Home > Developer > Web Develop

Methods to detect if a PHP site has been compromised

Source: Internet
Author: User
Tags vars egrep
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

Original address: http://drops.wooyun.org/web/2718 Category: Web security
(This article focuses on using system commands)
First, view the access log
See if there is a file upload operation (POST method),

[Plain]View PlainCopy
    1. Ipremoved--[01/mar/2013:06:16:48-0600] "post/uploads/monthly_10_2012/view.php http/1.1"-"Mozilla/5.0"
    2. Ipremoved--[01/mar/2013:06:12:58-0600] "post/public/style_images/master/profile/blog.php HTTP/1.1" 200 36 "-" " mozilla/5.0 "

The log format of the Nginx default record is:

[Plain]View PlainCopy
    1. Access_log Logs/access.log

Or

[Plain]View PlainCopy
    1. Access_log Logs/access.log combined;

The location of the default logging for Nginx is:
Nginx installation directory/log/

Second, look for files containing malicious PHP code
2.1 Finding recently changed PHP files

[Plain]View PlainCopy
    1. Find. -type f-name ' *.php '-mtime-7

-type F means a search for normal files-mtime-7 the files that are modified within the hour
The results may be as follows:
./uploads/monthly_04_2008/index.php
./uploads/monthly_10_2008/index.php
./uploads/monthly_08_2009/template.php
./uploads/monthly_02_2013/index.php
2.2 Find out if there is a suspect code in the file

[Plain]View PlainCopy
    1. Find. -type f-name ' *.php ' | Xargs grep-l "eval * ("--color

(* represents any space)

[Plain]View PlainCopy
    1. find . -type f -name  ' *.php '  |  xargs grep -l  "base64_decode * ("  --COLOR  
    2. Find  . -type f -name  ' *.php '  | xargs grep -l  gzinflate * ("  --color  
    3. find . -type f -name  ' *. php '  | xargs grep -l  ' eval * (str_rot13 * (base64_decode * (" -- color  

Note: Many commands do not support pipeline pass parameters, and actually need this, so use the Xargs command, this command can be used to pass parameters of the pipeline, Grep-l represents only the file name of a string, if you remove-l will display the line content matching a particular string
The meaning of several special strings: eval () executes the string according to PHP code, is the most common PHP word trojan
Base64_decode () decodes the string base64, payload is Base64 encoded when attacking, this function is useful.
Gzinflate () The string decompression processing, when the attack payload with gzdeflate compression, use this function to decompress
STR_ROT13 () encodes a string rot13
You can also use regular expressions to search for files to find code:

[Plain]View PlainCopy
    1. Find. -type f-name ' *.php ' | Xargs egrep-i "(mail|fsockopen|pfsockopen|stream\_socket\_client|exec|system|passthru|eval|base64_decode) * ("

The following explains the functions commonly used by Webshell:
Mail (): Can be used to send spam messages to site users
Fsockopen (): Open a network connection or a UNIX socket connection that can be used to payload send remote requests
Pfsockopen (): Similar to Fsockopen ()
Stream_socket_client (): Establish a remote connection, as in the following example:

[PHP]View PlainCopy
  2. <?php
  4. $fp = stream_socket_client ("tcp://www.example.com:80", $errno,     $errstr, 30);
  6. if  (! $fp ) {    
  8. Echo     "$errstr ($errno) <br/>\n";
  10. } Else {
  12. Fwrite ($fp, "get/http/1.0\r\nhost:www.example.com\r\naccept: */*\r\n\r\n");
  14. while  (! feof ($fp)) {    
  16. Echo     fgets($fp, 1024);
  18. }
  20. Fclose ($fp);
  22. }
  24. ?>

EXEC (): Command execution function
System (): With exec ()
PassThru (): With exec ()
Preg_replace () The regular expression is decorated by the modifier "E", the replacement string needs to be executed in accordance with PHP code before replacing it, and this situation also needs to be taken into account in this case, the following scan can be used:

[Plain]View PlainCopy
    1. Find. -type f-name ' *.php ' | Xargs egrep-i "Preg_replace *\ ([' |\ ']) (.). *\2[a-z]*e[^\1]*\1 *, "--color


Third, compare code files
This situation requires a clean code, which is compared to the code being used. For example

[Plain]View PlainCopy
    1. Diff-r wordpress-clean/wordpress-compromised/-X wp-content

The above example compares the wordpress-clean/and wordpress-comprised/two directories, and the wp-content/subdirectory in the directory does not compare

Iv. Search for writable directories
See if there are any suspicious files in this directory, the following script looks for a directory with permissions of 777 for PHP files

[Plain]View PlainCopy
    1. search_dir=$ (PWD)
    2. writable_dirs=$ (Find $search _dir-type d-perm 0777)
    3. For dir in $writable _dirs
    4. Do
    5. #echo $dir
    6. Find $dir-type f-name ' *.php '
    7. Done

Hackers often insert PHP code into a JPG file, so you should also query for JPG files when querying these directories:

[Plain]View PlainCopy
    1. Find Wp-content/uploads-type f-iname ' *.jpg ' | Xargs grep-i PHP

Note:-iname indicates that the file name is case-insensitive grep-i also means case insensitive

V. Detection of IFRAME tags
Hackers often do is to embed the IFRAME tag, so you can view the source code of the Web page, and search for the presence of an IFRAME tag, you can use the following command:

[Plain]View PlainCopy
    1. Grep-i ' <iframe ' mywebsite.txt

For dynamically generated pages, you can use the FF live HTTP headers plugin to download to the source and find out if there is an IFRAME tag

Vi. finding sensitive strings in the database
including%base64_%,%eval (%<, etc. mentioned above some of the key words

Vii. checking. htaccess file
If Auto_prepend_file and Auto_append_file are included, use the following command

[Plain]View PlainCopy
    1. Find. -type f-name ' \.htaccess ' | Xargs grep-i Auto_prepend_file
    2. Find. -type f-name ' \.htaccess ' | Xargs grep-i Auto_append_file

Auto_prepend_file's role is to load the current script file before loading the PHP script auto_append_file the role of loading the current script file, then load the PHP script. If the hacker modifies the. htaccess file, you can load the malicious script that you want to load when you access the PHP script for the. htaccess directory.
The htaccess file can also be used to hijack the website traffic to the hacker's website,

[Plain]View PlainCopy
    1. Rewritecond%{http_user_agent}^.*baiduspider.*$
    2. Rewriterule ^ (. *) $ http://www.hacker.com/muma.php [r=301]

Redirect The visit of the Baidu Crawler to the hacker's website (contains http_user_agent and HTTP keywords)

[Plain]View PlainCopy
    1. Rewritecond%{http_referer} ^.*baidu.com.*$ rewriterule ^ (. *) $ http://www.hacker.com/muma.php [r=301]

REDIRECT traffic from the Baidu search engine to the hacker's website (containing http_referer and HTTP keywords) in order to see if the site is being htaccess modified to cause traffic hijacking, you can use the following command when searching for. htaccess files:

[Plain]View PlainCopy
    1. Find. -type f-name ' \.htaccess ' | Xargs grep-i http;
    2. Find. -type f-name ' \.htaccess ' | Xargs Grep-i http_user_agent;
    3. Find. -type f-name ' \.htaccess ' | Xargs grep-i Http_referer

Methods to detect if a PHP site has been compromised

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
how to detect browser in php how to detect mobile device in php php script to detect mobile devices php detect how to tell if site is wordpress check if domain has propagated php magic methods

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More