利用Linux的inotify文件变化通知机制,安装pyinotify扩展后编写出来的监视Webshell的小工具。
当发现目录中新建或更改后的文件中包含有隐藏的PHP函数,可被Webshell利用的代码,涛涛电脑知识网,涛涛电脑知识网,则马上发送Email到管理员邮件报警
#!/usr/bin/env python
import sys
import os
import re
import pyinotify
import smtplib
import mimetypes
import datetime
from email.mime.text import MIMEText
from email.mime.multipart import MIMEMultipart
from email.mime.image import MIMEImage
if len(sys.argv) <2:
print("\n /*//////////////////////////////////////////");
print(" // Sov Webshell monitoring tool //");
print(" // by:0x001 //");
print(" //////////////////////////////////////////*/\n");
print(' Usage : python SovMonitor.py /web/0x001\n')
sys.exit()
host = "mail.0x001.com"
username = "admin@0x001.com"
password = "0x001.com"
email_from = "admin@0x001.com"
send_to = "admin@0x001.com"
subject = "Critical alarm from SovMonitor!"
pattern = re.compile(r"\bserver.execute\s+request|\bexecute\s+request|\beval\s+request|\beval_r\s+request|\bExecuteGlobal\s+request|\bExecute\s+Session|\bexecute\s*\(+\s*request|\beval\s*\(+\s*request|\beval_r\s*\(+\s*request|\bExecuteGlobal\s*\(+\s*request|\bExecute\s*\(+\s*Session|\s*'\s*:\s*eval|\bServer.CreateObject\s*\(\s*\"ScriptControl\"\s*\)|\bSystem.Reflection.Assembly.Load|\beval\s*\(+\s*\$|\beval_r\s*\(+\s*\$|\bassert\s*\(+\s*\$|`\$_Request\[.*`|`\$_GET\[.*`|`\$_POST\[.*`|\.ExecuteStatement\s*\(|\bnew\s+WebAdmin2Y|\beval\s*\(\s*@?base64_decode\s*\(|\beval\s*\(\s*@?gzuncompress\s*\(\s*@?base64_decode\(|\binclude.*(\.jpg|\.gif|\.png|\.bmp|\.txt)|\brequire_once.*(\.jpg|\.gif|\.png|\.bmp|\.txt)|\brequire.*(\.jpg|\.gif|\.png|\.bmp|\.txt)|\bexecute\s*\(+\s*\w+\s*\(+.*\s*\)|\bshell_exec\b|\bpassthru\s*\(|\bwscript\.shell\b|\bShell\.Application\b|\bVBScript\.Encode\b|\bxp_cmdshell\b|\bproc_open\b|\bSystem\.Net\.Sockets\b|\bSystem\.Diagnostics\b|\bSystem\.DirectoryServices\b|\bSystem\.ServiceProcess\b|\bnew\s+Socket\b|\bSystem\.Reflection\.Assembly\.Load\(Request\.BinaryRead\b|\bRuntime\.getRuntime\(\)\.exec\b|clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8|clsid:13709620-C279-11CE-A49E-444553540000|clsid:0D43FE01-F093-11CF-8940-00A0C9054228|clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B|\bLANGUAGE\s*=\s*[\"]?\s*(vbscript|jscript|javascript).encode\b|'?e'?\.?'?v'?\.?'?a'?\.?'?l'")
p_file = re.compile(r"\.php$|\.java$|\.jpg$|\.gif$|\.png$|\.jpeg$")
def FileHandler(ev,filename):
# find file
match = p_file.search(filename)
if match == None:
return False
e = os.path.exists(filename)
if e == False:
return False
# read file
filecontent = ''
file = open(filename)
while True:
lines = file.readlines(100000)
if not lines:
break
for line in lines:
filecontent = filecontent +line
#print filecontent
match = pattern.finditer(filecontent)
mlist = list(match)
num = len(mlist)
if num >0:
nowtime = datetime.datetime.now().strftime("%Y-%m-%d %H:%M")
#message_body = ''
message_body = ev + filename + '\n\nDangerous keywords :\n'
print '\n',nowtime,' ',ev,filename,', Matching number : ',num,'\nMatching Result: ',
for m in mlist:
print m.group(),
message_body = message_body + ' | ' + m.group()
print '\n'
Send_Email = send_email(host,username,password)
Send_Email.do_send(email_from,send_to,subject,message_body)
Send_Email.do_close()
else:
#print '\nFalse, ',ev,filename,'\n'
pass
# Send mail Module class
class send_email():
datetime = datetime.datetime.now().strftime("%Y-%m-%d %H:%M")
errmsg = "Maybe something wrong happed! %s"
def __init__(self,host,username,password,port=25):
self.host = host
self.username = username
self.password = password
self.port = port
self.do_connect()
def do_connect(self):
self.smtp = smtplib.SMTP()
try:
self.smtp.connect(self.host +':'+ str(self.port))
self.smtp.login(self.username,self.password)
#except smtplib.SMTPException,e:
except Exception,e:
print self.errmsg % e
sys.exit(2)
def make_email_body(self):
self.email_body = MIMEMultipart()
self.email_body['From'] = self.email_from
self.email_body['To'] = self.send_to
self.email_body['Subject'] = self.subject
message = MIMEText(self.message_body)
self.email_body.attach(message)
def do_send(self,email_from,send_to,subject,message_body):
self.email_from = email_from
self.send_to = send_to
self.subject = subject
self.message_body = message_body + "\n=========================\n0x001 Sov.WAF" + self.datetime
self.make_email_body()
try:
self.smtp.sendmail(self.email_from,self.send_to,self.email_body.as_string())
except smtplib.SMTPException,e:
print self.errmsg % e
sys.exit(2)
def do_close(self):
self.smtp.quit()
print "Mail sent to %s at %s." % (self.send_to,self.datetime)
#==== Monitor ====#
wm = pyinotify.WatchManager() # Watch Manager
mask = pyinotify.IN_CREATE | pyinotify.IN_MODIFY # watched events
class EventHandler(pyinotify.ProcessEvent):
def process_IN_CREATE(self, event):
#print "Creating:", event.pathname
FileHandler("Creating:",event.pathname)
def process_IN_MODIFY(self, event):
#print "Modify:", event.pathname
FileHandler("Modify:",event.pathname)
handler = EventHandler()
notifier = pyinotify.Notifier(wm, handler)
wdd = wm.add_watch(sys.argv[1], mask, rec=True)
notifier.loop()
from: ?p=683