欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页  >  IT编程

php网站被挂木马后的修复方法总结

程序员文章站 2023-04-06 08:23:40
本文实例总结了php网站被挂木马后的修复方法。分享给大家供大家参考。具体方法如下: 在linux中我们可以使用命令来搜查木马文件,到代码安装目录执行下面命令 复制代码...

本文实例总结了php网站被挂木马后的修复方法。分享给大家供大家参考。具体方法如下:

在linux中我们可以使用命令来搜查木马文件,到代码安装目录执行下面命令

复制代码 代码如下:
find ./ -iname "*.php" | xargs grep -h -n "eval(base64_decode"

搜出来接近100条结果,这个结果列表很重要,木马都在里面,要一个一个文件打开验证是否是木马,如果是,马上删除掉
最后找到10个木马文件,存放在各种目录,都是php webshell,功能很齐全,用base64编码
如果你在windows中查找目录直接使用windows文件搜索就可以了,可以搜索eval或最近修改文件,然后如果是dedecms我们要查看最新dedecms漏洞呀然后修补。

下面给个php木马查找工具,直接放到你站点根目录
 

复制代码 代码如下:
<?php
/**************php web木马扫描器************************/
/* [+] 作者: alibaba */
/* [+] msn: weeming21@hotmail.com */
/* [+] 首发: t00ls.net , 转载请注明t00ls */
/* [+] 版本: v1.0 */
/* [+] 功能: web版php木马扫描工具*/
/* [+] 注意: 扫描出来的文件并不一定就是后门, */
/* 请自行判断、审核、对比原文件。*/
/* 如果你不确定扫出来的文件是否为后门,*/
/* 欢迎你把该文件发给我进行分析。*/
/*******************************************************/
ob_start();
set_time_limit(0);
$username = "t00ls"; //设置用户名
$password = "t00ls"; //设置密码
$md5 = md5(md5($username).md5($password));
$version = "php web木马扫描器v1.0";
 
php web 木马扫描器
$realpath = realpath('./');
$selfpath = $_server['php_self'];
$selfpath = substr($selfpath, 0, strrpos($selfpath,'/'));
define('realpath', str_replace('//','/',str_replace('\','/',substr($realpath, 0, strlen($realpath) - strlen($selfpath)))));
define('myfile', basename(__file__));
define('mypath', str_replace('\', '/', dirname(__file__)).'/');
define('myfullpath', str_replace('\', '/', (__file__)));
define('host', "http://".$_server['http_host']);
?>
<html>
<head>
<title><?php echo $version?></title>
<meta http-equiv="content-type" content="text/html; charset=gb2312" />
<style>
body{margin:0px;}
body,td{font: 12px arial,tahoma;line-height: 16px;}
a {color: #00f;text-decoration:underline;}
a:hover{color: #f00;text-decoration:none;}
.alt1 td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#f1f1f1;padding:5px 10px 5px 5px;}
.alt2 td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#f9f9f9;padding:5px 10px 5px 5px;}
.focus td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#ffffaa;padding:5px 10px 5px 5px;}
.head td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#e9e9e9;padding:5px 10px 5px 5px;font-weight:bold;}
.head td span{font-weight:normal;}
</style>
</head>
<body>
<?php
if(!(isset($_cookie['t00ls']) && $_cookie['t00ls'] == $md5) && !(isset($_post['username']) && isset($_post['password']) && (md5(md5($_post['username']).md5($_post['password']))==$md5)))
{
echo '<form id="frmlogin" name="frmlogin" method="post" action="">用户名: <input type="text" name="username" id="username" /> 密码: <input type="password" name="password" id="password" /> <input type="submit" name="btnlogin" id="btnlogin" value="登陆" /></form>';
}
elseif(isset($_post['username']) && isset($_post['password']) && (md5(md5($_post['username']).md5($_post['password']))==$md5))
{
setcookie("t00ls", $md5, time()+60*60*24*365,"/");
echo "登陆成功!";
header( 'refresh: 1; url='.myfile.'?action=scan' );
exit();
}
else
{
setcookie("t00ls", $md5, time()+60*60*24*365,"/");
$setting = getsetting();
$action = isset($_get['action'])?$_get['action']:"";
 
