phpAV-1.1

  1. #!/usr/bin/php
  2. <?php
  3. ini_set("max_execution_time", 0);
  4. $start = get_time();
  5. /*
  6. ** Title:       phpAV
  7. ** Version:     1.1
  8. ** Author:      Milos Zivanovic
  9. ** Email:       milosz.security@gmail.com
  10. ** Date:        January 2010.
  11. **
  12. ** PHP script designed to work as antivirus for malicious php scripts. It will
  13. ** search given directory and related files for dangerous functions and also
  14. ** look for recognizable pattern in file names. phpAV is designed so it can be
  15. ** easily configured and look in more file types in search for more functions
  16. ** and file name patterns.
  17. **
  18. ** Usage: ./phpAV.php /var/www/
  19. ** Log file will appear in the same directory as phpAV.php IF dangerous
  20. ** functions/files are found, else the file won't be there.
  21. **
  22. ** Thanks:
  23. ** Special thanks to Teo Manojlovic, idea for this originated in his mind.
  24. ** Thanks to Ivan Markovic for additional ideas and tips.
  25. **
  26. ** Note: Script tested on linux (ubuntu karmic koala (9.10))
  27. */
  28.  
  29. // CONFIGURATION SECTION
  30. $functions = array('shell_exec', 'system', 'passthru', 'exec', 'eval', 'ftp_connect'); // dangerous functions
  31. $file_types = array('php', 'php3', 'php4', 'php5', 'phps', 'ph3', 'ph4', 'html', 'htm', 'phtml', 'pl'); // file types to scan
  32. $suspicious = array('c99', 'c100', 'r57', 'locus7', 'storm7', 'g00n'); // pattern names to look for
  33. $log_file = "Log.txt"; // log file
  34. // END OF CONFIGURATION SECTION
  35.  
  36. $dir = $argv[1];
  37.  
  38. if($argc != 2) {
  39.     echo "Usage: ".$argv[0]." [DIR PATH]\n";
  40.     exit();
  41. }
  42. if(substr($dir, -1) != "/") $dir .= "/";
  43.  
  44. $dirs_found = 0;
  45. $files_found = 0;
  46. $files_with_bad_functions = 0;
  47. $bad_functions_found = 0;
  48. $suspicious_files_found = 0;
  49.  
  50. search_dir($dir);
  51.  
  52. // print info & statistics
  53. echo "phpAV-v1.1\nMilos Zivanovic [milosz.security@gmail.com]\n";
  54. echo "Dir: \t\t\t\t\t".$dir."\n";
  55. echo "Dirs scanned: \t\t\t\t".$dirs_found."\n";
  56. echo "Files scanned: \t\t\t\t".$files_found."\n";
  57. echo "Files with dangerous functions found: \t".$files_with_bad_functions."\n";
  58. echo "Dangerous functions detected: \t\t".$bad_functions_found."\n";
  59. echo "Suspicious files detected: \t\t".$suspicious_files_found."\n";
  60. echo "Time taken: \t\t\t\t".number_format((get_time() - $start), 5)." seconds\n";
  61.  
  62. // ----- functions --------------------------------------------------------------------------------
  63.  
  64. function search_dir($path) {
  65.     global $file_types, $dirs_found, $files_found;
  66.     if ($dh = opendir($path)) {
  67.         while (($file = readdir($dh)) !== false) {
  68.             if($file != "." && $file != "..") {
  69.                 if(is_dir($path.$file)) {
  70.                     $dirs_found++;
  71.                     search_dir($path.$file."/");
  72.                 }
  73.                 else if(is_readable($path.$file) && in_array(end(explode(".", $file)), $file_types)) {
  74.                     $files_found++;
  75.                     search_suspicious($path.$file);
  76.                     search_in_file($path.$file);
  77.                 }
  78.             }
  79.         }
  80.     }
  81.     closedir($dh);
  82. }
  83.  
  84. function search_in_file($file) {
  85.     global $functions, $bad_functions_found, $log_file, $files_with_bad_functions;
  86.     $lines = array();
  87.     $found_str = array();
  88.     $found_line = array();
  89.     $lines = file($file);
  90.     for($i=0;$i<count($functions);$i++) {
  91.         for($j=0;$j<count($lines);$j++) {
  92.             if(strstr($lines[$j], " ".$functions[$i]."(") ||
  93.                 strstr($lines[$j], "(".$functions[$i]."(") ||
  94.                 strstr($lines[$j], ".".$functions[$i]."(") ||
  95.                 strstr($lines[$j], "=".$functions[$i]."(") ||
  96.                 strstr($lines[$j], "{".$functions[$i]."(") ||
  97.                 strstr($lines[$j], ">".$functions[$i]."(") ||
  98.                 strstr($lines[$j], "\t".$functions[$i]."(") ||
  99.                 strstr($lines[$j], " ".$functions[$i]." (") ||
  100.                 strstr($lines[$j], "=".$functions[$i]." (") ||
  101.                 strstr($lines[$j], "{".$functions[$i]." (") ||
  102.                 strstr($lines[$j], ".".$functions[$i]." (") ||
  103.                 strstr($lines[$j], "(".$functions[$i]." (") ||
  104.                 strstr($lines[$j], ">".$functions[$i]." (") ||
  105.                 strstr($lines[$j], "\t".$functions[$i]." (") ||
  106.                 substr($lines[$j], 0, strlen($functions[$i])) == $functions[$i]) {
  107.  
  108.                 $found_str[] = str_replace("\n", "", $lines[$j]);
  109.                 $found_line[] = $j+1;
  110.                 $bad_functions_found++;
  111.         }
  112.         }
  113.     }
  114.     if(!empty($found_str)) {
  115.         $files_with_bad_functions++;
  116.         file_put_contents($log_file, "File: ".$file."\n", FILE_APPEND);
  117.         for($l=0;$l<count($found_str);$l++) {
  118.             file_put_contents($log_file, "Line: ".$found_line[$l]." | ".$found_str[$l]."\n", FILE_APPEND);
  119.         }
  120.     }
  121. }
  122.  
  123. function search_suspicious($file) {
  124.     global $suspicious, $log_file, $suspicious_files_found;
  125.     $filename = end(explode("/", $file));
  126.     for($i=0;$i<count($suspicious);$i++)
  127.         if(strstr($filename, $suspicious[$i])) {
  128.             $suspicious_files_found++;
  129.             file_put_contents($log_file, "WARNING: ".$file."\n", FILE_APPEND);
  130.             break;
  131.         }
  132. }
  133.  
  134. function get_time() {
  135.     $a = explode(" ", microtime());
  136.     return(double) $a[0] + $a[1];
  137. }
  138. ?>