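#!/bin/bash
# Triage scan for webshell drops and lateral-movement tool residue.
#
# Walks SCAN_ROOT with find(1), pruning pseudo/volatile filesystems, and lists
# regular files modified within the last MTIME_DAYS days whose suffix is a
# common webshell extension or whose name contains a common scanner/tool
# name. Every match is echoed to the terminal and appended to REPORT.
#
# This is a name-based first pass: a hit is a candidate for manual review,
# not a verdict, and a payload with an unlisted suffix or name is not found.
# The generic entries (html, txt, jpg, png, bash, python, curl, ...) will
# produce many legitimate hits on a live system; the value is in the
# "modified in the last day" filter, not the name alone.
#
# Environment (all optional; defaults reproduce the original behaviour):
#   REPORT      report file path (default: webshell_scan_report.txt in cwd)
#   MTIME_DAYS  look-back window in days, passed as find -mtime -N (default: 1)
#   SCAN_ROOT   directory tree to scan (default: /)
#
# The report is written to the current directory by default; run from a
# directory the web server cannot serve, otherwise the report itself becomes
# a readable artefact on the host. The report is excluded from its own
# results so a .txt scan does not list it.
set -u

# Directories pruned from the walk: pseudo/volatile filesystems plus log and
# cache trees that would only add noise.
EXCLUDE_DIRS=(
  "/proc"
  "/sys"
  "/dev"
  "/run"
  "/boot"
  "/var/log"
  "/var/cache"
  "/var/run"
)
# Common webshell suffixes (matched as *.ext).
EXTENSIONS=("php" "php3" "php4" "php5" "phtml" "asp" "aspx" "ashx" "jsp" "jspx" "jsw" "jsv" "jspf" "pl" "cgi" "py" "html" "htm" "txt" "jpg" "png" "sh")
# Common lateral-movement tool and interpreter names (matched as *name*).
SCANNER_NAMES=("nmap" "masscan" "zmap" "netcat" "nc" "telnet" "curl" "wget" "bash" "python" "perl" "ruby")

REPORT="${REPORT:-webshell_scan_report.txt}"
MTIME_DAYS="${MTIME_DAYS:-1}"
SCAN_ROOT="${SCAN_ROOT:-/}"
# Absolute path of the report, set in main() and used to exclude it from find.
REPORT_ABS=""
# find expression built by build_exclude_params().
EXCLUDE_PARAMS=()

#######################################
# Print a diagnostic to stderr and exit.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Build the find(1) expression that prunes EXCLUDE_DIRS and then selects
# regular files.  Each prune clause is followed by -o so the selection
# branch only runs on paths that were not pruned.
# Globals:   EXCLUDE_DIRS (read), EXCLUDE_PARAMS (written)
#######################################
build_exclude_params() {
  local dir
  EXCLUDE_PARAMS=()
  for dir in "${EXCLUDE_DIRS[@]}"; do
    EXCLUDE_PARAMS+=(-path "$dir" -prune -o)
  done
  EXCLUDE_PARAMS+=(-type f)
}

#######################################
# Print one line to stdout and append it to the report.
# Globals:   REPORT (read)
# Arguments: $1 - text
#######################################
log() {
  printf '%s\n' "$1" | tee -a "$REPORT"
}

#######################################
# Run one find pass for a -name pattern and record every match.
# Globals:   SCAN_ROOT, EXCLUDE_PARAMS, MTIME_DAYS, REPORT_ABS, REPORT (read)
# Arguments: $1 - find -name pattern (e.g. "*.php")
# Outputs:   matching paths to stdout and the report; find's own errors
#            (e.g. permission denied) stay on stderr
#######################################
scan_pattern() {
  local pattern=$1
  # "! -path" keeps the report file out of its own results.
  find "$SCAN_ROOT" "${EXCLUDE_PARAMS[@]}" -mtime "-$MTIME_DAYS" \
    -name "$pattern" ! -path "$REPORT_ABS" -print | tee -a "$REPORT"
}

#######################################
# Entry point: create the report, then run the extension and name passes.
# Globals:   REPORT, MTIME_DAYS, EXTENSIONS, SCANNER_NAMES (read),
#            REPORT_ABS (written)
# Outputs:   progress and matches to stdout; same content appended to REPORT
# Returns:   exits 1 if MTIME_DAYS is not a non-negative integer or the
#            report cannot be created
#######################################
main() {
  local ext name

  [[ "$MTIME_DAYS" =~ ^[0-9]+$ ]] || die "MTIME_DAYS must be a non-negative integer: $MTIME_DAYS"

  # find prints full paths from SCAN_ROOT, so the exclusion must be absolute.
  case $REPORT in
    /*) REPORT_ABS=$REPORT ;;
    *)  REPORT_ABS="$PWD/$REPORT" ;;
  esac

  build_exclude_params

  echo "Webshell和扫描器残留扫描报告 - $(date)" > "$REPORT" || die "cannot write report: $REPORT"
  echo "" >> "$REPORT"

  log "正在扫描潜在的Webshell文件..."
  for ext in "${EXTENSIONS[@]}"; do
    log "检查.*$ext文件..."
    scan_pattern "*.$ext"
    echo "" >> "$REPORT"
  done

  log "正在扫描潜在的扫描器残留文件..."
  for name in "${SCANNER_NAMES[@]}"; do
    log "检查*$name*文件..."
    scan_pattern "*$name*"
    echo "" >> "$REPORT"
  done

  echo "扫描完成。报告已保存到$REPORT"
}

main "$@"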