php专区

首页 > php专区 > PHP应用 > 常用功能 > php网站被挂木马修复方法总结 - php高级应用

php网站被挂木马修复方法总结 - php高级应用

分享到：

【字体：大中小】

2016-11-03
来源：网络
682
64
9

导读：
php网站被挂木马修复是次要的最要的是怎么修复之后不再让木马再注入到你的网站才是重要的,下面我来总结一下php网站被挂木马修复与之后防止网站再次给挂木马的方法.在linux中我们可...

php网站被挂木马修复方法总结

php网站被挂木马修复是次要的最要的是怎么修复之后不再让木马再注入到你的网站才是重要的,下面我来总结一下php网站被挂木马修复与之后防止网站再次给挂木马的方法.

在linux中我们可以使用命令来搜查木马文件,到代码安装目录执行下面命令:

find ./ -iname "*.php" | xargs grep -H -n "eval(base64_decode"

搜出来接近100条结果,这个结果列表很重要,木马都在里面,要一个一个文件打开验证是否是木马,如果是,马上删除掉,最后找到10个木马文件,存放在各种目录,都是php webshell,功能很齐全,用base64编码.

如果你在windows中查找目录直接使用windows文件搜索就可以了,可以搜索eval或最近修改文件,然后如果是dedecms我们要查看最新dedecms漏洞呀然后修补.

下面给个php木马查找工具,直接放到你站点根目录,代码如下:

/**************PHP Web木马扫描器************************/

/* [+] 作者: alibaba */

/* [+] QQ: 1499281192 * www.phpfensi.com/

/* [+] MSN: weeming21@hotmail.com */

/* [+] 首发: t00ls.net , 转载请注明t00ls */

/* [+] 版本: v1.0 */

/* [+] 功能: web版php木马扫描工具*/

/* [+] 注意: 扫描出来的文件并不一定就是后门, */

/* 请自行判断、审核、对比原文件。*/

/* 如果你不确定扫出来的文件是否为后门，*/

/* 欢迎你把该文件发给我进行分析。*/

/*******************************************************/

ob_start();

set_time_limit(0);

$username = "t00ls"; //设置用户名

$password = "t00ls"; //设置密码

$md5 = md5(md5($username).md5($password));

$version = "PHP Web木马扫描器v1.0";

PHP Web 木马扫描器

$realpath = realpath('./');

$selfpath = $_SERVER['PHP_SELF'];

$selfpath = substr($selfpath, 0, strrpos($selfpath,'/'));

define('REALPATH', str_replace('//','/',str_replace('','/',substr($realpath, 0, strlen($realpath) - strlen($selfpath)))));

define('MYFILE', basename(__FILE__));

define('MYPATH', str_replace('', '/', dirname(__FILE__)).'/');

define('MYFULLPATH', str_replace('', '/', (__FILE__)));

define('HOST', "http://".$_SERVER['HTTP_HOST']);

?>

<?php echo $version?>

"Content-Type" content="text/html; charset=gb2312" />

if(!(isset($_COOKIE['t00ls']) && $_COOKIE['t00ls'] == $md5) && !(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5)))

{

echo '用户名: 密码: ';

}

elseif(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5))

{

setcookie("t00ls", $md5, time()+60*60*24*365,"/");

echo "登陆成功！";

header( 'refresh: 1; url='.MYFILE.'?action=scan' );

exit();

}

else

{

setcookie("t00ls", $md5, time()+60*60*24*365,"/");

$setting = getSetting();

$action = isset($_GET['action'])?$_GET['action']:"";



if($action=="logout")

{

setcookie ("t00ls", "", time() - 3600);

Header("Location: ".MYFILE);

exit();

}

if($action=="download" && isset($_GET['file']) && trim($_GET['file'])!="")

{

$file = $_GET['file'];

ob_clean();

if (@file_exists($file)) {

header("Content-type: application/octet-stream");

header("Content-Disposition: filename="".basename($file).""");

echo file_get_contents($file);

}

exit();

}

?>

"0" cellpadding="0" cellspacing="0" width="100%">

class="head">

echo $_SERVER['SERVER_ADDR']?>"float: right; font-weight:bold;">echo "$version"?>

class="alt1">

"float: right;">date("Y-m-d H:i:s",mktime())?>

"?action=scan">扫描 |

"?action=setting">设定 |

"?action=logout">登出

if($action=="setting")