if($action=="logout")
{
setcookie ("t00ls", "", time() - 3600);
header("location: ".myfile);
exit();
}
if($action=="download" && isset($_get['file']) && trim($_get['file'])!="")
{
$file = $_get['file'];
ob_clean();
if (@file_exists($file)) {
header("content-type: application/octet-stream");
header("content-disposition: filename="".basename($file).""");
echo file_get_contents($file);
}
exit();
}
?>
<table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr class="head">
<td><?php echo $_server['server_addr']?><span style="float: right; font-weight:bold;"><?php echo "<a href='http://www.t00ls.net/'>$version</a>"?></span></td>
</tr>
<tr class="alt1">
<td><span style="float: right;"><?=date("y-m-d h:i:s",mktime())?></span>
<a href="?action=scan">扫描</a> |
<a href="?action=setting">设定</a> |
<a href="?action=logout">登出</a>
</td>
</tr>
</tbody></table>
<br>
<?php
if($action=="setting")
{
if(isset($_post['btnsetting']))
{
$ssetting = array();
$ssetting['user']=isset($_post['checkuser'])?$_post['checkuser']:"php | php? | phtml";
$ssetting['all']=isset($_post['checkall'])&&$_post['checkall']=="on"?1:0;
$ssetting['hta']=isset($_post['checkhta'])&&$_post['checkhta']=="on"?1:0;
setcookie("t00ls_s", base64_encode(serialize($ssetting)), time()+60*60*24*365,"/");
echo "设置完成!";
header( 'refresh: 1; url='.myfile.'?action=setting' );
exit();
}
?>
<form name="frmsetting" method="post" action="?action=setting">
<fieldset style="width:400px">
<legend>扫描设定</legend>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="60">文件后缀:</td>
<td width="300"><input type="text" name="checkuser" id="checkuser" style="width:300px;" value="<?php echo $setting['user']?>"></td>
</tr>
<tr>
<td><label for="checkall">所有文件</label></td>
<td><input type="checkbox" name="checkall" id="checkall" <?php if($setting['all']==1) echo "checked"?>></td>
</tr>
<tr>
<td><label for="checkhta">设置文件</label></td>
<td><input type="checkbox" name="checkhta" id="checkhta" <?php if($setting['hta']==1) echo "checked"?>></td>
</tr>
<tr>
<td> </td>
<td>
<input type="submit" name="btnsetting" id="btnsetting" value="提交">
</td>
</tr>
</table>
</fieldset>
</form>
<?php
}
else
{
$dir = isset($_post['path'])?$_post['path']:mypath;
$dir = substr($dir,-1)!="/"?$dir."/":$dir;
?>
<form name="frmscan" method="post" action="">
<table width="100%%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="35" style="vertical-align:middle; padding-left:5px;">扫描路径:</td>
<td width="690">
<input type="text" name="path" id="path" style="width:600px" value="<?php echo $dir?>">
  <input type="submit" name="btnscan" id="btnscan" value="开始扫描"></td>
</tr>
</table(www.jb51.net)>
</form>
<?php
if(isset($_post['btnscan']))
{
$start=mktime();
$is_user = array();
$is_ext = "";
$list = "";
 
if(trim($setting['user'])!="")
{
$is_user = explode("|",$setting['user']);
if(count($is_user)>0)
{
foreach($is_user as $key=>$value)
$is_user[$key]=trim(str_replace("?","(.)",$value));
$is_ext = "(.".implode("($|.))|(.",$is_user)."($|.))";
}
}
if($setting['hta']==1)
{
$is_hta=1;
$is_ext = strlen($is_ext)>0?$is_ext."|":$is_ext;
$is_ext.="(^.htaccess$)";
}
if($setting['all']==1 || (strlen($is_ext)==0 && $setting['hta']==0))
{
$is_ext="(.+)";
}
 
$php_code = getcode();
if(!is_readable($dir))
$dir = mypath;
$count=$scanned=0;
scan($dir,$is_ext);
$end=mktime();
$spent = ($end - $start);
?>
<div style="padding:10px; background-color:#ccc">扫描: <?php echo $scanned?> 文件| 发现: <?php echo $count?> 可疑文件| 耗时: <?php echo $spent?> 秒</div>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr class="head">
<td width="15" align="center">no.</td>
<td width="48%">文件</td>
<td width="12%">更新时间</td>
<td width="10%">原因</td>
<td width="20%">特征</td>
<td>动作</td>
</tr>
<?php echo $list?>
</table>
<?php
}
}
}
ob_flush();
?>
</body>
</html>
<?php
function scan($path = '.',$is_ext){
global $php_code,$count,$scanned,$list;
$ignore = array('.', '..' );
$replace=array(" ","n","r","t");
$dh = @opendir( $path );

