PHP website is hanging Trojan Repair method Summary, PHP hangs Trojan summary _php tutorial

Source: Internet
Author: User
Tags assert filetime mysql code php website setcookie

PHP website is hanging Trojan Repair method Summary, PHP hanging Trojan Summary


In Linux we can use the command to search the Trojan file, to the code installation directory to execute the following command

Code to copy code as follows
Find./-iname "*.php" | Xargs grep-h-N "eval (base64_decode")

Search out close to 100 results, this list of results is very important, the Trojan is inside, to a file open to verify whether it is a trojan, if it is, delete immediately

Finally found 10 trojan files, stored in various directories, are PHP Webshell, function is complete, with base64 code

If you look up a directory in Windows directly using Windows File Search, you can search for eval or recently modified file, then if it is dedecms we want to check the latest dedecms bug and then fix it.


Here is a PHP Trojan find tool, directly to your site root directory

Code to copy code as follows

/**************php Web Trojan scanner ************************/

/* [+] Author: Alibaba */

/* [+] qq:1499281192 * www.111cn.net/

/* [+] msn:weeming21@hotmail.com */

/* [+] Starter: t00ls.net, reprint please specify T00LS * *

/* [+] Version: v1.0 */

/* [+] Features: Web version of the PHP Trojan scan Tool */

/* [+] Note: The scanned file is not necessarily the back door, */

/* Please judge, review and compare the original documents. */

/* If you're not sure if the file you swept is a backdoor, */

/* You are welcome to send me the document for analysis. */

/*******************************************************/

Ob_start ();

Set_time_limit (0);

$username = "T00ls"; Set User name

$password = "T00ls"; Set Password

$MD 5 = MD5 (MD5 ($USERNAME). MD5 ($password));

$version = "PHP Web Trojan Scanner v1.0";

PHP Web Trojan Scanner

$realpath = Realpath ('./');

$selfpath = $_server[' php_self ');

$selfpath = substr ($selfpath, 0, Strrpos ($selfpath, '/'));

Define (' Realpath ', str_replace ('//', '/', str_replace (' \ ', '/', substr ($realpath, 0, strlen ($realpath)-strlen ($ Selfpath)));

Define (' MYFILE ', basename (__file__));

Define (' MYPATH ', str_replace (' \ ', '/', dirname (__file__)). ' /');

Define (' Myfullpath ', str_replace (' \ ', '/', (__file__)));

Define (' HOST ', "http://". $_server[' Http_host ');

?>

<?php Echo $version?>

if (! ( Isset ($_cookie[' t00ls ')) && $_cookie[' t00ls '] = = $MD 5) &&! (Isset ($_post[' username ')) && isset ($_post[' password ']) && (MD5 (MD5 ($_post[' username ')). MD5 ($_post [' Password '])) = = $MD 5)))

{

Echo ';

}

ElseIf (isset ($_post[' username ')) && isset ($_post[' password ']) && (MD5 (MD5 ($_post[' username ')). MD5 ( $_post[' password ')) (= = $MD 5)))

{

Setcookie ("T00ls", $md 5, Time () +60*60*24*365, "/");

echo "landed successfully! ";

Header (' refresh:1; Url= '. MYFILE. '? Action=scan ');

Exit ();

}

Else

{

Setcookie ("T00ls", $md 5, Time () +60*60*24*365, "/");

$setting = GetSetting ();

$action = Isset ($_get[' action '])? $_get[' action ']: "";

if ($action = = "Logout")

{

Setcookie ("T00ls", "", Time ()-3600);

Header ("Location:".) MYFILE);

Exit ();

}

if ($action = = "Download" && isset ($_get[' file ']) && trim ($_get[' file '])! = "")

{

$file = $_get[' file '];

Ob_clean ();

if (@file_exists ($file)) {

Header ("Content-type:application/octet-stream");

Header ("Content-disposition:filename=". BaseName ($file). "" ");

Echo file_get_contents ($file);

}

Exit ();

}

?>

Scan |

Settings |

Log out


if ($action = = "setting")

{

if (Isset ($_post[' btnsetting '))

{

$Ssetting = Array ();

$Ssetting [' User ']=isset ($_post[' checkuser ')? $_post[' checkuser ']: "PHP | php? | Phtml ";

$Ssetting [' All ']=isset ($_post[' checkall ') &&$_post[' Checkall ']== "on"? 1:0;

$Ssetting [' HTA ']=isset ($_post[' Checkhta ') &&$_post[' Checkhta ']== "on"? 1:0;

Setcookie ("t00ls_s", Base64_encode (Serialize ($Ssetting)), Time () +60*60*24*365, "/");

echo "Setup is complete! ";

Header (' refresh:1; Url= '. MYFILE. '? Action=setting ');

Exit ();

}

?>

}

Else

{

$dir = isset ($_post[' path ')? $_post[' path ']:mypath;

$dir = substr ($dir, -1)! = "/"? $dir. " /": $dir;

