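#!/bin/bash
# EvoMalware, script to detect infected websites.
# Usage: evomalware.sh [--aggressive]
# You can set aggressive to true to also search for suspicious scripts.
aggressive=false
# Path to search for. Deliberately left unquoted where it is used: it is a
# glob that must expand to every document root.
#wwwpath=/home
# Path for cPanel (and some Directadmin) servers. Servers running Plesk should use /var/www/vhosts/*/httpdocs
wwwpath=/home/*/public_html
# URL to download patterns and filenames.
# NOTE: plain HTTP, and the .md5 files come from the same origin as the data,
# so the checksum step only detects transfer corruption, not a tampered feed.
databaseURL="http://antispam00.evolix.org/evomalware"
databasePATH=/var/lib/evomalware
# Tools. Kept as whitespace-split strings rather than arrays because the rest
# of the script expands them unquoted ($find, $grep, $wc, $wget, $md5sum).
find="ionice -c3 find -O3"
grep="nice -n 19 grep"
wc="nice -n 19 wc"
wget="wget -q -t 3"
md5sum="md5sum --status -c"
# Various.
# List of candidate .php files produced by the main scan.
fileslist=$(mktemp) || exit 1
# Scratch directory for the downloads. A private mktemp directory instead of a
# fixed name under /tmp: this scanner walks docroots on shared hosts, and a
# predictable path in a world-writable directory could be pre-created or
# symlinked by another local user before the script runs.
tmpPATH=$(mktemp -d) || exit 1
# Single-quoted so the paths are expanded when the trap fires, and quoted
# there so they survive as single words; "--" guards a path starting with "-".
trap 'rm -rf -- "$fileslist" "$tmpPATH"' EXIT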
# Print the command-line synopsis on stdout and leave with status 1.
usage() {
  printf '%s to search for known malwares.\n%s --aggressive to include suspicions scripts.\n' "$0" "$0"
  exit 1
}
# Only "--aggressive" is accepted; any other argument prints the usage and exits.
case "$1" in
  --aggressive) aggressive=true ;;
  '') ;;
  *) usage ;;
esac
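# Download last patterns and filenames.
mkdir -p -- "$databasePATH" || exit 1
mkdir -p -- "$tmpPATH" || exit 1
# Stop if the scratch directory is unusable; otherwise the downloads would
# silently land in whatever the current directory happens to be.
cd -- "$tmpPATH" || exit 1
for file in evomalware.filenames evomalware.patterns evomalware.whitelist evomalware.suspect; do
  # Report a failed download explicitly instead of letting it surface as a
  # checksum failure on a missing file.
  $wget "${databaseURL}/${file}" || { echo "Error downloading ${databaseURL}/${file}!" >&2; exit 1; }
  $wget "${databaseURL}/${file}.md5" || { echo "Error downloading ${databaseURL}/${file}.md5!" >&2; exit 1; }
  # The .md5 file names the file it covers; md5sum -c checks it in the current
  # directory. Both come from the same unauthenticated origin, so this is a
  # corruption check, not an authenticity check.
  if $md5sum "${file}.md5"; then
    cp -- "$file" "${databasePATH}/"
  else
    echo "Error with ${databaseURL}/${file}, wrong md5sum!" >&2
    exit 1
  fi
done
# Each list is collapsed onto one line and used as an extended regex below;
# presumably the feed is already in alternation form (one branch per line,
# "|"-terminated) — verify against the feed format.
filenames=$(tr -d '\n' < "${databasePATH}/evomalware.filenames")
patterns=$(tr -d '\n' < "${databasePATH}/evomalware.patterns")
whitelist=$(tr -d '\n' < "${databasePATH}/evomalware.whitelist")
suspect=$(tr -d '\n' < "${databasePATH}/evomalware.suspect")
# An empty regex matches everything, so an empty signature list would flag
# every file on the host. Refuse to scan rather than produce a bogus report.
# (An empty whitelist is legitimate and is handled where it is applied.)
for name in filenames patterns suspect; do
  if [[ -z "${!name}" ]]; then
    echo "Error: ${databasePATH}/evomalware.${name} is empty, refusing to scan." >&2
    exit 1
  fi
done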
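# Search for .php files (less than 1M).
# $wwwpath stays unquoted: it is a glob that must expand to every docroot.
# "-print" is attached to the file branch only; without it find's implicit
# print applies to the whole expression and the pruned evobackup directories
# end up in the list as well.
# The whitelist is applied only when non-empty: "grep -v ''" would drop every
# line and the scan would silently cover nothing.
if [[ -n "$whitelist" ]]; then
  find $wwwpath -name evobackup -prune -o \( -type f ! -size +1M -name "*.php" \) -print 2>/dev/null \
    | $grep -E -v "$whitelist" > "$fileslist"
else
  find $wwwpath -name evobackup -prune -o \( -type f ! -size +1M -name "*.php" \) -print > "$fileslist" 2>/dev/null
fi
while IFS= read -r file; do
  # Search known filenames. $filenames is unquoted on purpose: it is a regex.
  if [[ "$file" =~ $filenames ]]; then
    echo "Known malware: $file"
  # Search .php files in WP's wp-content/uploads/ (quoted: literal substring).
  elif [[ "$file" =~ "wp-content/uploads/" ]]; then
    echo "PHP file in a non-PHP folder detected: $file"
  else
    # Length of the longest line (GNU wc -L); an unreadable file counts as 0.
    longest=$($wc -L "$file" 2>/dev/null | cut -d' ' -f1)
    if (( ${longest:-0} > 10000 )); then
      # A very long line is reported only when suspect PHP functions are used too.
      if $grep -q -E "$suspect" "$file" 2>/dev/null; then
        echo "Suspect file! More than 10000 characters in one line (and suspect PHP functions): $file."
      fi
    # Search for patterns. Plain -q on a single regular file: no -r, so an
    # entry that is a directory is never recursed into.
    elif $grep -q -E "$patterns" "$file" 2>/dev/null; then
      echo "Contains a known malware pattern: $file"
    fi
  fi
done < "$fileslist"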
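# Search for suspicious scripts... Only when in aggressive mode.
# It will increase scan time. $wwwpath is left unquoted throughout so the glob
# covers every httpdocs area (multiple docroots on shared hosting panels).
if [[ "$aggressive" == true ]]; then
  # Filenames that should not normally exist in a docroot; reported as found.
  suspect_names=(javascript.php bp.pl tn.php tn.php3 tn.phtml tn.txt xm.php logs.php)
  for name in "${suspect_names[@]}"; do
    $find $wwwpath -name "$name"
  done
  # Ten files with the most fields on a single line (whitespace-separated,
  # then 'x'-separated), printed as "<count> : <file>". The filename is handed
  # to sh as "$1" instead of being substituted into the command string, so a
  # filename containing shell metacharacters cannot alter the command.
  $find $wwwpath -type f -name "*.php" -exec sh -c 'printf "%s : %s\n" "$(awk "{ print NF }" "$1" | sort -n | tail -1)" "$1"' sh {} \; | sort -n | tail -10
  $find $wwwpath -type f -name "*.php" -exec sh -c 'printf "%s : %s\n" "$(awk -Fx "{ print NF }" "$1" | sort -n | tail -1)" "$1"' sh {} \; | sort -n | tail -10
  # Constructs frequently seen in obfuscated or injected PHP. Each grep is run
  # separately so every hit is listed once per pattern, as before.
  $grep -r 'ini_set(chr' $wwwpath
  $grep -r 'eval(base64_decode($_POST' $wwwpath
  $grep -r 'eval(gzinflate(' $wwwpath
  $grep -r 'ini_set(.mail.add_x_header' $wwwpath
  $grep -r '@require' $wwwpath
  $grep -r '@ini_set' $wwwpath
  $grep -ri 'error_reporting(0' $wwwpath
  $grep -r base64_decode $wwwpath
  $grep -r codeeclipse $wwwpath
  $grep -r 'eval(' $wwwpath
  $grep -r '\x..\x..' $wwwpath
  $grep -r 'chr(rand(' $wwwpath
fi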