Source: www.2cto.com. An earlier article, reproduced for reference.
1. There is a lot of open-source software in China, and it brings a lot of security problems with it. The biggest headache for webmasters is website Trojans (PHP webshells planted in the site). Here is a small PHP program I wrote to detect them, for your reference.
How the tool works: most PHP Trojans are encoded, and that encoding is exactly what makes them easy to spot. The most obvious feature of a PHP Trojan is the combination of eval() and base64_decode(), which gives a simple detection rule. Some CMS code also calls eval(), but there it appears as an ordinary line in readable source, whereas a Trojan is usually a single line of the form:
eval(base64_decode(..............));
?>
The detection script is as follows (ereg()/eregi() from the original were removed in PHP 7, so the checks use preg_match()):
<?php
// Recursively walk $d and print every .php file whose source contains "eval(".
function parallfiles($d)
{
    $dh = dir($d);
    // dir()->read() returns false at the end of the listing; compare strictly
    // so that an entry literally named "0" does not end the loop early.
    while (false !== ($filename = $dh->read()))
    {
        if ($filename == '.' || $filename == '..') continue;
        $tfile = $d . '/' . $filename;
        if (is_dir($tfile))
        {
            // echo $tfile . "\r\n";
            parallfiles($tfile);
        }
        else
        {
            // Match ".php" anywhere in the name, as the original did: with an
            // Apache AddHandler configuration a file such as x.php.bak can still
            // be executed, so it is worth scanning too.
            if (!preg_match('/\.php/i', $tfile)) continue;
            $bd = file_get_contents($tfile);
            // Case-insensitive search for "eval(", allowing whitespace before "(".
            if (preg_match('/eval\s*\(/i', $bd))
            {
                echo $tfile . "\r\n";
            }
        }
    }
    $dh->close();
}
// Start from the directory this script is placed in.
parallfiles(dirname(__FILE__));
?>
This program reports every file that contains eval() as suspicious; open each one and look at it. If the code looks like the one-line encoded form above, it is certainly a Trojan. Two caveats: the script lists itself, because its own source contains "eval(", and it only finds the literal text "eval(", so a Trojan written with assert(), preg_replace() with the /e modifier, or a name assembled at run time ('ev' . 'al') is missed. A clean result is therefore not a guarantee.
If you run your own server, remember to set filesystem permissions on the site: directories that hold HTML and uploaded attachments should not be allowed to execute scripts, and directories that execute scripts should not be writable by the web server.
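The following is an added example, written for this page and not the article's own script; it is in Python rather than PHP so that it can be run against any copy of a site without PHP installed. It keeps the article's idea (flag files that call eval) but separates that weak signal from the strong ones the article describes: eval() or assert() over a decoder such as base64_decode(), eval or a command-execution function fed directly from $_GET/$_POST, preg_replace() with the /e modifier, and a very long encoded string literal, which is what a one-line encoded Trojan looks like. The sample files it scans are constructed here for the demonstration and are not taken from any real site; the signature names and the 200-character threshold are choices made for this example.

```python
"""Minimal PHP webshell scanner (added example, not the 2cto article's script)."""
from __future__ import annotations

import os
import re
import tempfile

PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".inc")

# Strong indicators: almost never appear in legitimate CMS code.
STRONG = {
    "eval_of_decoder": re.compile(
        r"\b(?:eval|assert)\s*\(\s*@?(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(",
        re.I),
    "eval_of_request": re.compile(
        r"\b(?:eval|assert)\s*\(\s*@?\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    "exec_of_request": re.compile(
        r"\b(?:system|shell_exec|passthru|exec|popen|proc_open)\s*\(\s*@?\$_(?:GET|POST|REQUEST|COOKIE)\b",
        re.I),
    "preg_replace_e": re.compile(
        r"preg_replace\s*\(\s*['\"]/[^'\"]*/[a-z]*e[a-z]*['\"]", re.I),
    # A single quoted literal of 200+ base64-alphabet characters (threshold is an assumption).
    "long_encoded_literal": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}
# Weak indicator: the article's original test, reported only when nothing stronger matched.
BARE_EVAL = re.compile(r"\beval\s*\(", re.I)


def scan_source(src: str) -> list[str]:
    """Return the names of the signatures that match one PHP source string."""
    hits = [name for name, rx in STRONG.items() if rx.search(src)]
    if not hits and BARE_EVAL.search(src):
        hits.append("bare_eval")
    return hits


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk root and map each PHP file (path relative to root) to its hits."""
    findings: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = scan_source(fh.read())
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


# Constructed sample tree for the demonstration (not real files from any site).
SAMPLE_FILES = {
    # Legitimate-looking CMS template compiler: eval on its own readable line.
    "cms/lib/template.php": "<?php\nfunction render($tpl) {\n    $code = compile_tpl($tpl);\n    eval($code);\n}\n",
    # The one-line encoded Trojan the article describes.
    "uploads/avatar.php": "<?php eval(base64_decode('cGhwaW5mbygpOw=='));?>",
    # A one-liner that executes whatever is POSTed.
    "plugins/helper.php": "<?php @eval($_POST['cmd']); ?>",
    # Long encoded payload stored for later decoding; no eval in this file.
    "cache/a.php": "<?php $d='" + "QUJD" * 60 + "'; echo $d; ?>",
    # Not a PHP file, so it is skipped even though it contains eval(.
    "static/app.js": "eval(userInput);",
}


def build_sample_tree() -> str:
    """Write SAMPLE_FILES under a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="webshell_scan_")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo() -> dict[str, list[str]]:
    """Build the sample tree, scan it, print and return the findings."""
    findings = scan_tree(build_sample_tree())
    for path, hits in sorted(findings.items()):
        print(f"{path}: {', '.join(hits)}")
    return findings


if __name__ == "__main__":
    demo()
```

Run it as a script to see the sample findings, or call scan_tree() on a site's document root. Files that hit only bare_eval are the "open it and look" cases the article mentions; anything with a strong hit should be treated as a Trojan until proven otherwise.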
2. Handling the MySQL privilege-escalation vulnerability
MySQL privilege escalation (through a user-defined function, UDF, loaded from a DLL) is fatal on Windows servers. If you have cleaned out every web Trojan and the attacker can still plant new ones, this is the likely cause. Several points are involved:
(1) Do not connect the website to MySQL as root. Create a separate user for the site and grant it privileges only on the database it actually needs;
(2) Check the website directory and the Windows system directories for a file named udf.dll or xudf.dll (where x is usually a digit such as 1, 2 or 3). If one is present, the server has been compromised; this kind of Trojan is fatal. To clean it up, stop MySQL with net stop mysql, delete the DLL files, then start MySQL again with net start mysql. The DLL only does anything because the attacker registered it with CREATE FUNCTION ... SONAME, so also look in the mysql.func table for functions you did not create and remove them with DROP FUNCTION; and since the escalation works by running attacker code inside the MySQL service process, run that service under a low-privilege Windows account rather than SYSTEM.