Syhunt Web Backdoor Scanner .LUA or .EXE – Easy Customization and Configuration

By | July 27, 2015

So I found this neat little script lying around; it makes looking for backdoors and webshells on web servers a cakewalk. Backdoors are always changing, and different hacker groups rename common backdoors, so you can update this script with new intel in two seconds. To add a new filename to the search, simply add /newfilename in the format below. You can compile this into an .exe file, if you prefer, using your favorite compiler.

 

Here is the code:

require('Gelo')
usage = [[
----------------------------------------------------------------
Syhunt Web Backdoor Scanner 1.0
----------------------------------------------------------------

USAGE:
bdscan.exe [url]

Example:
bdscan.exe http://www.somehost.com

Note: Our Sandcat Pro scanner includes advanced signatures and a
more up-to-date list of checks.
More details about this product can be found at:
http://www.syhunt.com/?n=Sandcat.Pro
]]

--Turn this into an .EXE file using Gelo:
--http://www.syhunt.com/?n=Tools.Gelo

pathlist = [[
/0wn.asp
/0wn3d.c
/0wn3d.php
/1.exe
/2.exe
/3.exe
/4.exe
/CmdServlet
/Crystal.php
/Dx.php
/Fire.exe
/FireD.exe
/FireDaemon.exe
/JAsfv.dll
/JspWebshell.jsp
/JspWebshell.jspx
/JspWebshell1.2.jsp
/JspWebshell1.2.jspx
/LSAExt.dll
/ListServlet
/NCC-Shell.php
/NetworkFileManagerPHP.php
/PHANTASMA.php
/PHPJackal.php
/PHPRemoteView.php
/Private-i3lue.php
/UpServlet
/Uploader.php
/accept_language.php
/admin.dll
/antichat.php
/aspydrv.asp
/aspydrv.aspx
/aspydrv.mspx
/author.dll
/avent.php
/backdoor.php
/backupsql.php
/bin.exe
/browser.jsp
/c100.php
/c100shell.php
/c99.php
/c99_PSych0.php
/c99_locus7s.php
/c99_madnet.php
/c99_w4cking.php
/c99shell.php
/cfexec.cfm
/cihshell.php
/cihshell_fix.php
/cmd-asp-5.1.asp
/cmd-asp.asp
/cmd.GPL
/cmd.asp
/cmd.aspx
/cmd.c
/cmd.cfm
/cmd.cgi
/cmd.d2w
/cmd.do
/cmd.exe
/cmd.exe?/c+dir
/cmd.js
/cmd.jsp
/cmd.jspx
/cmd.mspx
/cmd.nsf
/cmd.php
/cmd.pl
/cmd.py
/cmd.sh
/cmd.show
/cmd1.exe
/cmd1.exe?/c+dir
/cmd32.exe
/cmdServlet
/cmd_win32.jsp
/cmd_win32.jspx
/cmdasp.asp
/cmdasp.aspx
/cmdjsp.jsp
/cmdjsp.jspx
/cod3r.php
/cod3rz.php
/cod3rzshell.php
/compfilt.dll
/ctt_sh.php
/cybershell.php
/dc.php
/dx.php
/ekin0x.php
/erne.php
/exec.asp
/exec.jsp
/exploit.c
/explore.asp
/fatal.php
/fpexedll.dll
/fso.asp
/fso.aspx
/fso.mspx
/ftp.exe
/ftpx.exe
/gfs_sh.php
/goonshell.php
/h4x.php
/h4x0r.php
/hack.exe
/hack.jsp
/heykir.php
/httpext.dll
/httpodbc.dll
/iMHaPFtp.php
/idq.dll
/iiscrack.dll
/iise.dll
/ironshell.php
/jackal.php
/jsback.php
/jsp-reverse.jsp
/jsp-reverse.jspx
/kacak.asp
/kacak.aspx
/kacak.mspx
/kshell.asp
/kshell.aspx
/kshell.mspx
/l33t.php
/lamashell.php
/list.asp
/list.jsp
/list.php
/list.pl
/list.sh
/liz0zim.php
/load_shell.php
/locu.php
/locus.php
/locus7s.php
/mantis-email-bomber.php
/matamu.php
/md5filt.dll
/msw3prt.dll
/myshell.php
/mysql.php
/mysql2.php
/mysql_tool.php
/mysqlwebsh.php
/nc.exe
/ncx.exe
/ncx99.exe
/netcat.exe
/nshell.php
/nst.php
/nstview.php
/ntdaddy.asp
/ntdaddy.aspx
/ntdaddy.mspx
/omnithread_rt.dll
/own.asp
/own.exe
/own.jsp
/owned.php
/pHpINJ.php
/perl-reverse-shell.pl
/perlcmd.cgi
/php-backdoor.php
/php-findsock-shell.php
/php-include-w-shell.php
/php-reverse-shell.php
/phpbypass.php
/phpshell.php
/pmsh.pl
/pwdump.exe
/pwdump2.exe
/pwdump3.exe
/pws.php
/pwsdata.dll
/r57.1.4.0.php
/r57.php
/r57142.php
/r57_Mohajer22.php
/r57_iFX.php
/r57_kartal.php
/redcod.php
/remview.php
/remview_2002_08_05.php
/remview_2002_08_24.php
/remview_2003_04_22.php
/remview_2003_10_23.php
/remview_fix.php
/rhtools.asp
/rhtools.aspx
/rhtools.mspx
/root.exe
/root.exe?/c+dir
/rootshell.php
/ru24_post_sh.php
/safe0ver.php
/safemod.php
/samdump.dll
/sensepost.exe
/sensepost.exe?/c+dir
/servlet/CmdServlet
/shell.GPL
/shell.asp
/shell.aspx
/shell.cfm
/shell.cgi
/shell.d2w
/shell.do
/shell.exe
/shell.js
/shell.jsp
/shell.jspx
/shell.mspx
/shell.nsf
/shell.pl
/shell.py
/shell.show
/shtml.dll
/simattacker.php
/simp-worm_sys.p5.php
/simple-backdoor.php
/simple_cmd.php
/socat.exe
/sosyete.php
/spybypass.php
/sql.php
/ssinc.dll
/sspifilt.dll
/stresbypass.php
/unreal.php
/up.asp
/up.jsp
/up.php
/up.pl
/up.sh
/up_win32.jsp
/vnchooks.dll
/w3k.php
/w4cking.php
/w4k.php
/winshell.php
/worm.php
/wso2.php
/x.php
/xx.php
/xxx.php
/zaco.php
/zacosmall.php
/zehir4.asp
/zehir4.aspx
/zehir4.mspx
]]

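if arg[1] == nil then
  print(usage)
else
  print('Scanning '..arg[1]..'...')
  http = GHTTPRequest:new()
  p = GStrListParser:new()
  -- Load the path list and request each entry in turn
  p:loadfromstr(pathlist)
  while p:parsing() do
    http:open('GET',arg[1]..p.current)
    -- Any status other than 404 is reported, so a server that answers
    -- missing pages with another status will list every path as found
    if http.statuscode ~= 404 then
      print('Found: '..p.current)
    end
  end
  p:release()
  http:release()
end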
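
The loop above reports every path whose status is not 404, so a server that answers missing pages with a 200 error page flags the whole list. The following Python version of the same check is an added example, not part of the original post or Syhunt's code: it first requests a random name to learn how the server answers a miss, then drops responses identical to that baseline. The names `scan`, `http_fetch` and `fake_soft404_server` and the host `intranet.example` are assumptions, and comparing exact status and body length is a simplification.

```python
"""Added example: the page's scan loop with a soft-404 baseline (not Syhunt's code)."""
import urllib.error
import urllib.request
import uuid


def http_fetch(url, timeout=10):
    """Return (status, body_length) for a GET; HTTP error statuses are results too."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, len(err.read())


def scan(base_url, paths, fetch=http_fetch):
    """Report paths whose response differs from the server's 'missing page' answer."""
    base = base_url.rstrip("/")
    # Baseline: a random name that cannot exist shows how this server answers a miss.
    baseline = fetch(f"{base}/{uuid.uuid4().hex}.php")
    findings = []
    for path in paths:
        status, length = fetch(base + path)
        if status == 404:
            continue                      # the only case the original script filters
        if (status, length) == baseline:
            continue                      # soft 404: same answer as the random name
        findings.append((path, status))
    return findings


# Constructed stand-in for a server that answers every miss with a 200 error page.
def fake_soft404_server(url):
    pages = {"http://intranet.example/c99.php": (200, 48213)}
    return pages.get(url, (200, 1520))


if __name__ == "__main__":
    sample = ["/c99.php", "/r57.php", "/cmd.asp"]
    for path, status in scan("http://intranet.example", sample, fake_soft404_server):
        print(f"Found: {path} (HTTP {status})")
```

Error pages that echo the requested path vary in length, so a production check would compare content with some tolerance rather than exact length.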
