【python】找呀找呀找webshell

写了一个py脚本,用来找服务器被人留下的webshell。

之前是自己递归列举文件,现在改用 os.walk 遍历目录,快了些。

改动最大的就是正则了,看上去像样不少。

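# Same patterns as in the full script below, written as raw strings so that
# ``\w`` stays a regex escape instead of an invalid string escape (newer
# Pythons warn on the plain '...' form). ``{,n}`` means ``{0,n}``.
(
		r'[_ ]{,1}[pP][aA][sS][sS][\w ]{,20}= {,3}[\'"]{1,4}.{,33}',
		r'[_ ]{,1}[pP][Ww][\w ]{,20}= {,3}[\'"]{1,4}.{,33}',
		r'[mM][mM] {,20}= {,3}[\'"]{1,4}.{,33}',
		r'[mM][iI][mM][aA] {,20}= {,3}[\'"]{1,4}.{,33}',
		r'<[pP][aA][sS][sS].{,33}</[pP][aA][sS][sS]'
		)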


地址,路过的一定要star哦:

https://github.com/donghouhe/find_horse_finished/blob/master/horse.py


#!/usr/bin/env python
# encoding: utf-8
# 2015-2-5
'''
      ___           ___           ___           ___     
     /\  \         /\  \         /\__\         /\  \    
    /::\  \       /::\  \       /::|  |       /::\  \   
   /:/\:\  \     /:/\:\  \     /:|:|  |      /:/\:\  \  
  /:/  \:\__\   /:/  \:\  \   /:/|:|  |__   /:/  \:\  \ 
 /:/__/ \:|__| /:/__/ \:\__\ /:/ |:| /\__\ /:/__/_\:\__ \:\  \ /:/  / \:\  \ /:/  / \/__|:|/:/  / \:\  /\ \/__/
  \:\  /:/  /   \:\  /:/  /      |:/:/  /   \:\ \:\__\  
   \:\/:/  /     \:\/:/  /       |::/  /     \:\/:/  /  
    \::/__/       \::/  /        /:/  /       \::/  /   
     ~~            \/__/         \/__/         \/__/    
'''

import io
import os
import re
import sys
import time

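# Heuristic signatures for the credential check a dropped webshell usually
# carries: ``$pass = "..."``, ``$pw='...'``, ``$mm = "..."`` / ``$mima = "..."``
# ("mima" is pinyin for password) and a ``<pass>...</pass>`` element.
# Raw strings keep ``\w`` a regex escape rather than an invalid string escape
# (newer Pythons warn on the plain '...' form); ``{,n}`` means ``{0,n}``.
# These are indicators, not proof: expect hits on any config file that stores
# a credential, so review each reported file by hand.
rulelist = (
		r'[_ ]{,1}[pP][aA][sS][sS][\w ]{,20}= {,3}[\'"]{1,4}.{,33}',
		r'[_ ]{,1}[pP][Ww][\w ]{,20}= {,3}[\'"]{1,4}.{,33}',
		r'[mM][mM] {,20}= {,3}[\'"]{1,4}.{,33}',
		r'[mM][iI][mM][aA] {,20}= {,3}[\'"]{1,4}.{,33}',
		r'<[pP][aA][sS][sS].{,33}</[pP][aA][sS][sS]',
		)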

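def scan(path, rules=None, max_size=1024 * 1024):
	"""Walk *path* and print every file whose text matches a webshell heuristic.

	Each regular file under *path* that is smaller than *max_size* bytes and
	does not carry a known binary/compiled extension is read as UTF-8 (bytes
	that do not decode are replaced, not fatal) and searched with each rule in
	turn. The first matching rule is printed with the file's mtime and the
	remaining rules are skipped for that file, so one file yields at most one
	``File:`` / ``Modifed time:`` pair.

	Args:
		path: directory tree to walk with os.walk.
		rules: iterable of regex source strings; when None the module-level
			``rulelist`` is used.
		max_size: files of this many bytes or more are not read (default
			1 MiB); keeps memory bounded and skips most uploads and archives.

	Files that cannot be stat'ed or opened (dangling symlink, permission
	denied, removed mid-walk) are skipped silently, matching what os.walk
	already does for unreadable directories.
	"""
	# Compared against the lower-cased name, so '.JPG' and '.Png' are skipped alike.
	skip_ext = ('.java', '.jar', '.css', '.class', '.bin', '.exe', '.jpg',
				'.png', '.pdf', '.doc', '.gif')
	# Compile once per scan instead of once per file.
	patterns = [re.compile(rule) for rule in (rulelist if rules is None else rules)]
	for root, _dirs, files in os.walk(path):
		for name in files:
			realfile = os.path.join(root, name)
			if realfile.lower().endswith(skip_ext):
				continue
			try:
				# One stat() serves both the size gate and the mtime printed below.
				st = os.stat(realfile)
				if st.st_size >= max_size:
					continue
				with io.open(realfile, encoding='utf-8', errors='replace') as fh:
					filestr = fh.read()
			except (IOError, OSError):
				continue
			for pattern in patterns:
				result = pattern.search(filestr)
				if result:
					# Single-argument print gives identical output on Python 2 and 3.
					print('File: %s %s' % (realfile, result.group(0)))
					print('Modifed time: %s' % time.strftime(
						'%Y-%m-%d %H:%M:%S', time.localtime(st.st_mtime)))
					break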

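if __name__ == '__main__':
	# Usage: horse.py /dir -- exactly one argument, the directory tree to scan.
	if len(sys.argv) != 2:
		# Single-argument print gives identical output on Python 2 and 3.
		print('Usage: %s /dir' % sys.argv[0])
		sys.exit(1)
	# isdir rather than lexists: os.walk on a non-directory yields nothing,
	# which would silently look like "no webshells found".
	if not os.path.isdir(sys.argv[1]):
		print('wrong path')
		sys.exit(1)
	print('going')
	scan(sys.argv[1])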