?>

if (Isset ($_post[' Btnscan '))

{

$start =mktime ();

$is _user = Array ();

$is _ext = "";

$list = "";

if (Trim ($setting [' user '])! = "")

{

$is _user = explode ("|", $setting [' user ']);

if (count ($is _user) >0)

{

foreach ($is _user as $key = $value)

$is _user[$key]=trim (Str_replace ("?", "(.)", $value));

$is _ext = "(."). Implode ("($|.)) | (. ", $is _user)." ($|.))";

}

}

if ($setting [' HTA ']==1)

{

$is _hta=1;

$is _ext = strlen ($is _ext) >0 $is _ext. "|": $is _ext;

$is _ext.= "(^.htaccess$)";

}

if ($setting [' All ']==1 | | (Strlen ($is _ext) ==0 && $setting [' HTA ']==0])

{

$is _ext= "(. +)";

}

$php _code = GetCode ();

if (!is_readable ($dir))

$dir = MYPATH;

$count = $scanned = 0;

Scan ($dir, $is _ext);

$end =mktime ();

$spent = ($end-$start);

?>

Scan: file | discovery: Suspicious File | time: seconds

No. File Update Time Reason Characteristics Action

}

}

}

Ob_flush ();

?>

function Scan ($path = '. ', $is _ext) {

Global $php _code, $count, $scanned, $list;

$ignore = Array ('. ', '.. ');

$replace =array ("", "N", "R", "T");

$DH = @opendir ($path);

while (false!== ($file =readdir ($DH))) {

if (!in_array ($file, $ignore)) {

if (Is_dir ("$path $file")) {

Scan ("$path $file/", $is _ext);

} else {

$current = $path. $file;

if (myfullpath== $current) continue;

if (!preg_match ("/$is _ext/i", $file)) continue;

if (is_readable ($current))

{

$scanned + +;

$content =file_get_contents ($current);

$content = Str_replace ($replace, "", $content);

foreach ($php _code as $key = $value)

{

if (Preg_match ("/$value/I", $content))

{

$count + +;

$j = $count% 2 + 1;

$filetime = Date (' y-m-d h:i:s ', Filemtime ($current));

$reason = Explode (",", $key);

$url = Str_replace (Realpath,host, $current);

Preg_match ("/$value/I", $content, $arr);

$list. = "

$count

$current

$filetime

$reason [0]

$reason [1]

Download

";

Echo $key. "-" . $path. $file. " (" . $arr [0]. ")" ."
";

Echo $path. $file. "
";

Break

}

}

}

}

}

}

Closedir ($DH);

}

function GetSetting ()

{

$Ssetting = Array ();

if (Isset ($_cookie[' t00ls_s '))

{

$Ssetting = Unserialize (Base64_decode ($_cookie[' t00ls_s '));

$Ssetting [' User ']=isset ($Ssetting [' user '])? $Ssetting [' User ']: PHP | php? | phtml | sHTML ";

$Ssetting [' All ']=isset ($Ssetting ["All"])? Intval ($Ssetting [' All ']): 0;

$Ssetting [' HTA ']=isset ($Ssetting [' HTA '])? intval ($Ssetting [' HTA ']): 1;

}

Else

{

$Ssetting [' user ']= php | php? | phtml | sHTML ";

$Ssetting [' All ']=0;

$Ssetting [' HTA ']=1;

Setcookie ("t00ls_s", Base64_encode (Serialize ($Ssetting)), Time () +60*60*24*365, "/");

}

return $Ssetting;

}

function GetCode ()

{

Return Array (

' Backdoor features->cha88.cn ' = ' cha88.cn ',

' Backdoor features->c99shell ' = ' C99shell ',

' Backdoor features->phpspy ' = ' phpspy ',

' Backdoor features->scanners ' = ' scanners ',

' Backdoor features->cmd.php ' = ' cmd.php ',

' Backdoor features->str_rot13 ' = ' str_rot13 ',

' Backdoor features->webshell ' = ' Webshell ',

' Backdoor features->egy_spider ' = ' egy_spider ',

' Backdoor features->tools88.com ' = ' tools88.com ',

' Backdoor features->secforce ' = ' secforce ',

' Back door feature->eval ('?> ' + ' eval (' | ')? > ',

' Suspicious code feature->system (' = = ' System (',

' Suspicious code features->passthru (' = ' = ' PassThru (',

' Suspicious code features->shell_exec (' = ' = ' shell_exec (',

' Suspicious code feature->exec (' = ' + ' EXEC (',

' Suspicious code features->popen (' = ' = ' Popen (',

' Suspicious code features->proc_open ' = ' proc_open ',

' Suspicious code feature->eval ($ ' = ' eval (' | ' | s*) \$ ',

' Suspicious code feature->assert ($ ' = ' = ' Assert (' | ' | s*) \$ ',

' Dangerous MySQL code->returns string soname ' = ' returnsstringsoname ',

' Dangerous MySQL code->into outfile ' = ' intooutfile ',

' Dangerous mysql code->load_file ' = ' + ' Select (s+) (. *) Load_file ',

' Encrypt backdoor feature->eval (gzinflate (' = ' + ' eval (gzinflate (',

' Encrypt backdoor feature->eval (base64_decode (' = ' + ' eval (Base64_decode (',