while(false!==($file=readdir($dh))){
if( !in_array( $file, $ignore ) ){
if( is_dir( "$path$file" ) ){
scan("$path$file/",$is_ext);
} else {
$current = $path.$file;
if(myfullpath==$current) continue;
if(!preg_match("/$is_ext/i",$file)) continue;
if(is_readable($current))
{
$scanned++;
$content=file_get_contents($current);
$content= str_replace($replace,"",$content);
foreach($php_code as $key => $value)
{
if(preg_match("/$value/i",$content))
{
$count++;
$j = $count % 2 + 1;
$filetime = date('y-m-d h:i:s',filemtime($current));
$reason = explode("->",$key);
$url = str_replace(realpath,host,$current);
preg_match("/$value/i",$content,$arr);
$list.="
<tr class='alt$j' onmouseover='this.classname="focus";' onmouseout='this.classname="alt$j";'>
<td>$count</td>
<td><a href='$url' target='_blank'>$current</a></td>
<td>$filetime</td>
<td><font color=red>$reason[0]</font></td>
<td><font color=#090>$reason[1]</font></td>
<td><a href='?action=download&file=$current' target='_blank'>下载</a></td>
</tr>";
//echo $key . "-" . $path . $file ."(" . $arr[0] . ")" ."<br />";
//echo $path . $file ."<br />";
break;
}
}
}
}
}
}
closedir( $dh );
}
function getsetting()
{
$ssetting = array();
if(isset($_cookie['t00ls_s']))
{
$ssetting = unserialize(base64_decode($_cookie['t00ls_s']));
$ssetting['user']=isset($ssetting['user'])?$ssetting['user']:"php | php? | phtml | shtml";
$ssetting['all']=isset($ssetting['all'])?intval($ssetting['all']):0;
$ssetting['hta']=isset($ssetting['hta'])?intval($ssetting['hta']):1;
}
else
{
$ssetting['user']="php | php? | phtml | shtml";
$ssetting['all']=0;
$ssetting['hta']=1;
setcookie("t00ls_s", base64_encode(serialize($ssetting)), time()+60*60*24*365,"/");
}
return $ssetting;
}
function getcode()
{
return array(
'后门特征->cha88.cn'=>'cha88.cn',
'后门特征->c99shell'=>'c99shell',
'后门特征->phpspy'=>'phpspy',
'后门特征->scanners'=>'scanners',
'后门特征->cmd.php'=>'cmd.php',
'后门特征->str_rot13'=>'str_rot13',
'后门特征->webshell'=>'webshell',
'后门特征->egy_spider'=>'egy_spider',
'后门特征->tools88.com'=>'tools88.com',
'后门特征->secforce'=>'secforce',
'后门特征->eval("?>'=>'eval(('|")?>',
'可疑代码特征->system('=>'system(',
'可疑代码特征->passthru('=>'passthru(',
'可疑代码特征->shell_exec('=>'shell_exec(',
'可疑代码特征->exec('=>'exec(',
'可疑代码特征->popen('=>'popen(',
'可疑代码特征->proc_open'=>'proc_open',
'可疑代码特征->eval($'=>'eval(('|"|s*)\$',
'可疑代码特征->assert($'=>'assert(('|"|s*)\$',
'危险mysql代码->returns string soname'=>'returnsstringsoname',
'危险mysql代码->into outfile'=>'intooutfile',
'危险mysql代码->load_file'=>'select(s+)(.*)load_file',
'加密后门特征->eval(gzinflate('=>'eval(gzinflate(',
'加密后门特征->eval(base64_decode('=>'eval(base64_decode(',
'加密后门特征->eval(gzuncompress('=>'eval(gzuncompress(',
'加密后门特征->eval(gzdecode('=>'eval(gzdecode(',
'加密后门特征->eval(str_rot13('=>'eval(str_rot13(',
'加密后门特征->gzuncompress(base64_decode('=>'gzuncompress(base64_decode(',
'加密后门特征->base64_decode(gzuncompress('=>'base64_decode(gzuncompress(',
'一句话后门特征->eval($_'=>'eval(('|"|s*)\$_(post|get|request|cookie)',
'一句话后门特征->assert($_'=>'assert(('|"|s*)\$_(post|get|request|cookie)',
'一句话后门特征->require($_'=>'require(('|"|s*)\$_(post|get|request|cookie)',
'一句话后门特征->require_once($_'=>'require_once(('|"|s*)\$_(post|get|request|cookie)',
'一句话后门特征->include($_'=>'include(('|"|s*)\$_(post|get|request|cookie)',
'一句话后门特征->include_once($_'=>'include_once(('|"|s*)\$_(post|get|request|cookie)',
'一句话后门特征->call_user_func("assert"'=>'call_user_func(("|')assert("|')',
'一句话后门特征->call_user_func($_'=>'call_user_func(('|"|s*)\$_(post|get|request|cookie)',
'一句话后门特征->$_post/get/request/cookie[?]($_post/get/request/cookie[?]'=>'$_(post|get|request|cookie)[([^]]+)](('|"|s*)\$_(post|get|request|cookie)[',
'一句话后门特征->echo(file_get_contents($_post/get/request/cookie'=>'echo(file_get_contents(('|"|s*)\$_(post|get|request|cookie)',
'上传后门特征->file_put_contents($_post/get/request/cookie,$_post/get/request/cookie'=>'file_put_contents(('|"|s*)\$_(post|get|request|cookie)[([^]]+)],('|"|s*)\$_(post|get|request|cookie)',
'上传后门特征->fputs(fopen("?","w"),$_post/get/request/cookie['=>'fputs(fopen((.+),('|")w('|")),('|"|s*)\$_(post|get|request|cookie)[',
'.htaccess插马特征->sethandler application/x-httpd-php'=>'sethandlerapplication/x-httpd-php',
'.htaccess插马特征->php_value auto_prepend_file'=>'php_valueauto_prepend_file',
'.htaccess插马特征->php_value auto_append_file'=>'php_valueauto_append_file'
);
}
?>

希望本文所述对大家基于php的网站安全建设有所帮助。