php網站被掛木馬修複方法總結

來源:互聯網
上載者:User

在linux中我們可以使用命令來搜查木馬檔案,到代碼安裝目錄執行下面命令

 代碼如下 複製代碼

find ./ -iname "*.php" | xargs grep -H -n "eval(base64_decode"

搜出來接近100條結果,這個結果清單很重要,木馬都在裡面,要一個一個檔案開啟驗證是否是木馬,如果是,馬上刪除掉

最後找到10個木馬檔案,存放在各種目錄,都是php webshell,功能很齊全,用base64編碼

如果你在windows中尋找目錄直接使用windows檔案搜尋就可以了,可以搜尋eval或最近修改檔案,然後如果是dedecms我們要查看最新dedecms漏洞呀然後修補。


下面給個php木馬尋找工具,直接放到你網站根目錄

 代碼如下 複製代碼

<?php

/**************PHP Web木馬掃描器************************/

/* [+] 作者: alibaba */

/* [+] QQ: 1499281192 * www.111cn.net/

/* [+] MSN: weeming21@hotmail.com */

/* [+] 首發: t00ls.net , 轉載請註明t00ls */

/* [+] 版本: v1.0 */

/* [+] 功能: web版php木馬掃描工具*/

/* [+] 注意: 掃描出來的檔案並不一定就是後門, */

/* 請自行判斷、審核、對比原檔案。*/

/* 如果你不確定掃出來的檔案是否為後門,*/

/* 歡迎你把該檔案發給我進行分析。*/

/*******************************************************/

ob_start();

set_time_limit(0);

$username = "t00ls"; //設定使用者名稱

$password = "t00ls"; //設定密碼

$md5 = md5(md5($username).md5($password));

$version = "PHP Web木馬掃描器v1.0";

 

PHP Web 木馬掃描器

$realpath = realpath('./');

$selfpath = $_SERVER['PHP_SELF'];

$selfpath = substr($selfpath, 0, strrpos($selfpath,'/'));

define('REALPATH', str_replace('//','/',str_replace('\','/',substr($realpath, 0, strlen($realpath) - strlen($selfpath)))));

define('MYFILE', basename(__FILE__));

define('MYPATH', str_replace('\', '/', dirname(__FILE__)).'/');

define('MYFULLPATH', str_replace('\', '/', (__FILE__)));

define('HOST', "http://".$_SERVER['HTTP_HOST']);

?>

<html>

<head>

<title><?php echo $version?></title>

<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />

<style>

body{margin:0px;}

body,td{font: 12px Arial,Tahoma;line-height: 16px;}

a {color: #00f;text-decoration:underline;}

a:hover{color: #f00;text-decoration:none;}

.alt1 td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#f1f1f1;padding:5px 10px 5px 5px;}

.alt2 td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#f9f9f9;padding:5px 10px 5px 5px;}

.focus td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#ffffaa;padding:5px 10px 5px 5px;}

.head td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#e9e9e9;padding:5px 10px 5px 5px;font-weight:bold;}

.head td span{font-weight:normal;}

</style>

</head>

<body>

<?php

if(!(isset($_COOKIE['t00ls']) && $_COOKIE['t00ls'] == $md5) && !(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5)))

{

echo '<form id="frmlogin" name="frmlogin" method="post" action="">使用者名稱: <input type="text" name="username" id="username" /> 密碼: <input type="password" name="password" id="password" /> <input type="submit" name="btnLogin" id="btnLogin" value="登陸" /></form>';

}

elseif(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5))

{

setcookie("t00ls", $md5, time()+60*60*24*365,"/");

echo "登陸成功!";

header( 'refresh: 1; url='.MYFILE.'?action=scan' );

exit();

}

else

{

setcookie("t00ls", $md5, time()+60*60*24*365,"/");

$setting = getSetting();

$action = isset($_GET['action'])?$_GET['action']:"";

