PHP Web Trojan scanner code sharing _php instance

Source: Internet
Author: User
Tags explode md5 readfile

No nonsense, directly affixed to the code.

The code is as follows:

<?php header (' CONTENT-TYPE:TEXT/HTML;CHARSET=GBK '); Set_time_limit (0)//Prevent timeout/** * * PHP directory Scan Monitor Enhanced version * * @version 1.0 * The following variables need to be manually set before use * **//*===================== process Order configuration =====================*/$pass = "Test";//Set Password $jkdir = "."; Set the directory for the monitoring scan, the current directory is '. ', the previous directory is '.. ', you can also set an absolute path, no trailing slashes, and the current directory $logfilename = "./m.log";//Set the path to store log, which can be placed anywhere $exclude =array (' data ', ' images ');/exclude Directory $danger = ' eval|cmd|passthru|gzuncompress ';//Set the dangerous function to find to determine whether the Trojan file $suffix = ' Php|inc ' 
//Set to scan the file suffix/*===================== configuration end =====================*/$filename =$_get[' filename ']; 
$check =$_get[' Check ']; 
$jumpoff =false; 
$url = $_server[' php_self ']; 
$thisfile = End (Explode ('/', $url)); $jump = "{$thisfile}|". 
Implode (' | ', $exclude); 
$jkdir _num= $file _num= $danger _num=0; 
Define (' M_path ', $jkdir); 
Define (' M_log ', $logfilename); 
if ($check = = ' Check ') {$safearr = explode ("|", $jump); 
$start _time=microtime (TRUE); 
Safe_check ($jkdir); 
$end _time=microtime (TRUE); 
$total = $end _time-$start _time; $file _num= $file _num-$jkdir _num; 
$message = "Number of files:". $file _num; 
$message. = "Number of folders:". $jkdir _num; 
$message. = "Number of suspicious documents:". $danger _num; 
$message. = "Execution time:". $total; 
Echo $message; }else{if ($_get[' m ']== "del") Delete ()//Processing file deletion//Read file contents if (Isset ($_get[' ReadFile '))) {//Output view password, correct password checksum output file content if (emp Ty ($_post[' passchack ')) {echo "<form id=\" form1\ "name=\" form1\ "method=\" post\ ">". "<label>pass". "<input type=\" text\ "name=\" Passchack\ "/>". "</label>". "<input type=\" submit\ "name=\" submit\ "value=\" submitted \ "/>". 
  "</form>". ""; 
Exit }elseif (Isset ($_post[' passchack ']) &&$_post[' passchack ']== $pass) {$code =file_get_contents ($_get[' 
  ReadFile ']); echo "<textarea name=\" code\ "cols=\" 150\ "rows=\" 30\ "id=\" code\ "style=" width:100%;height:450px;background:# CCCCCC; ' 
  >{$code}</textarea> "; 
Exit 
}else{exit; 
}}else{record_md5 (M_path); 
if (file_exists (M_log)) {$log = Unserialize (file_get_contents (M_log)); }else{$log = Array (); 
} if ($_get[' Savethis ']==1) {//Save current file MD5 to log file @unlink (M_log); 
File_put_contents (M_log,serialize ($file _list)); echo "<a href= ' scandir.php ' > Save success!" 
Click to return to </a> "; 
Exit if (empty ($log)) {echo does not currently have a log file created!) Click [Save current] to create log file! 
"; }else{if ($file _list== $log) {echo] No changes have been made to this folder! 
"; }else{if (count ($file _list) > 0) {foreach ($file _list as $file => $md 5) {if (!isset ($log [$file])) {echo "New file: <a href={$file} target= ' _blank ' >". $file. " </a> "." Creation Time: ". Date (" Y-m-d h:i:s ", Filectime ($file))." Modified: ". Date (" Y-m-d h:i:s ", Filemtime ($file))." <a href =?readfile={$file} target= ' _blank ' > Source </a><a href= '? m=del&filename={$file} ' target= ' _blank ' > Delete 
