Dec 012014
 

From https://github.com/fox-it/cryptophp/tree/master/scripts

fox-it made the following Python scripts to help administrators to detect and identify CryptoPHP. The scripts will require Python (preferably 2.7) to run.

RAW: https://raw.githubusercontent.com/fox-it/cryptophp/master/scripts/check_filesystem.py

Install:
cd /usr/local/src
wget --no-check-certificate https://raw.githubusercontent.com/fox-it/cryptophp/master/scripts/check_filesystem.py
chmod +x check_filesystem.py
./check_filesystem.py /home

Example Usage:

./check_filesystem.py --help
Usage: check_filesystem.py [options] directory|file [directory2|file2] [..]

Options:
-h, --help show this help message and exit
-n, --no-color no color output [default: False]
-p PATTERNS, --patterns=PATTERNS
scan only files matching the patterns (comma
seperated) [default: *.png,*.gif,*.jpg,*.bmp]

To scan your whole system (it can take a while), run:
./check_filesystem.py

Or scan a specific directory, for example /home:
./check_filesystem.py /home

Files will either reported as suspicious or confirmed CryptoPHP shell as follows:

File matching patterns: ['*.png', '*.gif', '*.jpg', '*.bmp']
Recursively scanning directory: /
/home/www/social.png: CRYPTOPHP DETECTED! (version: 1.0)
/var/www/images/social.png: CRYPTOPHP DETECTED! (version: 1.0a)
/tmp/thumbs/admin/assets/images/thumb.png: CRYPTOPHP DETECTED! (version: 0.3x555)

The pattern for file matching can be changed using the –patterns. For example to scan all files you could specify:
$ ./check_filesystem.py --patterns '*.*' /home
File matching patterns: ['*']
Recursively scanning directory: /home

 Posted by at 2:04 pm

 Leave a Reply