PHP web trojan scanner: sharing the code
Without further ado, here is the code.
The Code is as follows:
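<?php
/**
 * PHP directory scan and change monitor, enhanced version.
 *
 * @version 1.0
 *
 * Three views, selected by query string:
 *   (none)        compare the current MD5 fingerprints with the saved baseline
 *   ?savethis=1   save the current fingerprints as the new baseline (password)
 *   ?check=check  scan files for the function names listed in $danger
 * plus ?readfile=PATH (show a file, password) and ?M=del&filename=PATH
 * (delete a file, password).
 *
 * Requires PHP 7.0 or later (hash_equals, unserialize options).
 *
 * Deployment notes:
 *   - The scan and change views need no password and list file names, so
 *     restrict access to this script at the web-server level as well.
 *   - Keep the baseline log outside the document root where possible; anyone
 *     who can rewrite it can hide a change from the comparison.
 *   - The $danger scan is a keyword heuristic: a hit is a file to review, and
 *     a clean result is not proof that a file is harmless.
 *
 * The variables in the configuration section must be set before use.
 */
header('content-type: text/html; charset=gbk');
set_time_limit(0); // prevent timeout

// ======================= program configuration =======================
$pass = "test";                              // password; change it before deploying, an empty password is rejected
$jkdir = ".";                                // directory to monitor: '.', '..', or an absolute path without a trailing slash
$logfilename = "./m.log";                    // where the fingerprint baseline is stored
$exclude = array('data', 'images');          // names skipped entirely; keep this list minimal and make sure
                                             // the web server cannot execute PHP from an excluded directory
$danger = 'eval|cmd|passthru|gzuncompress';  // function names that mark a file as suspicious
$suffix = 'php|inc';                         // file suffixes to scan
// ===================== end of program configuration ====================

$filename = scan_get('filename');
$check = scan_get('check');
$jumpoff = false;
// __FILE__ rather than PHP_SELF: PHP_SELF can carry request-supplied path info.
$thisfile = basename(__FILE__);
$jump = "{$thisfile}|" . implode('|', $exclude);
$safearr = explode('|', $jump);
$file_list = array();
$jkdir_num = $file_num = $danger_num = 0;
define('M_PATH', $jkdir);
define('M_LOG', $logfilename);

if ($check === 'check') {
    $start_time = microtime(true);
    Safe_Check($jkdir);
    $total = microtime(true) - $start_time;
    $message = "number of files :" . $file_num;
    $message .= " folder count :" . $jkdir_num;
    $message .= " number of suspicious files :" . $danger_num;
    $message .= " execution time :" . $total;
    echo $message;
} else {
    if (scan_get('M') === 'del') {
        Delete(); // process file deletion (always exits)
    }

    if (isset($_GET['readfile'])) {
        // Show a file's content, only after the password has been verified.
        scan_require_password();
        $target = scan_resolve(scan_get('readfile'));
        if ($target === false) {
            exit;
        }
        $code = file_get_contents($target);
        // The textarea height on the original page is unreadable; set one as needed.
        echo "<textarea name=\"code\" cols=\"150\" rows=\"30\" id=\"code\" style='width:100%;background:#cccccc;'>"
            . scan_html($code === false ? '' : $code) . "</textarea>";
        exit;
    } else {
        if (scan_get('savethis') === '1') {
            // Replacing the baseline is what makes a changed file look "clean",
            // so it needs the same password as reading or deleting a file.
            scan_require_password();
            record_md5(M_PATH);
            if (file_put_contents(M_LOG, serialize($file_list), LOCK_EX) === false) {
                echo 'no authorization';
                exit;
            }
            echo "<a href='scandir.php'>Saved successfully! Click Back</a>";
            exit;
        }

        record_md5(M_PATH);

        $log = array();
        if (is_file(M_LOG)) {
            $raw = file_get_contents(M_LOG);
            // allowed_classes => false: the log is plain data, never let it instantiate objects.
            $decoded = ($raw === false) ? false : unserialize($raw, array('allowed_classes' => false));
            if (is_array($decoded)) {
                $log = $decoded;
            }
        }

        // Sort both maps so the strict comparison below ignores scan order.
        // Strict (===) matters: loosely compared, two hashes that look like
        // numbers in exponent notation ("0e...") are treated as equal.
        ksort($file_list);
        ksort($log);

        if (empty($log)) {
            echo "no log file has been created yet! Click [save current] to create a log file!";
        } elseif ($file_list === $log) {
            echo "this folder has not been changed!";
        } else {
            foreach ($file_list as $file => $md5) {
                // File names come from disk and may be attacker-chosen: escape for HTML and for the query string.
                $shown = scan_html($file);
                $query = scan_html(rawurlencode($file));
                $times = "created :" . date("Y-m-d H:i:s", filectime($file))
                    . " modification time :" . date("Y-m-d H:i:s", filemtime($file));
                if (!isset($log[$file])) {
                    echo "New file: <a href='{$shown}' target='_blank'>{$shown}</a> " . $times
                        . " <a href='?readfile={$query}' target='_blank'>Source Code</a>"
                        . " <a href='?M=del&amp;filename={$query}' target='_blank'><u>Delete</u></a><br/>";
                } elseif ($log[$file] !== $md5) {
                    echo "Modify file: <a href='{$shown}' target='_blank'>{$shown}</a> " . $times
                        . " <a href='?readfile={$query}' target='_blank'>Source Code</a><br/>";
                }
                unset($log[$file]);
            }
            // Whatever is left in the baseline no longer exists on disk.
            foreach ($log as $file => $md5) {
                $shown = scan_html($file);
                echo "delete file: <a href='{$shown}' target='_blank'>{$shown}</a><br/>";
            }
        }
    }
}

/**
 * Return a query-string parameter as a string, or '' when absent or not a string.
 */
function scan_get($key)
{
    return (isset($_GET[$key]) && is_string($_GET[$key])) ? $_GET[$key] : '';
}

/**
 * Escape a value for HTML text and quoted attributes.
 *
 * The page is served as GBK, which htmlspecialchars() does not list as a
 * supported charset, so the single-byte mode is used: it escapes the ASCII
 * metacharacters and passes every other byte through unchanged.
 */
function scan_html($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'ISO-8859-1');
}

/**
 * Resolve a requested path and confine it to the monitored directory.
 *
 * @return string|false canonical path of an existing regular file under
 *                      M_PATH, or false for anything else
 */
function scan_resolve($path)
{
    $root = realpath(M_PATH);
    $real = realpath((string) $path);
    if ($root === false || $real === false || !is_file($real)) {
        return false;
    }
    // Compare canonical paths with a trailing separator so "/var/www" does not match "/var/www-old".
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $root, strlen($root)) === 0 ? $real : false;
}

/**
 * Gate a privileged action behind the configured password.
 *
 * Prints the password form and exits when nothing was posted, prints an error
 * and exits when the password is wrong, and returns only on success.
 */
function scan_require_password()
{
    global $pass;
    if (empty($_POST['passchack'])) {
        echo "<form id=\"form1\" name=\"form1\" method=\"post\">"
            . "<label>pass "
            . "<input type=\"password\" name=\"passchack\" />"
            . "</label> "
            . "<input type=\"submit\" name=\"Submit\" value=\"submit\" />"
            . "</form>";
        exit;
    }
    $given = $_POST['passchack'];
    // hash_equals: exact, constant-time comparison of the secret.
    if (!is_string($given) || !is_string($pass) || $pass === '' || !hash_equals($pass, $given)) {
        echo 'incorrect password!';
        exit;
    }
}

/**
 * Record the MD5 fingerprint of every file under $jkdir into $file_list.
 *
 * Entries named in $exclude are skipped, and so is the baseline log itself
 * (it changes on every save). MD5 is kept so existing baselines stay valid.
 */
function record_md5($jkdir)
{
    global $file_list, $exclude;
    static $visited = array();

    $real = realpath($jkdir);
    if ($real === false || !is_dir($jkdir) || isset($visited[$real])) {
        return; // missing, not a directory, or already walked (symlink loop)
    }
    $visited[$real] = true;

    $entries = scandir($jkdir);
    if ($entries === false) {
        return;
    }
    $logReal = realpath(M_LOG);
    foreach ($entries as $f) {
        if ($f === '.' || $f === '..' || in_array($f, $exclude, true)) {
            continue;
        }
        $path = $jkdir . '/' . $f;
        if (is_dir($path)) {
            record_md5($path);
        } elseif ($logReal === false || realpath($path) !== $logReal) {
            $file_list[$path] = md5_file($path);
        }
    }
}

/**
 * Traverse $jkdir and report files whose content calls a name listed in $danger.
 *
 * Updates the global counters $jkdir_num, $file_num and $danger_num.
 */
function Safe_Check($jkdir)
{
    global $danger, $suffix, $jumpoff, $jkdir_num, $file_num, $danger_num;
    static $visited = array();

    $real = realpath($jkdir);
    $hand = ($real === false) ? false : @dir($jkdir);
    if (!$hand) {
        // Report and carry on: one unreadable folder must not end the whole scan.
        echo 'Folder does not exist: ' . scan_html($jkdir) . '<br>';
        return;
    }
    if (isset($visited[$real])) {
        $hand->close();
        return; // already walked (symlink loop)
    }
    $visited[$real] = true;

    // Compare with false explicitly so an entry named "0" does not end the loop.
    while (false !== ($file = $hand->read())) {
        if ($file === '.' || $file === '..') {
            continue;
        }
        $filename = $jkdir . '/' . $file;
        if (!$jumpoff && Jump($filename)) {
            continue;
        }
        if (is_dir($filename)) {
            $jkdir_num++;
            Safe_Check($filename);
            continue; // never try to read a directory as a file
        }
        $file_num++;
        if (!preg_match('/\.(' . $suffix . ')/i', $filename)) {
            continue;
        }
        $str = @file_get_contents($filename);
        if ($str === false) {
            // An unreadable file is itself worth a look; report it and keep scanning.
            echo 'no authorization: ' . scan_html($filename) . '<br>';
            continue;
        }
        // A listed name followed by optional whitespace and "(" or "[".
        if (preg_match('/(' . $danger . ')[ \r\n\t]*[\[(]/i', $str)) {
            $shown = scan_html($filename);
            $query = scan_html(rawurlencode($filename));
            echo "<font color='green' style='font-size:14px'>Suspicious File: {$shown}</font> "
                . "created :" . date("Y-m-d H:i:s", filectime($filename))
                . " modification time :" . date("Y-m-d H:i:s", filemtime($filename))
                . " <a href='?readfile={$query}' target='_blank'><u>View Code</u></a>"
                . " <a href='?M=del&amp;filename={$query}' target='_blank'><u>Delete</u></a><br>";
            $danger_num++;
        }
    }
    $hand->close();
}

/**
 * View the suspicious file named by the "filename" parameter (password required).
 */
function Edit()
{
    global $filename;
    scan_require_password();
    $content = "";
    $file = scan_resolve($filename);
    if ($file !== false) {
        $raw = file_get_contents($file);
        if ($raw === false) {
            die('no authorization');
        }
        $content = scan_html($raw);
    }
    // The textarea height on the original page is unreadable; set one as needed.
    echo "<textarea name='str' style='width:100%;background:#cccccc;'>$content</textarea>\r\n";
    exit();
}

/**
 * Delete the file named by the "filename" parameter (password required).
 *
 * Only regular files inside the monitored directory can be deleted.
 */
function Delete()
{
    global $filename;
    scan_require_password();
    $mes = '';
    $target = scan_resolve($filename);
    if ($target !== false) {
        $mes = unlink($target) ? 'Deleted successfully' : 'failed to view authorization';
    }
    echo $mes;
    exit();
}

/**
 * Tell whether a path must be skipped by the scan.
 *
 * A path is skipped when one of its components equals (case-insensitively)
 * this script's file name or an entry of $exclude. Whole components are
 * compared, so a file whose name merely contains an excluded word is still
 * scanned.
 */
function Jump($file)
{
    global $jump, $safearr;
    if ($jump == '') {
        return false;
    }
    $parts = explode('/', str_replace('\\', '/', (string) $file));
    foreach ($safearr as $v) {
        if ($v === '') {
            continue;
        }
        foreach ($parts as $part) {
            if (strcasecmp($part, $v) === 0) {
                return true;
            }
        }
    }
    return false;
}
?>
<a href="scandir.php">[View File changes]</a> | <a href="scandir.php?savethis=1">[saving the current file fingerprint]</a> | <a href="scandir.php?check=check">[scanning suspicious files]</a>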
That is the PHP web trojan scanner code. The code is commented; if anything is unclear, please leave me a message. There is certainly more than one way to implement this, and you are welcome to share other approaches.