First, the Trojan files planted on a compromised site.
Trojan files are generally disguised as normal files, or as non-executable files, so that they are not noticed.
For example, one may be disguised as an icon file.
Find such a disguised file and open it in an editor, and you will find source code inside.
This presumably works by pulling the icon file into a normal file with include;
the code in the icon file is then executed, unnoticed, together with the normal application file.
Also, to stay hidden, the include statement is not written out in plain text.
Example: @include "\x2fh\x6fm\x65/\x77w\x77r\x6fo\x74/\x64e\x66a\x75l\x74/\x77p
One thing to note here is that each \xDD, where DD is a two-digit hexadecimal number, stands for the corresponding character,
so the path is spliced together without ever appearing in plain text.
Here is how to find them:
The command I use is:
grep --color -i -r -n "@include" /home/
For other methods, see this link.
This lists every file containing "@include" under the given location, here the "/home/" directory.
Then open each suspected Trojan file in a text editor to check whether it contains code.
If it does, note its distinctive strings, for example a constant set with define.
The next step is to search for files with the same characteristics in the same way as above.
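The grep above only finds the literal "@include"; it does not tell you where an escaped path like the one in the example actually points. The following scanner is an added example (not code from the original post) that finds include/require statements whose double-quoted path uses \xDD or \DDD escapes and decodes them the way PHP would. The regexes and the sample PHP file are constructed for this example; the pattern is a triage aid, not a PHP parser.

```python
import re
import sys
from pathlib import Path

# Constructed sample: a "normal" loader file with a hidden include whose target
# path is written entirely with \xDD escapes (not taken from the original post).
SAMPLE_PHP = r'''<?php
require_once "wp-load.php";
@include "\x2fh\x6fm\x65/\x77w\x77r\x6fo\x74/\x66a\x76i\x63o\x6e.\x69c\x6f";
'''

# include/require (optionally with @) followed by a double-quoted string literal.
INCLUDE_RE = re.compile(
    r'@?\b(include_once|require_once|include|require)\b\s*\(?\s*"((?:[^"\\]|\\.)*)"',
    re.IGNORECASE,
)
# PHP double-quoted escapes: \xDD (hex, up to two digits) and \DDD (octal).
ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')


def decode_php_string(literal: str) -> str:
    """Resolve PHP xDD/DDD escapes into characters, leaving other text alone."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8))
    return ESCAPE_RE.sub(repl, literal)


def find_obfuscated_includes(source: str):
    """Return (raw literal, decoded path) for includes whose path uses escapes."""
    hits = []
    for m in INCLUDE_RE.finditer(source):
        raw = m.group(2)
        if ESCAPE_RE.search(raw):
            hits.append((raw, decode_php_string(raw)))
    return hits


def scan_tree(root: str, suffixes=(".php", ".phtml", ".inc")):
    """Walk a web root and map each file to its escape-obfuscated includes."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_obfuscated_includes(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


if __name__ == "__main__":
    # Usage: python scan.py /home/   (prints each file and its decoded includes)
    for f, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f, hits)
```

A decoded path that points at an icon, image or other non-PHP file is exactly the disguise described above and is worth opening in an editor next.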
Second, using Nginx as a reverse proxy
First, the configuration:
location / {
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Client-IP check; the tested variable was lost in extraction and is
    # reconstructed as $remote_addr from the explanation that follows.
    if ($remote_addr = 255.255.255.0) {
        proxy_pass http://127.0.0.1:8080;
        break;
    }
    proxy_pass https://www.baidu.com;
}
Here, if the visitor's IP is 255.255.255.0, the request is proxied to local port 8080.
The precondition is that something is listening on that port.
Otherwise, the request is proxied to Baidu.
One thing to note here is that if the condition involves a path, it should be tested against $request_uri.
Also, if proxy_pass is not used inside the if block, the if block's configuration is not applied.
A link is also attached:
Finding suspected Trojan files on Linux, and using Nginx to reverse proxy different IPs to different backends