One-liners to find PHP trojans
# find ./ -name "*.php" | xargs egrep "phpspy|c99sh|milw0rm|eval\(gzuncompress|eval\(base64_decode|spider_bc" > /tmp/php.txt
# grep -r --include='*.php' '[^a-z]eval($_POST' . > /tmp/eval.txt
# grep -r --include='*.php' 'file_put_contents(.*$_POST\[.*\]);' . > /tmp/file_put_contents.txt
# find ./ -name "*.php" -type f -print0 | xargs -0 egrep "(phpspy|c99sh|milw0rm|eval\(gzuncompress\(base64_decode|eval\(base64_decode|spider_bc|gzinflate)" | awk -F: '{print $1}' | sort | uniq
Find PHP files that have been modified in the last day
Page files on a typical site rarely change, apart from dynamically generated temporary files. So if a file in a page directory that normally does not change has been modified, someone has probably tampered with it.
# find . -mtime -1 -type f -name \*.php
Change the permissions of the web site's files
# find . -type f -name \*.php -exec chmod 444 {} \;
# find ./ -type d -exec chmod 555 {} \;
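The three checks above (signature match, recent modification, write permission) combined into one triage pass, as an added example that is not part of the original page. The function name triage_php and the flag letters are assumptions made for this example; the signature list is adapted from the page's grep patterns.

```shell
#!/bin/sh
# Added example (not from the original page).
# Signature list adapted from the page's greps; extend it with strings
# found during your own cleanup.
SIGS='phpspy|c99sh|milw0rm|spider_bc|gzinflate|eval\((gzuncompress\()?base64_decode|[^a-z]eval\(\$_POST|file_put_contents\(.*\$_POST\[.*]\)'

# triage_php ROOT: print "FLAGS<TAB>path" for each *.php file worth a look.
#   S = matches a signature
#   M = modified within the last day
#   W = still owner-writable (the chmod 444 step has not been applied)
# Files with neither S nor M are skipped. Paths containing spaces are
# handled; paths containing newlines are not.
triage_php() {
    find "$1" -type f -name '*.php' -print | sort | while IFS= read -r f; do
        flags=
        if grep -Eq -e "$SIGS" -- "$f"; then flags=${flags}S; fi
        if [ -n "$(find "$f" -prune -mtime -1)" ]; then flags=${flags}M; fi
        [ -n "$flags" ] || continue
        if [ -n "$(find "$f" -prune -perm -0200)" ]; then flags=${flags}W; fi
        printf '%s\t%s\n' "$flags" "$f"
    done
}

# Stand-alone use: sh triage.sh /path/to/webroot
if [ "$#" -gt 0 ]; then triage_php "$1"; fi
```

A line flagged SMW (signature, changed in the last day, still writable) is the first one to inspect; a line flagged only M may be a legitimately regenerated file.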
Common backdoor patterns:
# grep -r --include='*.php' '[^a-z]eval($_POST' . > grep.txt
# grep -r --include='*.php' 'file_put_contents(.*$_POST\[.*\]);' . >> grep.txt
Write the search results to a file and download it so you can analyse it at your own pace; other trojans and backdoors have similar signatures and can be found the same way. If necessary, run a signature search over every file on the whole site. Uploaded images will certainly include some with code bundled in, so give those a thorough cleanup as well.
Disabling less frequently used functions
In php.ini, disable the PHP functions that you do not use and that carry broad privileges. Modify the file as follows:
disable_functions = system,exec,shell_exec ......