How to check whether a PHP website has been compromised
From: http://www.gregfreeman.org/2013/how-to-tell-if-your-php-site-has-been-compromised/
0x01 Check the access logs
Look for file-upload activity (POST requests), for example:
IPREMOVED - - [01/Mar/2013:06:16:48 -0600] "POST /uploads/monthly_10_2012/view.php HTTP/1.1" 200 36 "-" "Mozilla/5.0"
IPREMOVED - - [01/Mar/2013:06:12:58 -0600] "POST /public/style_images/master/profile/blog.php HTTP/1.1" 200 36 "-" "Mozilla/5.0"
The default nginx access_log directive is:
access_log logs/access.log;
or
access_log logs/access.log combined;
The default log location is the logs/ directory under the nginx installation prefix.
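The check described above (POST requests to PHP files under directories that should only hold uploaded or static content), written out as a small shell script. This is an added example, not code from the original post; the log lines are constructed sample data in the combined format, and the list of "upload-like" directory names is an assumption to adapt to the site being checked.

```shell
#!/bin/sh
# Added example (not from the original post): flag POST requests to PHP files
# under upload/static directories in a combined-format access log.
# The log lines below are constructed sample data, not real traffic.

LOG="$(mktemp)"
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
198.51.100.7 - - [01/Mar/2013:06:16:48 -0600] "POST /uploads/monthly_10_2012/view.php HTTP/1.1" 200 36 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2013:06:12:58 -0600] "POST /public/style_images/master/profile/blog.php HTTP/1.1" 200 36 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Mar/2013:06:20:01 -0600] "GET /uploads/monthly_10_2012/photo.jpg HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Mar/2013:06:21:10 -0600] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF

# Print POST requests whose path lies under a directory that normally holds only
# uploaded or static content and whose target is a .php file.
# In the combined format, $1 is the client IP, $6 the quoted method, $7 the path.
# The directory list is an assumption; extend it for the site being checked.
suspicious_php_posts() {
    awk '$6 == "\"POST" && $7 ~ /\/(uploads|style_images|images|cache|tmp)\// && $7 ~ /\.php([?].*)?$/' "$1"
}

# Count the source IPs behind those requests, most active first,
# which is usually the quickest way to spot the operator of a dropped script.
suspicious_post_sources() {
    suspicious_php_posts "$1" | awk '{print $1}' | sort | uniq -c | sort -rn
}

suspicious_php_posts "$LOG"
suspicious_post_sources "$LOG"
```

Run it against a real log by replacing the constructed file with the path of the nginx access log (logs/access.log under the install prefix by default). A POST to a PHP file under an upload directory is not proof of compromise on its own, but upload directories normally never receive requests for PHP scripts at all, so every hit deserves a look at the file it names.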
0x02 Search for files containing malicious PHP code
2.1 Search for recently modified PHP files
find . -type f -name '*.php' -mtime -7
-type f restricts the search to regular files; -mtime -7 selects files modified within the last 7*24 hours.
The result may look like this:
./uploads/monthly_04_2008/index.php
./uploads/monthly_10_2008/index.php
./uploads/monthly_08_2009/template.php
./uploads/monthly_02_2013/index.php
2.2 Check the files for suspicious code:
find . -type f -name '*.php' | xargs grep -l "eval *(" --color
find . -type f -name '*.php' | xargs grep -l "base64_decode *(" --color
find . -type f -name '*.php' | xargs grep -l "gzinflate *(" --color
find . -type f -name '*.php' | xargs grep -l "eval *(str_rot13 *(base64_decode *(" --color
(In these patterns " *" matches any number of spaces between the function name and the opening parenthesis.)
Note: many commands do not read their arguments from a pipe, but that is what is needed here, so xargs is used: it turns the file names arriving through the pipe into arguments for grep. grep -l prints only the names of the files that contain the string; without -l, the matching lines themselves are printed.
The meaning of the special strings:
eval() executes a string as PHP code; it is the core of the most common PHP one-line backdoor.
base64_decode() decodes a base64 string; it appears when the payload was base64-encoded for the attack.
gzinflate() decompresses a string; it is used when the payload was compressed with gzdeflate.
str_rot13() applies the rot13 transformation to a string.
You can also search for the code with a regular expression:
find . -type f -name '*.php' | xargs egrep -i "(mail|fsockopen|pfsockopen|stream_socket_client|exec|system|passthru|eval|base64_decode) *\("
The functions commonly seen in webshells:
mail(): used to send spam to the website's users
fsockopen(): opens a network connection or a Unix domain socket, which a payload can use to send remote requests
pfsockopen(): similar to fsockopen()
stream_socket_client(): opens a remote connection, for example:
<?php
$fp = stream_socket_client("tcp://www.example.com:80", $errno, $errstr, 30);
if (!$fp) {
    echo "$errstr ($errno)<br />\n";
} else {
    fwrite($fp, "GET / HTTP/1.0\r\nHost: www.example.com\r\nAccept: */*\r\n\r\n");
    while (!feof($fp)) {
        echo fgets($fp, 1024);
    }
    fclose($fp);
}
?>
exec(): command execution
system(): same as exec()
passthru(): same as exec()
When preg_replace() is called with the "e" modifier, the replacement string is evaluated as PHP code before the substitution is made. Scan for this with:
find . -type f -name '*.php' | xargs egrep -i "preg_replace *\((['|\"])(.).*\2[a-z]*e[^\1]*\1 *," --color
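The grep patterns from 2.2, the function list from the egrep line and the preg_replace "e" check, combined into one rule-driven scanner that reports which rule each file matched instead of running one find/grep pipeline per pattern. This is an added example and not code from the original post. The three PHP files are constructed samples, and the preg_replace rule is a simplified pattern of my own that assumes "/" is the regex delimiter (the page's backreference-based regex is not reused here).

```shell
#!/bin/sh
# Added example, not code from the original post: apply the page's grep
# patterns as named rules to every PHP file under a web root and report
# "<rule> <relative path>" for each match. Sample files are constructed.

WEBROOT="$(mktemp -d)"
RULES="$(mktemp)"
trap 'rm -rf "$WEBROOT" "$RULES"' EXIT
mkdir -p "$WEBROOT/uploads/monthly_02_2013" "$WEBROOT/includes"

# Benign file: uses base64 for a data URI (base64_encode, not base64_decode).
cat > "$WEBROOT/includes/helper.php" <<'EOF'
<?php
function logo() { return 'data:image/png;base64,' . base64_encode(file_get_contents('logo.png')); }
EOF

# Typical obfuscated backdoor shape: rot13 + base64 + eval chain.
# The encoded string is the constructed text "dead beef"; nothing here is executed.
cat > "$WEBROOT/uploads/monthly_02_2013/index.php" <<'EOF'
<?php eval(str_rot13(base64_decode('ZGVhZCBiZWVm'))); ?>
EOF

# Old-style "e" modifier: the replacement string is evaluated as PHP code.
cat > "$WEBROOT/includes/old.php" <<'EOF'
<?php echo preg_replace("/(.*)/e", "strtoupper('\\1')", $input); ?>
EOF

# One rule per line: "<name> <extended regex>". " *" tolerates spaces before "(".
# preg_e_mod assumes "/" as the regex delimiter (simplification, see lead-in).
cat > "$RULES" <<'EOF'
eval_call eval *\(
b64_decode base64_decode *\(
gzinflate gzinflate *\(
rot13_chain eval *\( *str_rot13 *\( *base64_decode *\(
dangerous_fn (mail|fsockopen|pfsockopen|stream_socket_client|exec|system|passthru) *\(
preg_e_mod preg_replace *\( *['"]/.*/[a-zA-Z]*e[a-zA-Z]*['"]
EOF

# Walk all *.php files under $1 and test every rule against each one.
# Paths are printed relative to the root so reports are easy to compare later.
scan_php() {
    root="$1"
    find "$root" -type f -name '*.php' | while read -r file; do
        while read -r name pat; do
            [ -n "$name" ] || continue
            if grep -Eiq -- "$pat" "$file"; then
                printf '%s %s\n' "$name" "${file#$root/}"
            fi
        done < "$RULES"
    done
}

scan_php "$WEBROOT"
```

Point scan_php at the real document root instead of the constructed tree. Expect legitimate hits too: frameworks and mail libraries call mail(), base64_decode() and system() for good reasons, so the value of the rule names is in triage: a file that matches rot13_chain or preg_e_mod, or one that sits under an upload directory and matches anything at all, goes to the top of the list.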
0x03 Compare the code files
This requires a clean copy of the code, which is compared with the code in use, for example:
diff -r wordpress-clean/ wordpress-compromised/ -x wp-content
The example above compares wordpress-clean/ with wordpress-compromised/ and skips the wp-content/ subdirectory in each tree.
0x04 Search for writable directories
Check these directories for suspicious files. The following script lists PHP files that live in a directory with mode 777:
search_dir=$(pwd)
# directories under the current tree whose mode is exactly 0777
writable_dirs=$(find "$search_dir" -type d -perm 0777)
for dir in $writable_dirs
do
    # echo "$dir"
    find "$dir" -type f -name '*.php'
done
Attackers often hide PHP code inside JPG files, so when checking these directories also search the image files:
find wp-content/uploads -type f -iname '*.jpg' | xargs grep -i php
Note: -iname matches the file name case-insensitively; grep -i makes the pattern match case-insensitive as well.
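The writable-directory script and the image check from this section, reworked into functions that handle paths with spaces and that look for any world-writable directory rather than only mode 0777. This is an added example, not the original post's script; the directory layout and the two image files are constructed, and extending the image search to png/gif and using a "world-writable" test instead of an exact 0777 match are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post: list PHP files inside
# world-writable directories under a web root, then look for a PHP open tag
# inside files that should be plain images. The tree below is constructed.

WEBROOT="$(mktemp -d)"
trap 'rm -rf "$WEBROOT"' EXIT
mkdir -p "$WEBROOT/wp-content/uploads/2013/02" "$WEBROOT/wp-includes"
chmod 0777 "$WEBROOT/wp-content/uploads/2013/02"   # the kind of directory the section is about
chmod 0755 "$WEBROOT/wp-includes"

printf '<?php echo "legit"; ?>\n' > "$WEBROOT/wp-includes/load.php"
# A PHP file in an upload directory: the content is irrelevant, the location is the finding.
printf '<?php /* constructed sample */ echo "dropped"; ?>\n' > "$WEBROOT/wp-content/uploads/2013/02/dropped.php"
# A JPEG-looking file (JFIF header bytes) with a PHP tag appended, and a clean one.
printf '\377\330\377\340JFIF<?php echo 1; ?>\n' > "$WEBROOT/wp-content/uploads/2013/02/photo.jpg"
printf '\377\330\377\340JFIF\n' > "$WEBROOT/wp-content/uploads/2013/02/clean.jpg"

# Any directory with the "other" write bit set. The original script tests for
# exactly 0777; -perm -0002 also catches 0757, 1777 and similar modes.
writable_dirs() {
    find "$1" -type d -perm -0002
}

# PHP files inside those directories. read -r keeps paths with spaces intact,
# which the unquoted for-loop in the original script does not.
php_in_writable_dirs() {
    writable_dirs "$1" | while read -r d; do
        find "$d" -type f -name '*.php'
    done
}

# Image files that contain a PHP open tag. grep -a treats the binary image
# data as text so the match is not suppressed; -l prints only the file name.
php_tags_in_images() {
    find "$1" -type f \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' -o -iname '*.gif' \) \
        -exec grep -la -- '<?php' {} + 2>/dev/null
}

php_in_writable_dirs "$WEBROOT"
php_tags_in_images "$WEBROOT"
```

An image carrying a PHP tag is only dangerous when something executes it (an include of a user-controlled path, or a server configuration that hands .jpg files to PHP), but it is also one of the clearest indicators that an upload filter was bypassed, so it is worth listing separately from the writable-directory results.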
0x05 Detect iframe tags
Attackers often inject iframe tags, so view the source of the web page and search it for iframe tags. The following command can be used:
grep -i '<iframe' mywebsite.txt
For dynamically generated pages, the Firefox Live HTTP Headers plug-in can be used to capture the page source, which is then searched for iframe tags.
0x06 Search for sensitive strings in the database
Search for patterns such as %base64_%, %eval(%, %< and the other keywords mentioned above.
0x07 Check the .htaccess file
Check whether it contains auto_prepend_file or auto_append_file. Run the following commands:
find . -type f -name '\.htaccess' | xargs grep -i auto_prepend_file
find . -type f -name '\.htaccess' | xargs grep -i auto_append_file
auto_prepend_file loads the named PHP script before the requested script runs, and auto_append_file loads one after it. If the .htaccess file has been modified, the attacker can have a malicious script of their choice loaded whenever any PHP script in that directory is accessed.
.htaccess files can also be used to hijack the website's traffic and send it to the attacker's site:
RewriteCond %{HTTP_USER_AGENT} ^.*Baiduspider.*$
RewriteRule ^(.*)$ http://www.hacker.com/muma.php [R=301]
This redirects visits from the Baidu crawler to the attacker's website (keywords: HTTP_USER_AGENT and http).
RewriteCond %{HTTP_REFERER} ^.*baidu.com.*$
RewriteRule ^(.*)$ http://www.hacker.com/muma.php [R=301]
This redirects traffic arriving from the Baidu search engine to the attacker's website (keywords: HTTP_REFERER and http). To check whether a modified .htaccess is hijacking traffic, search the .htaccess files for these keywords with the following commands:
find . -type f -name '\.htaccess' | xargs grep -i http
find . -type f -name '\.htaccess' | xargs grep -i HTTP_USER_AGENT
find . -type f -name '\.htaccess' | xargs grep -i HTTP_REFERER
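The five .htaccess greps from this section, combined into a single audit function that reports the file and line number for each finding. This is an added example, not code from the original post. The two .htaccess files and the .user.ini are constructed samples with a placeholder domain; including .user.ini goes beyond the page's check and is my addition, since under PHP-FPM the auto_prepend_file/auto_append_file settings live there rather than in .htaccess.

```shell
#!/bin/sh
# Added example, not from the original post: audit every .htaccess (and
# .user.ini, the PHP-FPM equivalent) under a web root for PHP prepend/append
# directives and for rewrite rules that point at another host or key on the
# visitor's User-Agent or Referer. All file contents below are constructed.

WEBROOT="$(mktemp -d)"
trap 'rm -rf "$WEBROOT"' EXIT
mkdir -p "$WEBROOT/blog" "$WEBROOT/uploads"

# Harmless: ordinary pretty-permalink rules, rewriting only within the site.
cat > "$WEBROOT/blog/.htaccess" <<'EOF'
RewriteEngine On
RewriteBase /blog/
RewriteRule ^index\.php$ - [L]
RewriteRule . /blog/index.php [L]
EOF

# Suspicious: prepend directive plus a conditional redirect of search-engine
# traffic to an external host (attacker.example is a placeholder).
cat > "$WEBROOT/uploads/.htaccess" <<'EOF'
php_value auto_prepend_file /tmp/.cache/prep.php
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*baidu\.com.*$
RewriteRule ^(.*)$ http://attacker.example/muma.php [R=301]
EOF

# Same directive in the PHP-FPM per-directory file (assumed path, constructed content).
cat > "$WEBROOT/uploads/.user.ini" <<'EOF'
auto_append_file=/tmp/.cache/app.php
EOF

# Print "<check> <relative file>:<line>:<text>" for every finding under $1.
# external_rewrite flags any Rewrite line that names a URL scheme or tests
# User-Agent/Referer; legitimate sites do this too, so it marks lines to review.
audit_htaccess() {
    find "$1" -type f \( -name '.htaccess' -o -name '.user.ini' \) | while read -r f; do
        rel="${f#$1/}"
        grep -Ein 'auto_(prepend|append)_file' "$f" | while read -r hit; do
            printf 'prepend_append %s:%s\n' "$rel" "$hit"
        done
        grep -Ein '^[[:space:]]*Rewrite(Rule|Cond).*(https?://|HTTP_USER_AGENT|HTTP_REFERER)' "$f" | while read -r hit; do
            printf 'external_rewrite %s:%s\n' "$rel" "$hit"
        done
    done
}

audit_htaccess "$WEBROOT"
```

Run it against the document root and read the prepend_append lines first: there is almost never a legitimate reason for an upload directory to prepend a script from /tmp. For external_rewrite hits, compare the target host with the site's own domains; a redirect that only fires for search-engine referers or crawler user agents is the classic shape of the traffic hijack this section describes, because the site owner browsing their own pages never sees it.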