Filename :
seosanitizer.sh
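#!/bin/bash
# seosanitizer.sh - find "numeric" SEO-spam PHP droppers and neutralise them.
#
# Uses the locate database to list files named like 1234.php or a1234.php,
# confirms each candidate with four independent checks, then applies the
# requested action and strips the matching redirect lines from the .htaccess
# in the same directory.
#
# Original concept by Jason N.
# Modified heavily by Erik S. to include appropriate error checking,
# logging, and usage.
#
# Review notes:
#   * The script runs as root over paths that account owners control, so
#     every expansion is quoted, symlinked candidates are skipped, and the
#     file name is validated before it is placed in a sed expression.
#   * locate output comes from a database that may be stale; each hit is
#     re-checked on disk before anything is done with it.
#   * The action argument is validated once, before the scan starts.

# Kept from the original: split unquoted expansions on newlines only.
IFS=$'\n'

# This is where we log our actions to.
LOGFILE="/root/seosanitize$(date +%F).log"

# Dry-run is enabled by a second argument of --dryrun (see below). A
# pre-set DRYRUN=TRUE in the environment is still honoured, as before.
DRYRUN=${DRYRUN:-FALSE}

# Only names of this exact shape are acted on. Apart from the dot, no
# character allowed here is a regex metacharacter, so the name can be used
# inside a sed address once the dot is escaped.
readonly NAME_RE='^[a-z]?[0-9]{4,8}\.php$'

readonly DRYRUN_TAG='[DRYRUN - NO ACTION TAKEN]'

###################################
## SCRIPT'S USAGE INFORMATION
###################################
usage() {
  echo
  echo "This script is used to locate and take appropriate action on known PHP/SEO hacks. "
  echo
  echo "usage: seosanitizer.sh <ACTION> [--dryrun]"
  echo
  echo "available actions:"
  echo "    --chmod       : chmod 0000 and chown root the offending file and clean htaccess"
  echo "    --purge       : remove/delete the hacked php script entirely and clean htaccess"
  echo "    --quarantine  : move the hacked php script to ~/quarantine and clean htaccess"
  echo "    --htaccess    : just clean the htaccess redirects, leave the files as they are"
  echo
  echo "note: when you pass --dryrun after action it only SHOWS the actions it would take."
  echo
}

#############################################
## HANDLING FUNCTIONS AND LOGGING
#############################################

# Append one line to $LOGFILE.
#   $1 - path acted on   $2 - action name   $3 - optional suffix
log_action() {
  printf '%s - %s - Checks: 4/4 - Action: %s%s\n' \
    "$(date)" "$1" "$2" "${3:+ $3}" >> "$LOGFILE"
}

# Print a progress line only when running with --dryrun.
dry_note() {
  if [[ $DRYRUN == TRUE ]]; then
    echo "$1"
  fi
}

# Make the confirmed file unreadable and root-owned. Reads global: file.
chmod_file() {
  local rc=0
  if [[ $DRYRUN == TRUE ]]; then
    echo "chmod -c 0000 $file $DRYRUN_TAG "
    echo "chown -c root:root $file $DRYRUN_TAG "
    log_action "$file" "CHMOD" "$DRYRUN_TAG"
    return 0
  fi
  chmod -c 0000 -- "$file" || rc=1
  chown -c root:root -- "$file" || rc=1
  if (( rc == 0 )); then
    log_action "$file" "CHMOD"
  else
    # Do not record an action as done when it did not succeed.
    log_action "$file" "CHMOD" "[FAILED]"
  fi
  return "$rc"
}

# Delete the confirmed file. Reads global: file.
purge_file() {
  if [[ $DRYRUN == TRUE ]]; then
    echo "rm -fv $file $DRYRUN_TAG"
    log_action "$file" "PURGE" "$DRYRUN_TAG"
    return 0
  fi
  if rm -fv -- "$file"; then
    log_action "$file" "PURGE"
  else
    log_action "$file" "PURGE" "[FAILED]"
    return 1
  fi
}

# Move the confirmed file into <home of $username>/quarantine.
# Reads globals: file, username.
#
# The original used ~$username, which bash does not expand (tilde expansion
# happens before variable expansion), so files ended up in a literal
# "~name" directory under the current working directory. The home
# directory is now looked up in the passwd database instead.
quarantine_file() {
  local home_dir='' qdir
  if [[ -n $username && $username != -* ]]; then
    home_dir=$(getent passwd "$username" | cut -d: -f6)
  fi
  if [[ -z $home_dir || ! -d $home_dir ]]; then
    echo "Cannot resolve a home directory for account '$username'; leaving $file in place" >&2
    log_action "$file" "QUARANTINE" "[FAILED - NO HOME DIRECTORY]"
    return 1
  fi
  qdir="$home_dir/quarantine"

  # The account owner controls this location. Refuse a symlinked
  # quarantine directory so a root-run mv cannot be redirected elsewhere.
  if [[ -L $qdir ]]; then
    echo "Refusing to use symlinked quarantine directory: $qdir" >&2
    log_action "$file" "QUARANTINE" "[FAILED - QUARANTINE DIR IS A SYMLINK]"
    return 1
  fi

  if [[ $DRYRUN == TRUE ]]; then
    echo "mkdir -p $qdir $DRYRUN_TAG"
    echo "mv -fv $file $qdir/ $DRYRUN_TAG"
    # The original omitted the dry-run tag on this log line only.
    log_action "$file" "QUARANTINE" "$DRYRUN_TAG"
    return 0
  fi
  if mkdir -p -- "$qdir" && mv -fv -- "$file" "$qdir/"; then
    log_action "$file" "QUARANTINE"
  else
    log_action "$file" "QUARANTINE" "[FAILED]"
    return 1
  fi
}

# Remove the "Options -MultiViews" line and every line naming the confirmed
# file from the .htaccess beside it. Reads globals: filepath, filename.
seo_clean_htaccess() {
  local htaccess="$filepath/.htaccess"
  # filename has already matched NAME_RE; escape the dot so it is literal.
  local name_re=${filename//./\\.}

  if [[ $DRYRUN == TRUE ]]; then
    echo "--> Cleaning .htaccess file: $htaccess"
    echo "sed -i -re '/Options\ -MultiViews/d' $htaccess $DRYRUN_TAG"
    echo "sed -i -re '/$name_re/d' $htaccess $DRYRUN_TAG"
    log_action "$htaccess" "CLEAN HTACCESS" "$DRYRUN_TAG"
    echo
    return 0
  fi
  if sed -i -r -e '/Options\ -MultiViews/d' -e "/${name_re}/d" -- "$htaccess"; then
    log_action "$htaccess" "CLEAN HTACCESS"
  else
    log_action "$htaccess" "CLEAN HTACCESS" "[FAILED]"
    return 1
  fi
}

###################################
## ARGUMENT HANDLING
###################################

# If we don't receive an action, print the usage.
if [[ -z ${1:-} ]]; then
  usage
  exit 0
fi

# Validate the action before scanning. The original only looked at it after
# the first confirmed hit, so a typo (or --help) ran the whole search first.
case "$1" in
  --chmod | --purge | --quarantine | --htaccess) ;;
  --help)
    usage
    exit 0
    ;;
  *)
    echo "Unknown Action received, try using --help for options"
    usage
    exit 1
    ;;
esac

# If argument 2 is --dryrun, set the dryrun variable to TRUE.
if [[ ${2:-} == "--dryrun" ]]; then
  DRYRUN=TRUE
fi

if ! command -v locate > /dev/null; then
  echo "locate is required but was not found in PATH" >&2
  exit 1
fi

echo
echo "*** WARNING *** ABOUT TO PROCEED WITH REQUESTED ACTION *** WARNING ***"
echo
echo " You should not use this tool without explicit permission from a T3 admin."
echo
echo
sleep 5
echo
echo "Starting search and sanitization... This will take awhile to complete!"
echo "========================================================================"
echo

confirmed=0

# Read candidates on fd 3 so the commands in the loop keep the normal stdin.
# Reading line by line (rather than "for file in $(locate ...)") avoids glob
# expansion of the paths returned by locate.
while IFS= read -r -u 3 file; do
  filepath=$(dirname -- "$file")
  filename=$(basename -- "$file")
  # Third path component, e.g. "bob" for /home/bob/public_html/1234.php.
  IFS=/ read -r _ _ username _ <<< "$file"
  htaccess="$filepath/.htaccess"

  dry_note "[DRYRUN] Scanning: $file"

  # The locate patterns are unanchored, so a hit can be a directory or a
  # deeper path whose basename is something else entirely.
  [[ $filename =~ $NAME_RE ]] || continue
  # Stale database entries and non-regular files are ignored. Symlinks are
  # skipped so chmod/chown/mv as root never act on a link target.
  [[ -f $file && ! -L $file ]] || continue
  [[ -f $htaccess ]] || continue

  ###########################################################################
  # COMMON SENSE: lets begin a series of error checks before we do anything
  ###########################################################################

  # 1/4: base64_encode exists in the suspected hack file
  grep -qF -- 'base64_encode' "$file" || continue
  dry_note "[DRYRUN] Testing: $file: BASE64 FOUND (1/4)"

  # 2/4: the file is being called in the .htaccess (literal match)
  grep -qF -- "$filename" "$htaccess" || continue
  dry_note "[DRYRUN] Testing: $file: CALLED IN HTACCESS (2/4)"

  # 3/4: said htaccess has Options -MultiViews
  grep -qF -- 'Options -MultiViews' "$htaccess" || continue
  dry_note "[DRYRUN] Testing: $filepath/.htaccess: -MULTIVIEWS (3/4)"

  # 4/4: error reporting is set off in the hack (as always)
  grep -qF -- 'error_reporting(0)' "$file" || continue
  dry_note "[DRYRUN] Testing: $file: error_reporting off (4/4)"

  #################################################################
  ## OKAY, all 4 checks confirm this is a hack. Lets take action!
  #################################################################
  confirmed=$((confirmed + 1))
  echo "======================== SANITIZING CONFIRMED HACK FOUND IN ACCOUNT: $username ========================"

  case "$1" in
    --chmod)
      chmod_file
      seo_clean_htaccess
      ;;
    --purge)
      purge_file
      seo_clean_htaccess
      ;;
    --quarantine)
      quarantine_file
      seo_clean_htaccess
      ;;
    --htaccess)
      seo_clean_htaccess
      ;;
  esac
done 3< <(locate --regex '.*/[0-9]{4,8}.php' '.*/[a-z]{1,1}[0-9]{4,8}.php')

# Report on this run's own hits; a log file left by an earlier run on the
# same day no longer makes an empty run look like it took action.
if (( confirmed > 0 )); then
  echo
  echo "Completed operations, for actions taken please review log file: $LOGFILE"
  echo
else
  echo
  echo "Completed operation, no hack files were found that match all 4/4 checks."
  echo "You can run w/ --dryrun to see which checks were met and which were not."
  echo
fi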