php网站被挂木马后的修复方法总结


Posted in PHP onNovember 06, 2014

本文实例总结了php网站被挂木马后的修复方法。分享给大家供大家参考。具体方法如下:

在linux中我们可以使用命令来搜查木马文件,到代码安装目录执行下面命令

find ./ -iname "*.php" | xargs grep -H -n "eval(base64_decode"

搜出来接近100条结果,这个结果列表很重要,木马都在里面,要一个一个文件打开验证是否是木马,如果是,马上删除掉
最后找到10个木马文件,存放在各种目录,都是php webshell,功能很齐全,用base64编码
如果你在windows中查找目录直接使用windows文件搜索就可以了,可以搜索eval或最近修改文件,然后如果是dedecms我们要查看最新dedecms漏洞呀然后修补。

下面给个php木马查找工具,直接放到你站点根目录
 

<?php

/**************PHP Web木马扫描器************************/

/* [+] 作者: alibaba */

/* [+] MSN: weeming21@hotmail.com */

/* [+] 首发: t00ls.net , 转载请注明t00ls */

/* [+] 版本: v1.0 */

/* [+] 功能: web版php木马扫描工具*/

/* [+] 注意: 扫描出来的文件并不一定就是后门, */

/* 请自行判断、审核、对比原文件。*/

/* 如果你不确定扫出来的文件是否为后门,*/

/* 欢迎你把该文件发给我进行分析。*/

/*******************************************************/

ob_start();

set_time_limit(0);

$username = "t00ls"; //设置用户名

$password = "t00ls"; //设置密码

$md5 = md5(md5($username).md5($password));

$version = "PHP Web木马扫描器v1.0";

 

PHP Web 木马扫描器

$realpath = realpath('./');

$selfpath = $_SERVER['PHP_SELF'];

$selfpath = substr($selfpath, 0, strrpos($selfpath,'/'));

define('REALPATH', str_replace('//','/',str_replace('\','/',substr($realpath, 0, strlen($realpath) - strlen($selfpath)))));

define('MYFILE', basename(__FILE__));

define('MYPATH', str_replace('\', '/', dirname(__FILE__)).'/');

define('MYFULLPATH', str_replace('\', '/', (__FILE__)));

define('HOST', "http://".$_SERVER['HTTP_HOST']);

?>

<html>

<head>

<title><?php echo $version?></title>

<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />

<style>

body{margin:0px;}

body,td{font: 12px Arial,Tahoma;line-height: 16px;}

a {color: #00f;text-decoration:underline;}

a:hover{color: #f00;text-decoration:none;}

.alt1 td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#f1f1f1;padding:5px 10px 5px 5px;}

.alt2 td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#f9f9f9;padding:5px 10px 5px 5px;}

.focus td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#ffffaa;padding:5px 10px 5px 5px;}

.head td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#e9e9e9;padding:5px 10px 5px 5px;font-weight:bold;}

.head td span{font-weight:normal;}

</style>

</head>

<body>

<?php

if(!(isset($_COOKIE['t00ls']) && $_COOKIE['t00ls'] == $md5) && !(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5)))

{

echo '<form id="frmlogin" name="frmlogin" method="post" action="">用户名: <input type="text" name="username" id="username" /> 密码: <input type="password" name="password" id="password" /> <input type="submit" name="btnLogin" id="btnLogin" value="登陆" /></form>';

}

elseif(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5))

{

setcookie("t00ls", $md5, time()+60*60*24*365,"/");

echo "登陆成功!";

header( 'refresh: 1; url='.MYFILE.'?action=scan' );

exit();

}

else

{

setcookie("t00ls", $md5, time()+60*60*24*365,"/");

$setting = getSetting();

$action = isset($_GET['action'])?$_GET['action']:"";

 

if($action=="logout")

{

setcookie ("t00ls", "", time() - 3600);

Header("Location: ".MYFILE);

exit();

}

if($action=="download" && isset($_GET['file']) && trim($_GET['file'])!="")

{

$file = $_GET['file'];

ob_clean();

if (@file_exists($file)) {

header("Content-type: application/octet-stream");

header("Content-Disposition: filename="".basename($file).""");

echo file_get_contents($file);

}

exit();

}

?>

<table border="0" cellpadding="0" cellspacing="0" width="100%">

<tbody><tr class="head">

<td><?php echo $_SERVER['SERVER_ADDR']?><span style="float: right; font-weight:bold;"><?php echo "<a href='http://www.t00ls.net/'>$version</a>"?></span></td>