 

if($action=="logout")

{

setcookie ("t00ls", "", time() - 3600);

Header("Location: ".MYFILE);

exit();

}

if($action=="download" && isset($_GET['file']) && trim($_GET['file'])!="")

{

$file = $_GET['file'];

ob_clean();

if (@file_exists($file)) {

header("Content-type: application/octet-stream");

header("Content-Disposition: filename="".basename($file).""");

echo file_get_contents($file);

}

exit();

}

?>

<table border="0" cellpadding="0" cellspacing="0" width="100%">

<tbody><tr class="head">

<td><?php echo $_SERVER['SERVER_ADDR']?><span style="float: right; font-weight:bold;"><?php echo "<a href='http://www.t00ls.net/'>$version</a>"?></span></td>

</tr>

<tr class="alt1">

<td><span style="float: right;"><?=date("Y-m-d H:i:s",mktime())?></span>

<a href="?action=scan">掃描</a> |

<a href="?action=setting">設定</a> |

<a href="?action=logout">登出</a>

</td>

</tr>

</tbody></table>

<br>

<?php

if($action=="setting")

{

if(isset($_POST['btnsetting']))

{

$Ssetting = array();

$Ssetting['user']=isset($_POST['checkuser'])?$_POST['checkuser']:"php | php? | phtml";

$Ssetting['all']=isset($_POST['checkall'])&&$_POST['checkall']=="on"?1:0;

$Ssetting['hta']=isset($_POST['checkhta'])&&$_POST['checkhta']=="on"?1:0;

setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/");

echo "設定完成!";

header( 'refresh: 1; url='.MYFILE.'?action=setting' );

exit();

}

?>

<form name="frmSetting" method="post" action="?action=setting">

<FIELDSET style="width:400px">

<LEGEND>掃描設定</LEGEND>

<table width="100%" border="0" cellspacing="0" cellpadding="0">

<tr>

<td width="60">檔案尾碼:</td>

<td width="300"><input type="text" name="checkuser" id="checkuser" style="width:300px;" value="<?php echo $setting['user']?>"></td>

</tr>

<tr>

<td><label for="checkall">所有檔案</label></td>

<td><input type="checkbox" name="checkall" id="checkall" <?php if($setting['all']==1) echo "checked"?>></td>

</tr>

<tr>

<td><label for="checkhta">設定檔案</label></td>

<td><input type="checkbox" name="checkhta" id="checkhta" <?php if($setting['hta']==1) echo "checked"?>></td>

</tr>

<tr>

<td>&nbsp;</td>

<td>

<input type="submit" name="btnsetting" id="btnsetting" value="提交">

</td>

</tr>

</table>

</fieldset>

</form>

<?php

}

else

{

$dir = isset($_POST['path'])?$_POST['path']:MYPATH;

$dir = substr($dir,-1)!="/"?$dir."/":$dir;

?>

<form name="frmScan" method="post" action="">

<table width="100%%" border="0" cellspacing="0" cellpadding="0">

<tr>

<td width="35" style="vertical-align:middle; padding-left:5px;">掃描路徑:</td>

<td width="690">

<input type="text" name="path" id="path" style="width:600px" value="<?php echo $dir?>">

&nbsp;&nbsp;<input type="submit" name="btnScan" id="btnScan" value="開始掃描"></td>

</tr>

</table>

</form>

<?php

if(isset($_POST['btnScan']))

{

$start=mktime();

$is_user = array();

$is_ext = "";

$list = "";

 

if(trim($setting['user'])!="")

{

$is_user = explode("|",$setting['user']);

if(count($is_user)>0)

{

foreach($is_user as $key=>$value)

$is_user[$key]=trim(str_replace("?","(.)",$value));

$is_ext = "(.".implode("($|.))|(.",$is_user)."($|.))";

}

}

if($setting['hta']==1)

{

$is_hta=1;

