Commands by faceinthecrowd

Commands by faceinthecrowd (1)

sorted by

find potentially malicious PHP commands used in backdoors and aliked scripts

I have found that base64 encoded webshells and the like contain lots of data but hardly any newlines due to the formatting of their payloads. Checking the "width" will not catch everything, but then again, this is a fuzzy problem that relies on broad generalizations and heuristics that are never going to be perfect. What I have done is set an arbitrary threshold (200 for example) and compare the values that are produced by this script, only displaying those above the threshold. One webshell I tested this on scored 5000+ so I know it works for at least one piece of malware.
This is sample output - yours may be different.
0

for ii in $(find /path/to/docroot -type f -name \*.php); do echo $ii; wc -lc $ii | awk '{ nr=$2/($1 + 1); printf("%d\n",nr); }'; done

faceinthecrowd · 2013-04-05 19:06:17 10

What's this?

commandlinefu.com is the place to record those command-line gems that you return to again and again. That way others can gain from your CLI wisdom and you from theirs too. All commands can be commented on, discussed and voted up or down.

Share Your Commands

Check These Out

Check if the files in current directory has the RPATH variable defined

Using gentoo prefix portage I got in a situation where some packages did not contain the needed RPATH variable. This command helped me to find out which ones I should recompile

Look for English words in /dev/urandom

* to get the English dictionary: wget http://www.mavi1.org/web_security/wordlists/webster-dictionary.txt

how to export a table in .csv file

Exports the result of query in a csv file

diff the same file in two directories.

This is useful when you're diffing two files of the same name in radically different directory trees. For example: Set $ path1='/some/long/convoluted/path/to/all/of/your/source/from/a/long/dead/machine' then $ path2='/local/version/of/same/file' then run the command. Much easier on the eyes when you're looking back across your command history, especially if you're doing the same diff over and over again.

copy from host1 to host2, through your host

Good if only you have access to host1 and host2, but they have no access to your host (so ncat won't work) and they have no direct access to each other.

colorize sequences of digits

Credits go to Flatcap https://www.commandlinefu.com/commands/by/flatcap

Convert CSV to JSON

Replace 'csv_file.csv' with your filename.

List all open ports and their owning executables

Particularly useful on OS X where netstat doesn't have -p option.

Advanced python tracing

Trace python statement execution and syscalls invoked during that simultaneously

Show a zoomable world map

show a zoomable world map

Stay in the loop…

Follow the Tweets.

Every new command is wrapped in a tweet and posted to Twitter. Following the stream is a great way of staying abreast of the latest commands. For the more discerning, there are Twitter accounts for commands that get a minimum of 3 and 10 votes - that way only the great commands get tweeted.

» http://twitter.com/commandlinefu
» http://twitter.com/commandlinefu3
» http://twitter.com/commandlinefu10

Subscribe to the feeds.

Use your favourite RSS aggregator to stay in touch with the latest commands. There are feeds mirroring the 3 Twitter streams as well as for virtually every other subset (users, tags, functions,…):

Subscribe to the feed for:

» all commands
» commands with 3 up-votes (commandlinefu3)
» commands with 10 up-votes (commandlinefu10)
» commands by faceinthecrowd