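#!/bin/bash
##################################################################
### c99 and variant shell detection, quarantine and or removal ###
### Created by: Michael LaSalvia on 10/08/09                   ###
### Site: http://www.digitaloffensive.com                      ###
### Not responsible for your use of this script                ###
##################################################################
#
# Usage: c99check.sh [search_dir]        (default search_dir: /var/www/)
#
# Walks the web root for *.php files and applies three increasingly
# specific signature checks for one base64/gzinflate-encoded c99 variant:
#   1. the file mentions gzinflate        (weak on its own: legitimate
#                                          libraries use it too)
#   2. it contains the start of the encoded blob
#   3. it contains a longer slice of the encoded blob
# Only files passing all three checks are acted on. The operator is asked
# ONCE, after the scan, whether to delete them (enter 1) or quarantine them
# as .txt in $qInfected for review (enter / anything else).
#
# Caveats for the responder:
#   * Checks 2 and 3 match one specific encoding of c99. A re-encoded or
#     differently obfuscated shell is not detected; "no hits" means "this
#     variant not found", not "host is clean".
#   * Removing the shell does not close the upload path that put it there.
#   * Quarantined files keep their full content; review them from a user
#     account the attacker cannot reach, and do not serve them again.

set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# Variables: if you dont know what you are doing leave these as is.
# The scratch lists live in a private mktemp directory rather than under
# fixed names in /tmp, so an unprivileged local user (for instance the web
# server account the shell runs as) cannot pre-create or symlink them.
dirSearch=${1:-/var/www/}
qInfected=${qInfected:-/tmp/infected}
workDir=$(mktemp -d) || die "mktemp failed"
txtInfect=$workDir/php.txt
ck1=$workDir/c99check1.txt
ck2=$workDir/c99check2.txt
ck3=$workDir/c99check3.txt
# Scratch files are removed on every exit path, including errors.
trap 'rm -rf -- "$workDir"' EXIT

# Signatures are matched as fixed strings (grep -F) so the '+', '/' and
# quote characters are never treated as regex metacharacters.
sig1='gzinflate'
sig2="'7X1rcxs5kuBnd0T"
sig3='/wxMNVWOra7tTSb4BOrTD7FuM+847ZoXbxU7K2m2Elzg1RYWkhKujJiJa6QaqTwy9X5tCDZ6f77AUoj9XtkXuWQ5ROgowOYpU59wydY/'

#######################################
# has_sig FILE SIGNATURE
# Returns 0 if FILE contains SIGNATURE, 1 if it does not, 2 if the file
# could not be read (a warning is printed so a skip is never silent).
#######################################
has_sig() {
  local file=$1 sig=$2 rc=0
  grep -q -F -- "$sig" "$file" || rc=$?
  if (( rc == 2 )); then
    printf 'warning: could not read %s, skipping\n' "$file" >&2
  fi
  return "$rc"
}

echo "########################################################"
echo "## Creating needed files and cleaning old check files ##"
echo "########################################################"
[[ -d "$dirSearch" ]] || die "search directory $dirSearch does not exist"
if [[ ! -e "$qInfected" ]]; then
  mkdir -m 0700 -- "$qInfected"
fi
# Refuse a quarantine directory that is a symlink or owned by someone else:
# either would let another local user choose where the evidence ends up.
if [[ -L "$qInfected" || ! -d "$qInfected" || ! -O "$qInfected" ]]; then
  die "refusing to use $qInfected: must be a directory owned by $(id -un), not a symlink"
fi
: > "$txtInfect"
: > "$ck1"
: > "$ck2"
: > "$ck3"

echo "########################################################"
echo "### STARTING SEARCH FOR c99 and vairants            ####"
echo "########################################################"

# -type f skips directories and symlinks named *.php; -print0 and the
# NUL-separated scratch lists keep attacker-chosen file names containing
# spaces or newlines from being split into different paths later.
find "$dirSearch" -type f -name '*.php' -print0 > "$txtInfect"

# Each file is checked exactly once, in signature order; the original
# re-scanned every earlier hit on each new match and prompted per file.
while IFS= read -r -d '' c99; do
  has_sig "$c99" "$sig1" || continue
  echo "$c99 is infected **CHECK 1 of 3**"
  printf '%s\0' "$c99" >> "$ck1"
  has_sig "$c99" "$sig2" || continue
  echo "$c99 is infected **CHECK 2 of 3**"
  printf '%s\0' "$c99" >> "$ck2"
  has_sig "$c99" "$sig3" || continue
  echo "$c99 is infected **CHECK 3 of 3**"
  printf '%s\0' "$c99" >> "$ck3"
done < "$txtInfect"

if [[ ! -s "$ck3" ]]; then
  echo "No files matched all 3 checks."
  exit 0
fi

echo "##############################################################"
echo "## After 3x c99 code has been found in the following files: ##"
tr '\0' '\n' < "$ck3"
echo "##############################################################"
echo "#####  Press 1: To delete these files **WARNING**        #####"
echo "#####  Press enter: Rename the infected php to .txt      #####"
echo "#####  and move it to $qInfected for review           #####"
echo "##############################################################"
printf 'Please enter your choice:    '
# EOF on stdin (non-interactive run) falls through to quarantine, never delete.
read -r yChoice || yChoice=''

while IFS= read -r -d '' hit; do
  if [[ "$yChoice" == 1 ]]; then
    rm -f -- "$hit"
    echo "** $hit has been removed"
  else
    # Flatten the full path into the quarantine name so two shells with the
    # same basename in different directories cannot overwrite each other.
    qName=$qInfected/${hit//\//_}.txt
    mv -- "$hit" "$qName"
    echo "$hit has been renamed to $qName"
    echo "$hit has been moved to $qInfected"
  fi
done < "$ck3"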

