Dec 01 2014

From https://github.com/fox-it/cryptophp/tree/master/scripts

fox-it made the following Python scripts to help administrators detect and identify CryptoPHP. The scripts require Python (preferably 2.7) to run.

RAW: https://raw.githubusercontent.com/fox-it/cryptophp/master/scripts/check_filesystem.py

Install:

cd /usr/local/src
wget --no-check-certificate https://raw.githubusercontent.com/fox-it/cryptophp/master/scripts/check_filesystem.py
chmod +x check_filesystem.py
./check_filesystem.py /home

Example Usage:

./check_filesystem.py --help
Usage: check_filesystem.py [options] directory|file [directory2|file2] [..]

Options:
  -h, --help            show this help message and exit
  -n, --no-color        no color output [default: False]
  -p PATTERNS, --patterns=PATTERNS
                        scan only files matching the patterns (comma
                        seperated) [default: *.png,*.gif,*.jpg,*.bmp]

To scan your whole system (it can take a while), run:

./check_filesystem.py

Or scan a specific directory, for example /home:

./check_filesystem.py /home

Files will be reported either as suspicious or as a confirmed CryptoPHP shell, as follows:

File matching patterns: ['*.png', '*.gif', '*.jpg', '*.bmp']
Recursively scanning directory: /
 /home/www/social.png: CRYPTOPHP DETECTED! (version: 1.0)
 /var/www/images/social.png: CRYPTOPHP DETECTED! (version: 1.0a)
 /tmp/thumbs/admin/assets/images/thumb.png: CRYPTOPHP DETECTED! (version: 0.3x555)

The file-matching patterns can be changed with --patterns. For example, to scan all files regardless of extension, specify:

$ ./check_filesystem.py --patterns '*' /home
File matching patterns: ['*']
Recursively scanning directory: /home
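To illustrate what such a scan is looking for, here is an added example (not fox-it's check_filesystem.py): it walks a directory with the same default patterns and flags image-named files whose contents are not an image at all, as with the social.png hits above. It assumes only the four default extensions and a literal `<?php` marker; how the fox-it script recognises specific CryptoPHP versions is not shown on this page.

```python
"""Added example, not fox-it's check_filesystem.py: flag files that carry an image
extension but do not look like images (e.g. PHP source stored as social.png)."""
import fnmatch, os, tempfile

DEFAULT_PATTERNS = ["*.png", "*.gif", "*.jpg", "*.bmp"]  # same defaults as the page's script

# Magic bytes a genuine file of each type starts with (assumption: only these four formats)
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".bmp": (b"BM",),
}

def classify(path, head):
    """Return None for a plausible image, otherwise a short reason string."""
    expected = MAGIC.get(os.path.splitext(path)[1].lower())
    if expected and not head.startswith(expected):
        if b"<?php" in head:
            return "PHP code in image-named file"
        return "header does not match extension"
    return None

def scan(root, patterns=DEFAULT_PATTERNS):
    """Walk root recursively and collect (path, reason) for every suspicious match."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not any(fnmatch.fnmatch(name, p) for p in patterns):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)  # the header is enough to decide
            except OSError:
                continue  # unreadable (e.g. permission denied): skip rather than abort the scan
            reason = classify(path, head)
            if reason:
                hits.append((path, reason))
    return hits

def demo():
    """Constructed sample tree: one real PNG header, one PHP file named social.png."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\0" * 32)
    with open(os.path.join(root, "social.png"), "wb") as fh:
        fh.write(b"<?php echo 'constructed sample'; ?>")
    return [(os.path.basename(p), r) for p, r in scan(root)]
```

Run `demo()` to see the constructed social.png flagged while the genuine PNG header passes; point `scan()` at a web root to apply the same check to real files.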
Posted by at 2:04 pm