利用Linux的inotify文件变化通知机制,安装pyinotify扩展后编写出来的监视Webshell的小工具。 当发现目录中新建或更改后的文件中包含有隐藏的 PHP 函数,可被Webshell利用的代码,则马上发送Email到管理员邮件报警 #!/usr/bin/env python import sys import os import re import pyinotify import smtplib import mimetypes import datetime from email.mime.text import MIMEText from email.mime.multipart import MIMEMultipart from email.mime.image import MIMEImage if len(sys.argv) <2: print("\n /*//////////////////////////////////////////"); print(" // Sov Webshell monitoring tool //"); print(" // by:0x001 http://www.0x001.com //"); print(" //////////////////////////////////////////*/\n"); print(' Usage : python SovMonitor.py /web/0x001\n') sys.exit() host = "mail.0x001.com" username = "admin@0x001.com" password = "0x001.com" email_from = "admin@0x001.com" send_to = "admin@0x001.com" subject = "Critical alarm from SovMonitor!" pattern = re.compile(r"\bserver.execute\s+request|\bexecute\s+request|\beval\s+request|\beval_r\s+request|\bExecuteGlobal\s+request|\bExecute\s+Session|\bexecute\s*\(+\s*request|\beval\s*\(+\s*request|\beval_r\s*\(+\s*request|\bExecuteGlobal\s*\(+\s*request|\bExecute\s*\(+\s*Session|\s*'\s*:\s*eval|\bServer.CreateObject\s*\(\s*\"ScriptControl\"\s*\)|\bSystem.Reflection.Assembly.Load|\beval\s*\(+\s*\$|\beval_r\s*\(+\s*\$|\bassert\s*\(+\s*\$|`\$_Request\[.*`|`\$_GET\[.*`|`\$_POST\[.*`|\.ExecuteStatement\s*\(|\bnew\s+WebAdmin2Y|\beval\s*\(\s*@?base64_decode\s*\(|\beval\s*\(\s*@?gzuncompress\s*\(\s*@?base64_decode\(|\binclude.*(\.jpg|\.gif|\.png|\.bmp|\.txt)|\brequire_once.*(\.jpg|\.gif|\.png|\.bmp|\.txt)|\brequire.*(\.jpg|\.gif|\.png|\.bmp|\.txt)|\bexecute\s*\(+\s*\w+\s*\(+.*\s*\)|\bshell_exec\b|\bpassthru\s*\(|\bwscript\.shell\b|\bShell\.Application\b|\bVBScript\.Encode\b|\bxp_cmdshell\b|\bproc_open\b|\bSystem\.Net\.Sockets\b|\bSystem\.Diagnostics\b|\bSystem\.DirectoryServices\b|\bSystem\.ServiceProcess\b|\bnew\s+Socket\b|\bSystem\.Reflection\.Assembly\.Load\(Request\.BinaryRead\b|\bRuntime\.getRuntime\(\)\.exec\b|clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8|clsid:13709620-C279-11CE-A49E-444553540000|clsid:0D43FE01-F093-11CF-8940-00A0C9054228|clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B|\bLANGUAGE\s*=\s*[\"]?\s*(vbscript|jscript|javascript).encode\b|'?e'?\.?'?v'?\.?'?a'?\.?'?l'") p_file = re.compile(r"\.php$|\.java$|\.jpg$|\.gif$|\.png$|\.jpeg$") def FileHandler(ev,filename): # find file www.2cto.com match = p_file.search(filename) if match == None: return False e = os.path.exists(filename) if e == False: return False # read file filecontent = '' file = open(filename) while True: lines = file.readlines(100000) if not lines: break for line in lines: filecontent = filecontent +line #print filecontent match = pattern.finditer(filecontent) mlist = list(match) num = len(mlist) if num >0: nowtime = datetime.datetime.now().strftime("%Y-%m-%d %H:%M") #message_body = '' message_body = ev + filename + '\n\nDangerous keywords :\n' print '\n',nowtime,' ',ev,filename,', Matching number : ',num,'\nMatching Result: ', for m in mlist: print m.group(), message_body = message_body + ' | ' + m.group() print '\n' Send_Email = send_email(host,username,password) Send_Email.do_send(email_from,send_to,subject,message_body) Send_Email.do_close() else: #print '\nFalse, ',ev,filename,'\n' pass # Send mail Module class class send_email(): datetime = datetime.datetime.now().strftime("%Y-%m-%d %H:%M") errmsg = "Maybe something wrong happed! %s" def __init__(self,host,username,password,port=25): self.host = host self.username = username self.password = password self.port = port self.do_connect() def do_connect(self): self.smtp = smtplib.SMTP() try: self.smtp.connect(self.host +':'+ str(self.port)) self.smtp.login(self.username,self.password) #except smtplib.SMTPException,e: except Exception,e: print self.errmsg % e sys.exit(2) def make_email_body(self): self.email_body = MIMEMultipart() self.email_body['From'] = self.email_from self.email_body['To'] = self.send_to self.email_body['Subject'] = self.subject message = MIMEText(self.message_body) self.email_body.attach(message) def do_send(self,email_from,send_to,subject,message_body): self.email_from = email_from self.send_to = send_to self.subject = subject self.message_body = message_body + "\n=========================\n0x001 Sov.WAF" + self.datetime self.make_email_body() try: self.smtp.sendmail(self.email_from,self.send_to,self.email_body.as_string()) except smtplib.SMTPException,e: print self.errmsg % e sys.exit(2) def do_close(self): self.smtp.quit() print "Mail sent to %s at %s." % (self.send_to,self.datetime) #==== Monitor ====# wm = pyinotify.WatchManager() # Watch Manager mask = pyinotify.IN_CREATE | pyinotify.IN_MODIFY # watched events class EventHandler(pyinotify.ProcessEvent): def process_IN_CREATE(self, event): #print "Creating:", event.pathname FileHandler("Creating:",event.pathname) def process_IN_MODIFY(self, event): #print "Modify:", event.pathname FileHandler("Modify:",event.pathname) handler = EventHandler() notifier = pyinotify.Notifier(wm, handler) wdd = wm.add_watch(sys.argv[1], mask, rec=True) notifier.loop() from: http://www.0x001.com/?p=683
查看更多关于Python利用inotify监视目录防Webshell - 网站安全 - 自的详细内容...