php网站被挂木马后的修复方法总结


Posted in PHP onNovember 06, 2014

本文实例总结了php网站被挂木马后的修复方法。分享给大家供大家参考。具体方法如下:

在linux中我们可以使用命令来搜查木马文件,到代码安装目录执行下面命令

find ./ -iname "*.php" | xargs grep -H -n "eval(base64_decode"

搜出来接近100条结果,这个结果列表很重要,木马都在里面,要一个一个文件打开验证是否是木马,如果是,马上删除掉
最后找到10个木马文件,存放在各种目录,都是php webshell,功能很齐全,用base64编码
如果你在windows中查找目录直接使用windows文件搜索就可以了,可以搜索eval或最近修改文件,然后如果是dedecms我们要查看最新dedecms漏洞呀然后修补。

下面给个php木马查找工具,直接放到你站点根目录
 

<?php

/**************PHP Web木马扫描器************************/

/* [+] 作者: alibaba */

/* [+] MSN: weeming21@hotmail.com */

/* [+] 首发: t00ls.net , 转载请注明t00ls */

/* [+] 版本: v1.0 */

/* [+] 功能: web版php木马扫描工具*/

/* [+] 注意: 扫描出来的文件并不一定就是后门, */

/* 请自行判断、审核、对比原文件。*/

/* 如果你不确定扫出来的文件是否为后门,*/

/* 欢迎你把该文件发给我进行分析。*/

/*******************************************************/

ob_start();

set_time_limit(0);

$username = "t00ls"; //设置用户名

$password = "t00ls"; //设置密码

$md5 = md5(md5($username).md5($password));

$version = "PHP Web木马扫描器v1.0";

 

PHP Web 木马扫描器

$realpath = realpath('./');

$selfpath = $_SERVER['PHP_SELF'];

$selfpath = substr($selfpath, 0, strrpos($selfpath,'/'));

define('REALPATH', str_replace('//','/',str_replace('\','/',substr($realpath, 0, strlen($realpath) - strlen($selfpath)))));

define('MYFILE', basename(__FILE__));

define('MYPATH', str_replace('\', '/', dirname(__FILE__)).'/');

define('MYFULLPATH', str_replace('\', '/', (__FILE__)));

define('HOST', "http://".$_SERVER['HTTP_HOST']);

?>

<html>

<head>

<title><?php echo $version?></title>

<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />

<style>

body{margin:0px;}

body,td{font: 12px Arial,Tahoma;line-height: 16px;}

a {color: #00f;text-decoration:underline;}

a:hover{color: #f00;text-decoration:none;}

.alt1 td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#f1f1f1;padding:5px 10px 5px 5px;}

.alt2 td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#f9f9f9;padding:5px 10px 5px 5px;}

.focus td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#ffffaa;padding:5px 10px 5px 5px;}

.head td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#e9e9e9;padding:5px 10px 5px 5px;font-weight:bold;}

.head td span{font-weight:normal;}

</style>

</head>

<body>

<?php

if(!(isset($_COOKIE['t00ls']) && $_COOKIE['t00ls'] == $md5) && !(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5)))

{

echo '<form id="frmlogin" name="frmlogin" method="post" action="">用户名: <input type="text" name="username" id="username" /> 密码: <input type="password" name="password" id="password" /> <input type="submit" name="btnLogin" id="btnLogin" value="登陆" /></form>';

}

elseif(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5))

{

setcookie("t00ls", $md5, time()+60*60*24*365,"/");

echo "登陆成功!";

header( 'refresh: 1; url='.MYFILE.'?action=scan' );

exit();

}

else

{

setcookie("t00ls", $md5, time()+60*60*24*365,"/");

$setting = getSetting();

$action = isset($_GET['action'])?$_GET['action']:"";

 

if($action=="logout")

{

setcookie ("t00ls", "", time() - 3600);

Header("Location: ".MYFILE);

exit();

}

if($action=="download" && isset($_GET['file']) && trim($_GET['file'])!="")

{

$file = $_GET['file'];

ob_clean();

if (@file_exists($file)) {

header("Content-type: application/octet-stream");

header("Content-Disposition: filename="".basename($file).""");

echo file_get_contents($file);

}

exit();

}

?>

<table border="0" cellpadding="0" cellspacing="0" width="100%">

<tbody><tr class="head">

<td><?php echo $_SERVER['SERVER_ADDR']?><span style="float: right; font-weight:bold;"><?php echo "<a href='http://www.t00ls.net/'>$version</a>"?></span></td>

