#!/bin/sh
# sploitfind: list possible exploit scripts and optionally email output
# usage: sploitfind [-a] [-c] [-m <emailaddress>] [egrep pattern]
#        -m : email output to <emailaddress> instead of writing to stdout
#        -a : shows all files not just changes since last run
#        -c : shows matching lines with context

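PATH=/bin:/usr/bin:/usr/local/bin
export PATH
# Byte-wise collation for sort/comm/grep.  LC_ALL overrides any LANG/LC_*
# already in the environment (cron, sudo); a plain LANG=C does not, and a
# differently-collated sort would make comm(1) report bogus "changes".
LC_ALL=C
export LC_ALL

# Default pattern - edit this for the site.  It is an extended regular
# expression (grep -E), matched case-insensitively; a pattern given on the
# command line replaces it entirely.
sploitpattern='r0nin|m0rtix|r57shell|c99shell|phpshell|void\.ru|phpremoteview|cgitelnet|webadmin|PHPShell|tryag|r57shell|c99shell|sniper|noexecshell|/etc/passwd|revengans|directmail|bash_history|\.ru/|brute *force'

# process command line options
progname=$(basename -- "$0")

usage() {
        echo "$progname: usage: $progname [-a] [-c] [-m <emailaddress>] [egrep pattern]" >&2
        exit 1
}

domail=false showall=false showcontext=false email=
# getopts is a shell builtin, so there is no "eval set -- $(getopt ...)":
# the legacy getopt(1) output is unquoted, and an argument containing
# quotes, spaces or $(...) was re-parsed as shell code by eval.
while getopts 'acm:' opt; do
        case "$opt" in
                a) showall=true ;;
                c) showcontext=true ;;
                m) domail=true; email=$OPTARG ;;
                *) usage ;;
        esac
done
shift $((OPTIND - 1))
if $domail; then
        # mail(1) does not reliably honour "--", so an address that is empty
        # or starts with "-" would be taken as a mail option: refuse it.
        case "$email" in
                ''|-*) usage ;;
        esac
fi
if [ $# -gt 0 ]; then
        sploitpattern=$1
fi

sploitdir=/var/run/sploitfind
last=$sploitdir/last
this=$sploitdir/this
pid=$sploitdir/pid

# State directory (0700) and temp files are private to the invoking user.
umask 077

if [ ! -d "$sploitdir" ]; then
        mkdir -- "$sploitdir" || exit 2
fi

# Exit if another instance is running.  Only a purely numeric pid is trusted:
# an empty or corrupt pid file would otherwise become "kill -0" with no or a
# bogus argument (e.g. "kill -0 -1" signals every process and succeeds for
# root), leaving the script permanently "already running".  The test-then-
# write is not atomic; two instances started in the same instant can both
# proceed, as in the original.
if [ -f "$pid" ]; then
        oldpid=$(cat -- "$pid" 2>/dev/null)
        case "$oldpid" in
                ''|*[!0-9]*) ;;
                *) kill -0 "$oldpid" >/dev/null 2>&1 && exit 3 ;;
        esac
fi
echo $$ > "$pid"

# Clean up on every exit path.  The trap is installed only after the pid
# check, so an instance that exits 3 never deletes the running instance's
# pid file; the ${var:+...} forms keep rm quiet if mktemp below failed.
tmpout= tmpout2=
trap 'rm -f -- "$pid" ${tmpout:+"$tmpout"} ${tmpout2:+"$tmpout2"}' 0 1 2 3 15

# Unpredictable temp names: this runs as root, and a fixed /tmp/sploit.$$
# can be pre-created or symlinked by any local user before the script
# writes to it.
tmpout=$(mktemp "${TMPDIR:-/tmp}/sploit.XXXXXX") || exit 2
tmpout2=$(mktemp "${TMPDIR:-/tmp}/sploit.XXXXXX") || exit 2

# Search for files containing sploitpattern.
# -type f: regular files only, so a user-planted symlink "x.php -> /etc/shadow"
#          is never opened (and, with -c, quoted) by the root-run grep.
# -e/--:   a pattern or file name starting with "-" is not parsed as an option.
# /dev/null keeps grep -l printing file names even when xargs passes one file.
# Names are NUL-delimited through xargs, but the state files are one name per
# line, so a file name containing a newline still cannot be tracked correctly.
find /home -type f \( -name '*.php' -o -name '*.cgi' \) -print0 |
        xargs -0 grep -E -il -e "$sploitpattern" -- /dev/null | sort > "$this"

if [ -f "$last" ] && ! $showall; then
        # show only names added since last run (both files are LC_ALL=C sorted)
        comm -13 "$last" "$this" > "$tmpout"
else
        # show all output
        cat "$this" > "$tmpout"
fi
mv -f -- "$this" "$last"

if $showcontext; then
        # IFS= and -r keep leading blanks and backslashes in names intact.
        while IFS= read -r filename; do
                grep -E -iC3 -e "$sploitpattern" -- "$filename" /dev/null
                echo; echo "------"; echo
        done < "$tmpout" > "$tmpout2"
        mv -f -- "$tmpout2" "$tmpout"
fi

if $domail; then
        # send mail only if there is any output
        if [ -s "$tmpout" ]; then
                mail -s "Possible exploit scripts on $(hostname)" "$email" < "$tmpout" || exit 2
        fi
else
        # output sent to stdout
        cat "$tmpout"
fi
exit 0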