mrgobel

Malicious String Scanner

Jun 20th, 2019
  1. <?php
  2. /*
  3. Up@hacker-newbie.org
  4. */
  // Scanner configuration. Every entry is a PCRE pattern handed to preg_match_all().
  // Several content patterns are deliberately broad (plain words such as "system",
  // "shell", "mailer", "miner"), so a hit is a lead for manual review, not a verdict.
  $config = array(
      // Directory paths that match any of these are reported as suspicious.
      'dir' => array(
          '/c99/i',
          '/r57/i',
          '/gifimg/i',
          '/idx/i',
          '/idx_config/i',
      ),
      // Only files whose basename matches one of these are opened and scanned.
      'type' => array(
          '/\.htaccess$/i',
          '/\.php[45]?$/i',
          '/\.html?$/i',
          '/\.aspx?$/i',
          '/\.inc$/i',
          '/\.cfm$/i',
          '/\.css$/i',
      ),
      // File names that are reported as suspicious on the name alone.
      'file' => array(
          '/db-.*\.php/i',
          '/(.*?)\.(cache|bak|old)\.php/i',
          '/class-(snoopy|smtp|feed|pop3|IXR|phpmailer|json|simplepie|phpass|http|oembed|ftp-pure|wp-filesystem-ssh2|wp-filesystem-ftpsockets|ftp|wp-filesystem-ftpext|pclzip|wp-importer|wp-upgrader|wp-filesystem-base|ftp-sockets|wp-filesystem-direct)\.php/i',
      ),
      // Content indicators matched against file contents.
      'contains' => array(
          '/edoced_46esab/i',
          '/system/i',
          '/str_rot13/i',
          '/gzinflate/i',
          // NOTE(review): the "*" here quantifies the preceding letter ("e", "3"),
          // not a space as in the entries below; kept exactly as written.
          '/gzinflate*\(str_rot13*\(base64_decode/i',
          '/passthru *\(/i',
          '/eval *\(/i',
          '/shell_exec *\(/i',
          '/jumping/i',
          '/r3c0ded/i',
          '/document\.write *\(unescape *\(/i',
          '/base64_decode *\(/i',
          '/system *\(/i',
          '/`.+`/',
          '/phpinfo *\(/i',
          '/hacked by /i',
          '/shell/i',
          '/b374k 2.8 /i',
          '/1n73ction/i',
          '/s_func/i',
          '/popcash/i',
          '/miner/i',
          '/coinhive/i',
          '/web[\s-]*shell/i',
          '/c99/i',
          '/r57/i',
          '/indoxploit/i',
          '/b374k/i',
          '/Jayalah Indonesiaku/i',
          '/mailer/i',
          '/ransome/i',
          '/gumblar\.cn/i',
          '/martuz\.cn/i',
          '/beladen\.net/i',
          '/gooqle/i',
          '/_analist/i',
          '/anaiytics/i',
      ),
      // 1000 * 100 = 100,000 bytes (about 100 KB, not 100 MB). Content shorter than
      // this is scanned line by line; larger content is matched as a single string
      // (see the strlen() comparison in _ihpyt490).
      'max_reading_length' => (1000 * 100),
  );

  // Shared runtime state: detected OS, SAPI mode and the matches of the last pattern check.
  $stack = array();
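  if (!function_exists('_sfubgg3')) {
      /**
       * Report whether a PHP function can be called in this environment.
       *
       * A function counts as usable when it exists and is not named in the
       * `disable_functions` ini setting.
       *
       * @param string $a Function name to check.
       * @return bool True when the function exists and is not disabled.
       */
      function _sfubgg3($a) {
          if (!function_exists($a)) {
              return false;
          }
          // ini_get() returns the raw setting, which is commonly written with spaces
          // after the commas ("exec, system"). Without trimming, " system" never
          // equals "system" and a disabled function would be reported as usable.
          $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
          return !in_array($a, $disabled, true);
      }
  }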
  if (!function_exists('_tj3r')) {
      /**
       * Check whether a path is readable by the PHP process.
       *
       * @param string $a Path to test.
       * @return bool False when is_readable() is unavailable or the path is not readable.
       */
      function _tj3r($a) {
          // Without is_readable() nothing can be said about the path, so report "no".
          if (!_sfubgg3("is_readable")) {
              return false;
          }
          return is_readable($a);
      }
  }
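  if (!function_exists('_sgio3')) {
      /**
       * Quote a value so it reaches a shell command as one literal argument.
       *
       * Uses escapeshellarg() when it is available. The fallback builds a POSIX
       * single-quoted string by hand.
       *
       * @param string $a Raw argument (here: a file path that may come from the request).
       * @return string Quoted argument.
       */
      function _sgio3($a) {
          if (_sfubgg3('escapeshellarg')) {
              return escapeshellarg($a);
          }
          // Inside POSIX single quotes a backslash is literal, so writing \' does not
          // escape the quote; it ends the quoted string and the rest of the value is
          // parsed by the shell. The safe form closes the quote, emits an escaped
          // quote, and reopens it: ' -> '\''
          // NOTE(review): this fallback is POSIX-only; cmd.exe does not treat single
          // quotes as quoting, so it gives no protection for the Windows branch.
          return "'" . str_replace("'", "'\\''", $a) . "'";
      }
  }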
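  if (!function_exists('_3b0u92t_capture')) {
      /**
       * Run one shell command with the first available exec-style function and
       * return its output as a string.
       *
       * @param string $cmd Complete command line; arguments must already be quoted.
       * @return string|false Captured output, or false when no exec-style function is usable.
       */
      function _3b0u92t_capture($cmd) {
          if (_sfubgg3("exec")) {
              $lines = array();
              exec($cmd, $lines);
              return implode("\n", $lines);
          }
          // system() and passthru() write to the output stream instead of returning
          // the data, so buffer it; otherwise the file would be echoed unescaped.
          if (_sfubgg3("system")) {
              ob_start();
              system($cmd);
              return ob_get_clean();
          }
          if (_sfubgg3("passthru")) {
              ob_start();
              passthru($cmd);
              return ob_get_clean();
          }
          if (_sfubgg3("shell_exec")) {
              $out = shell_exec($cmd);
              return is_string($out) ? $out : "";
          }
          return false;
      }
  }
  if (!function_exists('_3b0u92t')) {
      /**
       * Read a file and return its contents.
       *
       * Readable paths are read with file_get_contents() or, failing that, fopen()/fgets().
       * Paths that is_readable() rejects are handed to a shell command (cat/tail on
       * "linux", more on "windows") when an exec-style function is available.
       *
       * The function applies no path restriction of its own; callers that pass
       * request-supplied paths have to confine them first. The shell branch depends
       * entirely on _sgio3() for quoting.
       *
       * @param string $a Path of the file to read.
       * @return string|false File contents, or false when the file cannot be read.
       */
      function _3b0u92t($a) {
          global $stack;

          if (_tj3r($a)) {
              if (_sfubgg3("file_get_contents")) {
                  return file_get_contents($a);
              }
              if (_sfubgg3("fopen")) {
                  $handle = fopen($a, "r");
                  if (!$handle) {
                      return false;
                  }
                  $data = "";
                  while (($line = fgets($handle)) !== false) {
                      $data .= $line;
                  }
                  fclose($handle);
                  return $data;
              }
              return false;
          }

          // The original picked the command with an unparenthesised nested ternary.
          // That is left-associative before PHP 8 (more than one branch could run)
          // and a compile error from PHP 8 on; the tail fallback also called "cat"
          // in its passthru branch. The helper above replaces all three chains.
          $os = isset($stack['sgf3']) ? $stack['sgf3'] : "";
          if ($os == "linux") {
              // "--" ends option parsing so a path starting with "-" stays a file name.
              $data = _3b0u92t_capture("cat -- " . _sgio3($a));
              if ($data === false) {
                  return false;
              }
              if ($data === "") {
                  $data = _3b0u92t_capture("tail -- " . _sgio3($a));
              }
              return $data;
          }
          if ($os == "windows") {
              return _3b0u92t_capture("more " . _sgio3($a));
          }
          return false;
      }
  }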
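  if (!function_exists('_ihpyt490')) {
      /**
       * Walk a glob pattern recursively and report suspicious directories, file
       * names and file contents according to $config.
       *
       * Findings are echoed as they are found: plain text in CLI mode, HTML in
       * browser mode. File names and matched snippets come from the files being
       * examined, so in browser mode they are HTML-escaped before being printed.
       *
       * @param string $a Glob pattern (GLOB_BRACE syntax) to scan.
       * @return bool Always true.
       */
      function _ihpyt490($a) {
          global $config, $stack;

          if (!function_exists('_obgu328')) {
              /**
               * Print one finding. %name% placeholders in the template are replaced
               * by $stack[name] when $b is true and removed otherwise.
               *
               * @param string $a Message template (may contain scanner-generated HTML).
               * @param bool   $b Whether to expand placeholders.
               * @return bool False for an empty template, true otherwise.
               */
              function _obgu328($a = "", $b = false) {
                  global $stack, $config;
                  if (empty($a)) return false;
                  $isCli = ($stack['_3ty3'] == "cli");
                  echo "[X] " . preg_replace_callback('/\%(.*?)\%/', function ($m) use ($stack, $b, $isCli) {
                      if ($b == false) return "";
                      if (!isset($m[1]) || !isset($stack[$m[1]])) return "";
                      $value = $stack[$m[1]];
                      $text = is_array($value)
                          ? "(" . count($value) . ")[ " . implode(", ", $value) . " ]"
                          : (string) $value;
                      // Matched snippets are taken from scanned files; escape them so
                      // markup inside a flagged file is shown, not rendered, in the report.
                      return $isCli ? $text : htmlentities($text, ENT_QUOTES);
                  }, $a) . ($isCli ? PHP_EOL : "<br/>");
                  return true;
              }
          }

          if (!function_exists('_sjt30t')) {
              /**
               * Test a string against a list of patterns and store the matches in
               * $stack['_sht3'] for the next report line.
               *
               * @param array  $a PCRE patterns.
               * @param string $b Subject string.
               * @return bool True when at least one pattern matched.
               */
              function _sjt30t($a = array(), $b = "") {
                  global $stack, $config;
                  if (empty($a) || empty($b)) return false;
                  unset($stack['_sht3']);
                  foreach ($a as $pattern) {
                      $found = array();
                      preg_match_all($pattern, $b, $found);
                      // $found holds one list per capture group; only the first entry
                      // of each list is recorded.
                      foreach ($found as $group) {
                          if (isset($group[0])) $stack['_sht3'][] = "\"{$group[0]}\"";
                      }
                  }
                  return (!empty($stack['_sht3']));
              }
          }

          if (!function_exists('_ihpyt490_text')) {
              /**
               * Make a file-system name safe to embed in a report template.
               *
               * CLI output is returned unchanged. Browser output is HTML-escaped, and
               * "%" is written as an entity because _obgu328() treats %...% as a placeholder.
               *
               * @param string $name Path or file name.
               * @return string Text ready for the template.
               */
              function _ihpyt490_text($name) {
                  global $stack;
                  if ($stack['_3ty3'] == "cli") return $name;
                  return str_replace('%', '&#37;', htmlentities($name, ENT_QUOTES));
              }
          }

          if (!function_exists('_ihpyt490_label')) {
              /**
               * Build the label for a file: the bare path in CLI mode, a "view" link
               * in browser mode.
               *
               * @param string $path File path as returned by glob().
               * @return string Label ready for the template.
               */
              function _ihpyt490_label($path) {
                  global $stack;
                  if ($stack['_3ty3'] == "cli") return $path;
                  // rawurlencode() keeps quotes and angle brackets in a file name from
                  // breaking out of the href attribute; "%" is then written as an entity
                  // for the same placeholder reason as in _ihpyt490_text().
                  $href = str_replace('%', '&#37;', rawurlencode((string) realpath($path)));
                  return "<a href=\"?_view=" . $href . "\">" . _ihpyt490_text($path) . "</a>";
              }
          }

          $entries = glob($a, GLOB_MARK | GLOB_BRACE);
          if ($entries === false) {
              // glob() returns false on error; treat that as "nothing to scan".
              $entries = array();
          }

          foreach ($entries as $b) {
              if (is_dir($b)) {
                  // GLOB_MARK appended a trailing slash; drop it for display.
                  if (_sjt30t($config['dir'], $b)) {
                      _obgu328("Suspicious DIR " . _ihpyt490_text(substr($b, 0, -1)) . " > %_sht3%", true);
                  }
                  // A bare "*" skips dot entries, which left .htaccess files and hidden
                  // directories below the top level unscanned. The brace set adds them
                  // while still excluding "." and "..".
                  _ihpyt490($b . "{*,.[!.]*,..?*}");
              } elseif (is_file($b) && _sjt30t($config['type'], basename($b)) && basename($b) != basename(__FILE__)) {
                  $label = _ihpyt490_label($b);
                  if (_sjt30t($config['file'], basename($b))) {
                      _obgu328("Suspicious FILE " . $label . " %_sht3%");
                  }
                  $content = _3b0u92t(realpath($b));
                  if (empty($content) || $content === false) {
                      continue;
                  }
                  if (strlen($content) < $config['max_reading_length']) {
                      // Small enough: scan line by line so the report can name the line.
                      foreach (explode("\n", $content) as $index => $line) {
                          if (_sjt30t($config['contains'], $line)) {
                              _obgu328("Contain(s) Malicious String " . $label . " > Line " . ($index + 1) . " > %_sht3%", true);
                          }
                      }
                  } else {
                      // Large content is matched as one string, without line numbers.
                      if (_sjt30t($config['contains'], $content)) {
                          _obgu328("Contain(s) Malicious String " . $label . " > %_sht3%", true);
                      }
                  }
              }
          }
          return true;
      }
  }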
  // Detect the host OS; anything that does not start with "WIN" is treated as "linux".
  $stack['sgf3'] = "linux";
  if (defined('PHP_OS') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
      $stack['sgf3'] = "windows";
  }

  // Fallback for interpreters that do not define PHP_EOL.
  if (!defined('PHP_EOL')) {
      define('PHP_EOL', "\r\n");
  }

  // Decide between plain-text (cli) and HTML (browser) output. When php_sapi_name()
  // is unavailable the script assumes cli.
  $stack['_3ty3'] = "cli";
  if (_sfubgg3('php_sapi_name') && php_sapi_name() !== "cli") {
      $stack['_3ty3'] = "browser";
  }
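  if ($stack['_3ty3'] == "cli") {
      echo "Scanner v1.0 | w00t " . PHP_EOL . str_repeat("-", 50) . PHP_EOL . PHP_EOL;
      _ihpyt490("{,.}[!.,!..]*");
  } else {
      // NOTE(review): browser mode has no authentication. Anyone who can reach this
      // script can start scans and use the viewer, so it should sit behind access
      // control and be removed from the web root once the scan is done.

      // Request values are used only when they are plain strings (?_[]=x yields an array).
      $scanPath = (isset($_GET['_']) && is_string($_GET['_'])) ? $_GET['_'] : "";

      echo "<html><head><title>Scanner</title><style>"
          . "@import url(https://fonts.googleapis.com/css?family=Open+Sans:300italic,400italic,600italic,700italic,400,300,600,700);"
          . "pre {background: #303030;color: #f1f1f1;padding: 10px 16px; border-radius: 2px;border-top: 4px solid #00aeef;-moz-box-shadow: inset 0 0 10px #000;box-shadow: inset 0 0 10px #000;counter-reset: line; white-space: pre-wrap; /* css-3 */ white-space: -moz-pre-wrap; /* Mozilla, since 1999 */ white-space: -pre-wrap; /* Opera 4-6 */white-space: -o-pre-wrap; /* Opera 7 */ word-wrap: break-word; /* Internet Explorer 5.5+ */}"
          . "body { background-color:#F7F7F7; font-family: 'Open Sans', sans-serif; } </style></head>"
          // "type=get" is not a form attribute; the submission method is "method".
          . "<body><center><h1>Scanner IDCH v1.0</h1><form method=get><input type=text name=_ placeholder='Path' value='"
          . htmlentities($scanPath, ENT_QUOTES)
          . "'/>&nbsp;<input type=submit name=submit/></form></center><hr/><br/>";

      if (isset($_GET['_view'])) {
          // $_GET values are already URL-decoded by PHP; decoding a second time
          // mangles names that contain "%" or "+".
          $requested = is_string($_GET['_view']) ? $_GET['_view'] : "";

          // The viewer serves only regular files under the scanner's own directory
          // tree. realpath() resolves ".." segments and symlinks before the prefix
          // comparison. Widen $viewRoot deliberately if other trees are scanned.
          $viewRoot = realpath(dirname(__FILE__));
          $target = ($requested !== "") ? realpath($requested) : false;
          $allowed = false;
          if ($viewRoot !== false && $target !== false && is_file($target)) {
              $prefix = rtrim($viewRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
              $allowed = (strpos($target, $prefix) === 0);
          }

          echo "Opening File " . htmlentities($requested, ENT_QUOTES) . ":<br/><br/><div style=\"padding-left: 30px;padding-right: 30px;\"><pre>";
          if ($allowed) {
              echo htmlentities((string) _3b0u92t($target), ENT_QUOTES);
          } else {
              echo "Refused: the requested path is not a file inside the scanner directory.";
          }
          echo "</pre></div>";
      } else {
          // NOTE(review): the scan pattern is taken from the request as-is and may
          // point at any directory the PHP process can list.
          if (!empty($scanPath)) {
              _ihpyt490($scanPath);
          } else {
              _ihpyt490("{,.}[!.,!..]*");
          }
      }
      // The closing tag pair was "</body></head>"; the document is closed with </html>.
      echo "<br/><hr/><center> xhaxor</center></body></html>";
  }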
  159. ?>