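/**
 * Scan one file against every malware fingerprint and echo an HTML report of the hits.
 *
 * The path and the file contents come from the filesystem under inspection, so both are
 * treated as attacker-controlled and HTML-escaped before being echoed. Pattern names and
 * descriptions come from the scanner's own tables and are echoed unchanged.
 *
 * @global array $ext            file extensions to be scanned
 * @global array $patterns       fingerprints: either a regex string, or an array whose index 0 is
 *                               the regex and whose indexes 2, 1 and 3 are echoed as the pattern
 *                               number, the pattern name and the details text
 * @global int   $count          incremented once for every pattern that matched
 * @global int   $total_results  incremented by the number of matches found
 * @global array $jamssFileNames suspicious basenames; the key of a matching entry is echoed as its description
 * @param string $path path of the scanned file
 */
function scan_file($path)
{
    global $ext, $patterns, $count, $total_results, $jamssFileNames;

    // stripos() returns 0 for a match at the very start of the path; compare against false so
    // that position is still recognised as "this is the scanner itself".
    if (!in_array(pathinfo($path, PATHINFO_EXTENSION), $ext)
        || !filesize($path)
        || stripos($path, 'jamss.php') !== false
    ) {
        return;
    }

    // ENT_SUBSTITUTE keeps htmlentities() from returning an empty string when the input holds
    // invalid UTF-8 (obfuscated payloads, or a multi-byte character cut by substr()).
    $escape_flags = ENT_QUOTES | ENT_SUBSTITUTE;
    $safe_path = htmlentities($path, $escape_flags);

    // array_search() returns the matching key, which may be 0 or another falsy value.
    $malic_file_descr = array_search(pathinfo($path, PATHINFO_BASENAME), $jamssFileNames);
    if ($malic_file_descr !== false) {
        echo '<hr><p><h3 class="pattern">Suspicious filename found :</h3> File: <span class="file">', $safe_path, '</span>',
            " ---> <strong>Details:</strong>\n <span class=\"pattern_desc\">\"{$malic_file_descr}\"</span></p>\n";
    }

    $content = file_get_contents($path);
    if ($content === false) {
        // NOTE(review): formatError() is defined elsewhere; confirm it escapes its argument,
        // because $path is passed to it unescaped here.
        $error = 'Could not check ' . $path;
        echo formatError($error);
        return;
    }

    // do a search for fingerprints
    foreach ($patterns as $pattern) {
        $has_details = is_array($pattern);
        $regex = $has_details ? $pattern[0] : $pattern;

        // Reset the capture array first: if the pattern fails to compile, preg_match_all() leaves
        // it untouched and the previous pattern's hits would be reported under this one.
        // NOTE(review): a pattern that fails to run yields no hits and no message here; consider
        // reporting preg_last_error() so a broken fingerprint is not a silent false negative.
        $found = array();
        // RegEx modifiers: i=case-insensitive; s=dot matches also newlines; S=optimization
        preg_match_all('#' . $regex . '#isS', $content, $found, PREG_OFFSET_CAPTURE);

        $all_results = isset($found[0]) ? $found[0] : array(); // remove outer array from results
        $results_count = count($all_results);                  // count the number of results
        $total_results += $results_count;                      // total results of all fingerprints
        if ($results_count === 0) {
            continue;
        }
        $count++;

        if ($has_details) {
            // an array pattern carries a number, a name and a details text
            echo "<hr><p><span class=\"pattern\">Pattern #{$pattern['2']} - {$pattern['1']}</span>\n --> found {$results_count} occurence(s) in file <span class=\"file\">{$safe_path}</span>",
                NL, NL,
                "<strong>Details: </strong> <span class=\"pattern_desc\">\"{$pattern['3']}\"</span></p>\n";
        } else {
            // it's a string, no comments available
            echo "<hr><p>In file <span class=\"file\">{$safe_path}</span>",
                "-> we found {$results_count} occurence(s) of <span class=\"pattern\">String '{$pattern}'</span>",
                NL;
        }

        foreach ($all_results as $match) {
            // $match[1] is the byte offset of the hit; show up to 200 bytes from there, escaped
            echo '<span class="offset">Line #: ', calculate_line_number($match[1], $content), '</span>',
                "<pre>... " . htmlentities(substr($content, $match[1], 200), $escape_flags) . " ...</pre>\n";
        }

        echo "--> {$safe_path} is a <b>", filetype($path), '</b>. It was last <b>accessed</b>: ', date(DATE_ATOM, fileatime($path)),
            ', last <b>changed</b>: ' . date(DATE_ATOM, filectime($path)),
            ', last <b>modified</b>: ', date(DATE_ATOM, filemtime($path)), '.<br/>';
        echo 'File permissions:', substr(sprintf('%o', fileperms($path)), -4), '<br/>';
    }

    unset($content);
}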
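/**
 * Scan one file against every malware fingerprint and echo one HTML table row per hit,
 * each with a hidden "Details" dialog.
 *
 * The path and the file contents come from the filesystem under inspection, so both are
 * treated as attacker-controlled and HTML-escaped before being placed in markup or
 * attributes. Pattern names and descriptions come from the scanner's own tables and are
 * echoed unchanged.
 *
 * @global array $ext           file extensions to be scanned
 * @global array $patterns      fingerprints: either a regex string, or an array whose index 0 is
 *                              the regex, index 1 the name shown in the row and index 2 the
 *                              threat description shown in the dialog
 * @global int   $count         incremented once for every pattern that matched; also used as the dialog id
 * @global int   $total_results incremented by the number of matches found
 * @global array $FileNames     suspicious basenames, looked up with array_search()
 * @param string $path path of the scanned file
 */
function scan_file($path)
{
    global $ext, $patterns, $count, $total_results, $FileNames;

    $dateformat = "d F Y - H:i:s ";

    // stripos() returns 0 for a match at the very start of the path; compare against false so
    // that position is still recognised as "this is the scanner itself".
    if (!in_array(pathinfo($path, PATHINFO_EXTENSION), $ext)
        || !filesize($path)
        || stripos($path, 'malware-scanner.php') !== false
    ) {
        return;
    }

    // ENT_SUBSTITUTE keeps htmlentities() from returning an empty string when the input holds
    // invalid UTF-8 (obfuscated payloads, or a multi-byte character cut by substr()).
    $escape_flags = ENT_QUOTES | ENT_SUBSTITUTE;
    $safe_path = htmlentities($path, $escape_flags);
    $safe_name = htmlentities(basename($path), $escape_flags);
    $safe_stem = htmlentities(pathinfo($path, PATHINFO_FILENAME), $escape_flags);
    $mode = fileperms($path);
    $perms = substr(sprintf('%o', $mode), -4);

    // array_search() returns the matching key, which may be 0 or another falsy value.
    $malic_file_descr = array_search(pathinfo($path, PATHINFO_BASENAME), $FileNames);
    if ($malic_file_descr !== false) {
        echo '<tr> <td>' . $safe_name . '</td> <td>Suspicious FileName</td> <td> - </td> <td>' . $perms . '</td>'
            . ' <td><a href="#details-' . $safe_stem . '" class="mb-xs mt-xs mr-xs modal-with-zoom-anim btn btn-success"><i class="fa fa-file-text"></i> Details</a></td>'
            . ' <div id="details-' . $safe_stem . '" class="zoom-anim-dialog modal-block modal-header-color modal-block-danger mfp-hide">'
            . ' <section class="panel"> <header class="panel-heading"> <h2 class="panel-title">Details</h2> </header> <div class="panel-body">'
            . ' <label class="col-sm-3 control-label"><i class="fa fa-file-text"></i> File Name: </label> <div class="col-sm-9"> <input type="text" name="name" class="form-control" value="' . $safe_name . '" readonly /><br /> </div>'
            . ' <label class="col-sm-3 control-label"><i class="fa fa-flag"></i> Path:</label> <div class="col-sm-9"> <input type="text" class="form-control" value="' . $safe_path . '" readonly /><br /> </div>'
            . ' <label class="col-sm-3 control-label"><i class="fa fa-lock"></i> Permission: </label> <div class="col-sm-9"> <input type="text" class="form-control" value="' . $perms . '" readonly /><br /> </div>'
            . ' <label class="col-sm-3 control-label"><i class="fa fa-key"></i> Last Accessed: </label> <div class="col-sm-9"> <input type="text" class="form-control" value="' . date($dateformat, fileatime($path)) . '" readonly /><br /> </div>'
            . ' <label class="col-sm-3 control-label"><i class="fa fa-pencil-square-o"></i> Last Modified: </label> <div class="col-sm-9"> <input type="text" class="form-control" value="' . date($dateformat, filemtime($path)) . '" readonly /><br /> </div>'
            . ' <label class="col-sm-3 control-label"><i class="fa fa-folder"></i> File Size: </label> <div class="col-sm-9"> <input type="text" class="form-control" value="' . HumanReadableFilesize($path) . '" readonly /><br /> </div>'
            . ' <label class="col-sm-3 control-label"><i class="fa fa-cog"></i> MD5 Hash: </label> <div class="col-sm-9"> <input type="text" class="form-control" value="' . md5_file($path) . '" readonly /><br /> </div>'
            . ' </div> <footer class="panel-footer"> <div class="row"> <div class="row"> <div class="col-md-8 text-left"> </div> <div class="col-md-4 text-right"> <button class="btn btn-default modal-dismiss">Close</button> </div> </div> </div> </footer> </section> </div> </tr> ';
    }

    $content = file_get_contents($path);
    if ($content === false) {
        // NOTE(review): the message is built but never shown or logged, so an unreadable file is
        // skipped without any trace in the report; consider surfacing it.
        $error = 'Could not check ' . $path;
        return;
    }

    foreach ($patterns as $pattern) {
        $has_details = is_array($pattern);
        $regex = $has_details ? $pattern[0] : $pattern;

        // Reset the capture array first: if the pattern fails to compile, preg_match_all() leaves
        // it untouched and the previous pattern's hits would be reported under this one.
        // NOTE(review): a pattern that fails to run yields no hits and no message here; consider
        // reporting preg_last_error() so a broken fingerprint is not a silent false negative.
        $found = array();
        // RegEx modifiers: i=case-insensitive; s=dot matches also newlines; S=optimization
        preg_match_all('#' . $regex . '#isS', $content, $found, PREG_OFFSET_CAPTURE);

        $all_results = isset($found[0]) ? $found[0] : array();
        $results_count = count($all_results);
        $total_results += $results_count;
        if ($results_count === 0) {
            continue;
        }
        $count++;

        if ($has_details) {
            echo '<tr> <td>' . $safe_name . '</td> <td><font color="red"><i>' . $pattern[1] . '</i></font></td> <td>' . $results_count . '</td> <td>' . $perms . '</td>'
                . ' <td><a href="#details-' . $count . '" class="mb-xs mt-xs mr-xs modal-with-zoom-anim btn btn-success"><i class="fa fa-file-text"></i> Details</a></td>'
                . ' <div id="details-' . $count . '" class="zoom-anim-dialog modal-block modal-header-color modal-block-danger mfp-hide">'
                . ' <section class="panel"> <header class="panel-heading"> <h2 class="panel-title">Details</h2> </header> <div class="panel-body">'
                . ' <label class="col-sm-3 control-label"><i class="fa fa-file-text"></i> File Name: </label> <div class="col-sm-9"> <input type="text" name="name" class="form-control" value="' . $safe_name . '" readonly /><br /> </div>'
                . ' <label class="col-sm-3 control-label"><i class="fa fa-flag"></i> Path:</label> <div class="col-sm-9"> <input type="text" class="form-control" value="' . $safe_path . '" readonly /><br /> </div>'
                . ' <label class="col-sm-3 control-label"><i class="fa fa-lock"></i> Permission: </label> <div class="col-sm-9"> <input type="text" class="form-control" value="' . $perms . '" readonly /> ';

            // The warning used to be assigned to a variable and never echoed. Testing the
            // rwx bits with a mask also flags 0777 files that carry setuid/setgid/sticky bits.
            if ($mode !== false && ($mode & 0777) === 0777) {
                echo '<font color="orange">(Please note: The file have full access permissions)</font><br /><br />';
            } else {
                echo '<br />';
            }

            echo ' </div>'
                . ' <label class="col-sm-3 control-label"><i class="fa fa-key"></i> Last Accessed: </label> <div class="col-sm-9"> <input type="text" class="form-control" value="' . date($dateformat, fileatime($path)) . '" readonly /><br /> </div>'
                . ' <label class="col-sm-3 control-label"><i class="fa fa-pencil-square-o"></i> Last Modified: </label> <div class="col-sm-9"> <input type="text" class="form-control" value="' . date($dateformat, filemtime($path)) . '" readonly /><br /> </div>'
                . ' <label class="col-sm-3 control-label"><i class="fa fa-folder"></i> File Size: </label> <div class="col-sm-9"> <input type="text" class="form-control" value="' . HumanReadableFilesize($path) . '" readonly /><br /> </div>'
                . ' <label class="col-sm-3 control-label"><i class="fa fa-cog"></i> MD5 Hash: </label> <div class="col-sm-9"> <input type="text" class="form-control" value="' . md5_file($path) . '" readonly /><br /> </div>'
                . ' <label class="col-sm-3 control-label"><i class="fa fa-folder"></i> Threat Description: </label> <div class="col-sm-9"> <textarea type="text" class="form-control" rows="7" readonly />' . $pattern[2] . '</textarea><br /> </div> ';

            foreach ($all_results as $match) {
                // $match[1] is the byte offset of the hit; show up to 200 bytes from there, escaped
                echo '<span class="offset">Line #: ', calculate_line_number($match[1], $content), '</span>',
                    "<pre>... " . htmlentities(substr($content, $match[1], 200), $escape_flags) . " ...</pre>\n";
            }

            echo ' </div> <footer class="panel-footer"> <div class="row"> <div class="row"> <div class="col-md-8 text-left"> </div> <div class="col-md-4 text-right"> <button class="btn btn-default modal-dismiss">Close</button> </div> </div> </div> </footer> </section> </div> ';
        }

        // NOTE(review): for a plain-string pattern only this closing tag is echoed, so the hit is
        // counted but no row describes it.
        echo ' </tr> ';
    }

    unset($content);
}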