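#!/bin/csh -f
### Check for PHP Gumblar code in your sites
##
## Please check the following environments
##   1. Check folders
##   2. ICONV (Recommend for Japanese Users)
##   3. SENDMAIL path
##   4. MAIL_TO (To:)
##   5. MAIL_FROM (From:)
##   6. SUBJECT (Subject:)
##
## Version 1.0: 4 March, 2010
# Kimiya Kitani (kitani@bakkers.gr.jp).
#
# What the script does: grep the configured folders for PHP files that
# contain both "base64_decode" and "eval" on one line, and, when any are
# found, e-mail the matching lines to $MAIL_TO through $SENDMAIL.
# Exit status: 0 when nothing suspicious was found (or after the notice
# was sent), 1 when a temporary file or the sendmail binary is unusable.

# Please write all checking lists.
#   set Folders = {"Directory1","Direcotry2","...."}
# Attention: You must not insert space in split word ",".
#   Miss: "....", "...."  -- Correct --> "....","...."
set Folders = {"~/aaa/","~/bbbb/"}

# If "iconv" tool is installed and there is $ICONV file, the e-mail message
# for notice will automatically convert $ENCODE_FROM to $ENCODE_TO.
###
set ICONV = /usr/bin/iconv
set ENCODE_FROM = "UTF8"
set ENCODE_TO = "ISO-2022-JP"
###

set P_NAME = "$0"

# Temporary files are created by mktemp so that their names are not
# predictable and they are created with a private mode.  A fixed
# /tmp/NAME.$$ path could be pre-created (e.g. as a symlink) by another
# local user before this script touches it.
set TMP = `mktemp /tmp/${P_NAME:t}.XXXXXXXX`    # for sending e-mail message
set TMP2 = `mktemp /tmp/${P_NAME:t}.XXXXXXXX`   # for checking virus

## Use "sendmail -i -t"
set SENDMAIL = /usr/sbin/sendmail
set MAIL_TO = sample@sample.com
set MAIL_FROM = postmaster@sample.com
set SUBJECT = "[Hogehoge Site]: Suspicion PHP Gumblar was found. Please check it."

# Cannot create or read the temporary file...
if ("$TMP" == "") then
  echo "Could not create a temporary file in /tmp (mktemp failed)."
  if ("$TMP2" != "") rm -f $TMP2
  exit 1
endif
if (! -f "$TMP" || ! -r "$TMP") then
  echo "Please check the permission of $TMP file or ${TMP:h} directory."
  rm -f $TMP $TMP2
  exit 1
endif
if ("$TMP2" == "") then
  echo "Could not create a temporary file in /tmp (mktemp failed)."
  rm -f $TMP
  exit 1
endif
if (! -f "$TMP2" || ! -r "$TMP2") then
  echo "Please check the permission of $TMP2 file or ${TMP2:h} directory."
  rm -f $TMP $TMP2
  exit 1
endif

# Check of sendmail command (-x: it must exist and be executable, a plain
# -f test would accept a non-executable file and fail later when mailing).
if (! -x "$SENDMAIL") then
  echo "Please check the path of $SENDMAIL command."
  rm -f $TMP $TMP2
  exit 1
endif

### Check for PHP Gumblar.
###
# "--" ends grep's option parsing so that a file name starting with "-"
# inside a scanned folder cannot be taken as an option.
cat /dev/null > $TMP2
foreach f_list ($Folders)
  grep -rnsH -- 'base64_decode' ${f_list}/* | grep 'eval' >> $TMP2
end

if (-z $TMP2) then
  # Not found (Safety).
  rm -f $TMP $TMP2
  exit 0
endif

#####
echo "Found \!"

# If found, the e-mail message (notice) will be sent.
# The headers are written first and terminated by the empty line below;
# everything after it (including the grep output, whose content comes from
# the scanned files) is the message body, so "sendmail -t" never reads
# recipients or other headers from untrusted data.
echo "From: $MAIL_FROM" > $TMP
echo "To: $MAIL_TO" >> $TMP
echo "Subject: $SUBJECT" >> $TMP
echo "" >> $TMP
# IF possible, add "Date" information.  Note that this lands in the body
# (after the header block), not in a "Date:" header.
date >> $TMP
echo "" >> $TMP
echo '---Found Lists---' >> $TMP
cat $TMP2 >> $TMP

if (-x "$ICONV") then
  $ICONV -f $ENCODE_FROM -t $ENCODE_TO $TMP | $SENDMAIL -i -t
else
  $SENDMAIL -i -t < $TMP
endif
rm -f $TMP $TMP2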