My simple example of a script that can help you detect malware on your website.


This script will scan files on your server for suspicious patterns commonly found in malware.

This is a basic implementation and may not catch all types of malware, but it can be a good starting point.

Python Script to Detect Malware

This script scans files in your web directory for suspicious patterns.

You can run this script on your backend server.

Instructions

  1. Save the Script: Save the script as malware_scan.py on your server.
  2. Adjust the Directory: Modify the SCAN_DIR variable to point to your web directory. For example, if your website files are in /var/www/html, set SCAN_DIR = '/var/www/html'.
  3. Run the Script: Execute the script using Python:

Bash

python3 malware_scan.py

Copy the code below and save it as malware_scan.py:

Python

import os
import re

# Define the directory to scan
SCAN_DIR = '/path/to/your/web/directory'

# Define suspicious patterns to look for
suspicious_patterns = [
    re.compile(r'<\?php\s*eval\('),  # PHP eval() function
    re.compile(r'base64_decode\('),  # base64 decode
    re.compile(r'shell_exec\('),     # shell execution
    re.compile(r'passthru\('),       # passthru function
    re.compile(r'system\('),         # system function
    re.compile(r'popen\('),          # popen function
    re.compile(r'proc_open\('),      # proc_open function
    re.compile(r'iframe'),           # iframes (often used in XSS attacks)
    re.compile(r'<script'),          # script tags
    re.compile(r'var_dump\('),       # var_dump function (sometimes used maliciously)
    re.compile(r'gzuncompress\('),   # gzuncompress function
    re.compile(r'php_uname\('),      # php_uname function
]

def scan_file(file_path):
    """Scan a single file for suspicious patterns."""
    try:
        with open(file_path, 'r', encoding='utf-8', errors='ignore') as file:
            content = file.read()
            for pattern in suspicious_patterns:
                if pattern.search(content):
                    print(f'Suspicious pattern found in {file_path}')
                    return True
    except Exception as e:
        print(f'Error reading {file_path}: {e}')
    return False

def scan_directory(directory):
    """Recursively scan a directory for suspicious files."""
    for root, _, files in os.walk(directory):
        for file in files:
            file_path = os.path.join(root, file)
            scan_file(file_path)

if __name__ == '__main__':
    scan_directory(SCAN_DIR)
    print('Scan complete.')


Explanation

  • Patterns: The script uses regular expressions to define suspicious patterns commonly found in malware. You can add or remove patterns as needed.
  • Scanning: It recursively scans through all files in the specified directory, checking each file for the defined patterns.
  • Reporting: If a suspicious pattern is found, it prints the file path.

This script is a basic example and should be part of a larger security strategy. For more comprehensive protection, consider integrating it with other security tools and regularly updating the patterns based on the latest threats.
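The scanner above only reports that some pattern matched, and its bare 'iframe' and '<script' checks will flag every legitimate HTML template. The following is an added example, not code from the article, that names each pattern, reports the line number and an excerpt for every hit, restricts scanning to file types that can carry code, and runs over a constructed in-memory sample tree (the path-to-content mapping stands in for os.walk so it works offline; all file names and contents are made up):

```python
import os
import re
from typing import Dict, List, Tuple

# Named patterns so a hit reports which function matched; the article's bare
# 'iframe' and '<script' checks are omitted because they fire on every template.
PATTERNS = {
    "eval": re.compile(r'\beval\s*\('),
    "base64_decode": re.compile(r'base64_decode\s*\('),
    "shell_exec": re.compile(r'shell_exec\s*\('),
    "passthru": re.compile(r'\bpassthru\s*\('),
    "system": re.compile(r'\bsystem\s*\('),
    "popen": re.compile(r'\bpopen\s*\('),
    "proc_open": re.compile(r'proc_open\s*\('),
    "gzuncompress": re.compile(r'gzuncompress\s*\('),
    "php_uname": re.compile(r'php_uname\s*\('),
}
# Only file types that can carry server-side or client-side code are scanned.
SCAN_EXTENSIONS = {".php", ".phtml", ".inc", ".js", ".html", ".htm"}

def scan_content(content: str) -> List[Tuple[str, int, str]]:
    """Return (pattern_name, line_number, line_excerpt) for every hit in one file."""
    findings = []
    for lineno, line in enumerate(content.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((name, lineno, line.strip()[:80]))
    return findings

def scan_tree(files: Dict[str, str]) -> Dict[str, List[Tuple[str, int, str]]]:
    """Scan a path -> content mapping (stands in for os.walk so this runs offline)."""
    report = {}
    for path, content in files.items():
        if os.path.splitext(path)[1].lower() not in SCAN_EXTENSIONS:
            continue
        hits = scan_content(content)
        if hits:
            report[path] = hits
    return report

# Constructed sample web root: a clean page, a dropped file that decodes and
# evaluates a blob, a binary asset, and vendor code that legitimately uses gzuncompress.
SAMPLE_FILES = {
    "site/index.php": "<?php\n$title = 'Hello';\necho $title;\n",
    "site/uploads/cache.php": "<?php\n$data = file_get_contents('d.txt');\neval(base64_decode($data));\n",
    "site/assets/logo.png": "\x89PNG\r\n\x1a\n...binary...",
    "site/vendor/lib.php": "<?php\n// gzuncompress is expected here but still worth a look\n$raw = gzuncompress($blob);\n",
}
```

A hit in vendor code such as lib.php is not proof of compromise; the per-pattern report lets a reviewer triage it quickly instead of treating every flagged file alike.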

To enhance the security of your website, we can implement several additional measures:

  1. Detect and Block VPNs/Proxies: Use an API service that provides information on IP addresses, such as IPQualityScore or IP2Proxy, to detect and block requests from VPNs and proxies.
  2. Allow Only Authenticated Users with Valid Keys: Implement API key authentication and ensure only requests with valid keys are processed.
  3. Prevent Unauthorised Changes to System Files: Use file integrity monitoring to detect unauthorised changes to system files.
  4. Secure API Calls: Enforce HTTPS and validate all inputs to prevent SQL injection and other attacks.

Here is an extended Python script implementing these features:

Step 1: Add Dependencies

You might need to install some additional libraries:

Bash

pip install requests

Step 2: Copy the code below and implement it (save it as security_script.py):

Python

import os
import re
import time
import hashlib
import requests

# Define the directory to scan
SCAN_DIR = '/path/to/your/web/directory'

# Define suspicious patterns to look for
suspicious_patterns = [
    re.compile(r'<\?php\s*eval\('),
    re.compile(r'base64_decode\('),
    re.compile(r'shell_exec\('),
    re.compile(r'passthru\('),
    re.compile(r'system\('),
    re.compile(r'popen\('),
    re.compile(r'proc_open\('),
    re.compile(r'iframe'),
    re.compile(r'<script'),
    re.compile(r'var_dump\('),
    re.compile(r'gzuncompress\('),
    re.compile(r'php_uname\('),
]

# Define a list of valid API keys
VALID_API_KEYS = {'your-valid-api-key-1', 'your-valid-api-key-2'}

# IP Quality Score API URL (replace with your API key and URL)
IPQS_API_URL = 'https://ipqualityscore.com/api/json/ip/YOUR_API_KEY/'

# Seconds to wait between integrity checks, so the monitor does not spin at 100% CPU
MONITOR_INTERVAL = 60

def scan_file(file_path):
    """Scan a single file for suspicious patterns."""
    try:
        with open(file_path, 'r', encoding='utf-8', errors='ignore') as file:
            content = file.read()
            for pattern in suspicious_patterns:
                if pattern.search(content):
                    print(f'Suspicious pattern found in {file_path}')
                    return True
    except Exception as e:
        print(f'Error reading {file_path}: {e}')
    return False

def scan_directory(directory):
    """Recursively scan a directory for suspicious files."""
    for root, _, files in os.walk(directory):
        for file in files:
            file_path = os.path.join(root, file)
            scan_file(file_path)

def is_valid_ip(ip):
    """Check if an IP address is from a VPN or Proxy."""
    try:
        # A timeout stops a slow or unreachable API from hanging the request
        response = requests.get(IPQS_API_URL + ip, timeout=10)
        data = response.json()
        if data.get('proxy', False):
            print(f'Blocked proxy/VPN IP: {ip}')
            return False
    except Exception as e:
        # Note: errors contacting the API fail open, i.e. the IP is allowed through
        print(f'Error checking IP {ip}: {e}')
    return True

def is_valid_api_key(api_key):
    """Check if the API key is valid."""
    return api_key in VALID_API_KEYS

def validate_request(request):
    """Validate incoming API requests."""
    ip = request.get('ip')
    api_key = request.get('api_key')
    if not is_valid_api_key(api_key):
        print('Invalid API key')
        return False
    if not is_valid_ip(ip):
        print('Invalid IP address')
        return False
    return True

def file_hash(file_path):
    """Compute SHA256 hash of a file."""
    sha256_hash = hashlib.sha256()
    try:
        with open(file_path, 'rb') as file:
            for byte_block in iter(lambda: file.read(4096), b""):
                sha256_hash.update(byte_block)
        return sha256_hash.hexdigest()
    except Exception as e:
        print(f'Error reading {file_path}: {e}')
    return None

def monitor_files(directory):
    """Monitor files for unauthorized changes."""
    file_hashes = {}
    for root, _, files in os.walk(directory):
        for file in files:
            file_path = os.path.join(root, file)
            file_hashes[file_path] = file_hash(file_path)
    while True:
        for file_path, old_hash in file_hashes.items():
            new_hash = file_hash(file_path)
            if new_hash != old_hash:
                print(f'File changed: {file_path}')
                file_hashes[file_path] = new_hash
        time.sleep(MONITOR_INTERVAL)

if __name__ == '__main__':
    scan_directory(SCAN_DIR)
    print('Initial scan complete.')

    # Example of validating an API request
    example_request = {'ip': '8.8.8.8', 'api_key': 'your-valid-api-key-1'}
    if validate_request(example_request):
        print('Request is valid.')
    else:
        print('Request is invalid.')

    # Start monitoring files for changes
    monitor_files(SCAN_DIR)

Bash

python3 security_script.py
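The monitor_files routine above only tracks files that existed when it started, so a file dropped into the web root later is never reported, and its baseline lives only in memory. The following is an added example, not code from the article, that snapshots a directory to SHA-256 digests, serialises the baseline with json so it can be stored outside the web root, and reports added, removed and modified files; the scenario runs in a temporary directory with constructed file names and contents:

```python
import hashlib
import json
import os
import tempfile
from typing import Dict, List

def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 in 4 KiB blocks, as the article's file_hash does."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(4096), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(directory: str) -> Dict[str, str]:
    """Map every file under directory (path relative to it) to its SHA-256 digest."""
    result = {}
    for root, _, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            result[os.path.relpath(full, directory)] = sha256_of(full)
    return result

def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files that appeared, disappeared, or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }

def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a baseline, then edit one file, add one and delete one."""
    with tempfile.TemporaryDirectory() as web:
        os.makedirs(os.path.join(web, "uploads"))
        with open(os.path.join(web, "index.php"), "w") as f:
            f.write("<?php echo 'hi';\n")
        with open(os.path.join(web, "config.php"), "w") as f:
            f.write("<?php $db = 'prod';\n")
        # Serialise the baseline; in production store it where the web server
        # account cannot write, otherwise an intruder can simply re-baseline.
        stored = json.dumps(snapshot(web))
        with open(os.path.join(web, "config.php"), "a") as f:
            f.write("$db = 'changed';\n")           # modified
        with open(os.path.join(web, "uploads", "new.php"), "w") as f:
            f.write("<?php // dropped later\n")     # added
        os.remove(os.path.join(web, "index.php"))   # removed
        return diff_snapshots(json.loads(stored), snapshot(web))
```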

The following lists the Python libraries used in security_script.py, gives the command to install each one using pip, and then the command to run the script.

Libraries Used

  1. os: This is a standard Python library, so you don't need to install it.
  2. re: This is a standard Python library, so you don't need to install it.
  3. requests: You need to install this library.
  4. hashlib: This is a standard Python library, so you don't need to install it.

Install Command for Requests Library

To install the requests library, use the following command:

Bash

pip install requests

Full List of Libraries and Installation Commands

  • os: Standard library (no installation needed)
  • re: Standard library (no installation needed)
  • requests: Install with pip install requests
  • hashlib: Standard library (no installation needed)

Command to Run the Script

Once you have installed the necessary libraries, you can run the script using the following command:


Bash

python3 security_script.py

Summary of Commands

Install the requests library: pip install requests

Run the script: python3 security_script.py

These commands will ensure that all necessary libraries are installed and the script can be executed successfully.

GOOD LUCK

THIS DOCUMENT IS WRITTEN AND EDITED BY EVANGELOS TAXIARCIS FOR THE BENEFIT OF GLOBAL ONLINE SECURITY