{

if(isset($_POST['btnsetting']))

{

$Ssetting = array();

$Ssetting['user']=isset($_POST['checkuser'])?$_POST['checkuser']:"php | php? | phtml";

$Ssetting['all']=isset($_POST['checkall'])&&$_POST['checkall']=="on"?1:0;

$Ssetting['hta']=isset($_POST['checkhta'])&&$_POST['checkhta']=="on"?1:0;

setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/");

echo "设置完成！";

header( 'refresh: 1; url='.MYFILE.'?action=setting' );

exit();

}

?>

"frmSetting" method="post" action="?action=setting">

"width:400px">

扫描设定

"100%" border="0" cellspacing="0" cellpadding="0">

"60">文件后缀:

"300">"text" name="checkuser" id="checkuser" style="width:300px;" value="">

for="checkall">所有文件

"checkbox" name="checkall" id="checkall" if($setting['all']==1) echo "checked"?>>

for="checkhta">设置文件

"checkbox" name="checkhta" id="checkhta" if($setting['hta']==1) echo "checked"?>>



"submit" name="btnsetting" id="btnsetting" value="提交">

}

else

{

$dir = isset($_POST['path'])?$_POST['path']:MYPATH;

$dir = substr($dir,-1)!="/"?$dir."/":$dir;

?>

"frmScan" method="post" action="">

"100%%" border="0" cellspacing="0" cellpadding="0">

"35" style="vertical-align:middle; padding-left:5px;">扫描路径:

"690">

"text" name="path" id="path" style="width:600px" value="">

 "submit" name="btnScan" id="btnScan" value="开始扫描">

if(isset($_POST['btnScan']))

{

$start=mktime();

$is_user = array();

$is_ext = "";

$list = "";



if(trim($setting['user'])!="")

{

$is_user = explode("|",$setting['user']);

if(count($is_user)>0)

{

foreach($is_user as $key=>$value)

$is_user[$key]=trim(str_replace("?","(.)",$value));

$is_ext = "(.".implode("($|.))|(.",$is_user)."($|.))";

}

}

if($setting['hta']==1)

{

$is_hta=1;

$is_ext = strlen($is_ext)>0?$is_ext."|":$is_ext;

$is_ext.="(^.htaccess$)";

}

if($setting['all']==1 || (strlen($is_ext)==0 && $setting['hta']==0))

{

$is_ext="(.+)";

}



$php_code = getCode();

if(!is_readable($dir))

$dir = MYPATH;

$count=$scanned=0;

scan($dir,$is_ext);

$end=mktime();

$spent = ($end - $start);

?>

"padding:10px; background-color:#ccc">扫描: echo $scanned?> 文件| 发现: echo $count?> 可疑文件| 耗时: echo $spent?> 秒

"100%" border="0" cellspacing="0" cellpadding="0">

class="head">

"15" align="center">No.

"48%">文件

"12%">更新时间

"10%">原因

"20%">特征

动作

echo $list?>

}

ob_flush();

function scan($path = '.',$is_ext){

global $php_code,$count,$scanned,$list;

$ignore = array('.', '..' );

$replace=array(" ","n","r","t");

$dh = @opendir( $path );

while(false!==($file=readdir($dh))){

if( !in_array( $file, $ignore ) ){

if( is_dir( "$path$file" ) ){

scan("$path$file/",$is_ext);

} else {

$current = $path.$file;

if(MYFULLPATH==$current) continue;

if(!preg_match("/$is_ext/i",$file)) continue;

if(is_readable($current))

{

$scanned++;

$content=file_get_contents($current);

$content= str_replace($replace,"",$content);

foreach($php_code as $key => $value)

{

if(preg_match("/$value/i",$content))

{

$count++;

$j = $count % 2 + 1;

$filetime = date('Y-m-d H:i:s',filemtime($current));

$reason = explode("->",$key);

$url = str_replace(REALPATH,HOST,$current);

preg_match("/$value/i",$content,$arr);

$list.="

class='alt$j' onmouseover='this.className="focus";' onmouseout='this.className="alt$j";'>

$count

'$url' target='_blank'>$current

$filetime

$reason[0]

$reason[1]

'?action=download&file=$current' target='_blank'>下载

//echo $key . "-" . $path . $file ."(" . $arr[0] . ")" ."";

//echo $path . $file ."";

break;

}

closedir( $dh );

