Search for webshell Trojans using grep in Linux

Source: Internet
Author: User
Tags: egrep
grep (global regular expression print: search for a regular expression and print the matching lines) is a powerful text search tool. It searches text with regular expressions and prints every line that matches. The Unix grep family comprises grep, egrep and fgrep.

Using grep we can find common vulnerabilities, webshells and other malicious files. The grep version used in this article is 2.9; with a grep older than 2.5.4 some of the commands below may not work. Run grep -V or grep --version to check the version, and grep --help for the full list of options.


Common methods for discovering vulnerabilities:
Most insecure web application code comes down to the same thing: a dangerous function is called on input that was never filtered. Command injection and remote code execution, for example, arise when a parameter supplied by the client reaches a function that executes it, and shell_exec is a frequent culprit. grep can list every call to shell_exec under the web root:
grep -Rn "shell_exec *(" /var/www

In a basic regular expression the parenthesis is literal and " *" matches zero or more spaces, so both shell_exec( and shell_exec ( are found; -R recurses into subdirectories and -n prints the line number of each hit.
Another example: include, require, include_once and require_once can all lead to local file inclusion when the path comes from user input. Use grep to find every occurrence, then inspect and test each hit by hand:
grep -Rn "include *(" /var/www
grep -Rn "require *(" /var/www
grep -Rn "include_once *(" /var/www
grep -Rn "require_once *(" /var/www
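The four include/require searches above return every call, including the many that use a fixed path. As an added example (not part of the original article), the script below builds a constructed throw-away web root, runs one extended-regex equivalent of the four commands, and then a narrower search that keeps only lines where the sink and a request superglobal ($_GET, $_POST, $_REQUEST, $_COOKIE) appear together. File names, contents and the helper functions are all made up for the demonstration; the second regex is a heuristic that goes beyond the article's commands.

```shell
#!/bin/sh
# Added example (not from the original article): a throw-away web root with one
# include() fed by request input and two includes of fixed paths, so the broad
# grep from the article and a narrower one can be compared on known data.

# Constructed sample tree; every file here is made up for the demonstration.
make_review_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/inc"
    cat > "$d/page.php" <<'EOF'
<?php
// Path comes straight from the request: local file inclusion candidate.
include($_GET['page'] . '.php');
EOF
    cat > "$d/index.php" <<'EOF'
<?php
require_once 'inc/config.php';
include_once("inc/header.php");
echo "ok";
EOF
    cat > "$d/inc/config.php" <<'EOF'
<?php
$db_host = 'localhost';
EOF
    printf '%s\n' "$d"
}

# Broad pass, equivalent to the four single-function greps in the article but
# as one extended regex: include/require/include_once/require_once followed by
# whitespace or an opening parenthesis (PHP accepts both call styles).
list_include_sinks() {
    grep -RnE --include='*.php' '(include|require)(_once)?[[:space:](]' "$1" || true
}

# Narrow pass: only lines where the sink and a request superglobal share a line.
# Single quotes keep \$ away from the shell so the regex sees a literal dollar.
list_lfi_candidates() {
    grep -RnE --include='*.php' \
        '(include|require)(_once)?[[:space:](].*\$_(GET|POST|REQUEST|COOKIE)' "$1" || true
}

count_include_sinks()  { list_include_sinks "$1"  | wc -l | tr -d '[:space:]'; }
count_lfi_candidates() { list_lfi_candidates "$1" | wc -l | tr -d '[:space:]'; }

demo=$(make_review_tree)
echo "== every include/require sink under $demo"
list_include_sinks "$demo"
echo "== sinks that take request input (start the manual review here)"
list_lfi_candidates "$demo"
rm -rf "$demo"
```

On the sample tree the broad pass reports three lines and the narrow pass one (page.php). The narrow regex only sees flows that fit on one line; an include of a variable that was assigned from $_GET a few lines earlier is missed, which is why the broad list still has to be read rather than discarded.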


These two simple examples serve as a starting point for white-box vulnerability hunting. The rest of this article covers finding webshells and other malicious files.
Webshells typically bundle a handful of capabilities: executing commands, downloading files, editing files and opening reverse (back-connect) shells. Beyond the usual shell_exec, base64_decode and eval, particular shells leave their own fingerprints: phpspy2006 contains "Version: 2006" and "proxycontents", while phpspy2008 contains "phpspypass" and "goaction('backconnect". Other functions that commonly appear:
phpinfo
system
php_uname
chmod
fopen
fclose
readfile
edoced_46esab (base64_decode spelled backwards, an obfuscation trick)
passthru
We can use grep to search for files containing these functions, as shown below:
grep -Rn "shell_exec *(" /var/www
grep -Rn "base64_decode *(" /var/www
grep -Rn "phpinfo *(" /var/www
grep -Rn "system *(" /var/www
grep -Rn "php_uname *(" /var/www
grep -Rn "chmod *(" /var/www
grep -Rn "fopen *(" /var/www
grep -Rn "fclose *(" /var/www
grep -Rn "readfile *(" /var/www
grep -Rn "edoced_46esab *(" /var/www
grep -Rn "eval *(" /var/www
grep -Rn "passthru *(" /var/www




These can of course be combined into one command. -P switches grep to Perl-compatible regular expressions, in which a bare parenthesis opens a group, so the parenthesis we want to match literally is escaped as \(:
grep -RPn "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|php_uname|eval|tcpflood|udpflood|edoced_46esab) *\(" /var/www

Every name on this list also appears in legitimate code (fopen, fclose and chmod in particular), so treat the output as a triage list to read through, not a verdict. Files in upload directories, files with odd or hidden names, and files that combine eval with base64_decode deserve attention first.