php网站被挂木马后的修复方法总结

2020-03-22 19:32:42

字体：大中小

来源：转载

供稿：网友

本文实例总结了php网站被挂木马后的修复方法。分享给大家供大家参考。具体方法如下：在linux中我们可以使用命令来搜查木马文件,到代码安装目录执行下面命令
复制代码代码如下:find ./ -iname "*.php" | xargs grep -H -n "eval(base64_decode"
搜出来接近100条结果，这个结果列表很重要，木马都在里面，要一个一个文件打开验证是否是木马，如果是，马上删除掉
最后找到10个木马文件，存放在各种目录，都是php webshell，功能很齐全，用base64编码
如果你在windows中查找目录直接使用windows文件搜索就可以了，可以搜索eval或最近修改文件，然后如果是dedecms我们要查看最新dedecms漏洞呀然后修补。下面给个php木马查找工具,直接放到你站点根目录

复制代码代码如下: php
/**************PHP Web木马扫描器************************/
/* [+] 作者: alibaba */
/* [+] MSN: weeming21@hotmail.com */
/* [+] 首发: t00ls.net , 转载请注明t00ls */
/* [+] 版本: v1.0 */
/* [+] 功能: web版php木马扫描工具*/
/* [+] 注意: 扫描出来的文件并不一定就是后门, */
/* 请自行判断、审核、对比原文件。*/
/* 如果你不确定扫出来的文件是否为后门，*/
/* 欢迎你把该文件发给我进行分析。*/
/*******************************************************/
ob_start();
set_time_limit(0);
$username = "t00ls"; //设置用户名
$password = "t00ls"; //设置密码
$md5 = md5(md5($username).md5($password));
$version = "PHP Web木马扫描器v1.0";

PHP Web 木马扫描器
$realpath = realpath('./');
$selfpath = $_SERVER['PHP_SELF'];
$selfpath = substr($selfpath, 0, strrpos($selfpath,'/'));
define('REALPATH', str_replace('//','/',str_replace('','/',substr($realpath, 0, strlen($realpath) - strlen($selfpath)))));
define('MYFILE', basename(__FILE__));
define('MYPATH', str_replace('', '/', dirname(__FILE__)).'/');
define('MYFULLPATH', str_replace('', '/', (__FILE__)));
define('HOST', "http://".$_SERVER['HTTP_HOST']);

html
head
title php echo $version /title
meta http-equiv="Content-Type" content="text/html; charset=gb2312" /
style
body{margin:0px;}
body,td{font: 12px Arial,Tahoma;line-height: 16px;}
a {color: #00f;text-decoration:underline;}
a:hover{color: #f00;text-decoration:none;}
.alt1 td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#f1f1f1;padding:5px 10px 5px 5px;}
.alt2 td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#f9f9f9;padding:5px 10px 5px 5px;}
.focus td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#ffffaa;padding:5px 10px 5px 5px;}
.head td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#e9e9e9;padding:5px 10px 5px 5px;font-weight:bold;}
.head td span{font-weight:normal;}
/style
/head
body
php
if(!(isset($_COOKIE['t00ls']) && $_COOKIE['t00ls'] == $md5) && !(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5)))
{
echo ' form id="frmlogin" name="frmlogin" method="post" action="" 用户名: input type="text" name="username" id="username" / 密码: input type="password" name="password" id="password" / input type="submit" name="btnLogin" id="btnLogin" value="登陆" / /form
}
elseif(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5))
{
setcookie("t00ls", $md5, time()+60*60*24*365,"/");
echo "登陆成功！";
header( 'refresh: 1; url='.MYFILE.' action=scan' );
exit();
}
else
{
setcookie("t00ls", $md5, time()+60*60*24*365,"/");
$setting = getSetting();
$action = isset($_GET['action']) $_GET['action']:"";

if($action=="logout")
{
setcookie ("t00ls", "", time() - 3600);
Header("Location: ".MYFILE);
exit();
}
if($action=="download" && isset($_GET['file']) && trim($_GET['file'])!="")
{
$file = $_GET['file'];
ob_clean();
if (@file_exists($file)) {
header("Content-type: application/octet-stream");
header("Content-Disposition: filename="".basename($file).""");
echo file_get_contents($file);
}
exit();
}

table border="0" cellpadding="0" cellspacing="0" width="100%"
tbody tr
td php echo $_SERVER['SERVER_ADDR'] span php echo " a href='http://www.t00ls.net/' $version /a " /span /td
/tr
tr
td span =date("Y-m-d H:i:s",mktime()) /span
a href=" action=scan" 扫描 /a |
a href=" action=setting" 设定 /a |
a href=" action=logout" 登出 /a
/td
/tr
/tbody /table
br
php
if($action=="setting")
{
if(isset($_POST['btnsetting']))
{
$Ssetting = array();
$Ssetting['user']=isset($_POST['checkuser']) $_POST['checkuser']:"php | php | phtml";
$Ssetting['all']=isset($_POST['checkall'])&&$_POST['checkall']=="on" 1:0;
$Ssetting['hta']=isset($_POST['checkhta'])&&$_POST['checkhta']=="on" 1:0;
setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/");
echo "设置完成！";
header( 'refresh: 1; url='.MYFILE.' action=setting' );
exit();
}