$is_ext = strlen($is_ext)>0?$is_ext."|":$is_ext;

$is_ext.="(^.htaccess$)";

}

if($setting['all']==1 || (strlen($is_ext)==0 && $setting['hta']==0))

{

$is_ext="(.+)";

}

 

$php_code = getCode();

if(!is_readable($dir))

$dir = MYPATH;

$count=$scanned=0;

scan($dir,$is_ext);

$end=mktime();

$spent = ($end - $start);

?>

<div style="padding:10px; background-color:#ccc">掃描: <?php echo $scanned?> 檔案| 發現: <?php echo $count?> 可疑檔案| 耗時: <?php echo $spent?> 秒</div>

<table width="100%" border="0" cellspacing="0" cellpadding="0">

<tr class="head">

<td width="15" align="center">No.</td>

<td width="48%">檔案</td>

<td width="12%">更新時間</td>

<td width="10%">原因</td>

<td width="20%">特徵</td>

<td>動作</td>

</tr>

<?php echo $list?>

</table>

<?php

}

}

}

ob_flush();

?>

</body>

</html>

<?php

function scan($path = '.',$is_ext){

global $php_code,$count,$scanned,$list;

$ignore = array('.', '..' );

$replace=array(" ","n","r","t");

$dh = @opendir( $path );

 

 

while(false!==($file=readdir($dh))){

if( !in_array( $file, $ignore ) ){

if( is_dir( "$path$file" ) ){

scan("$path$file/",$is_ext);

} else {

$current = $path.$file;

if(MYFULLPATH==$current) continue;

if(!preg_match("/$is_ext/i",$file)) continue;

if(is_readable($current))

{

$scanned++;

$content=file_get_contents($current);

$content= str_replace($replace,"",$content);

foreach($php_code as $key => $value)

{

if(preg_match("/$value/i",$content))

{

$count++;

$j = $count % 2 + 1;

$filetime = date('Y-m-d H:i:s',filemtime($current));

$reason = explode("->",$key);

$url = str_replace(REALPATH,HOST,$current);

preg_match("/$value/i",$content,$arr);

$list.="

<tr class='alt$j' onmouseover='this.className="focus";' onmouseout='this.className="alt$j";'>

<td>$count</td>

<td><a href='$url' target='_blank'>$current</a></td>

<td>$filetime</td>

<td><font color=red>$reason[0]</font></td>

<td><font color=#090>$reason[1]</font></td>

<td><a href='?action=download&file=$current' target='_blank'>下載</a></td>

</tr>";

//echo $key . "-" . $path . $file ."(" . $arr[0] . ")" ."<br />";

//echo $path . $file ."<br />";

break;

}

}

}

}

}

}

closedir( $dh );

}

function getSetting()

{

$Ssetting = array();

if(isset($_COOKIE['t00ls_s']))

{

$Ssetting = unserialize(base64_decode($_COOKIE['t00ls_s']));

$Ssetting['user']=isset($Ssetting['user'])?$Ssetting['user']:"php | php? | phtml | shtml";

$Ssetting['all']=isset($Ssetting['all'])?intval($Ssetting['all']):0;

$Ssetting['hta']=isset($Ssetting['hta'])?intval($Ssetting['hta']):1;

}

else

{

$Ssetting['user']="php | php? | phtml | shtml";

$Ssetting['all']=0;

$Ssetting['hta']=1;

setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/");

}

return $Ssetting;

}

function getCode()

