Rudimentary file scan

This is a short bash script that checks PHP files (.php, .phtml) for constructs commonly found in PHP malware. It is by no means perfect: it matches fixed strings, so it will produce false positives (legitimate code that echoes a request parameter looks the same as a backdoor to it) and it will miss anything obfuscated (an eval written as `eval (` with a space, or code hidden behind base64_decode and gzinflate), but it will give you a general idea of what is happening in your code.

The script walks a folder recursively and flags php/phtml files that contain any of the following strings:

  • eval( – evaluates PHP code supplied as a string; the classic way a backdoor runs attacker-supplied code
  • mysql_query($_ – a raw query built directly from request data; besides being an injection risk, this should not appear at all in an application built on a modern framework
  • include($_ – includes a file whose path comes from a super-global, i.e. the path is controlled by the request
  • echo($_ – echoes a super-global variable straight back into the response
  • print_r($_ – dumps a super-global variable into the response
  • REMOTE_ADDR – the client IP address; malware often compares it to a hard-coded value to lock the backdoor to the attacker's IP

Usage:

./scan.sh /path/to/folder /path/to/outputFile

Save the following code as scan.sh and chmod +x scan.sh

#!/bin/bash
# Usage: ./scan.sh /path/to/folder /path/to/outputFile
# Greps .php/.phtml files for a handful of constructs common in PHP backdoors
# and appends one log line per pattern per file. Expect false positives.

if [ "$#" -ne 2 ]; then
    echo "usage: $0 /path/to/folder /path/to/outputFile" >&2
    exit 1
fi

# Base names of files to skip, e.g. doNotCheck=("vendor-lib.php" "known-good.php")
doNotCheck=()

# Fixed strings to look for (matched case-insensitively) and the label logged
# for each. The two arrays are index-aligned.
patterns=('eval(' 'mysql_query($_' 'include($_' 'echo($_' 'print_r($_' 'REMOTE_ADDR')
labels=('Found eval usage'
        'Found mysql_query with request param'
        'Found include of request param'
        'Found echo of request param'
        'Found print_r of request param'
        'Found IP check')

function logFile {
    # $1 file, $2 log file, $3 label, $4 matching lines as "lineno:content"
    echo "${3} - ${1} - Line: ${4}" >> "$2"
}

function checkFile {
    local file="$1" log="$2" filename i matchPart excluded
    filename="${file##*/}"
    for excluded in "${doNotCheck[@]}"; do
        if [ "$excluded" = "$filename" ]; then
            echo "file $filename was excluded from the check"
            return
        fi
    done
    # Check every pattern rather than stopping at the first hit, so a file
    # that uses both eval and REMOTE_ADDR gets both log lines.
    for i in "${!patterns[@]}"; do
        if grep -iFq -- "${patterns[$i]}" "$file"; then
            matchPart=$(grep -iFn -- "${patterns[$i]}" "$file")
            logFile "$file" "$log" "${labels[$i]}" "$matchPart"
        fi
    done
}

# '*.php*' also matches .phtml (and .php5, .php.bak ...), so one find is enough.
# -print0 with read -d '' keeps paths containing spaces or newlines intact.
find "$1" -type f -iname '*.php*' -print0 |
while IFS= read -r -d '' f; do
    checkFile "$f" "$2"
done