}

function getSetting()

{

$Ssetting = array();

if(isset($_COOKIE['t00ls_s']))

{

$Ssetting = unserialize(base64_decode($_COOKIE['t00ls_s']));

$Ssetting['user']=isset($Ssetting['user'])?$Ssetting['user']:"php | php? | phtml | shtml";

$Ssetting['all']=isset($Ssetting['all'])?intval($Ssetting['all']):0;

$Ssetting['hta']=isset($Ssetting['hta'])?intval($Ssetting['hta']):1;

}

else

{

$Ssetting['user']="php | php? | phtml | shtml";

$Ssetting['all']=0;

$Ssetting['hta']=1;

setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/");

}

return $Ssetting;

}

function getCode()

{

return array(

'后门特征->phpfensi.com'=>'phpfensi.com',

'后门特征->c99shell'=>'c99shell',

'后门特征->phpspy'=>'phpspy',

'后门特征->Scanners'=>'Scanners',

'后门特征->cmd.php'=>'cmd.php',

'后门特征->str_rot13'=>'str_rot13',

'后门特征->webshell'=>'webshell',

'后门特征->EgY_SpIdEr'=>'EgY_SpIdEr',

'后门特征->tools88.com'=>'tools88.com',

'后门特征->SECFORCE'=>'SECFORCE',

'后门特征->eval("?>'=>'eval(('|")?>',

'可疑代码特征->system('=>'system(',

'可疑代码特征->passthru('=>'passthru(',

'可疑代码特征->shell_exec('=>'shell_exec(',

'可疑代码特征->exec('=>'exec(',

'可疑代码特征->popen('=>'popen(',

'可疑代码特征->proc_open'=>'proc_open',

'可疑代码特征->eval($'=>'eval(('|"|s*)$',

'可疑代码特征->assert($'=>'assert(('|"|s*)$',

'危险MYSQL代码->returns string soname'=>'returnsstringsoname',

'危险MYSQL代码->into outfile'=>'intooutfile',

'危险MYSQL代码->load_file'=>'select(s+)(.*)load_file',

'加密后门特征->eval(gzinflate('=>'eval(gzinflate(',

'加密后门特征->eval(base64_decode('=>'eval(base64_decode(',

'加密后门特征->eval(gzuncompress('=>'eval(gzuncompress(',

'加密后门特征->eval(gzdecode('=>'eval(gzdecode(',

'加密后门特征->eval(str_rot13('=>'eval(str_rot13(',

'加密后门特征->gzuncompress(base64_decode('=>'gzuncompress(base64_decode(',

'加密后门特征->base64_decode(gzuncompress('=>'base64_decode(gzuncompress(',

'一句话后门特征->call_user_func("assert"'=>'call_user_func(("|')assert("|')',

'上传后门特征->fputs(fopen("?","w"),$_POST/GET/REQUEST/COOKIE['=>'fputs(fopen((.+),('|")w('|")),('|"|s*)$_(POST|GET|REQUEST|COOKIE)[',

'.htaccess插马特征->SetHandler application/x-httpd-php'=>'SetHandlerapplication/x-httpd-php',

'.htaccess插马特征->php_value auto_prepend_file'=>'php_valueauto_prepend_file',

'.htaccess插马特征->php_value auto_append_file'=>'php_valueauto_append_file'

//开源代码phpfensi.com

);

}

分享到：

PHP防CC攻击实现代码总结 - php高级应用
PHP防CC攻击实现代码总结 CC攻击就是对方利用程序或一些代理对您的网站进行不间断的访问,造成您的网站处理不了而处于当机状态,下面我们来总结一些防CC攻击的php实例代码,各位朋友可参考. 例1,代码如下: //代理IP直接退出 emptyempty($_SERVER['HTTP_VIA']) or exit(&...

BS结构中使用PHP访问ORACLE LOB - php高...
BS结构中使用PHP访问ORACLE LOB 摘要：本文介绍了如何利用PHP的数据库访问技术实现对ORACLE LOB数据对象的存储。关键字：PHP；ORACLE； LOB；存储；引言:PHP，即“PHP: Hypertext Preprocessor”，是一种广泛用于 Open Source（开放源代码）并可以嵌入 HTML 的多用途脚本语言。它的语法...

php专区

php网站被挂木马修复方法总结 - php高级应用

php网站被挂木马修复方法总结

Tags

About