php网站被挂木马后的修复方法总结_php技巧

";
//echo $key . "-" . $path . $file ."(" . $arr[0] . ")" ."
";
//echo $path . $file ."
";
break;
}
}
}
}
}
}
closedir( $dh );
}
function getSetting()
{
$Ssetting = array();
if(isset($_COOKIE['t00ls_s']))
{
$Ssetting = unserialize(base64_decode($_COOKIE['t00ls_s']));
$Ssetting['user']=isset($Ssetting['user'])?$Ssetting['user']:"php | php? | phtml | shtml";
$Ssetting['all']=isset($Ssetting['all'])?intval($Ssetting['all']):0;
$Ssetting['hta']=isset($Ssetting['hta'])?intval($Ssetting['hta']):1;
}
else
{
$Ssetting['user']="php | php? | phtml | shtml";
$Ssetting['all']=0;
$Ssetting['hta']=1;
setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/");
}
return $Ssetting;
}
function getCode()
{
return array(
'后门特征->cha88.cn'=>'cha88.cn',
'后门特征->c99shell'=>'c99shell',
'后门特征->phpspy'=>'phpspy',
'后门特征->Scanners'=>'Scanners',
'后门特征->cmd.php'=>'cmd.php',
'后门特征->str_rot13'=>'str_rot13',
'后门特征->webshell'=>'webshell',
'后门特征->EgY_SpIdEr'=>'EgY_SpIdEr',
'后门特征->tools88.com'=>'tools88.com',
'后门特征->SECFORCE'=>'SECFORCE',
'后门特征->eval("?>'=>'eval(('|")?>',
'可疑代码特征->system('=>'system(',
'可疑代码特征->passthru('=>'passthru(',
'可疑代码特征->shell_exec('=>'shell_exec(',
'可疑代码特征->exec('=>'exec(',
'可疑代码特征->popen('=>'popen(',
'可疑代码特征->proc_open'=>'proc_open',
'可疑代码特征->eval($'=>'eval(('|"|s*)/$',
'可疑代码特征->assert($'=>'assert(('|"|s*)/$',
'危险MYSQL代码->returns string soname'=>'returnsstringsoname',
'危险MYSQL代码->into outfile'=>'intooutfile',
'危险MYSQL代码->load_file'=>'select(s+)(.*)load_file',
'加密后门特征->eval(gzinflate('=>'eval(gzinflate(',
'加密后门特征->eval(base64_decode('=>'eval(base64_decode(',
'加密后门特征->eval(gzuncompress('=>'eval(gzuncompress(',
'加密后门特征->eval(gzdecode('=>'eval(gzdecode(',
'加密后门特征->eval(str_rot13('=>'eval(str_rot13(',
'加密后门特征->gzuncompress(base64_decode('=>'gzuncompress(base64_decode(',
'加密后门特征->base64_decode(gzuncompress('=>'base64_decode(gzuncompress(',
'一句话后门特征->eval($_'=>'eval(('|"|s*)/$_(POST|GET|REQUEST|COOKIE)',
'一句话后门特征->assert($_'=>'assert(('|"|s*)/$_(POST|GET|REQUEST|COOKIE)',
'一句话后门特征->require($_'=>'require(('|"|s*)/$_(POST|GET|REQUEST|COOKIE)',
'一句话后门特征->require_once($_'=>'require_once(('|"|s*)/$_(POST|GET|REQUEST|COOKIE)',
'一句话后门特征->include($_'=>'include(('|"|s*)/$_(POST|GET|REQUEST|COOKIE)',
'一句话后门特征->include_once($_'=>'include_once(('|"|s*)/$_(POST|GET|REQUEST|COOKIE)',
'一句话后门特征->call_user_func("assert"'=>'call_user_func(("|')assert("|')',
'一句话后门特征->call_user_func($_'=>'call_user_func(('|"|s*)/$_(POST|GET|REQUEST|COOKIE)',
'一句话后门特征->$_POST/GET/REQUEST/COOKIE[?]($_POST/GET/REQUEST/COOKIE[?]'=>'$_(POST|GET|REQUEST|COOKIE)[([^]]+)](('|"|s*)/$_(POST|GET|REQUEST|COOKIE)[',
