Summary of repair methods for a PHP website that has had a Trojan planted on it
On Linux we can search for Trojan files from the command line. Change to the directory where the code is installed and run the following command:
find ./ -iname "*.php" | xargs grep -H -n "eval(base64_decode"
The search returned close to 100 results. This list of results is very important, because the Trojans are among them. Open each file to verify whether it is a Trojan and, if it is, delete it immediately.
In the end 10 Trojan files were found, stored in various directories. All of them were PHP webshells, fully functional and base64-encoded.
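The grep above only matches the compact literal `eval(base64_decode` and breaks on paths that contain spaces. The sketch below is an added example, not part of the original page: it strips whitespace before matching so spaced-out variants are caught, and it decodes a base64 literal so the payload can be read without executing the file. It assumes a Linux host with GNU coreutils; the function names, the pattern list and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes Linux with GNU coreutils.
# Encoded-eval wrappers to look for; whitespace is stripped before matching,
# so "eval ( base64_decode (" is caught as well as the compact form.
PATTERN='eval\((base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)\('

# List PHP files under $1 whose whitespace-stripped content matches PATTERN.
# Assumes file names contain no newline characters (spaces are fine).
scan_webroot() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' \) |
    while IFS= read -r f; do
        if tr -d ' \t\r\n' < "$f" | grep -Eqi "$PATTERN"; then
            printf '%s\n' "$f"
        fi
    done | sort
}

# Print the decoded text of the base64 literal passed to base64_decode() in $1,
# so the payload can be reviewed without ever running the file.
decode_payload() {
    tr -d ' \t\r\n' < "$1" |
    sed -n "s|.*base64_decode(['\"]\([A-Za-z0-9+/=]*\)['\"]).*|\1|p" |
    base64 -d
}

# Constructed sample tree: one clean file, two carriers of a harmless payload
# ("echo 1;"), and a .txt note that must not be reported.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/up loads"
    printf '<?php echo "hello"; ?>\n' > "$d/index.php"
    printf '<?php eval(base64_decode("ZWNobyAxOw==")); ?>\n' > "$d/a.php"
    printf '<?php\neval (\n  base64_decode ( %s ) );\n' "'ZWNobyAxOw=='" > "$d/up loads/b.PHP"
    printf 'eval(base64_decode( appears in docs\n' > "$d/note.txt"
    printf '%s\n' "$d"
}

if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    scan_webroot "$tree"
    decode_payload "$tree/a.php"; echo
    rm -rf "$tree"
fi
```

Run the script with `--demo` to see it on the constructed tree, or source it and call `scan_webroot` on a copy of the web root.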
On Windows you can search a directory directly with Windows file search, looking for eval or for recently modified files. If the site runs DedeCMS, also check for the latest DedeCMS vulnerabilities and fix them.
Here is a PHP Trojan scanning tool. Place it directly in your site's root directory.
<?php
/**************PHP Web Trojan Scanner************************/
/* [+] Author: Alibaba */
/* [+] QQ: 1499281192 */
/* [+] MSN: weeming21@hotmail.com */
/* [+] First published: t00ls.net; please credit T00LS when reprinting */
/* [+] Version: v1.0 */
/* [+] Features: Web version of the PHP Trojan scan tool */
/* [+] Note: A scanned file is not necessarily a backdoor. */
/* Please judge, review and compare against the original files. */
/* If you are not sure whether a flagged file is a backdoor, */
/* you are welcome to send me the file for analysis. */
/*******************************************************/
ob_start();
set_time_limit(0);
$username = "T00ls"; // Set user name; change the default before deploying
$password = "T00ls"; // Set password; change the default before deploying
$md5 = md5(md5($username) . md5($password));
$version = "PHP Web Trojan Scanner v1.0";
// PHP Web Trojan Scanner
$realpath = realpath('./');
$selfpath = $_SERVER['PHP_SELF'];
$selfpath = substr($selfpath, 0, strrpos($selfpath, '/'));
define('REALPATH', str_replace('//', '/', str_replace('\\', '/', substr($realpath, 0, strlen($realpath) - strlen($selfpath)))));
define('MYFILE', basename(__FILE__));
define('MYPATH', str_replace('\\', '/', dirname(__FILE__)) . '/');
define('MYFULLPATH', str_replace('\\', '/', (__FILE__)));
define('HOST', "http://" . $_SERVER['HTTP_HOST']);
?>
<?php echo $version ?>
<?php
// Not logged in: no valid auth cookie and no valid username/password in the POST.
if (!(isset($_COOKIE['t00ls']) && $_COOKIE['t00ls'] == $md5) && !(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']) . md5($_POST['password'])) == $md5)))
{
    echo ''; // the login form markup is missing from this copy of the script
}
// Valid credentials posted: set the auth cookie and redirect to the scan page.
elseif (isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']) . md5($_POST['password'])) == $md5))
{
    setcookie("t00ls", $md5, time() + 60*60*24*365, "/");
    echo "Logged in successfully!";
    header('refresh:1;url=' . MYFILE . '?action=scan');
    exit();
}
else
{
    setcookie("t00ls", $md5, time() + 60*60*24*365, "/");
    $setting = GetSetting();
    $action = isset($_GET['action']) ? $_GET['action'] : "";
    if ($action == "logout")
    {
        setcookie("t00ls", "", time() - 3600);
        header("Location: " . MYFILE);
        exit();
    }
    if ($action == "download" && isset($_GET['file']) && trim($_GET['file']) != "")
    {
        // $file comes straight from the query string: any file PHP can read
        // is served to a logged-in user, so remove the scanner after use.
        $file = $_GET['file'];
        ob_clean();
        if (@file_exists($file)) {
            header("Content-type: application/octet-stream");
            header("Content-Disposition: filename=\"" . basename($file) . "\"");
            echo file_get_contents($file);
        }
        exit();
    }
?>
<?php
    if ($action == "setting")
    {
        if (isset($_POST['btnsetting']))
        {
            // Persist the scan settings (extensions, scan-all flag, .htaccess flag) in a cookie.
            $Ssetting = array();
            $Ssetting['user'] = isset($_POST['checkuser']) ? $_POST['checkuser'] : "php | php? | phtml";
            $Ssetting['all'] = isset($_POST['checkall']) && $_POST['checkall'] == "on" ? 1 : 0;
            $Ssetting['hta'] = isset($_POST['checkhta']) && $_POST['checkhta'] == "on" ? 1 : 0;
            setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time() + 60*60*24*365, "/");
            echo "Setup is complete!";
            header('refresh:1;url=' . MYFILE . '?action=setting');
            exit();
        }
?>
<?php
    }
    else
    {
        // Directory to scan: the posted path, or the scanner's own directory by default.
        $dir = isset($_POST['path']) ? $_POST['path'] : MYPATH;
        $dir = substr($dir, -1) != "/" ? $dir . "/" : $dir;
?>
<?php
        if (isset($_POST['btnScan']))
        {
            $start = time();
            $is_user = array();
            $is_ext = "";
            $list = "";
            // Build the file-name regex from the configured extension list.
            if (trim($setting['user']) != "")
            {
                $is_user = explode("|", $setting['user']);
                if (count($is_user) > 0)
                {
                    foreach ($is_user as $key => $value)
                        $is_user[$key] = trim(str_replace("?", "(.)", $value));
                    $is_ext = "(\." . implode("($|\.))|(\.", $is_user) . "($|\.))";
                }
            }
            if ($setting['hta'] == 1)
            {
                $is_hta = 1;
                $is_ext = strlen($is_ext) > 0 ? $is_ext . "|" : $is_ext;
                $is_ext .= "(^\.htaccess$)";
            }
            // Scan every file when requested, or when no filter is configured at all.
            if ($setting['all'] == 1 || (strlen($is_ext) == 0 && $setting['hta'] == 0))
            {
                $is_ext = "(.+)";
            }
            $php_code = GetCode();
            if (!is_readable($dir))
                $dir = MYPATH;
            $count = $scanned = 0;
            Scan($dir, $is_ext);
            $end = time();
            $spent = ($end - $start);
?>
Scan: file | discovery: Suspicious File | time: seconds
No. | File | Update Time | Reason | Characteristics | Action
<?php
        }
    }
}
ob_flush();
?>
<?php
// Recursively scan $path and record every file whose name matches $is_ext
// and whose whitespace-stripped content matches one of the signatures.
function Scan($path, $is_ext) {
    global $php_code, $count, $scanned, $list;
    $ignore = array('.', '..');
    $replace = array(" ", "\n", "\r", "\t");
    $dh = @opendir($path);
    if ($dh === false) return; // unreadable directory: skip it
    while (false !== ($file = readdir($dh))) {
        if (!in_array($file, $ignore)) {
            if (is_dir("$path$file")) {
                Scan("$path$file/", $is_ext);
            } else {
                $current = $path . $file;
                if (MYFULLPATH == $current) continue; // do not flag the scanner itself
                if (!preg_match("/$is_ext/i", $file)) continue;
                if (is_readable($current))
                {
                    $scanned++;
                    $content = file_get_contents($current);
                    // Strip whitespace so "eval ( base64_decode (" matches too.
                    $content = str_replace($replace, "", $content);
                    foreach ($php_code as $key => $value)
                    {
                        if (preg_match("/$value/i", $content))
                        {
                            $count++;
                            $j = $count % 2 + 1;
                            $filetime = date('Y-m-d H:i:s', filemtime($current));
                            $reason = explode("->", $key);
                            $url = str_replace(REALPATH, HOST, $current);
                            preg_match("/$value/i", $content, $arr);
                            $list .= "
$count
$current
$filetime
$reason[0]
$reason[1]
Download
";
                            echo $key . "-" . $path . $file . " (" . $arr[0] . ")" . "\n";
                            echo $path . $file . "\n";
                            break; // one hit per file is enough
                        }
                    }
                }
            }
        }
    }
    closedir($dh);
}
// Load the scan settings from the t00ls_s cookie, or create the defaults.
function GetSetting()
{
    $Ssetting = array();
    if (isset($_COOKIE['t00ls_s']))
    {
        // The cookie is client-controlled: never let it instantiate objects (PHP 7.0+).
        $Ssetting = unserialize(base64_decode($_COOKIE['t00ls_s']), array('allowed_classes' => false));
        if (!is_array($Ssetting)) $Ssetting = array(); // malformed cookie: fall back to defaults
        $Ssetting['user'] = isset($Ssetting['user']) ? $Ssetting['user'] : "php | php? | phtml | shtml";
        $Ssetting['all'] = isset($Ssetting['all']) ? intval($Ssetting['all']) : 0;
        $Ssetting['hta'] = isset($Ssetting['hta']) ? intval($Ssetting['hta']) : 1;
    }
    else
    {
        $Ssetting['user'] = "php | php? | phtml | shtml";
        $Ssetting['all'] = 0;
        $Ssetting['hta'] = 1;
        setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time() + 60*60*24*365, "/");
    }
    return $Ssetting;
}
// Signature table: 'reason->characteristic' => regex, matched case-insensitively
// against file content with all whitespace removed.
function GetCode()
{
    return array(
        'Backdoor feature->cha88.cn' => 'cha88\.cn',
        'Backdoor feature->c99shell' => 'c99shell',
        'Backdoor feature->phpspy' => 'phpspy',
        'Backdoor feature->scanners' => 'scanners',
        'Backdoor feature->cmd.php' => 'cmd\.php',
        'Backdoor feature->str_rot13' => 'str_rot13',
        'Backdoor feature->webshell' => 'webshell',
        'Backdoor feature->egy_spider' => 'egy_spider',
        'Backdoor feature->tools88.com' => 'tools88\.com',
        'Backdoor feature->secforce' => 'secforce',
        'Backdoor feature->eval("?>' => 'eval\((\'|")\?>',
        'Suspicious code feature->system(' => 'system\(',
        'Suspicious code feature->passthru(' => 'passthru\(',
        'Suspicious code feature->shell_exec(' => 'shell_exec\(',
        'Suspicious code feature->exec(' => 'exec\(',
        'Suspicious code feature->popen(' => 'popen\(',
        'Suspicious code feature->proc_open' => 'proc_open',
        'Suspicious code feature->eval($' => 'eval\((\'|"|\s*)\\$',
        'Suspicious code feature->assert($' => 'assert\((\'|"|\s*)\\$',
        'Dangerous MySQL code->returns string soname' => 'returnsstringsoname',
        'Dangerous MySQL code->into outfile' => 'intooutfile',
        // Whitespace is stripped before matching, so \s* rather than \s+.
        'Dangerous MySQL code->load_file' => 'select(\s*)(.*)load_file',
        'Encrypted backdoor feature->eval(gzinflate(' => 'eval\(gzinflate\(',
        'Encrypted backdoor feature->eval(base64_decode(' => 'eval\(base64_decode\(',
        'Encrypted backdoor feature->eval(gzuncompress(' => 'eval\(gzuncompress\(',
        'Encrypted backdoor feature->eval(gzdecode(' => 'eval\(gzdecode\(',
        'Encrypted backdoor feature->eval(str_rot13(' => 'eval\(str_rot13\(',
        'Encrypted backdoor feature->gzuncompress(base64_decode(' => 'gzuncompress\(base64_decode\(',
        'Encrypted backdoor feature->base64_decode(gzuncompress(' => 'base64_decode\(gzuncompress\(',
        'One-line backdoor feature->eval($_' => 'eval\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
        'One-line backdoor feature->assert($_' => 'assert\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
        'One-line backdoor feature->require($_' => 'require\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
        'One-line backdoor feature->require_once($_' => 'require_once\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
        'One-line backdoor feature->include($_' => 'include\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
        'One-line backdoor feature->include_once($_' => 'include_once\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
        'One-line backdoor feature->call_user_func("assert"' => 'call_user_func\(("|\')assert("|\')',
        'One-line backdoor feature->call_user_func($_' => 'call_user_func\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
        'One-line backdoor feature->$_POST/GET/REQUEST/COOKIE[?]($_POST/GET/REQUEST/COOKIE[?]' => '\$_(POST|GET|REQUEST|COOKIE)\[([^\]]+)\]\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)\[',
        'One-line backdoor feature->echo(file_get_contents($_POST/GET/REQUEST/COOKIE' => 'echo\(file_get_contents\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
        'Upload backdoor feature->file_put_contents($_POST/GET/REQUEST/COOKIE,$_POST/GET/REQUEST/COOKIE' => 'file_put_contents\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)\[([^\]]+)\],(\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
        'Upload backdoor feature->fputs(fopen("?","w"),$_POST/GET/REQUEST/COOKIE[' => 'fputs\(fopen\((.+),(\'|")w(\'|")\),(\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)\[',
        '.htaccess feature->SetHandler application/x-httpd-php' => 'sethandlerapplication\/x-httpd-php',
        '.htaccess feature->php_value auto_prepend_file' => 'php_valueauto_prepend_file',
        '.htaccess feature->php_value auto_append_file' => 'php_valueauto_append_file'
    );
}
?>
From: http://www.111cn.net/phper/phpanqn/52711.htm
Today, my website got a Trojan horse.
It was a Kaspersky false alarm, and it has been resolved. I had it too: I went into safe mode and worked on it for a long time without fixing it, and later it was fine after I manually updated Kaspersky's virus database.
Here is a notice about the matter:
At 15:20 on May 19, CNZZ received notification of the latest update to the Kaspersky Chinese virus database. Kaspersky has resolved the false positives on CNZZ statistics, and the CNZZ statistics service was restored to normal at the first opportunity. If some users still see virus reports, please update the Kaspersky virus database manually.
The website has had a Trojan planted on it; anything that is index.php will not open
Under normal circumstances, when a computer is infected by a Trojan horse or virus, the Trojan or virus damages the system, and general anti-virus software cannot solve these problems. I recommend using Jinshan Network Shield, Jinshan First Aid Box or other system repair tools to repair the system; that is how I solved the problem.
Suggested best solution:
Step 1: Download Jinshan Poison PA 2011 (search Baidu for "Jinshan Poison Bully" and choose the official download).
Step 2: After installation, open Jinshan Poison PA and click "Total Avira".