</tr>

<tr class="alt1">

<td><span style="float: right;"><?=date("Y-m-d H:i:s",mktime())?></span>

<a href="?action=scan">扫描</a> |

<a href="?action=setting">设定</a> |

<a href="?action=logout">登出</a>

</td>

</tr>

</tbody></table>

<br>

<?php

if($action=="setting")

{

if(isset($_POST['btnsetting']))

{

$Ssetting = array();

$Ssetting['user']=isset($_POST['checkuser'])?$_POST['checkuser']:"php | php? | phtml";

$Ssetting['all']=isset($_POST['checkall'])&&$_POST['checkall']=="on"?1:0;

$Ssetting['hta']=isset($_POST['checkhta'])&&$_POST['checkhta']=="on"?1:0;

setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/");

echo "设置完成!";

header( 'refresh: 1; url='.MYFILE.'?action=setting' );

exit();

}

?>

<form name="frmSetting" method="post" action="?action=setting">

<FIELDSET style="width:400px">

<LEGEND>扫描设定</LEGEND>

<table width="100%" border="0" cellspacing="0" cellpadding="0">

<tr>

<td width="60">文件后缀:</td>

<td width="300"><input type="text" name="checkuser" id="checkuser" style="width:300px;" value="<?php echo $setting['user']?>"></td>

</tr>

<tr>

<td><label for="checkall">所有文件</label></td>

<td><input type="checkbox" name="checkall" id="checkall" <?php if($setting['all']==1) echo "checked"?>></td>

</tr>

<tr>

<td><label for="checkhta">设置文件</label></td>

<td><input type="checkbox" name="checkhta" id="checkhta" <?php if($setting['hta']==1) echo "checked"?>></td>

</tr>

<tr>

<td> </td>

<td>

<input type="submit" name="btnsetting" id="btnsetting" value="提交">

</td>

</tr>

</table>

</fieldset>

</form>

<?php

}

else

{

$dir = isset($_POST['path'])?$_POST['path']:MYPATH;

$dir = substr($dir,-1)!="/"?$dir."/":$dir;

?>

<form name="frmScan" method="post" action="">

<table width="100%%" border="0" cellspacing="0" cellpadding="0">

<tr>

<td width="35" style="vertical-align:middle; padding-left:5px;">扫描路径:</td>

<td width="690">

<input type="text" name="path" id="path" style="width:600px" value="<?php echo $dir?>">

  <input type="submit" name="btnScan" id="btnScan" value="开始扫描"></td>

</tr>

</table(3water.com)>

</form>

<?php

if(isset($_POST['btnScan']))

{

$start=mktime();

$is_user = array();

$is_ext = "";

$list = "";

 

if(trim($setting['user'])!="")

{

$is_user = explode("|",$setting['user']);

if(count($is_user)>0)

{

foreach($is_user as $key=>$value)

$is_user[$key]=trim(str_replace("?","(.)",$value));

$is_ext = "(.".implode("($|.))|(.",$is_user)."($|.))";

}

}

if($setting['hta']==1)

{

$is_hta=1;

$is_ext = strlen($is_ext)>0?$is_ext."|":$is_ext;

$is_ext.="(^.htaccess$)";

}

if($setting['all']==1 || (strlen($is_ext)==0 && $setting['hta']==0))

{

$is_ext="(.+)";

}

 

$php_code = getCode();

if(!is_readable($dir))

$dir = MYPATH;

$count=$scanned=0;

scan($dir,$is_ext);

$end=mktime();

$spent = ($end - $start);

?>

<div style="padding:10px; background-color:#ccc">扫描: <?php echo $scanned?> 文件| 发现: <?php echo $count?> 可疑文件| 耗时: <?php echo $spent?> 秒</div>

<table width="100%" border="0" cellspacing="0" cellpadding="0">

<tr class="head">

<td width="15" align="center">No.</td>

<td width="48%">文件</td>

<td width="12%">更新时间</td>

<td width="10%">原因</td>

<td width="20%">特征</td>

<td>动作</td>

</tr>

<?php echo $list?>

</table>

<?php

}

}

}

ob_flush();

?>

</body>

</html>

<?php

function scan($path = '.',$is_ext){

global $php_code,$count,$scanned,$list;

$ignore = array('.', '..' );

$replace=array(" ","n","r","t");

$dh = @opendir( $path );
while(false!==($file=readdir($dh))){

if( !in_array( $file, $ignore ) ){

if( is_dir( "$path$file" ) ){

scan("$path$file/",$is_ext);

} else {

$current = $path.$file;

if(MYFULLPATH==$current) continue;

if(!preg_match("/$is_ext/i",$file)) continue;

if(is_readable($current))

{

$scanned++;

$content=file_get_contents($current);