</tr>

<tr class="alt1">

<td><span style="float: right;"><?=date("Y-m-d H:i:s",mktime())?></span>

<a href="?action=scan">扫描</a> |

<a href="?action=setting">设定</a> |

<a href="?action=logout">登出</a>

</td>

</tr>

</tbody></table>

<br>

<?php

if($action=="setting")

{

if(isset($_POST['btnsetting']))

{

$Ssetting = array();

$Ssetting['user']=isset($_POST['checkuser'])?$_POST['checkuser']:"php | php? | phtml";

$Ssetting['all']=isset($_POST['checkall'])&&$_POST['checkall']=="on"?1:0;

$Ssetting['hta']=isset($_POST['checkhta'])&&$_POST['checkhta']=="on"?1:0;

setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/");

echo "设置完成!";

header( 'refresh: 1; url='.MYFILE.'?action=setting' );

exit();

}

?>

<form name="frmSetting" method="post" action="?action=setting">

<FIELDSET style="width:400px">

<LEGEND>扫描设定</LEGEND>

<table width="100%" border="0" cellspacing="0" cellpadding="0">

<tr>

<td width="60">文件后缀:</td>

<td width="300"><input type="text" name="checkuser" id="checkuser" style="width:300px;" value="<?php echo $setting['user']?>"></td>

</tr>

<tr>

<td><label for="checkall">所有文件</label></td>

<td><input type="checkbox" name="checkall" id="checkall" <?php if($setting['all']==1) echo "checked"?>></td>

</tr>

<tr>

<td><label for="checkhta">设置文件</label></td>

<td><input type="checkbox" name="checkhta" id="checkhta" <?php if($setting['hta']==1) echo "checked"?>></td>

</tr>

<tr>

<td> </td>

<td>

<input type="submit" name="btnsetting" id="btnsetting" value="提交">

</td>

</tr>

</table>

</fieldset>

</form>

<?php

}

else

{

$dir = isset($_POST['path'])?$_POST['path']:MYPATH;

$dir = substr($dir,-1)!="/"?$dir."/":$dir;

?>

<form name="frmScan" method="post" action="">

<table width="100%%" border="0" cellspacing="0" cellpadding="0">

<tr>

<td width="35" style="vertical-align:middle; padding-left:5px;">扫描路径:</td>

<td width="690">

<input type="text" name="path" id="path" style="width:600px" value="<?php echo $dir?>">

  <input type="submit" name="btnScan" id="btnScan" value="开始扫描"></td>

</tr>

</table(3water.com)>

</form>

<?php

if(isset($_POST['btnScan']))

{

$start=mktime();

$is_user = array();

$is_ext = "";

$list = "";

 

if(trim($setting['user'])!="")

{

$is_user = explode("|",$setting['user']);

if(count($is_user)>0)

{

foreach($is_user as $key=>$value)

$is_user[$key]=trim(str_replace("?","(.)",$value));

$is_ext = "(.".implode("($|.))|(.",$is_user)."($|.))";

}

}

if($setting['hta']==1)

{

$is_hta=1;

$is_ext = strlen($is_ext)>0?$is_ext."|":$is_ext;

$is_ext.="(^.htaccess$)";

}

if($setting['all']==1 || (strlen($is_ext)==0 && $setting['hta']==0))

{

$is_ext="(.+)";

}

 

$php_code = getCode();

if(!is_readable($dir))

$dir = MYPATH;

$count=$scanned=0;

scan($dir,$is_ext);

$end=mktime();

$spent = ($end - $start);

?>

<div style="padding:10px; background-color:#ccc">扫描: <?php echo $scanned?> 文件| 发现: <?php echo $count?> 可疑文件| 耗时: <?php echo $spent?> 秒</div>

<table width="100%" border="0" cellspacing="0" cellpadding="0">

<tr class="head">

<td width="15" align="center">No.</td>

<td width="48%">文件</td>

<td width="12%">更新时间</td>

<td width="10%">原因</td>

<td width="20%">特征</td>

<td>动作</td>

</tr>

<?php echo $list?>

</table>

<?php

}

}

}

ob_flush();

?>

</body>

</html>

<?php

function scan($path = '.',$is_ext){

global $php_code,$count,$scanned,$list;

$ignore = array('.', '..' );

$replace=array(" ","n","r","t");

$dh = @opendir( $path );
while(false!==($file=readdir($dh))){

if( !in_array( $file, $ignore ) ){

if( is_dir( "$path$file" ) ){

scan("$path$file/",$is_ext);

} else {

$current = $path.$file;

if(MYFULLPATH==$current) continue;

if(!preg_match("/$is_ext/i",$file)) continue;

if(is_readable($current))

{

$scanned++;

$content=file_get_contents($current);

$content= str_replace($replace,"",$content);

foreach($php_code as $key => $value)

{

if(preg_match("/$value/i",$content))

