Created
October 14, 2012 06:17
palimadra created this gist
Oct 14, 2012 .There are no files selected for viewing
@@ -0,0 +1,91 @@ <html><head><title>Find String</title></head><body> <?php // upload the file to the root and access the file via a browser. //It may take time to run so be patient as it will check all the files in the root and the directories in the root // Most hosting services will have a time limit on how long a php script can run, typically 30 seconds. // On large sites with a lot of files this script may not be able to find and check all files within the time limit. // If you get a time out error you can try over riding the default time limits by removing the // in the front of these two lines. // ini_set('max_execution_time', '0'); // ini_set('set_time_limit', '0'); // if everything runs properly you should see this in the browser - ./your-file-name.php -> contains base64_decode // if base64 encoding is found you shall see a list of files that contain the obfuscated code // Please remove the file after running the file as it can be dangerous while on the server // The code has been taken from http://blog.aw-snap.info/p/simple-script-to-find-base64decode-in.html and for reference refer to the page find_files('.'); function find_files($seed) { if(! is_dir($seed)) return false; $files = array(); $dirs = array($seed); while(NULL !== ($dir = array_pop($dirs))) { if($dh = opendir($dir)) { while( false !== ($file = readdir($dh))) { if($file == '.' || $file == '..') continue; $path = $dir . '/' . $file; if(is_dir($path)) { $dirs[] = $path; } // the line below tells the script to only check the content of files with a .php extension. // the if{} statement says if you "match" php[\d]? at the end of the file name then check the contents // of the file. The [\d]? 
part means also match if there is a digit \d such as .php4 in the file extension // else { if(preg_match('/\/*\.php[\d]?$/i', $path)) { check_files($path); }} // 07/26/2011 Based on some recent Pharma hacks I have changed the default to check php, js and txt files else { if(preg_match('/^.*\.(php[\d]?|js|txt)$/i', $path)) { check_files($path); }} // if you would like to check other (all) file types you can comment out/un-comment and or modify // the following lines as needed. You can only have one of the else{} statements un-commented. // The first example contains a lengthy OR (the | means OR) statement, the part inside the (), // (php[\d]?|htm|html|shtml|js|asp|aspx) You can add/remove filetypes by modifying this part // (php[\d]?|htm|html|shtml) will only check .php, .htm, .html, .shtml files. // else { if(preg_match('/^.*\.(php[\d]?|htm|html|shtml|js|asp|aspx)$/i', $path)) { check_files($path); }} // In the next else{} statement there is no if{}, no checking of the file extension every file will be checked. // else { check_files($path); } // will check all file types for the code } closedir($dh); }}} function check_files($this_file) { // the variable $str_to_find is an array that contains the strings to search for inside the single quotes. // if you want to search for other strings replace base64_decode with the string you want to search for. $str_to_find[]='base64_decode'; $str_to_find[]='edoced_46esab'; // base64_decode reversed $str_to_find[]='preg_replace'; $str_to_find[]='HTTP_REFERER'; // checks for referrer based conditions $str_to_find[]='HTTP_USER_AGENT'; // checks for user agent based conditions if(!($content = file_get_contents($this_file))) { echo("<p>Could not check $this_file You should check the contents manually!</p>\n"); } else { while(list(,$value)=each($str_to_find)) { if (stripos($content, $value) !== false) { echo("<p>$this_file -> contains $value</p>\n"); } } } unset($content); }?> </body></html>
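Review bot: check_files() echoes `$this_file` into the page unescaped in both messages; on a site that is being scanned because it may be compromised, file names are attacker-influenced, so a crafted name could inject markup into the report seen by whoever runs the scan. The same function treats an empty file as unreadable because it tests the truthiness of `file_get_contents()` rather than comparing with `false`, and its `while(list(,$value)=each(...))` loop fails on PHP 8, where `each()` was removed. The rewrite below escapes the path once, compares with `=== false`, and iterates with `foreach`. Separately, the header comment should say that a clean report only means none of the five literal strings occurred in the scanned extensions, and the commented hint `ini_set('set_time_limit', '0')` names a function rather than an ini directive (`set_time_limit(0)` is the call).

```php
function check_files($this_file)
{
    // … unchanged: $str_to_find list …

    $content = file_get_contents($this_file);
    // Escape once: the path comes from the filesystem being audited, not from trusted input.
    $shown = htmlspecialchars($this_file, ENT_QUOTES, 'UTF-8');

    if ($content === false) {
        echo("<p>Could not check $shown You should check the contents manually!</p>\n");
        return;
    }

    foreach ($str_to_find as $value) {
        if (stripos($content, $value) !== false) {
            echo("<p>$shown -> contains $value</p>\n");
        }
    }
}
```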