Linux shell command Lookup php Trojan method

A word to find a PHP trojan

The code is as follows

Copy Code

# Find./-name "*.php" |xargs egrep phpspy|c99sh|milw0rm|eval\ (gunerpress|eval\ (BASE64_DECOOLCODE|SPIDER_BC) > Tmp/php.txt # grep-r--include=*.php ' [^a-z]eval ($_post '. >/tmp/eval.txt # grep-r--include=*.php ' file_put_contents (. *$_post\[.*\]); >/tmp/file_put_contents.txt # Find./-name "*.php"-type f-print0 | xargs-0 egrep "(Phpspy|c99sh|milw0rm|eval\ (gzuncompress\ base64_decoolcode|eval\ (base64_decoolcode|spider_bc| Gzinflate) "| Awk-f: ' {print $} ' | Sort | Uniq

Find PHP files that have been modified in the last day

The paging files in the general site are rarely changed, except, of course, dynamically generated temporarily. And those who generally will not change in the page directory if the file is modified, it may be a lot of people do hands and feet.

The code is as follows	Copy Code
# find-mtime-1-type f-name\*.php

Modify permissions for a Web site

The code is as follows	Copy Code
# Find-type f-name\*.php-exec chmod 444 {}\; # Find./-type d-exec chmod 555{}\;

Common remark of the back door:

The code is as follows	Copy Code
Grep-r--include=*.php ' [^a-z]eval ($_post '. > Grep.txt Grep-r--include=*.php ' file_put_contents (. *$_post\[.*\]); > Grep.txt

The search results are written to the file, downloaded to slow down analysis, other features Trojans, backdoor similar. If necessary, to the whole station all files to a feature lookup, upload pictures must have also bundled, to the second large cleaning

Disabling less frequently used functions

Will not use the permissions and the larger PHP function in the php.ini file in the ban. The modification method is as follows:

Disable_functions = System,exec,shell_exec ......