'一句话后门特征->echo(file_get_contents($_POST/GET/REQUEST/COOKIE'=>'echo(file_get_contents(('|"|s*)/$_(POST|GET|REQUEST|COOKIE)',
'上传后门特征->file_put_contents($_POST/GET/REQUEST/COOKIE,$_POST/GET/REQUEST/COOKIE'=>'file_put_contents(('|"|s*)/$_(POST|GET|REQUEST|COOKIE)[([^]]+)],('|"|s*)/$_(POST|GET|REQUEST|COOKIE)',
'上传后门特征->fputs(fopen("?","w"),$_POST/GET/REQUEST/COOKIE['=>'fputs(fopen((.+),('|")w('|")),('|"|s*)/$_(POST|GET|REQUEST|COOKIE)[',
'.htaccess插马特征->SetHandler application/x-httpd-php'=>'SetHandlerapplication/x-httpd-php',
'.htaccess插马特征->php_value auto_prepend_file'=>'php_valueauto_prepend_file',
'.htaccess插马特征->php_value auto_append_file'=>'php_valueauto_append_file'
);
}
?>

希望本文所述对大家基于php的网站安全建设有所帮助。

本文实例总结了php网站被挂木马后的修复方法。分享给大家供大家参考。具体方法如下： 在linux中我们可以使用命令来搜查木马文件,到代码安装目录执行下面命令 复制代码 代码如下:find ./ -iname "*.php" | xargs grep -H -n "eval(base64_decode" 搜出来接近100条结果，这个结果列表很重要，木马都在里面，要一个一个文件打开验证是否是木马，如果是，马上删除掉 最后找到10个木马文件，存放在各种目录，都是php webshell，功能很齐全，用base64编码 如果你在windows中查找目录直接使用windows文件搜索就可以了，可以搜索eval或最近修改文件，然后如果是dedecms我们要查看最新dedecms漏洞呀然后修补。 下面给个php木马查找工具,直接放到你站点根目录 复制代码 代码如下:<?php /**************PHP Web木马扫描器************************/ /* [+] 作者: alibaba */ /* [+] MSN: weeming21@hotmail.com */ /* [+] 首发: t00ls.net , 转载请注明t00ls */ /* [+] 版本: v1.0 */ /* [+] 功能: web版php木马扫描工具*/ /* [+] 注意: 扫描出来的文件并不一定就是后门, */ /* 请自行判断、审核、对比原文件。*/ /* 如果你不确定扫出来的文件是否为后门，*/ /* 欢迎你把该文件发给我进行分析。*/ /*******************************************************/ ob_start(); set_time_limit(0); $username = "t00ls"; //设置用户名 $password = "t00ls"; //设置密码 $md5 = md5(md5($username).md5($password)); $version = "PHP Web木马扫描器v1.0"; PHP Web 木马扫描器 $realpath = realpath('./'); $selfpath = $_SERVER['PHP_SELF']; $selfpath = substr($selfpath, 0, strrpos($selfpath,'/')); define('REALPATH', str_replace('//','/',str_replace('/','/',substr($realpath, 0, strlen($realpath) - strlen($selfpath))))); define('MYFILE', basename(__FILE__)); define('MYPATH', str_replace('/', '/', dirname(__FILE__)).'/'); define('MYFULLPATH', str_replace('/', '/', (__FILE__))); define('HOST', "http://".$_SERVER['HTTP_HOST']); ?> <?php if(!(isset($_COOKIE['t00ls']) && $_COOKIE['t00ls'] == $md5) && !(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5))) { echo ' 用户名: 密码: '; } elseif(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5)) { setcookie("t00ls", $md5, time()+60*60*24*365,"/"); echo "登陆成功！"; header( 'refresh: 1; url='.MYFILE.'?action=scan' ); exit(); } else { setcookie("t00ls", $md5, time()+60*60*24*365,"/"); $setting = getSetting(); $action = isset($_GET['action'])?$_GET['action']:""; if($action=="logout") { setcookie ("t00ls", "", time() - 3600); Header("Location: ".MYFILE); exit(); } if($action=="download" && isset($_GET['file']) && trim($_GET['file'])!