Scanning Files...

Posted: Wed Jun 11, 2008 9:14 am
by syntax24
Here's something I've been curious about... how does one go about scanning files.... like for example one of my client's sites got hacked... had an iframe that was malicious at the bottom of most pages. The static pages were easy to find. However, the 3rd party software had thousands of files that were included and whatnot, which I had to look through. It would be very convenient if I could just have a simple script run that checks EVERY script it can find in a directory for something like <iframe* or javascript:* and shows me every example of such code. Then I could confirm which ones were good, and any that were bad, I would know which file they are in.

Is it possible to somewhat scan other files like this?

And if so, could a web-based version be made to scan compressed files, allowing webmasters to upload their files which may be infected and run a scan?

Just curious. I can honestly do it the old-fashioned way should it happen again.

Re: Scanning Files...

Posted: Wed Jun 11, 2008 9:21 am
by aceconcepts
It can be done. Take a look at http://uk3.php.net/manual/en/function.fopen.php and you will also need to use a string searching function of some sort.

Re: Scanning Files...

Posted: Wed Jun 11, 2008 12:14 pm
by anti.veeranna
The best way is to use grep from the shell, it's quite fast :)

The PHP way however looks something like this:

<?php
// list file extensions that you care about here
$extensions = array('php','inc');
 
foreach(new RecursiveIteratorIterator(new RecursiveDirectoryIterator('.')) as $Item)
{
    if ($Item->isFile() and in_array(pathinfo($Item->getFilename(),PATHINFO_EXTENSION),$extensions))
    {
        // SplFileObject keys are zero-based, so add 1 to get the editor's line number
        foreach($Item->openFile() as $linenum => $line)
        {
            // add the code to check your pattern here
            if (stripos($line,'<iframe') !== false) {
                echo $Item->getPathname(), ':', $linenum + 1, ' ', $line;
            }
        }
    }
}
 
It will print out the path, name, line number and line for all the files that match the pattern in the current directory and all subdirectories recursively.

You probably need to change the stripos call to match your own pattern.

The "." (dot) in the RecursiveDirectoryIterator constructor stands for the current directory (the one this script is in); if you want to use the script on any other directory, replace the dot with the name of that directory.
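
The shell route mentioned in the last reply, covering both patterns from the first post and the compressed-upload question, as an added example that is not code from anyone in this thread. The function names, the extension list, the `.tar.gz` archive format and the sample tree are all assumptions made for illustration.

```sh
#!/bin/sh
# Added example. The pattern and extension lists are assumptions; extend both as needed.
PATTERNS='<iframe|javascript:'

# scan_tree DIR: print every hit as "path:line:text" (grep line numbers are 1-based).
scan_tree() {
    # -type f skips symlinks; /dev/null makes grep print the file name even when
    # it is handed a single file. grep exits 1 on "no match", which is fine here.
    find "$1" -type f \( -name '*.php' -o -name '*.inc' -o -name '*.html' \
        -o -name '*.htm' -o -name '*.js' \) \
        -exec grep -niE -e "$PATTERNS" /dev/null {} + || true
}

# hit_counts DIR: "count path" per file with hits, busiest first.
# Assumes no ':' in path names.
hit_counts() {
    scan_tree "$1" | awk -F: '{ c[$1]++ } END { for (f in c) print c[f], f }' | sort -rn
}

# scan_archive FILE.tar.gz: unpack into a throwaway directory, scan, clean up.
# Nothing from the archive is executed; hits are reported relative to its root.
scan_archive() {
    tmp=$(mktemp -d) || return 1
    rc=1
    if tar -xzf "$1" -C "$tmp"; then
        (cd "$tmp" && scan_tree .)
        rc=0
    fi
    rm -rf "$tmp"
    return "$rc"
}

# make_sample: build a small constructed tree (harmless sample content) and print its path.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/lib"
    printf '<html>\n<body>hi</body>\n<IFRAME src="http://example.invalid/x"></iframe>\n' > "$d/index.php"
    printf '<?php\necho "ok";\n' > "$d/lib/clean.inc"
    printf '<a href="javascript:void(0)">menu</a>\n' > "$d/lib/menu.html"
    printf '<iframe src=x>\n' > "$d/lib/notes.txt"   # extension not in the list: skipped
    echo "$d"
}

# Usage: sh scan.sh /path/to/site
if [ $# -gt 0 ]; then scan_tree "$1"; fi
```

Every hit still needs a manual look, since legitimate templates also contain iframes and `javascript:` links; `hit_counts` only shows which files to open first.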