form name="frmSetting" method="post" action=" action=setting"
FIELDSET
LEGEND 扫描设定 /LEGEND
table width="100%" border="0" cellspacing="0" cellpadding="0"
tr
td width="60" 文件后缀: /td
td width="300" input type="text" name="checkuser" id="checkuser" value=" php echo $setting['user'] " /td
/tr
tr
td label for="checkall" 所有文件 /label /td
td input type="checkbox" name="checkall" id="checkall" php if($setting['all']==1) echo "checked" /td
/tr
tr
td label for="checkhta" 设置文件 /label /td
td input type="checkbox" name="checkhta" id="checkhta" php if($setting['hta']==1) echo "checked" /td
/tr
tr
td /td
td
input type="submit" name="btnsetting" id="btnsetting" value="提交"
/td
/tr
/table
/fieldset
/form
php
}
else
{
$dir = isset($_POST['path']) $_POST['path']:MYPATH;
$dir = substr($dir,-1)!="/" $dir."/":$dir;

form name="frmScan" method="post" action=""
table width="100%%" border="0" cellspacing="0" cellpadding="0"
tr
td width="35" 扫描路径: /td
td width="690"
input type="text" name="path" id="path" value=" php echo $dir "
input type="submit" name="btnScan" id="btnScan" value="开始扫描" /td
/tr
/table(www.phpstudy.net)
/form
php
if(isset($_POST['btnScan']))
{
$start=mktime();
$is_user = array();
$is_ext = "";
$list = "";

if(trim($setting['user'])!="")
{
$is_user = explode("|",$setting['user']);
if(count($is_user) 0)
{
foreach($is_user as $key= $value)
$is_user[$key]=trim(str_replace(" ","(.)",$value));
$is_ext = "(.".implode("($|.))|(.",$is_user)."($|.))";
}
}
if($setting['hta']==1)
{
$is_hta=1;
$is_ext = strlen($is_ext) 0 $is_ext."|":$is_ext;
$is_ext.="(^.htaccess$)";
}
if($setting['all']==1 || (strlen($is_ext)==0 && $setting['hta']==0))
{
$is_ext="(.+)";
}

$php_code = getCode();
if(!is_readable($dir))
$dir = MYPATH;
$count=$scanned=0;
scan($dir,$is_ext);
$end=mktime();
$spent = ($end - $start);

div 扫描: php echo $scanned 文件| 发现: php echo $count 可疑文件| 耗时: php echo $spent 秒 /div
table width="100%" border="0" cellspacing="0" cellpadding="0"
tr
td width="15" align="center" No. /td
td width="48%" 文件 /td
td width="12%" 更新时间 /td
td width="10%" 原因 /td
td width="20%" 特征 /td
td 动作 /td
/tr
php echo $list
/table
php
}
}
}
ob_flush();