{

return array(

'後門特徵->cha88.cn'=>'cha88.cn',

'後門特徵->c99shell'=>'c99shell',

'後門特徵->phpspy'=>'phpspy',

'後門特徵->Scanners'=>'Scanners',

'後門特徵->cmd.php'=>'cmd.php',

'後門特徵->str_rot13'=>'str_rot13',

'後門特徵->webshell'=>'webshell',

'後門特徵->EgY_SpIdEr'=>'EgY_SpIdEr',

'後門特徵->tools88.com'=>'tools88.com',

'後門特徵->SECFORCE'=>'SECFORCE',

'後門特徵->eval("?>'=>'eval(('|")?>',

'可疑代碼特徵->system('=>'system(',

'可疑代碼特徵->passthru('=>'passthru(',

'可疑代碼特徵->shell_exec('=>'shell_exec(',

'可疑代碼特徵->exec('=>'exec(',

'可疑代碼特徵->popen('=>'popen(',

'可疑代碼特徵->proc_open'=>'proc_open',

'可疑代碼特徵->eval($'=>'eval(('|"|s*)\$',

'可疑代碼特徵->assert($'=>'assert(('|"|s*)\$',

'危險MYSQL代碼->returns string soname'=>'returnsstringsoname',

'危險MYSQL代碼->into outfile'=>'intooutfile',

'危險MYSQL代碼->load_file'=>'select(s+)(.*)load_file',

'加密後門特徵->eval(gzinflate('=>'eval(gzinflate(',

'加密後門特徵->eval(base64_decode('=>'eval(base64_decode(',

'加密後門特徵->eval(gzuncompress('=>'eval(gzuncompress(',

'加密後門特徵->eval(gzdecode('=>'eval(gzdecode(',

'加密後門特徵->eval(str_rot13('=>'eval(str_rot13(',

'加密後門特徵->gzuncompress(base64_decode('=>'gzuncompress(base64_decode(',

'加密後門特徵->base64_decode(gzuncompress('=>'base64_decode(gzuncompress(',

'一句話後門特徵->eval($_'=>'eval(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',

'一句話後門特徵->assert($_'=>'assert(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',

'一句話後門特徵->require($_'=>'require(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',

'一句話後門特徵->require_once($_'=>'require_once(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',

'一句話後門特徵->include($_'=>'include(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',

'一句話後門特徵->include_once($_'=>'include_once(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',

'一句話後門特徵->call_user_func("assert"'=>'call_user_func(("|')assert("|')',

'一句話後門特徵->call_user_func($_'=>'call_user_func(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',

'一句話後門特徵->$_POST/GET/REQUEST/COOKIE[?]($_POST/GET/REQUEST/COOKIE[?]'=>'$_(POST|GET|REQUEST|COOKIE)[([^]]+)](('|"|s*)\$_(POST|GET|REQUEST|COOKIE)[',

'一句話後門特徵->echo(file_get_contents($_POST/GET/REQUEST/COOKIE'=>'echo(file_get_contents(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',

'上傳後門特徵->file_put_contents($_POST/GET/REQUEST/COOKIE,$_POST/GET/REQUEST/COOKIE'=>'file_put_contents(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)[([^]]+)],('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',

'上傳後門特徵->fputs(fopen("?","w"),$_POST/GET/REQUEST/COOKIE['=>'fputs(fopen((.+),('|")w('|")),('|"|s*)\$_(POST|GET|REQUEST|COOKIE)[',

'.htaccess插馬特徵->SetHandler application/x-httpd-php'=>'SetHandlerapplication/x-httpd-php',

'.htaccess插馬特徵->php_value auto_prepend_file'=>'php_valueauto_prepend_file',

'.htaccess插馬特徵->php_value auto_append_file'=>'php_valueauto_append_file'

);

}

?>

相關文章

聯繫我們

該頁面正文內容均來源於網絡整理,並不代表阿里雲官方的觀點,該頁面所提到的產品和服務也與阿里云無關,如果該頁面內容對您造成了困擾,歡迎寫郵件給我們,收到郵件我們將在5個工作日內處理。

如果您發現本社區中有涉嫌抄襲的內容,歡迎發送郵件至: info-contact@alibabacloud.com 進行舉報並提供相關證據,工作人員會在 5 個工作天內聯絡您,一經查實,本站將立刻刪除涉嫌侵權內容。

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.