  </u></a><br/> "; }else{if ($log [$file]!= $MD 5) {echo modifies the file: <a href={$file} target= ' _blank ' > '. $file. " </a> "." Creation Time: ". Date (" Y-m-d h:i:s ", Filectime ($file))." Modified: ". Date (" Y-m-d h:i:s ", Filemtime ($file))." <a href =?readfile={$file} target= '_blank ' > Source </a><br/> '; 
   Unset ($log [$file]); 
   }else{unset ($log [$file]); Delete file: <a href={$file} if (count ($log) >0) {foreach ($log as $file => $md 5) {echo] Blank ' > '. $file. " 
  </a><br/> "; 
    Compute MD5 function RECORD_MD5 ($jkdir) {global $file _list, $exclude; 
        if (Is_dir ($jkdir)) {$file =scandir ($jkdir); foreach ($file as $f) {if ($f!= '. ' && $f!= ' ... ' &&!in_array ($f, $exclude)) {$p Ath = $jkdir. ' 
                /'. $f; 
                if (Is_dir ($path)) {record_md5 ($path); 
                }else{$file _list[$path]=md5_file ($path); The {global $danger, $suffix, $jkdir _num, $file _nu safe_check ($jkdir)/ 
M, $danger _num; 
) or Die (' folder does not exist '); while ($file = $hand->read ()) {$filename = $jkdir. ' 
  /'. $file; if (! $jumpoff) {if (JumP ($filename)) continue; if (@is_dir ($filename) && $file!= '. ' && $file!= ' ... ' 
  && $file!= './... ') 
  {$jkdir _num++; 
  Safe_check ($filename); } if (Preg_match_all ("/\.") ( 
  $suffix)/I ", $filename, $out)) {$str = '; 
  $fp = @fopen ($filename, ' r ') or Die (' no permissions '); 
  while (!feof ($fp)) {$str. = fgets ($fp, 1024); 
  } fclose ($FP); if (Preg_match_all ("/($danger) [\r\n\t]{0,} ([\[\ (])/I, $STR, $out)) {echo" <font color= ' green ' style= ' font-size: 14px ' > suspicious file: {$filename}</font> "." Creation Time: ". Date (" Y-m-d h:i:s ", Filectime ($filename))." Modified: ". Date (" Y-m-d h:i : S ", Filemtime ($filename))." <a href= '? readfile={$filename} ' target= ' _blank ' ><u> View Code </u></a 
  > <a href= '? m=del&filename= $filename ' target= ' _blank ' > Delete </u></a><br> '; 
  $danger _num++; 
}} $file _num++; 
} function Edit ()//view suspect file {global $filename; 
$filename = Str_replace ("..", "", $filename); 
$file = $filename; $content = ""; 
  if (Is_file ($file)) {$fp = fopen ($file, "R") or Die (' no permissions '); 
  $content = Fread ($fp, FileSize ($file)); 
  Fclose ($FP); 
$content = Htmlspecialchars ($content); echo "<textarea name= ' str ' style= ' width:100%;height:450px;background: #cccccc; ' 
> $content </textarea>\r\n "; 
Exit (); 
The function Delete ()//deletes the file {global $filename, $pass; if (Empty ($_post[' passchack ')) {echo "<form id=\" form1\ "name=\" form1\ "method=\" post\ ">". "<label>pass". "<input type=\" text\ "name=\" Passchack\ "/>". "</label>". "<input type=\" submit\ "name=\" submit\ "value=\" submitted \ "/>". 
  "</form>". ""; 
Exit }elseif (Isset ($_post[' passchack ']) &&$_post[' passchack ']== $pass) {(Is_file ($filename))? ( $mes =unlink ($filename)? ' 
  Delete successful ': ' Delete failed view permission '): '; 
  Echo $mes; 
Exit (); }else{echo ' password is wrong! 
  '; 
Exit 
} function Jump ($file)//Skip File {global $jump, $safearr; if ($jump!= ') {foreach ($safearr as $v) {if ($v = = ") ContiNue 
  if (eregi ($v, $file)) return true; 
return false; ?> <a href= "scandir.php" >[view file changes]</a>|<a href= "Scandir.php?savethis=1" >[Save the current file fingerprint]</a> |<a href= "Scandir.php?check=check" >[scan for suspicious files]</a>

The above code is the PHP Web Trojan scanner code sharing, this article is accompanied by comments, there are not clear welcome to my message, I believe that the implementation of more than one of the methods, you are welcome to share a lot of different ways to achieve.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.