Linux服务器PHP后门查杀
shell脚本一句话查找PHP一句话木马
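# One-shot signature sweeps over a web root. Run from the document root (or
# replace ./ with its path). A match is an indicator for manual review, not
# proof of compromise: vendored libraries and minified code hit these too.
#
# In an ERE (grep -E / egrep) an unescaped "(" opens a group, so the original
# unescaped patterns never matched a literal "eval(" - the parentheses are
# escaped below. File names are passed NUL-separated so paths containing
# spaces survive xargs.
find ./ -name "*.php" -type f -print0 | xargs -0 grep -E "phpspy|c99sh|milw0rm|eval\(gzuncompress|eval\(base64_decode|spider_bc" > /tmp/php.txt

# eval() fed straight from POST data; [^a-z] keeps e.g. "myeval(" from matching.
# BRE: "(" is already literal, "$" is escaped so it is not read as an anchor.
grep -r --include='*.php' '[^a-z]eval(\$_POST' . > /tmp/eval.txt

# file_put_contents() writing POST-controlled data (typical dropper pattern).
# "[" and "]" are escaped: unescaped, "[.*]" is a bracket expression matching
# a single "." or "*", not the literal index brackets.
grep -r --include='*.php' 'file_put_contents(.*\$_POST\[.*\]);' . > /tmp/file_put_contents.txt

# Same family of signatures, reduced to a de-duplicated list of file names.
# -l prints the name only, which replaces the awk/sort/uniq post-processing
# and also copes with ":" in file names.
find ./ -name "*.php" -type f -print0 | xargs -0 grep -E -l "phpspy|c99sh|milw0rm|eval\(gzuncompress\(base64_decode|eval\(base64_decode|spider_bc|gzinflate" | sort -u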
python脚本查找PHP一句话木马(注意缩进)
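#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# blog:www.sinesafe.com
"""Scan a directory tree for PHP files that contain common webshell markers.

Usage: ``python3 <this script> <directory>``

Every file whose name ends in one of ``PHP_EXTENSIONS`` is read and matched
against ``rulelist``. The first rule that fires is reported and the file is
not checked against the remaining rules. Matching is case-sensitive, as in
the original script, so case-obfuscated variants (``EVAL(``,
``Base64_Decode(``) are not caught; set ``_RULE_FLAGS = re.IGNORECASE`` to
widen the net at the cost of more false positives. A hit is a lead for a
manual review, not a verdict.

The original was a Python 2 script (``print`` statements mixed with
``print()`` calls); this version runs on Python 3.
"""
import os
import re
import sys

# Signature patterns. Raw strings keep the regex escapes intact ('\$' is an
# invalid escape sequence in a normal Python 3 string literal).
rulelist = [
    r'(\$_(GET|POST|REQUEST)\[.{0,15}\]\(\$_(GET|POST|REQUEST)\[.{0,15}\]\))',
    r'(base64_decode\([\'"][\w\+/=]{200,}[\'"]\))',
    r'eval\(base64_decode\(',
    r'(eval\(\$_(POST|GET|REQUEST)\[.{0,15}\]\))',
    r'(assert\(\$_(POST|GET|REQUEST)\[.{0,15}\]\))',
    r'(\$[\w_]{0,15}\(\$_(POST|GET|REQUEST)\[.{0,15}\]\))',
    r'(wscript\.shell)',
    r'(gethostbyname\()',
    r'(cmd\.exe)',
    r'(shell\.application)',
    r'(documents\s+and\s+settings)',
    r'(system32)',
    r'(serv-u)',
    r'(提权)',
    r'(phpspy)',
    r'(后门)',
    r'(webshell)',
    r'(Program\s+Files)',
]

# Flags applied to every rule; 0 keeps the original case-sensitive matching.
_RULE_FLAGS = 0

# Compiled once here instead of once per rule per file inside the walk.
_COMPILED_RULES = [re.compile(rule, _RULE_FLAGS) for rule in rulelist]

# Only plain ".php" is scanned, matching the original extension check.
# Many PHP setups also execute .phtml / .php5 / .inc - extend this tuple
# to cover them. Case-sensitive on purpose (Linux file names are).
PHP_EXTENSIONS = ('.php',)


def _read_text(path):
    """Return the contents of *path* as text; undecodable bytes become U+FFFD.

    Raises:
        OSError: if the file cannot be opened or read.
    """
    with open(path, encoding='utf-8', errors='replace') as handle:
        return handle.read()


def _first_hit(text):
    """Return the text matched by the first rule that fires on *text*, or None."""
    for pattern in _COMPILED_RULES:
        match = pattern.search(text)
        if match:
            # group(0) is the matched code itself; the original printed
            # findall()[0], which for multi-group rules is a tuple of groups.
            return match.group(0)
    return None


def Scan(path):
    """Walk *path*, print every suspicious PHP file and return the hits.

    Args:
        path: directory to walk (symlinked directories are not followed;
            a non-existent path yields no files and an empty result).

    Returns:
        List of ``(file_path, matched_text)`` tuples in walk order, one per
        flagged file (only the first matching rule is reported). Files that
        cannot be read are reported on stderr and skipped instead of
        aborting the whole scan.
    """
    hits = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            if not name.endswith(PHP_EXTENSIONS):
                continue
            full_path = os.path.join(root, name)
            try:
                text = _read_text(full_path)
            except OSError as err:
                # Permission denied or file vanished mid-walk: keep scanning.
                print('无法读取:' + full_path + ' (' + str(err) + ')', file=sys.stderr)
                continue
            matched = _first_hit(text)
            if matched is None:
                continue
            hits.append((full_path, matched))
            print('文件:' + full_path)
            print('恶意代码:' + matched)
            print('\n\n')
    return hits


def main(argv):
    """Command-line entry point: scan ``argv[1]`` and print the banners.

    Args:
        argv: argument vector, ``argv[1]`` is the directory to scan.

    Returns:
        Process exit code: 0 after a scan, 1 if the path does not exist,
        2 if no path was given (the original raised IndexError here).
    """
    if len(argv) < 2:
        print('用法: ' + argv[0] + ' <扫描目录>')
        return 2
    target = argv[1]
    if not os.path.lexists(target):
        print("提示:指定的扫描目录不存在--- 我靠( 'o′)!!凸")
        return 1
    print('\n\n开始扫描:' + target)
    print(' 可疑文件 ')
    print('########################################')
    Scan(target)
    print('提示:扫描完成-- O(∩_∩)O哈哈~')
    return 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))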
配合find命令查找
查找最近一天被修改的PHP文件
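# PHP files modified within the last 24 hours, below the current directory.
# The glob is quoted: unquoted, the shell expands "*.php" against the
# current directory before find ever sees it.
find . -mtime -1 -type f -name '*.php'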
查找最近2小时以内被修改的文件(具有执行权限)
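# Executable files modified within the last two hours, system-wide.
# -mmin counts minutes: the original "-mmin -2" covered only two minutes,
# not the two hours the heading describes. Errors for unreadable paths
# (/proc entries, permission denied) are discarded to keep the list usable.
find / -mmin -120 -type f -perm /a=x 2>/dev/null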
修改网站的权限
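# Make every PHP file read-only. The glob is quoted, and the -exec
# terminator is "+" (the original bare ";" is consumed by the shell as a
# command separator, so find aborted with a missing -exec argument).
# Paths that the web server legitimately writes to (uploads, caches,
# session stores) still need write access - review them before applying.
find . -type f -name '*.php' -exec chmod 444 {} +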
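# Read/traverse-only directories. The original "555{}" had no space, so
# chmod received "555./dir" as its mode argument and failed; the -exec
# terminator is "+" for the same reason as in the file command above.
find ./ -type d -exec chmod 555 {} +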