$content= str_replace($replace,"",$content);

foreach($php_code as $key => $value)

{

if(preg_match("/$value/i",$content))

{

$count++;

$j = $count % 2 + 1;

$filetime = date('Y-m-d H:i:s',filemtime($current));

$reason = explode("->",$key);

$url = str_replace(REALPATH,HOST,$current);

preg_match("/$value/i",$content,$arr);

$list.="

<tr class='alt$j' onmouseover='this.className="focus";' onmouseout='this.className="alt$j";'>

<td>$count</td>

<td><a href='$url' target='_blank'>$current</a></td>

<td>$filetime</td>

<td><font color=red>$reason[0]</font></td>

<td><font color=#090>$reason[1]</font></td>

<td><a href='?action=download&file=$current' target='_blank'>下载</a></td>

</tr>";

//echo $key . "-" . $path . $file ."(" . $arr[0] . ")" ."<br />";

//echo $path . $file ."<br />";

break;

}

}

}

}

}

}

closedir( $dh );

}

function getSetting()

{

$Ssetting = array();

if(isset($_COOKIE['t00ls_s']))

{

$Ssetting = unserialize(base64_decode($_COOKIE['t00ls_s']));

$Ssetting['user']=isset($Ssetting['user'])?$Ssetting['user']:"php | php? | phtml | shtml";

$Ssetting['all']=isset($Ssetting['all'])?intval($Ssetting['all']):0;

$Ssetting['hta']=isset($Ssetting['hta'])?intval($Ssetting['hta']):1;

}

else

{

$Ssetting['user']="php | php? | phtml | shtml";

$Ssetting['all']=0;

$Ssetting['hta']=1;

setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/");

}

return $Ssetting;

}

function getCode()

{

return array(

'后门特征->cha88.cn'=>'cha88.cn',

'后门特征->c99shell'=>'c99shell',

'后门特征->phpspy'=>'phpspy',

'后门特征->Scanners'=>'Scanners',

'后门特征->cmd.php'=>'cmd.php',

'后门特征->str_rot13'=>'str_rot13',

'后门特征->webshell'=>'webshell',

'后门特征->EgY_SpIdEr'=>'EgY_SpIdEr',

'后门特征->tools88.com'=>'tools88.com',

'后门特征->SECFORCE'=>'SECFORCE',

'后门特征->eval("?>'=>'eval(('|")?>',

'可疑代码特征->system('=>'system(',

'可疑代码特征->passthru('=>'passthru(',

'可疑代码特征->shell_exec('=>'shell_exec(',

'可疑代码特征->exec('=>'exec(',

'可疑代码特征->popen('=>'popen(',

'可疑代码特征->proc_open'=>'proc_open',

'可疑代码特征->eval($'=>'eval(('|"|s*)\$',

'可疑代码特征->assert($'=>'assert(('|"|s*)\$',

'危险MYSQL代码->returns string soname'=>'returnsstringsoname',

'危险MYSQL代码->into outfile'=>'intooutfile',

'危险MYSQL代码->load_file'=>'select(s+)(.*)load_file',

'加密后门特征->eval(gzinflate('=>'eval(gzinflate(',

'加密后门特征->eval(base64_decode('=>'eval(base64_decode(',

'加密后门特征->eval(gzuncompress('=>'eval(gzuncompress(',

'加密后门特征->eval(gzdecode('=>'eval(gzdecode(',

'加密后门特征->eval(str_rot13('=>'eval(str_rot13(',

'加密后门特征->gzuncompress(base64_decode('=>'gzuncompress(base64_decode(',

'加密后门特征->base64_decode(gzuncompress('=>'base64_decode(gzuncompress(',

'一句话后门特征->eval($_'=>'eval(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',

'一句话后门特征->assert($_'=>'assert(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',

'一句话后门特征->require($_'=>'require(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',

'一句话后门特征->require_once($_'=>'require_once(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',

'一句话后门特征->include($_'=>'include(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',

'一句话后门特征->include_once($_'=>'include_once(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',

'一句话后门特征->call_user_func("assert"'=>'call_user_func(("|')assert("|')',

'一句话后门特征->call_user_func($_'=>'call_user_func(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',

'一句话后门特征->$_POST/GET/REQUEST/COOKIE[?]($_POST/GET/REQUEST/COOKIE[?]'=>'$_(POST|GET|REQUEST|COOKIE)[([^]]+)](('|"|s*)\$_(POST|GET|REQUEST|COOKIE)[',

'一句话后门特征->echo(file_get_contents($_POST/GET/REQUEST/COOKIE'=>'echo(file_get_contents(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',

