思路就是匹配脚本文件以及配置文件hash,找出hash改变的脚本或者配置文件,脚本共三个参数
1,-save 即读取web目录和配置文件,计算各文件的hash并保存到文件
2,-find 即通过保存的hash与当前web目录脚本文件和配置文件hash匹配,找出hash变动的文件
3,-listen 首先执行save。然后循环执行find,如果发现hash异常通过email通知管理员。每次find完成后都sleep一段时间,这里默认半个小时,相当于半个小时检查一次。
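import hashlib
import sys
import os
import re
import time
import smtplib
from email.mime.text import MIMEText

# Mail settings used by send_mail(). The values below are the placeholders
# from the original script; fill in real ones locally and keep them out of
# version control (a committed mailbox password is the usual leak).
MAIL_TO = ["xxx@qq.com"]
MAIL_HOST = "smtp.163.com"
MAIL_USER = "xxxx"
MAIL_PASS = "xxxr"
MAIL_POSTFIX = "163.com"

# Both state files are written to the current working directory, so -find
# and -listen must run from the directory where -save ran. They are plain
# text writable by the monitoring account: if the account that serves the
# web root can also write here, an intruder can simply re-baseline. Keep
# them outside the web root, owned by a different user or read-only.
CONFIG_FILE = 'config'
HASH_FILE = 'save_hash'

# Digest used for the baseline. MD5 is kept so baselines written by the
# original script still load; MD5 collisions are practical, so a baseline
# meant to resist deliberate tampering should use 'sha256'. Changing this
# requires re-running -save.
HASH_ALGORITHM = 'md5'

# Seconds between two -listen scans. The accompanying text says half an
# hour; the original code slept 3600 s and that value is kept as default.
LISTEN_INTERVAL = 3600

# What load_all_path() treats as monitored content: server-side script
# extensions and exact file names. Add any other extension the web server
# is configured to execute (for example '.phtml'), or it will not be watched.
WATCHED_EXTENSIONS = ('.php',)
WATCHED_NAMES = ('.htaccess',)

# Line ending of the state files (matches the original file format).
LINE_END = '\r\n'


def send_mail(content):
    """Mail *content* to MAIL_TO with subject 'warning'.

    Returns True on success, False on any failure. The error is printed
    rather than raised so that a -listen loop survives a mail outage.
    """
    me = MAIL_USER + "<" + MAIL_USER + "@" + MAIL_POSTFIX + ">"
    msg = MIMEText(content)
    msg['Subject'] = 'warning'
    msg['From'] = me
    msg['To'] = ";".join(MAIL_TO)
    try:
        s = smtplib.SMTP()
        s.connect(MAIL_HOST)
        # NOTE(review): login() runs over the connection exactly as opened
        # above (no STARTTLS/SMTP_SSL in the original); if the server offers
        # TLS, upgrade before sending credentials — confirm with the provider.
        try:
            s.login(MAIL_USER, MAIL_PASS)
            s.sendmail(me, MAIL_TO, msg.as_string())
        finally:
            # Original only closed on the success path; close on failure too.
            s.close()
        return True
    except Exception as e:
        print(str(e))
        return False


def file_hash(filePath, algorithm=HASH_ALGORITHM):
    """Return the hex digest of the file at *filePath*.

    The file is read in 8 KiB chunks so large files are not loaded at once.
    Raises IOError/OSError if the file cannot be opened or read.
    """
    digest = hashlib.new(algorithm)
    with open(filePath, 'rb') as fh:
        while True:
            data = fh.read(8192)
            if not data:
                break
            digest.update(data)
    return digest.hexdigest()


def md5Checksum(filePath):
    """Return the MD5 hex digest of *filePath* (kept for existing callers)."""
    return file_hash(filePath, 'md5')


def load_filelist(f, rsplit=False):
    """Parse a 'key:value'-per-line file into a dict.

    By default the line is split at the first ':' (right for CONFIG_FILE,
    whose values are paths). With rsplit=True it is split at the last ':'
    (right for HASH_FILE, whose keys are paths and may contain ':'). Values
    are returned without their line ending; blank lines and lines without
    a ':' are skipped instead of raising.
    """
    dic = {}
    with open(f, 'r') as f1:
        for line in f1:
            line = line.rstrip('\r\n')
            if ':' not in line:
                continue
            if rsplit:
                key, value = line.rsplit(':', 1)
            else:
                key, value = line.split(':', 1)
            dic[key] = value
    return dic


def load_hash(filepath):
    """Return the baseline stored at *filepath* as {path: hexdigest}."""
    return load_filelist(filepath, rsplit=True)


def save_config(configpath, webdir):
    """Record the monitored config file path and web root in CONFIG_FILE."""
    with open(CONFIG_FILE, 'w') as f1:
        f1.write('configpath:' + configpath + LINE_END)
        f1.write('webdir:' + webdir + LINE_END)


def find():
    """Print every difference between the saved baseline and the current tree."""
    for message in findchange():
        print(message.rstrip('\r\n'))


def findchange():
    """Compare the current web tree and config file against the baseline.

    Returns a list of messages, each ending in LINE_END: files that are not
    in the baseline, files whose digest differs, files that could not be
    read, and baseline entries that no longer exist on disk (a removed
    .htaccess is as much a tamper as a modified one). Returns [] when
    nothing differs. Raises KeyError if CONFIG_FILE lacks an entry.
    """
    baseline = load_hash(HASH_FILE)
    settings = load_filelist(CONFIG_FILE)
    current = load_all_path(settings['webdir'])
    current.append(settings['configpath'])

    relist = []
    for webpage in current:
        if webpage not in baseline:
            relist.append(webpage + ' is new file' + LINE_END)
            continue
        try:
            digest = file_hash(webpage)
        except (IOError, OSError) as e:
            # Original raised here and killed a -listen loop; report instead.
            relist.append(webpage + ' could not be read: ' + str(e) + LINE_END)
            continue
        if baseline[webpage] != digest:
            relist.append(webpage + ' has been changed' + LINE_END)

    present = set(current)
    for path in sorted(baseline):
        if path not in present:
            relist.append(path + ' has been deleted' + LINE_END)
    return relist


def load_all_path(rootDir):
    """Return the paths of every monitored file under *rootDir*.

    A file is monitored when its extension is in WATCHED_EXTENSIONS or its
    name (without extension) is in WATCHED_NAMES. Directories and files are
    visited in sorted order so the result is deterministic.
    """
    paths = []
    for root, dirs, files in os.walk(rootDir):
        dirs.sort()
        for name in sorted(files):
            base, ext = os.path.splitext(name)
            if ext in WATCHED_EXTENSIONS or base in WATCHED_NAMES:
                paths.append(os.path.join(root, name))
    return paths


def save(config, webpath):
    """Record *config* and *webpath*, then write the digest baseline.

    The monitored file list is printed as it is hashed. An unreadable file
    raises (a baseline with gaps would silently stop protecting that file).
    """
    save_config(config, webpath)
    weblist = load_all_path(webpath)
    print(weblist)
    with open(HASH_FILE, 'w') as f1:
        f1.write(config + ':' + file_hash(config) + LINE_END)
        for path in weblist:
            print(path)
            f1.write(path + ':' + file_hash(path) + LINE_END)


def listen(config, webpath, interval=LISTEN_INTERVAL):
    """Take a baseline, then re-scan every *interval* seconds forever.

    Each scan that finds differences mails them to MAIL_TO as one message,
    one difference per line. A scan that fails (state file missing, tree
    unreadable) is printed and the loop continues.
    """
    save(config, webpath)
    while True:
        try:
            lists = findchange()
        except (IOError, OSError, KeyError) as e:
            print('scan failed: ' + str(e))
            lists = []
        if lists:
            body = '\n'.join(s.rstrip('\r\n') for s in lists) + '\n'
            send_mail(body)
        time.sleep(interval)


if __name__ == '__main__':
    banner = '''usage:
    find.py -save config webpath
    find.py -find
    nohup python find.py -listen config webpath $
Example:
    python find.py -save /etc/apache2/apache2.conf /var/www
    python find.py -find
    nohup python find.py -listen /etc/apache2/apache2.conf /var/www &
'''
    argc = len(sys.argv)
    if argc == 4 and sys.argv[1] == '-save':
        save(sys.argv[2], sys.argv[3])
    elif argc == 2 and sys.argv[1] == '-find':
        find()
    # Original indexed argv[2:3] for -listen without checking the count.
    elif argc == 4 and sys.argv[1] == '-listen':
        listen(sys.argv[2], sys.argv[3])
    else:
        print(banner)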
摘自:http://zone.wooyun.org/content/3189