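#!/bin/csh -f
###
# Check for PHP Gumblar code in your sites.
#
# Scans the configured folders for lines that contain both "base64_decode"
# and "eval", and e-mails the list of hits when any are found.
#
# Please check the following settings before use:
#   1. Check folders
#   2. ICONV (recommended for Japanese users)
#   3. SENDMAIL path
#   4. MAIL_TO   (To:)
#   5. MAIL_FROM (From:)
#   6. SUBJECT   (Subject:)
#
# Version 1.0 : 4 March, 2010
#         1.0a: 5 March, 2010: made specific to the Cygwin-on-Windows
#               environment (requires email and tcsh; iconv recommended)
#
# Kimiya Kitani (kitani@bakkers.gr.jp).
###

# Please write all folders to check.
#   set Folders = {"Directory1","Directory2","...."}
# Attention: do not insert a space after the separator ",".
#   Wrong:   "....", "...."
#   Correct: "....","...."
set Folders = {"~/aaa/","~/bbbb/"}

# If the iconv tool is installed at $ICONV, the notification message is
# converted from $ENCODE_FROM to $ENCODE_TO before it is sent.
set ICONV       = /usr/bin/iconv
set ENCODE_FROM = "UTF-8"
set ENCODE_TO   = "ISO-2022-JP"

set P_NAME  = "$0"
set TMP_DIR = /tmp

set SENDMAIL  = /usr/bin/email
set MAIL_TO   = "sample@sample.com"
set MAIL_FROM = "postmaster@sample.com"
set SUBJECT   = "[Hogehoge Site]: Suspicion PHP Gumblar was found. Please check it."

# For Cygwin users on Windows:
#   email -s "subject" -f "from" -n "sender name" -r smtp_server -p smtp_port
#         -m smtp_auth_type -u smtp_user -i smtp_pass -tls
#
# NOTE(review): SMTP_PASS is stored in clear text in this file and is handed
# to the mail client as a command-line argument, so it can show up in process
# listings while the mail is being sent. Keep this script readable by its
# owner only (chmod 700) and use a dedicated SMTP account that can do nothing
# except send this notification.
set SENDER_NAME    = "Postmaster"
set SMTP_SERVER    = smtp-server
set SMTP_PORT      = 587
set SMTP_AUTH_TYPE = "LOGIN"
set SMTP_USER      = "sample"
set SMTP_PASS      = "hogehoge"
set SMTP_TLS_USE   = "YES"

# Build the mail client options as a word list, not as one string. csh does
# not re-read quote characters that come out of a variable, so quotes embedded
# in a string would reach the mail client as part of the sender name, user and
# password, and a value containing a space would be split into two arguments.
# Expanding the list with :q keeps every value as exactly one argument.
set SENDMAIL_OPT = (-f "$MAIL_FROM" -n "$SENDER_NAME" -r "$SMTP_SERVER" -p "$SMTP_PORT" -x 120)
if ( "$SMTP_AUTH_TYPE" != "" ) then
    set SENDMAIL_OPT = ($SENDMAIL_OPT:q -m "$SMTP_AUTH_TYPE" -u "$SMTP_USER" -i "$SMTP_PASS")
    if ( "$SMTP_TLS_USE" == "YES" ) then
        set SENDMAIL_OPT = ($SENDMAIL_OPT:q -tls)
    endif
endif

# Create both temporary files with mktemp. A name built from the script name
# and the process id is predictable, so another local user could create the
# file (or a symbolic link) in the shared directory first and have this script
# write through it. mktemp picks an unpredictable name and creates the file
# with owner-only permissions, which also keeps the hit list private.
# TMP holds the e-mail message, TMP2 holds the raw scan results.
set TMP = `mktemp ${TMP_DIR}/${P_NAME:t}.XXXXXX`
if ( "$TMP" == "" ) then
    echo "Please check the permission of ${TMP_DIR} directory."
    exit
endif

set TMP2 = `mktemp ${TMP_DIR}/${P_NAME:t}.XXXXXX`
if ( "$TMP2" == "" ) then
    echo "Please check the permission of ${TMP_DIR} directory."
    rm -f "$TMP"
    exit
endif

# Check of the mail command.
if ( ! -f "$SENDMAIL" ) then
    echo "Please check the path of $SENDMAIL command."
    rm -f "$TMP" "$TMP2"
    exit
endif

### Check for PHP Gumblar. ###
# Each folder is passed to grep -r directly instead of as folder/*: the "*"
# pattern skips names that begin with a dot, so hidden files and directories
# at the top level were never scanned, and an empty folder made csh stop the
# script with "No match" before the temporary files were removed.
# $f_list stays unquoted on purpose so that a leading "~" is still expanded.
#
# Only lines that contain both strings are reported. This is a heuristic:
# legitimate code can match, and injected code written in another form does
# not, so every hit needs a manual look and an empty result only means that
# nothing matched.
foreach f_list ($Folders)
    grep -rnsH 'base64_decode' ${f_list} | grep 'eval' >> "$TMP2"
end

if ( -z "$TMP2" ) then
    # Nothing matched: no mail is sent.
    rm -f "$TMP" "$TMP2"
    exit
endif

#####
echo "Found \!"

# Something matched, so build the notification: date, blank line, hit list.
date > "$TMP"
echo "" >> "$TMP"
echo '---Found Lists---' >> "$TMP"
cat "$TMP2" >> "$TMP"

# Debugging aid: uncomment to print the mail options and stop before sending.
# Be aware that the printed options include the SMTP password.
#echo $SENDMAIL_OPT
#rm -f $TMP $TMP2
#exit

if ( -f "$ICONV" ) then
    $ICONV -f "$ENCODE_FROM" -t "$ENCODE_TO" "$TMP" | $SENDMAIL -s "$SUBJECT" $SENDMAIL_OPT:q "$MAIL_TO"
else
    $SENDMAIL -s "$SUBJECT" $SENDMAIL_OPT:q "$MAIL_TO" < "$TMP"
endif

rm -f "$TMP" "$TMP2"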