id="fCheck" name="fCheck" method="post" action="" autocomplete="off">
<center>
<table class="single" width="400" border="1" cellpadding="10">
<tr><td class="me"><center>
<b>S e l e c t s c a n t y p e :</b><br>
<table class="me" width="200">
<tr><td class="me">
<script language="javascript">
function cekKlik(){
if (!document.fCheck.cekV.checked)
document.fCheck.textV.disabled=true;
else
document.fCheck.textV.disabled=false;
if(document.fCheck.cekV.checked){
master = master + 1;
}else{
if(master > 0 ){
master = master - 1;
}else{
master = master;
}
}
if(master != 0){
document.fCheck.Submit.disabled=false;
}else{
document.fCheck.Submit.disabled=true;
}
}
</script>
<?php
//dari sini
foreach($find as $bug) {
?>
<script language="javascript">
var master = 0;
function checkValue<?=$bug?>(){
if(document.fCheck.<?=$bug?>.checked){
master = master + 1;
}else{
if(master > 0 ){
master = master - 1;
}else{
master = master;
}
}
if(master != 0){
document.fCheck.Submit.disabled=false;
}else{
document.fCheck.Submit.disabled=true;
}
}
</script>
<input onclick="checkValue<?=$bug?>();" name="<?=$bug?>" type="checkbox" id="<?=$bug?>" value="<?=$bug?>" /> <?=$bug?><br>
<?php
}
?>
<input name="cekV" type="checkbox" onClick="cekKlik();" id="cekV" value="cekV">
<input class="isi" disabled="disabled" name="textV" value="other key word" onFocus="this.select()" type="text" id="textV">
<br><br>
<input type="hidden" name="asal" value="abcd">
<input disabled="disabled" type="submit" name="Submit" value=" S t a r t S c a n " />
</td></tr>
</table>
</td></tr></table>
</form>
<?
}
?>
<br><br><hr width="300">
<center>
Backdoor Scanner 0.01 © Magelang1337
<br><br>
</body>
begini tampilan kodenya
Pubiway 