'上传后门特征->file_put_contents($_POST/GET/REQUEST/COOKIE,$_POST/GET/REQUEST/COOKIE'=>'file_put_contents(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)[([^]]+)],('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',

'上传后门特征->fputs(fopen("?","w"),$_POST/GET/REQUEST/COOKIE['=>'fputs(fopen((.+),('|")w('|")),('|"|s*)\$_(POST|GET|REQUEST|COOKIE)[',

'.htaccess插马特征->SetHandler application/x-httpd-php'=>'SetHandlerapplication/x-httpd-php',

'.htaccess插马特征->php_value auto_prepend_file'=>'php_valueauto_prepend_file',

'.htaccess插马特征->php_value auto_append_file'=>'php_valueauto_append_file'

);

}

?>

希望本文所述对大家基于php的网站安全建设有所帮助。

PHP 相关文章推荐
也谈 PHP 和 MYSQL
Oct 09 PHP
163的邮件用phpmailer发送(实例详解)
Jun 24 PHP
php设计模式之单例模式使用示例
Jan 20 PHP
PHP批量删除、清除UTF-8文件BOM头的代码实例
Apr 14 PHP
ThinkPHP应用模式扩展详解
Jul 16 PHP
php向js函数传参的几种方法
Aug 10 PHP
php将文本文件转换csv输出的方法
Dec 31 PHP
php实现插入排序
Mar 29 PHP
php实现中文转数字
Feb 18 PHP
Thinkphp框架中D方法与M方法的区别
Dec 23 PHP
php 猴子摘桃的算法
Jun 20 PHP
PHP attributes()函数讲解
Feb 03 PHP
调试PHP程序的多种方法介绍
Nov 06 #PHP
php实现singleton()单例模式实例
Nov 06 #PHP
php使用session二维数组实例
Nov 06 #PHP
php函数serialize()与unserialize()用法实例
Nov 06 #PHP
php实现webservice实例
Nov 06 #PHP
php的dl函数用法实例
Nov 06 #PHP
PHP写日志的实现方法
Nov 05 #PHP
You might like
php比较多维数组中值的大小排序实现代码
2012/09/08 PHP
基于jQuery实现点击同时更改两个iframe的网址
2010/07/01 Javascript
Jquery之Ajax运用 学习运用篇
2011/09/26 Javascript
Prototype源码浅析 String部分(三)之HTML字符串处理
2012/01/15 Javascript
JS中setInterval、setTimeout不能传递带参数的函数的解决方案
2013/04/28 Javascript
js 实现的可折叠留言板(附源码下载)
2014/07/01 Javascript
JS根据年月获得当月天数的实现代码
2014/07/03 Javascript
基于NodeJS的前后端分离的思考与实践(二)模版探索
2014/09/26 NodeJs
JavaScript onkeydown事件入门实例(键盘某个按键被按下)
2014/10/17 Javascript
JavaScript插件化开发教程 (二)
2015/01/27 Javascript
javascript实现点击单选按钮链接转向对应网址的方法
2015/08/12 Javascript
js实现页面a向页面b传参的方法
2016/05/29 Javascript
js封装tab标签页实例分享
2016/12/19 Javascript
vuex中使用对象展开运算符的示例
2017/09/25 Javascript
Vuex提升学习篇
2018/01/11 Javascript
微信小程序引入VANT组件的方法步骤
2019/09/19 Javascript
vue 对axios get pust put delete封装的实例代码
2020/01/05 Javascript
python 测试实现方法
2008/12/24 Python
使用python实现BLAST
2018/02/12 Python
Django基础三之视图函数的使用方法
2019/07/18 Python
树莓派3 搭建 django 服务器的实例
2019/08/29 Python
Python获取、格式化当前时间日期的方法
2020/02/10 Python
Pycharm 使用 Pipenv 新建的虚拟环境(图文详解)
2020/04/16 Python
Django如何实现密码错误报错提醒
2020/09/04 Python
浅析Python的命名空间与作用域
2020/11/25 Python
SCHIESSER荷兰官方网站:德国内衣专家
2020/10/09 全球购物
在校实习生求职信
2014/06/18 职场文书
护士辞职信怎么写
2015/02/27 职场文书
小学教师岗位职责
2015/04/02 职场文书
刑事起诉书范文
2015/05/19 职场文书
高中物理教学反思
2016/02/19 职场文书
高三物理教学反思
2016/02/20 职场文书
车辆挂靠协议书
2016/03/23 职场文书
Pygame Event事件模块的详细示例
2021/11/17 Python
SQL Server2019数据库备份与还原脚本,数据库可批量备份
2021/11/20 SQL Server
CSS精灵图的原理与使用方法介绍
2022/03/17 HTML / CSS