' Encrypt backdoor feature->eval (gzuncompress (' = ' + ' eval (gzuncompress (',

' Encrypt backdoor feature->eval (gzdecode (' = ' + ' eval (Gzdecode (',

' Encrypt backdoor feature->eval (str_rot13 (' = ' + ' eval (str_rot13 (',

' Encrypt backdoor feature->gzuncompress (base64_decode (' = ' = ' gzuncompress ' (Base64_decode (',

' Encrypt backdoor feature->base64_decode (gzuncompress (' = ' = ' Base64_decode ' (gzuncompress (',

' One word back door feature->eval ($_ ' = + ' eval (' | ' | s*) \$_ (post| Get| Request| COOKIE) ',

' One word Backdoor feature->assert ($_ ' = ' = ' Assert (' | ' | s*) \$_ (post| Get| Request| COOKIE) ',

' One word Backdoor feature->require ($_ ' = ' require ' (' | ' | s*) \$_ (post| Get| Request| COOKIE) ',

' One word Backdoor feature->require_once ($_ ' = ' require_once ' (' | ' | s*) \$_ (post| Get| Request| COOKIE) ',

' One word Backdoor feature->include ($_ ' + ' include (' | ' | s*) \$_ (post| Get| Request| COOKIE) ',

' One word Backdoor feature->include_once ($_ ' = ' include_once ' (' | ' | s*) \$_ (post| Get| Request| COOKIE) ',

' One word back door feature->call_user_func ("assert" ' = ' + ' Call_user_func (' | ') Assert ("| ') ',

' One word Backdoor feature->call_user_func ($_ ' = ' call_user_func ' (' | ' | s*) \$_ (post| Get| Request| COOKIE) ',

' A word of the backdoor features->$_post/get/request/cookie[? ' ($_post/get/request/cookie[?] ' = ' $_ (post| Get| Request| cookies) [([^]]+)] ((' | ' | s*) \$_ (post| Get| Request| Cookies) [',

' One word back door feature->echo (file_get_contents ($_post/get/request/cookie ' = ' "Echo (file_get_contents (' | ' | s*) \$_ (post| Get| Request| COOKIE) ',

' Upload backdoor feature->file_put_contents ($_post/get/request/cookie,$_post/get/request/cookie ' = ' file_put_contents ' (' | ' | s*) \$_ (post| Get| Request| cookies) [([^]]+)], (' | ' | s*) \$_ (post| Get| Request| COOKIE) ',

' Upload backdoor feature->fputs (fopen ("?", "W"), $_post/get/request/cookie[' = ' fputs (fopen ((. +), (' | ') W (' | ")), (' | ' | s*) \$_ (post| Get| Request| Cookies) [',

'. htaccess features->sethandler application/x-httpd-php ' = ' sethandlerapplication/x-httpd-php ',

'. htaccess features->php_value auto_prepend_file ' = ' php_valueauto_prepend_file ',

'. htaccess features->php_value auto_append_file ' = ' php_valueauto_append_file '

);

}

?>

From:http://www.111cn.net/phper/phpanqn/52711.htm


Today, my website is on a Trojan horse.

It is Kaspersky's false alarm, has solved the tactic, I also, entered the safe mode to have been engaged for a long time did not fix, later manually updates Kaspersky's virus storehouse to be good.
Here is a notice about the matter:
May 19 15:20 P.M., CNZZ received the latest update of Kaspersky Chinese virus Database notification, the other party has resolved the CNZZ statistics of false positives, CNZZ statistical services are now back to normal in the first time. If some users are still reporting poison, please update Kaspersky virus database manually.

The website has been hanged the Trojan, as long as the indexphp will not open

Under normal circumstances, computer poisoning or Trojan horse or virus, Trojan virus will destroy the system, the general anti-virus software is not able to solve these problems, recommend you use Jinshan Network shield or Jinshan first aid box and other system repair tools to repair the system, I solve the problem.
Suggest your best solution

The first step: Download Jinshan poison PA 2011 "Baidu Search Jinshan Poison Bully" Select the official download

After the installation of the second step, open the Golden Hill poison PA, click "Total Avira"

http://www.bkjia.com/PHPjc/905902.html www.bkjia.com true http://www.bkjia.com/PHPjc/905902.html techarticle PHP website is hanging Trojan Repair method Summary, PHP hanging trojan summary in Linux we can use the command to search the Trojan file, to the code installation directory to execute the following command code to copy code as follows ...

  • Contact Us

    The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

    If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

    A Free Trial That Lets You Build Big!

    Start building with 50+ products and up to 12 months usage for Elastic Compute Service

    • Sales Support

      1 on 1 presale consultation

    • After-Sales Support

      24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.