="") { $file = $_GET['file']; ob_clean(); if (@file_exists($file)) { header("Content-type: application/octet-stream"); header("Content-Disposition: filename="".basename($file)."""); echo file_get_contents($file); } exit(); } ?> <?php echo $_SERVER['SERVER_ADDR']?><?php echo "$version"?> <?=date("Y-m-d H:i:s",mktime())?> 扫描 | 设定 | 登出 <?php if($action=="setting") { if(isset($_POST['btnsetting'])) { $Ssetting = array(); $Ssetting['user']=isset($_POST['checkuser'])?$_POST['checkuser']:"php | php? | phtml"; $Ssetting['all']=isset($_POST['checkall'])&&$_POST['checkall']=="on"?1:0; $Ssetting['hta']=isset($_POST['checkhta'])&&$_POST['checkhta']=="on"?1:0; setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/"); echo "设置完成！"; header( 'refresh: 1; url='.MYFILE.'?action=setting' ); exit(); } ?> 扫描设定 文件后缀: 所有文件 > 设置文件 > <?php } else { $dir = isset($_POST['path'])?$_POST['path']:MYPATH; $dir = substr($dir,-1)!="/"?$dir."/":$dir; ?> <?php if(isset($_POST['btnScan'])) { $start=mktime(); $is_user = array(); $is_ext = ""; $list = ""; if(trim($setting['user'])!="") { $is_user = explode("|",$setting['user']); if(count($is_user)>0) { foreach($is_user as $key=>$value) $is_user[$key]=trim(str_replace("?","(.)",$value)); $is_ext = "(.".implode("($|.))|(.",$is_user)."($|.))"; } } if($setting['hta']==1) { $is_hta=1; $is_ext = strlen($is_ext)>0?$is_ext."|":$is_ext; $is_ext.="(^.htaccess$)"; } if($setting['all']==1 || (strlen($is_ext)==0 && $setting['hta']==0)) { $is_ext="(.+)"; } $php_code = getCode(); if(!is_readable($dir)) $dir = MYPATH; $count=$scanned=0; scan($dir,$is_ext); $end=mktime(); $spent = ($end - $start); ?> 扫描: <?php echo $scanned?> 文件| 发现: <?php echo $count?> 可疑文件| 耗时: <?php echo $spent?> 秒 扫描路径: <?php echo $list?> No. 文件 更新时间 原因 特征 动作 <?php } } } ob_flush(); ?> <?php function scan($path = '.',$is_ext){ global $php_code,$count,$scanned,$list; $ignore = array('.', '..' ); $replace=array(" ","n","r","t"); $dh = @opendir( $path ); while(false!==($file=readdir($dh))){ if( !in_array( $file, $ignore ) ){ if( is_dir( "$path$file" ) ){ scan("$path$file/",$is_ext); } else { $current = $path.$file; if(MYFULLPATH==$current) continue; if(!preg_match("/$is_ext/i",$file)) continue; if(is_readable($current)) { $scanned++; $content=file_get_contents($current); $content= str_replace($replace,"",$content); foreach($php_code as $key => $value) { if(preg_match("/$value/i",$content)) { $count++; $j = $count % 2 + 1; $filetime = date('Y-m-d H:i:s',filemtime($current)); $reason = explode("->",$key); $url = str_replace(REALPATH,HOST,$current); preg_match("/$value/i",$content,$arr); $list.="
$count	$current	$filetime	$reason[0]	$reason[1]	下载