【python】Find, find, find the webshell

I wrote a Python script to find webshells that intruders have left behind on a server.

It used to enumerate files recursively; now it uses the walk function, which is somewhat faster.

The biggest change is the regex set, which now looks considerably more respectable.

(   # quote class [\'\"] restored from the HTML-entity residue [\&;\&;] in the extracted page
    r'[_ ]{,1}[pP][aA][sS][sS][\w ]{,20}= {,3}[\'\"]{1,4}.{,33}',
    r'[_ ]{,1}[pP][Ww][\w ]{,20}= {,3}[\'\"]{1,4}.{,33}',
    r'[mM][mM] {,20}= {,3}[\'\"]{1,4}.{,33}',
    r'[mM][iI][mM][aA] {,20}= {,3}[\'\"]{1,4}.{,33}',
    r'<[pP][aA][sS][sS].{,33}</[pP][aA][sS][sS]',
)

Repository address (if you are passing by, please star it):

https://github.com/donghouhe/find_horse_finished/blob/master/horse.py

#!/usr/bin/env python3
# encoding: utf-8
# 2015-2-5
'''
find_horse: walk a directory tree and flag files whose contents look like a
webshell's password assignment.
(The original docstring held an ASCII-art banner that did not survive
extraction; it is omitted here.  The script is ported to Python 3: print
function, text-mode open with errors='ignore'.)
'''
import os
import sys
import re
import time

# Note: the quote class [\'\"] is restored from the HTML-entity residue
# [\&;\&;] that appears in the extracted page.
rulelist = (
    r'[_ ]{,1}[pP][aA][sS][sS][\w ]{,20}= {,3}[\'\"]{1,4}.{,33}',
    r'[_ ]{,1}[pP][Ww][\w ]{,20}= {,3}[\'\"]{1,4}.{,33}',
    r'[mM][mM] {,20}= {,3}[\'\"]{1,4}.{,33}',
    r'[mM][iI][mM][aA] {,20}= {,3}[\'\"]{1,4}.{,33}',
    r'<[pP][aA][sS][sS].{,33}</[pP][aA][sS][sS]',
)
# Compile once instead of once per file per rule.
rules = [re.compile(rule) for rule in rulelist]

# Extensions that are never inspected (compiled code, binaries, media).
skip_ext = ('.java', '.jar', '.css', '.class', '.bin', '.exe',
            '.jpg', '.png', '.pdf', '.doc', '.JPG', 'gif')


def scan(path):
    for root, dirs, files in os.walk(path):
        for filespath in files:
            realfile = os.path.join(root, filespath)
            # Only files under 1 MiB that are not in the skip list are read.
            if os.path.getsize(realfile) < 1024 * 1024 and not realfile.endswith(skip_ext):
                # errors='ignore' keeps undecodable bytes from aborting the scan.
                with open(realfile, 'r', errors='ignore') as filen:
                    filestr = filen.read()
                for rule in rules:
                    result = rule.search(filestr)
                    if result:
                        print('File:', realfile, result.group(0))
                        print('Modified time:', time.strftime('%Y-%m-%d %H:%M:%S',
                              time.localtime(os.path.getmtime(realfile))))
                        break  # one hit per file is enough


if __name__ == '__main__':
    if len(sys.argv) != 2:
        print('Usage:', sys.argv[0], '/dir')
        sys.exit(1)
    if not os.path.lexists(sys.argv[1]):
        print('wrong path')
        sys.exit(1)
    print('going')
    scan(sys.argv[1])
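As an added example (not the script from the repository above), here are the same five rules and the same size/extension filter applied in memory to a few constructed file contents, including a benign file that the loose `mm` rule flags, which is the kind of false positive to expect from password-assignment patterns before acting on a hit. The quote class `[\'\"]`, the sample names and their contents are assumptions of this example.

```python
import re

# The post's five rules, compiled once.  The quote class is written as [\'\"];
# the extracted page shows it mangled to [\&;\&;], so this restoration is an
# assumption of this example.
RULES = [re.compile(r) for r in (
    r'[_ ]{,1}[pP][aA][sS][sS][\w ]{,20}= {,3}[\'\"]{1,4}.{,33}',
    r'[_ ]{,1}[pP][Ww][\w ]{,20}= {,3}[\'\"]{1,4}.{,33}',
    r'[mM][mM] {,20}= {,3}[\'\"]{1,4}.{,33}',
    r'[mM][iI][mM][aA] {,20}= {,3}[\'\"]{1,4}.{,33}',
    r'<[pP][aA][sS][sS].{,33}</[pP][aA][sS][sS]',
)]

# Same skip list and size limit as the script.
SKIP_SUFFIXES = ('.java', '.jar', '.css', '.class', '.bin', '.exe',
                 '.jpg', '.png', '.pdf', '.doc', '.JPG', 'gif')
MAX_SIZE = 1024 * 1024


def should_scan(name, size):
    """Mirror the script's filter: under 1 MiB and not a skipped extension."""
    return size < MAX_SIZE and not name.endswith(SKIP_SUFFIXES)


def first_hit(content):
    """(rule_index, matched_text) for the first rule that fires, else None."""
    for i, rule in enumerate(RULES):
        m = rule.search(content)
        if m:
            return i, m.group(0)
    return None


# Constructed sample files (name -> content); nothing is read from disk.
SAMPLES = {
    'upload/avatar.php': '<?php $pass = "s3cret"; ?>',          # suspicious
    'app/config.php': "<?php $db_pass = getenv('DB_PASS'); ?>",  # clean: no quoted literal
    'app/stats.php': '<?php $comm = "total"; ?>',                # false positive on the "mm" rule
    'static/logo.gif': 'GIF89a' + 'x' * 10,                      # skipped by extension
}


def scan_samples(samples=SAMPLES):
    """Return {name: (rule_index, match)} for every sample the rules flag."""
    hits = {}
    for name, content in samples.items():
        if should_scan(name, len(content)):
            hit = first_hit(content)
            if hit:
                hits[name] = hit
    return hits


if __name__ == '__main__':
    for name, (idx, text) in scan_samples().items():
        print('File:', name, '| rule', idx, '|', text)
```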
