Python监测文件

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174

# -*- coding: utf-8 -*- #use: python file_check.py ./ # 放在 /var/www/ 或 /var/www/html 下执行这个脚本，它会先备份当然目录下的所有文件，然后监控当前目录， # 一旦当前目录下的某个文件发生变更，就会自动还原，有新的文件产生就会自动删除。 # 使用方法，在Centos下，执行 python Python监测新增文件.py  经检测，如果新增文件，会自动删除，并给出提示，但是删除文件，并不会恢复 import os import hashlib import shutil import ntpath import time   CWD = os.getcwd() FILE_MD5_DICT = {} # 文件MD5字典 ORIGIN_FILE_LIST = []   # 特殊文件路径字符串 Special_path_str = 'drops_JWI96TY7ZKNMQPDRUOSG0FLH41A3C5EXVB82' bakstring = 'bak_EAR1IBM0JT9HZ75WU4Y3Q8KLPCX26NDFOGVS' logstring = 'log_WMY4RVTLAJFB28960SC3KZX7EUP1IHOQN5GD' webshellstring = 'webshell_WMY4RVTLAJFB28960SC3KZX7EUP1IHOQN5GD' difffile = 'diff_UMTGPJO17F82K35Z0LEDA6QB9WH4IYRXVSCN'   Special_string = 'drops_log' # 免死金牌 UNICODE_ENCODING = "utf-8" INVALID_UNICODE_CHAR_FORMAT = r"\?%02x"   # 文件路径字典 spec_base_path = os.path.realpath(os.path.join(CWD, Special_path_str)) Special_path = {     'bak' : os.path.realpath(os.path.join(spec_base_path, bakstring)),     'log' : os.path.realpath(os.path.join(spec_base_path, logstring)),     'webshell' : os.path.realpath(os.path.join(spec_base_path, webshellstring)),     'difffile' : os.path.realpath(os.path.join(spec_base_path, difffile)), }     def isListLike(value):     return isinstance(value, (list, tuple, set))   # 获取Unicode编码 def getUnicode(value, encoding=None, noneToNull=False):     if noneToNull and value is None:         return NULL     if isListLike(value):         value = list(getUnicode(_, encoding, noneToNull) for _ in value)         return value     if isinstance(value, unicode):         return value     elif isinstance(value, basestring):         while True:             try:                 return unicode(value, encoding or UNICODE_ENCODING)             except UnicodeDecodeError, ex:                 try:                     return unicode(value, UNICODE_ENCODING)                 except:                     value = value[:ex.start] + "".join(INVALID_UNICODE_CHAR_FORMAT % ord(_) for _ in value[ex.start:ex.end]) + value[ex.end:]     else:         try:             return unicode(value)         except UnicodeDecodeError:             return unicode(str(value), errors="ignore")   # 目录创建 def mkdir_p(path):     import errno     try:         os.makedirs(path)     except OSError as exc:         if exc.errno == errno.EEXIST and os.path.isdir(path):             pass         else: raise   # 获取当前所有文件路径 def getfilelist(cwd):     filelist = []     for root,subdirs, files in os.walk(cwd):         for filepath in files:             originalfile = os.path.join(root, filepath)             if Special_path_str not in originalfile:                 filelist.append(originalfile)     return filelist   # 计算机文件MD5值 def calcMD5(filepath):     try:         with open(filepath,'rb') as f:             md5obj = hashlib.md5()             md5obj.update(f.read())             hash = md5obj.hexdigest()             return hash     except Exception, e:         print u'[!] getmd5_error : ' + getUnicode(filepath)         print getUnicode(e)         try:             ORIGIN_FILE_LIST.remove(filepath)             FILE_MD5_DICT.pop(filepath, None)         except KeyError, e:             pass   # 获取所有文件MD5 def getfilemd5dict(filelist = []):     filemd5dict = {}     for ori_file in filelist:         if Special_path_str not in ori_file:             md5 = calcMD5(os.path.realpath(ori_file))             if md5:                 filemd5dict[ori_file] = md5     return filemd5dict   # 备份所有文件 def backup_file(filelist=[]):     # if len(os.listdir(Special_path['bak'])) == 0:     for filepath in filelist:         if Special_path_str not in filepath:             shutil.copy2(filepath, Special_path['bak'])   if __name__ == '__main__':     print u'---------start------------'     for value in Special_path:         mkdir_p(Special_path[value])     # 获取所有文件路径，并获取所有文件的MD5，同时备份所有文件     ORIGIN_FILE_LIST = getfilelist(CWD)     FILE_MD5_DICT = getfilemd5dict(ORIGIN_FILE_LIST)     backup_file(ORIGIN_FILE_LIST) # TODO 备份文件可能会产生重名BUG     print u'[*] pre work end!'     while True:         file_list = getfilelist(CWD)         # 移除新上传文件         diff_file_list = list(set(file_list) ^ set(ORIGIN_FILE_LIST))         if len(diff_file_list) != 0:             # import pdb;pdb.set_trace()             for filepath in diff_file_list:                 try:                     f = open(filepath, 'r').read()                 except Exception, e:                     break                 if Special_string not in f:                     try:                         print u'[*] webshell find : ' + getUnicode(filepath)                         shutil.move(filepath, os.path.join(Special_path['webshell'], ntpath.basename(filepath) + '.txt'))                     except Exception as e:                         print u'[!] move webshell error, "%s" maybe is webshell.'%getUnicode(filepath)                     try:                         f = open(os.path.join(Special_path['log'], 'log.txt'), 'a')                         f.write('newfile: ' + getUnicode(filepath) + ' : ' + str(time.ctime()) + '\n')                         f.close()                     except Exception as e:                         print u'[-] log error : file move error: ' + getUnicode(e)           # 防止任意文件被修改,还原被修改文件         md5_dict = getfilemd5dict(ORIGIN_FILE_LIST)         for filekey in md5_dict:             if md5_dict[filekey] != FILE_MD5_DICT[filekey]:                 try:                     f = open(filekey, 'r').read()                 except Exception, e:                     break                 if Special_string not in f:                     try:                         print u'[*] file had be change : ' + getUnicode(filekey)                         shutil.move(filekey, os.path.join(Special_path['difffile'], ntpath.basename(filekey) + '.txt'))                         shutil.move(os.path.join(Special_path['bak'], ntpath.basename(filekey)), filekey)                     except Exception as e:                         print u'[!] move webshell error, "%s" maybe is webshell.'%getUnicode(filekey)                     try:                         f = open(os.path.join(Special_path['log'], 'log.txt'), 'a')                         f.write('diff_file: ' + getUnicode(filekey) + ' : ' + getUnicode(time.ctime()) + '\n')                         f.close()                     except Exception as e:                         print u'[-] log error : done_diff: ' + getUnicode(filekey)                         pass         time.sleep(2)         # print '[*] ' + getUnicode(time.ctime())