/body
/html
php
function scan($path = '.',$is_ext){
global $php_code,$count,$scanned,$list;
$ignore = array('.', '..' );
$replace=array(" ","n","r","t");
$dh = @opendir( $path ); while(false!==($file=readdir($dh))){
if( !in_array( $file, $ignore ) ){
if( is_dir( "$path$file" ) ){
scan("$path$file/",$is_ext);
} else {
$current = $path.$file;
if(MYFULLPATH==$current) continue;
if(!preg_match("/$is_ext/i",$file)) continue;
if(is_readable($current))
{
$scanned++;
$content=file_get_contents($current);
$content= str_replace($replace,"",$content);
foreach($php_code as $key = $value)
{
if(preg_match("/$value/i",$content))
{
$count++;
$j = $count % 2 + 1;
$filetime = date('Y-m-d H:i:s',filemtime($current));
$reason = explode("- ",$key);
$url = str_replace(REALPATH,HOST,$current);
preg_match("/$value/i",$content,$arr);
$list.="
tr onmouseout='this.className="alt$j";'
td $count /td
td a href='$url' target='_blank' $current /a /td
td $filetime /td
td font color=red $reason[0] /font /td
td font color=#090 $reason[1] /font /td
td a href=' action=download&file=$current' target='_blank' 下载 /a /td
/tr
//echo $key . "-" . $path . $file ."(" . $arr[0] . ")" ." br /
//echo $path . $file ." br /
break;
}
}
}
}
}
}
closedir( $dh );
}
function getSetting()
{
$Ssetting = array();
if(isset($_COOKIE['t00ls_s']))
{
$Ssetting = unserialize(base64_decode($_COOKIE['t00ls_s']));
$Ssetting['user']=isset($Ssetting['user']) $Ssetting['user']:"php | php | phtml | shtml";
$Ssetting['all']=isset($Ssetting['all']) intval($Ssetting['all']):0;
$Ssetting['hta']=isset($Ssetting['hta']) intval($Ssetting['hta']):1;
}
else
{
$Ssetting['user']="php | php | phtml | shtml";
$Ssetting['all']=0;
$Ssetting['hta']=1;
setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/");
}
return $Ssetting;
}
function getCode()
{
return array(
'后门特征- cha88.cn'= 'cha88.cn',
'后门特征- c99shell'= 'c99shell',
'后门特征- phpspy'= 'phpspy',
'后门特征- Scanners'= 'Scanners',
'后门特征- cmd.php'= 'cmd.php',
'后门特征- str_rot13'= 'str_rot13',
'后门特征- webshell'= 'webshell',
'后门特征- EgY_SpIdEr'= 'EgY_SpIdEr',
'后门特征- tools88.com'= 'tools88.com',
'后门特征- SECFORCE'= 'SECFORCE',
'后门特征- eval(" '= 'eval(('|") ',
'可疑代码特征- system('= 'system(',
'可疑代码特征- passthru('= 'passthru(',
'可疑代码特征- shell_exec('= 'shell_exec(',
'可疑代码特征- exec('= 'exec(',
'可疑代码特征- popen('= 'popen(',
'可疑代码特征- proc_open'= 'proc_open',
'可疑代码特征- eval($'= 'eval(('|"|s*)$',
'可疑代码特征- assert($'= 'assert(('|"|s*)$',
'危险MYSQL代码- returns string soname'= 'returnsstringsoname',
'危险MYSQL代码- into outfile'= 'intooutfile',
'危险MYSQL代码- load_file'= 'select(s+)(.*)load_file',
'加密后门特征- eval(gzinflate('= 'eval(gzinflate(',
'加密后门特征- eval(base64_decode('= 'eval(base64_decode(',
'加密后门特征- eval(gzuncompress('= 'eval(gzuncompress(',
'加密后门特征- eval(gzdecode('= 'eval(gzdecode(',
'加密后门特征- eval(str_rot13('= 'eval(str_rot13(',
'加密后门特征- gzuncompress(base64_decode('= 'gzuncompress(base64_decode(',
'加密后门特征- base64_decode(gzuncompress('= 'base64_decode(gzuncompress(',
'一句话后门特征- eval($_'= 'eval(('|"|s*)$_(POST|GET|REQUEST|COOKIE)',
'一句话后门特征- assert($_'= 'assert(('|"|s*)$_(POST|GET|REQUEST|COOKIE)',
'一句话后门特征- require($_'= 'require(('|"|s*)$_(POST|GET|REQUEST|COOKIE)',
'一句话后门特征- require_once($_'= 'require_once(('|"|s*)$_(POST|GET|REQUEST|COOKIE)',
'一句话后门特征- include($_'= 'include(('|"|s*)$_(POST|GET|REQUEST|COOKIE)',
'一句话后门特征- include_once($_'= 'include_once(('|"|s*)$_(POST|GET|REQUEST|COOKIE)',
'一句话后门特征- call_user_func("assert"'= 'call_user_func(("|')assert("|')',
'一句话后门特征- call_user_func($_'= 'call_user_func(('|"|s*)$_(POST|GET|REQUEST|COOKIE)',
'一句话后门特征- $_POST/GET/REQUEST/COOKIE[ ]($_POST/GET/REQUEST/COOKIE[ ]'= '$_(POST|GET|REQUEST|COOKIE)[([^]]+)](('|"|s*)$_(POST|GET|REQUEST|COOKIE)[',
'一句话后门特征- echo(file_get_contents($_POST/GET/REQUEST/COOKIE'= 'echo(file_get_contents(('|"|s*)$_(POST|GET|REQUEST|COOKIE)',
'上传后门特征- file_put_contents($_POST/GET/REQUEST/COOKIE,$_POST/GET/REQUEST/COOKIE'= 'file_put_contents(('|"|s*)$_(POST|GET|REQUEST|COOKIE)[([^]]+)],('|"|s*)$_(POST|GET|REQUEST|COOKIE)',
'上传后门特征- fputs(fopen(" ","w"),$_POST/GET/REQUEST/COOKIE['= 'fputs(fopen((.+),('|")w('|")),('|"|s*)$_(POST|GET|REQUEST|COOKIE)[',
'.htaccess插马特征- SetHandler application/x-httpd-php'= 'SetHandlerapplication/x-httpd-php',
'.htaccess插马特征- php_value auto_prepend_file'= 'php_valueauto_prepend_file',
'.htaccess插马特征- php_value auto_append_file'= 'php_valueauto_append_file'
);
}
希望本文所述对大家基于php的网站安全建设有所帮助。PHP教程

郑重声明：本文版权归原作者所有，转载文章仅为传播更多信息之目的，如作者信息标记有误，请第一时间联系我们修改或删除，多谢。

上一篇：PHP如何使用比特币Coinbase钱包库开发应用（详细步

下一篇：PHP 正则表达式推荐