This article shares a piece of code: a PHP web Trojan scanner. If you need it, you can copy the code and use it directly. The code is very simple and is commented, so it is pasted below without further introduction.
The code is as follows:
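<?php
header('content-type: text/html; charset=gbk');
set_time_limit(0); // prevent timeout
/**
 * php directory scan monitoring enhanced version
 *
 * @version 1.0
 *
 * Modes (selected by query string):
 *   (none)            compare the current md5 of every file with the saved baseline
 *   ?savethis=1       save the current md5 list as the new baseline (password required)
 *   ?check=check      scan files with the configured suffixes for the $danger function names
 *   ?readfile=PATH    show a file's source, HTML-escaped (password required)
 *   ?M=del&filename=  delete a file (password required)
 *
 * Security notes for whoever deploys this:
 *   - The page can read and delete files, so it is itself a sensitive endpoint.
 *     Restrict it at the web server (authentication / source address) and remove
 *     it when not in use. The password below is not rate limited.
 *   - File read and delete are confined to the monitored directory and paths are
 *     resolved with realpath() before use.
 *   - The baseline log is writable by the web server user; anyone who can run
 *     code as that user can rewrite it. Keep a copy outside the web root if the
 *     comparison is to be trusted after a compromise.
 *   - The $danger match is a plain keyword signature. It reports many harmless
 *     files and misses obfuscated code; treat a clean scan as "nothing obvious",
 *     not as proof. The md5 comparison is the stronger signal.
 *
 * The following variables need to be manually set before use.
 */
// ======================= program configuration =======================
$pass = "test";                // Set the password. Privileged actions are refused until this is changed.
$jkdir = ".";                  // Monitoring scan directory: '.' current, '..' upper level, or an absolute path without a trailing slash.
$logfilename = "./m.log";      // Log storage path; prefer a location outside the web root so it cannot be downloaded.
$exclude = array('data', 'images'); // exclude directory (exact names)
$danger = 'eval|cmd|passthru|gzuncompress'; // function names used to identify a trojan file
$suffix = 'php|inc';           // suffix of the files to be scanned
// ======================================================================

$filename = isset($_GET['filename']) ? $_GET['filename'] : '';
$check = isset($_GET['check']) ? $_GET['check'] : '';
$jumpoff = false;
// basename(__FILE__) instead of PHP_SELF: PHP_SELF includes client-supplied path info.
$thisfile = basename(__FILE__);
$jump = "{$thisfile}|" . implode('|', $exclude);
$jkdir_num = $file_num = $danger_num = 0;
$file_list = array();
define('M_PATH', $jkdir);
define('M_LOG', $logfilename);

if ($check === 'check') {
    $safearr = explode("|", $jump);
    $start_time = microtime(true);
    Safe_Check($jkdir);
    $end_time = microtime(true);
    $total = $end_time - $start_time;
    $message = "number of files :" . $file_num . "<br>";
    $message .= "folder count :" . $jkdir_num . "<br>";
    $message .= "number of suspicious files :" . $danger_num . "<br>";
    $message .= "Execution time :" . $total;
    echo $message;
} else {
    if (isset($_GET['M']) && $_GET['M'] === "del") {
        Delete(); // process file deletion (always exits)
    }
    if (isset($_GET['readfile'])) {
        // read the file content: only after the password is verified
        require_password();
        show_file($_GET['readfile']);
    } else {
        record_md5(M_PATH);
        $log = load_log();
        if (isset($_GET['savethis']) && $_GET['savethis'] == 1) {
            // Saving replaces the baseline, which would hide every change made so
            // far, so it needs the same password as read and delete.
            require_password();
            if (file_put_contents(M_LOG, serialize($file_list), LOCK_EX) === false) {
                echo 'No authorization';
                exit;
            }
            echo 'saved successfully! Click <a href="?">[View file changes]</a>';
            exit;
        }
        if (empty($log)) {
            echo "no log file has been created yet! Click [save current] to create a log file!";
        } elseif ($file_list == $log) {
            echo "this folder has not been changed!";
        } else {
            foreach ($file_list as $file => $md5) {
                if (!isset($log[$file])) {
                    echo "add file :" . h($file) . " " . file_times($file) . " " . action_links($file) . "<br>";
                } elseif ($log[$file] != $md5) {
                    echo "modify File :" . h($file) . " " . file_times($file) . " " . action_links($file) . "<br>";
                }
                unset($log[$file]);
            }
            // Whatever is left in the baseline no longer exists on disk.
            foreach ($log as $file => $md5) {
                echo "delete file :" . h($file) . "<br>";
            }
        }
    }
}

// Escape text for HTML output. ISO-8859-1 is passed on purpose: the page is
// served as GBK, which htmlspecialchars() does not support, and a single-byte
// charset never makes it return an empty string. The five characters it
// escapes are all below 0x40, so they cannot occur inside a GBK multi-byte
// sequence.
function h($text)
{
    return htmlspecialchars((string) $text, ENT_QUOTES, 'ISO-8859-1');
}

// "created / Modification time" fragment used in the listings.
function file_times($path)
{
    return "created :" . date("Y-m-d H:i:s", (int) @filectime($path))
        . " Modification time :" . date("Y-m-d H:i:s", (int) @filemtime($path));
}

// Links to view or delete one listed file; the path is URL-encoded so a
// crafted file name cannot break out of the attribute.
function action_links($path)
{
    $q = rawurlencode($path);
    return '<a href="?readfile=' . $q . '">View code</a> '
        . '<a href="?M=del&amp;filename=' . $q . '">Delete</a>';
}

// Stop unless the POSTed password matches $pass. Shows the password form when
// nothing was posted. Never returns on failure.
function require_password()
{
    global $pass;
    if (!is_string($pass) || $pass === '' || $pass === 'test') {
        echo 'Set a private password in $pass before using this function.';
        exit;
    }
    if (empty($_POST['passchack']) || !is_string($_POST['passchack'])) {
        // No action attribute: the form posts back to the current URL.
        echo '<form method="post"><input type="password" name="passchack"> '
            . '<input type="submit" value="OK"></form>';
        exit;
    }
    $given = $_POST['passchack'];
    $ok = function_exists('hash_equals') ? hash_equals($pass, $given) : ($pass === $given);
    if (!$ok) {
        echo 'incorrect password! ';
        exit;
    }
}

// Resolve $path and return it only if it is a regular file inside the
// monitored directory; false otherwise. realpath() collapses "..", symlinks
// and absolute paths, which a str_replace on ".." does not.
function resolve_monitored_file($path)
{
    $root = realpath(M_PATH);
    $real = is_string($path) ? realpath($path) : false;
    if ($root === false || $real === false || !is_file($real)) {
        return false;
    }
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return $real;
}

// Print one file's content, HTML-escaped, and exit.
function show_file($path)
{
    $real = resolve_monitored_file($path);
    $content = ($real === false) ? false : @file_get_contents($real);
    if ($content === false) {
        echo 'No authorization';
        exit;
    }
    echo '<pre>' . h($content) . "</pre>\r\n";
    exit;
}

// Load the saved baseline; returns an empty array when it is missing or is
// not an array.
function load_log()
{
    if (!file_exists(M_LOG)) {
        return array();
    }
    $raw = file_get_contents(M_LOG);
    if ($raw === false) {
        return array();
    }
    // NOTE(security): unserialize() on a file the web server user can write is
    // an object-injection risk. Objects are refused where the runtime supports
    // it; a JSON log would avoid the problem on older runtimes as well.
    if (defined('PHP_VERSION_ID') && PHP_VERSION_ID >= 70000) {
        $data = @unserialize($raw, array('allowed_classes' => false));
    } else {
        $data = @unserialize($raw);
    }
    return is_array($data) ? $data : array();
}

// Calculate the md5 of every file under $jkdir into the global $file_list.
// md5 is kept so that existing baselines stay comparable; it detects edits but
// is not collision resistant.
function record_md5($jkdir)
{
    global $file_list, $exclude;
    if (!is_dir($jkdir)) {
        return;
    }
    $entries = scandir($jkdir);
    if ($entries === false) {
        return;
    }
    $log_real = realpath(M_LOG);
    foreach ($entries as $f) {
        if ($f == '.' || $f == '..' || in_array($f, $exclude)) {
            continue;
        }
        $path = $jkdir . '/' . $f;
        if (is_dir($path)) {
            // Symlinked directories are not followed: they can form cycles.
            if (!is_link($path)) {
                record_md5($path);
            }
        } elseif ($log_real !== false && realpath($path) === $log_real) {
            // The baseline file changes on every save; hashing it would report
            // a modification each time.
            continue;
        } else {
            $file_list[$path] = md5_file($path);
        }
    }
}

function Safe_Check($jkdir) // traverse the file
{
    global $danger, $suffix, $jkdir_num, $file_num, $danger_num, $jumpoff;
    $hand = @dir($jkdir);
    if (!$hand) {
        echo 'folder does not exist: ' . h($jkdir) . "<br>";
        return;
    }
    // Compare with false explicitly: an entry named "0" must not end the loop.
    while (($file = $hand->read()) !== false) {
        if ($file === '.' || $file === '..') {
            continue;
        }
        $filename = $jkdir . '/' . $file;
        if (!$jumpoff && Jump($filename)) {
            continue;
        }
        if (@is_dir($filename)) {
            if (!is_link($filename)) {
                $jkdir_num++;
                Safe_Check($filename);
            }
            continue;
        }
        $file_num++;
        if (!preg_match("/\.($suffix)/i", $filename)) {
            continue;
        }
        $str = @file_get_contents($filename);
        if ($str === false) {
            // Report and keep going: one unreadable file must not stop the
            // scan of everything after it.
            echo "No authorization: " . h($filename) . "<br>";
            continue;
        }
        if (preg_match("/($danger)[ \r\n\t]*[\[\(]/i", $str)) {
            echo "suspicious file: " . h($filename) . " " . file_times($filename)
                . " " . action_links($filename) . "<br>";
            $danger_num++;
        }
    }
    $hand->close();
}

function Edit() // view suspicious files
{
    global $filename;
    require_password();
    show_file($filename);
}

function Delete() // Delete the file
{
    global $filename;
    require_password();
    $real = resolve_monitored_file($filename);
    if ($real === false) {
        echo 'failed to view authorization';
        exit();
    }
    echo @unlink($real) ? 'Deleted successfully' : 'failed to view authorization';
    exit();
}

function Jump($file) // skip the file
{
    global $jump, $safearr;
    if ($jump == '' || !is_array($safearr)) {
        return false;
    }
    // Compare whole path components. A substring or regex match would also
    // skip any file whose name merely contains an excluded word, leaving it
    // unscanned.
    $parts = explode('/', str_replace('\\', '/', $file));
    foreach ($safearr as $v) {
        if ($v === '') {
            continue;
        }
        foreach ($parts as $part) {
            if (strcasecmp($part, $v) === 0) {
                return true;
            }
        }
    }
    return false;
}
?>
<hr>
<a href="?">[View file changes]</a> | <a href="?savethis=1">[save the current file fingerprint]</a> | <a href="?check=check">[scan suspicious files]</a>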
That is the PHP web Trojan scanner code. The code is commented; if anything is unclear, please leave me a message. I am sure there is more than one way to implement this, and you are welcome to share other approaches.