Scan files (php) for questionable items ... looking for those exploits!

scanner.php

<?php

// Let's see those errors!
error_reporting(1);

// Give it some time!
set_time_limit(80);

// File ext(types) to check!
$check_files = array(
  'php',
  'php5',
  'inc',
  'txt',
  'css',
  'js',
  'htaccess',
  'png'
);

// Any folder name you want to ignore
$ignore_dirs = array(
  '_kb',
  'cgi-bin',
  'sym'
);

// Questionables!
// TODO add points for items
$questionable_strings = array(
    'passwd',
    'uudecode',
    'wshell',
    'popen',
    'str_rot13',
    'cx',
    'exec',
    'passthru',
    'proc_',
    'noscript',
    'script',
    'iframe',
    //'\x',
    'cgi.',
    'system',
    'passthru',
    'shell_exec',
    'system',
    'phpinfo',
    'base_convert',
    'hack',
    'eval',
    'gzinflate',
    'shell',
    'sh3ll',
    'alias',
    'SymLinks',
    'symlink',
    'crack',
    'REMOTE_ADDR',
    'getcwd',
    '/bin',
    'pcntl_fork',
    'posix_setsid',
    '.conf',
    '.ini',
    'stream_',
    'posix_getpwuid',
    'fileowner',
    'eregi',
    'ini_get',
    'proc_close',
    'unpack',
    'pack',
    'decbin',
    'REMOTE_ADDR',
    'base64_decode',
    'edoced_46esab',
    'get_loaded_extensions'
);

// Loop through the files
function scanDirectory($dir)
{
  global $ignore_dirs;
  // what directory do you want to start at?
  // you can only pass in parameters glob() will take
  // that means you can also limit file type
  foreach(glob($dir) as $item)
  {
    // is the record a directory?
    if(is_dir($item)){

      // if isn't folder to ignore
      if(!in_array($item, $ignore_dirs)){
        // we need to update this for better parament passing
        // i.e. ability to pass file type or glob() pattern
        scanDirectory($item.'/*');
      }
      
    } else { // Not a file!
      
      // lets get that extension!
      $ext = pathinfo($item, PATHINFO_EXTENSION);

      global $check_files;

      // if file type needs checking ... check it
      if(in_array($ext, $check_files)){
        scanFile($item);
      }
      
    }
  }
}

// Scan a file for possible exploits
function scanFile($file){
   if(!($content = file_get_contents($file))){
      // empty file...
      echo 'Erra';
   } else {
    global $questionable_strings;
    // file has content so let's get it's matches
    $matches = checkMatches($content, $questionable_strings);

    // Are there matches?
    if(count($matches) > 0){
      echo "$file";
      // handles those matches
      displayMatches($matches);
    }
   }
}

// Display all matches
function displayMatches($matches){
  echo '<ul>';
  $total_count = 0;
  foreach($matches as $type => $count){
    echo '<li>'.$type.' ('. $count . '</li>';
    $total_count += $count;
  }
  echo "<li>Total Count : $total_count</li>";
  echo '</ul>';
}

// Read string for questionables
function checkMatches($string, $questionable_strings){
  
  // holds all the hits
  $flags = array();

  // loop through questionables
  foreach($questionable_strings as $in_question){
    // how many time does the questionable show up
    $count = substr_count($string, $in_question);

    // if there is a hit ... record it
    if($count) 
    {
      $flags[$in_question] = $count;
    }
  }

  return $flags;
  
}

scanDirectory('*');