{

$count++;

$j = $count % 2 + 1;

$filetime = date('Y-m-d H:i:s',filemtime($current));

$reason = explode("->",$key);

$url = str_replace(REALPATH,HOST,$current);

preg_match("/$value/i",$content,$arr);

$list.="

<tr class='alt$j' onmouseover='this.className="focus";' onmouseout='this.className="alt$j";'>

<td>$count</td>

<td><a href='$url' target='_blank'>$current</a></td>

<td>$filetime</td>

<td><font color=red>$reason[0]</font></td>

<td><font color=#090>$reason[1]</font></td>

<td><a href='?action=download&file=$current' target='_blank'>下载</a></td>

</tr>";

//echo $key . "-" . $path . $file ."(" . $arr[0] . ")" ."<br />";

//echo $path . $file ."<br />";

break;

}

}

}

}

}

}

closedir( $dh );

}

function getSetting()

{

$Ssetting = array();

if(isset($_COOKIE['t00ls_s']))

{

$Ssetting = unserialize(base64_decode($_COOKIE['t00ls_s']));

$Ssetting['user']=isset($Ssetting['user'])?$Ssetting['user']:"php | php? | phtml | shtml";

$Ssetting['all']=isset($Ssetting['all'])?intval($Ssetting['all']):0;

$Ssetting['hta']=isset($Ssetting['hta'])?intval($Ssetting['hta']):1;

}

else

{

$Ssetting['user']="php | php? | phtml | shtml";

$Ssetting['all']=0;

$Ssetting['hta']=1;

setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/");

}

return $Ssetting;

}

function getCode()

{

return array(

'后门特征->cha88.cn'=>'cha88.cn',

'后门特征->c99shell'=>'c99shell',

'后门特征->phpspy'=>'phpspy',

'后门特征->Scanners'=>'Scanners',

'后门特征->cmd.php'=>'cmd.php',

'后门特征->str_rot13'=>'str_rot13',

'后门特征->webshell'=>'webshell',

'后门特征->EgY_SpIdEr'=>'EgY_SpIdEr',

'后门特征->tools88.com'=>'tools88.com',

'后门特征->SECFORCE'=>'SECFORCE',

'后门特征->eval("?>'=>'eval(('|")?>',

'可疑代码特征->system('=>'system(',

'可疑代码特征->passthru('=>'passthru(',

'可疑代码特征->shell_exec('=>'shell_exec(',

'可疑代码特征->exec('=>'exec(',

'可疑代码特征->popen('=>'popen(',

'可疑代码特征->proc_open'=>'proc_open',

'可疑代码特征->eval($'=>'eval(('|"|s*)\$',

'可疑代码特征->assert($'=>'assert(('|"|s*)\$',

'危险MYSQL代码->returns string soname'=>'returnsstringsoname',

'危险MYSQL代码->into outfile'=>'intooutfile',

'危险MYSQL代码->load_file'=>'select(s+)(.*)load_file',

'加密后门特征->eval(gzinflate('=>'eval(gzinflate(',

'加密后门特征->eval(base64_decode('=>'eval(base64_decode(',

'加密后门特征->eval(gzuncompress('=>'eval(gzuncompress(',

'加密后门特征->eval(gzdecode('=>'eval(gzdecode(',

'加密后门特征->eval(str_rot13('=>'eval(str_rot13(',

'加密后门特征->gzuncompress(base64_decode('=>'gzuncompress(base64_decode(',

'加密后门特征->base64_decode(gzuncompress('=>'base64_decode(gzuncompress(',

'一句话后门特征->eval($_'=>'eval(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',

'一句话后门特征->assert($_'=>'assert(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',

'一句话后门特征->require($_'=>'require(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',

'一句话后门特征->require_once($_'=>'require_once(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',

'一句话后门特征->include($_'=>'include(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',

'一句话后门特征->include_once($_'=>'include_once(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',

'一句话后门特征->call_user_func("assert"'=>'call_user_func(("|')assert("|')',

'一句话后门特征->call_user_func($_'=>'call_user_func(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',

'一句话后门特征->$_POST/GET/REQUEST/COOKIE[?]($_POST/GET/REQUEST/COOKIE[?]'=>'$_(POST|GET|REQUEST|COOKIE)[([^]]+)](('|"|s*)\$_(POST|GET|REQUEST|COOKIE)[',

'一句话后门特征->echo(file_get_contents($_POST/GET/REQUEST/COOKIE'=>'echo(file_get_contents(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',

'上传后门特征->file_put_contents($_POST/GET/REQUEST/COOKIE,$_POST/GET/REQUEST/COOKIE'=>'file_put_contents(('|"|s*)\$_(POST|GET|REQUEST|COOKIE)[([^]]+)],('|"|s*)\$_(POST|GET|REQUEST|COOKIE)',

