
I'd like to search for suspicious PHP files on a Linux machine. Currently I have a solution for long strings, but a few days ago I found a new version of a suspicious script. Instead of just setting a variable in one long line, the new version splits the line into chunks and concatenates them.

Here is a sample:

    $dlujpdi = 
    'KXskXXxbZSgnb2R5cmltcHViTkVDIHBvbWVvLCR0clRoPmRvc2V7TWVzJGZpb25zRV9'.
    'MICRsbWUoaXMtbmV3Y2Uoan07cGVucy0+dD0kY291KCdtZWxkcnJwaGlzJy4nZighLC'.
    'RwdGVkLT5TZXcgaWYobVsxdGhpKCRwZGRybiBmJHBhbiAkdGhpJHRobmQpQ2hhJGFkZ'.
    'XQsdGVkZCgnKXtyZXI9fXxcdXJudGlvbmU7b2RlaGVsaXZlOV17ZWRDLicodHIob24g'.
    'YnJldHRhb21IY3RpdGlvcy0+cy0+TVRQKCRkW109KTt9JHN0ZHkudGhpaGFybWF0J0N'.
    'vJyAnYWluJGJvc19rXC9cJG1zYm9kdGh0PnZhbiI7UyopJHN0bGVyJyc7cycpYSl7Py'.
    '8iaXMtbWUpLT5zKHN0KD8hOkRFcy0+cmV0QWx0c3MiYW1laWYoKS0kaGlzSCcsJGJvK'.
    'DIsNzdcc3RyLjIzJycsX2Nvcy0+ZXNwPmFkc2FnezY1OjpEPnRlb2R5bWF4aW1lcHVi'.

and so on. That's why I'd like to search for this pattern, where Base64 parts are concatenated together with a dot like here. Is there a way to do it with Linux tools without writing a new short program?

user39063

1 Answer


On a Linux system, you could use something like:

    grep -Erl '[[:alnum:]/+]{20,}' /path/to/php/parent/directory/*

Which tells grep to recursively look for files that contain at least 20 sequential characters from the Base64 alphabet; matching files have their filename printed. Adjust the 20 to taste.

Jeff Schaller
  • I had almost the same idea: grep -Elir "'[+0-9a-z]{67}'\." * – Cyrus Jan 19 '18 at 20:45
  • I debated about anchoring the line, but opted for something slightly more general, in case the next hiding technique uses different quoting or line lengths. Does require some tuning on the OP’s part to separate wheat from chaff. – Jeff Schaller Jan 19 '18 at 20:48
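The answer's grep reports any file with a long run of Base64-alphabet characters, which also catches legitimate inline data such as an embedded image. The script below is an added example, not code from the answer or the comments, that narrows the search to the chunked layout shown in the question (a quoted chunk followed by the concatenation dot) and only reports a file once several such lines appear. It assumes GNU grep (for `--include`) and a POSIX awk; the sample files are constructed here, reusing the first four chunks from the question.

```shell
#!/bin/sh
# Added example, not from the original answer: scan a tree for PHP files whose
# source builds a string out of several consecutive quoted Base64-looking
# chunks joined with the concatenation dot, i.e. lines of the form
#     'KXskXXxbZSgnb2R5cmltcHViTkVD...'.
# Assumes GNU grep (for --include) and a POSIX awk.
set -eu

# Print the PHP files under $1 containing at least $2 (default 3) chunk lines.
# One quoted Base64 constant is common in legitimate code; a stack of them,
# each followed by '.', is the layout the question describes.
find_chunked_b64() {
    dir=$1
    min=${2:-3}
    # A chunk line: optional indent, a quote, 16+ Base64-alphabet characters,
    # the closing quote, then the concatenation dot. -c -H gives "file:count".
    grep -ErcH --include='*.php' \
        "^[[:space:]]*['\"][[:alnum:]/+=]{16,}['\"][[:space:]]*\." "$dir" |
    awk -F: -v min="$min" '$NF + 0 >= min + 0 { sub(/:[0-9]+$/, ""); print }'
}

# Build a scratch directory with constructed samples; prints its path.
make_samples() {
    d=$(mktemp -d)
    # Constructed file 1: the chunked layout from the question (first four
    # chunks). Three lines end in '.' and the last one ends in ';', so the
    # chunk count is 3.
    cat > "$d/obfuscated.php" <<'EOF'
<?php
$dlujpdi =
'KXskXXxbZSgnb2R5cmltcHViTkVDIHBvbWVvLCR0clRoPmRvc2V7TWVzJGZpb25zRV9'.
'MICRsbWUoaXMtbmV3Y2Uoan07cGVucy0+dD0kY291KCdtZWxkcnJwaGlzJy4nZighLC'.
'RwdGVkLT5TZXcgaWYobVsxdGhpKCRwZGRybiBmJHBhbiAkdGhpJHRobmQpQ2hhJGFkZ'.
'XQsdGVkZCgnKXtyZXI9fXxcdXJudGlvbmU7b2RlaGVsaXZlOV17ZWRDLicodHIob24g';
EOF
    # Constructed file 2: a legitimate single Base64 constant (an inline PNG).
    # The answer's broad grep flags this file too; the chunk rule does not,
    # because the constant is assigned on one line and not followed by '.'.
    cat > "$d/clean.php" <<'EOF'
<?php
$logo = 'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==';
echo $logo;
EOF
    # Constructed file 3: same chunk layout but not a .php file, so --include
    # skips it.
    cp "$d/obfuscated.php" "$d/notes.txt"
    echo "$d"
}

# Stand-alone demo: only obfuscated.php is expected to be reported.
samples=$(make_samples)
find_chunked_b64 "$samples"
rm -rf "$samples"
```

Raise the second argument on trees with a lot of legitimate Base64 (mail libraries, embedded fonts) and lower it when hunting for the two- or three-chunk variant; as the comments note, the threshold and the chunk length are the parts that need tuning for a given code base.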