'上传后门特征->fputs(fopen("?","w"),$_POST/GET/REQUEST/COOKIE['=>'fputs(fopen((.+),('|")w('|")),('|"|s*)\$_(POST|GET|REQUEST|COOKIE)[',

'.htaccess插马特征->SetHandler application/x-httpd-php'=>'SetHandlerapplication/x-httpd-php',

'.htaccess插马特征->php_value auto_prepend_file'=>'php_valueauto_prepend_file',

'.htaccess插马特征->php_value auto_append_file'=>'php_valueauto_append_file'

);

}

?>

希望本文所述对大家基于php的网站安全建设有所帮助。

PHP 相关文章推荐
拼音码表的生成
Oct 09 PHP
编译php 5.2.14+fpm+memcached(具体操作详解)
Jun 18 PHP
解析PHP中一些可能会被忽略的问题
Jun 21 PHP
又一个PHP实现的冒泡排序算法分享
Aug 21 PHP
php文件缓存类汇总
Nov 21 PHP
PHP获取文件行数的方法
Jun 10 PHP
学习php设计模式 php实现模板方法模式
Dec 08 PHP
PHP连接MYSQL数据库实例代码
Jan 20 PHP
谈谈php对接芝麻信用踩的坑
Dec 01 PHP
php微信开发之谷歌测距
Jun 14 PHP
thinkphp5.0整合phpsocketio完整攻略(绕坑)
Oct 12 PHP
PHP安装扩展mcrypt以及相关依赖项深入讲解
Mar 04 PHP
调试PHP程序的多种方法介绍
Nov 06 #PHP
php实现singleton()单例模式实例
Nov 06 #PHP
php使用session二维数组实例
Nov 06 #PHP
php函数serialize()与unserialize()用法实例
Nov 06 #PHP
php实现webservice实例
Nov 06 #PHP
php的dl函数用法实例
Nov 06 #PHP
PHP写日志的实现方法
Nov 05 #PHP
You might like
main.php
2006/12/09 PHP
PHP四大安全策略
2014/03/12 PHP
浅析php中json_encode()和json_decode()
2014/05/25 PHP
php实现解析xml并生成sql语句的方法
2018/02/03 PHP
php 替换文章中的图片路径,下载图片到本地服务器的方法
2018/02/06 PHP
PHP调用接口用post方法传送json数据的实例
2018/05/31 PHP
JS模拟的QQ面板上的多级可展开的菜单
2009/10/10 Javascript
jquery检测input checked 控件是否被选中的方法
2014/03/26 Javascript
教你用AngularJS框架一行JS代码实现控件验证效果
2014/06/23 Javascript
javascript实现切换td中的值
2014/12/05 Javascript
jQuery实现表单步骤流程导航代码分享
2015/08/28 Javascript
js类式继承与原型式继承详解
2016/04/07 Javascript
JavaScript浏览器对象之一Window对象详解
2016/06/03 Javascript
详解JavaScript权威指南之对象
2016/09/27 Javascript
js canvas实现QQ拨打电话特效
2017/05/10 Javascript
详解如何运行vue项目
2019/04/15 Javascript
Vue3 源码导读(推荐)
2019/10/14 Javascript
[03:11]不朽宝藏三外观展示
2020/09/18 DOTA
python 中split 和 strip的实例详解
2017/07/12 Python
Flask Web开发入门之文件上传(八)
2018/08/17 Python
对Python3+gdal 读取tiff格式数据的实例讲解
2018/12/04 Python
Python中super函数用法实例分析
2019/03/18 Python
python+Django实现防止SQL注入的办法
2019/10/31 Python
Python如何根据时间序列数据作图
2020/05/12 Python
修复iPhone的safari浏览器上submit按钮圆角bug
2012/12/24 HTML / CSS
使用CSS3设计地图上的雷达定位提示效果
2016/04/05 HTML / CSS
vivo智能手机官方商城:vivo
2016/09/22 全球购物
英国马匹装备和马术用品购物网站:Equine Superstore
2019/03/03 全球购物
最好的商品表达自己:Cafepress
2019/09/04 全球购物
用C#语言写出与SQLSERVER访问时的具体过程
2013/04/16 面试题
超市5.1促销活动
2014/01/15 职场文书
公司会议策划方案
2014/05/17 职场文书
学生干部培训方案
2014/06/12 职场文书
公司员工活动策划方案
2014/08/20 职场文书
语文课外活动总结
2014/08/27 职场文书
Python如何解决secure_filename对中文不支持问题
2021/07/16 Python