将以下文件上传到网站的根目录,然后访问这个文件即可;
<?php define("WEBSCAN_KEY", "4996c09effad40fcbdcdaaf1f589895a"); date_default_timezone_set('GMT'); ini_set('display_errors', '0'); class scan{ private $directory = '.'; private $extension = array('php'); private $_files = array(); private $filelimit = 5000; private $scan_hidden = true; private $_self = ''; private $_regex ='(preg_replace.*\/e|`.*?\$.*?`|\bcreate_function\b|\bpassthru\b|\bshell_exec\b|\bexec\b|\bbase64_decode\b|\bedoced_46esab\b|\beval\b|\bsystem\b|\bproc_open\b|\bpopen\b|\bcurl_exec\b|\bcurl_multi_exec\b|\bparse_ini_file\b|\bshow_source\b|cmd\.exe|KAdot@ngs\.ru|小组专用大马|提权|PHP\s?反弹|shell\s?加强版|WScript\.shell|PHP\s?Shell|Eval\sPHP\sCode|Udp1-fsockopen|xxddos|Send\sFlow|fsockopen\("(udp|tcp)|SYN\sFlood)'; private $_shellcode=''; private $_shellcode_line=array(); private $_log_array= array(); private $_log_count=0; private $webscan_url="http://safe.webscan.360.cn/webshell/upload"; private $action=''; private $taskid=0; private $_tmp=''; function __construct(){ if (isset($_POST['action'])&&isset($_POST['key'])&&$_POST['key']==WEBSCAN_KEY&&isset($_POST['task'])) { $this->action = $_POST['action']; $this->taskid = $_POST['task']; } if (is_writable('./')) { $this->_tmp='./'; } elseif (is_writable(sys_get_temp_dir())) { $this->_tmp=substr(sys_get_temp_dir(), -1)=='/'||substr(sys_get_temp_dir(), -1)=='\\' ? sys_get_temp_dir() : sys_get_temp_dir().'/'; } } private function is__writable($path) { if ($path{strlen($path)-1}=='/') return is__writable($path.uniqid(mt_rand()).'.tmp'); if (file_exists($path)) { if (!($f = @fopen($path, 'r+'))) return false; fclose($f); return true; } if (!($f = @fopen($path, 'w'))) return false; fclose($f); @unlink($path); return true; } private function ck_state(){ $a=fopen($this->_tmp.'scan_lock.tmp', 'w+'); fwrite($a, "scannig"); fclose($a); } public function del_state(){ $a=fopen($this->_tmp.'scan_lock.tmp', 'w+'); fwrite($a, ''); fclose($a); @unlink($this->_tmp.'scan_lock.tmp'); $this->post($this->webscan_url,array('state'=>'1','key'=>WEBSCAN_KEY,'task'=>$this->taskid)); } private function is_utf8($word) { if (preg_match("/^([".chr(228)."-".chr(233)."]{1}[".chr(128)."-".chr(191)."]{1}[".chr(128)."-".chr(191)."]{1}){1}/",$word) == true || preg_match("/([".chr(228)."-".chr(233)."]{1}[".chr(128)."-".chr(191)."]{1}[".chr(128)."-".chr(191)."]{1}){1}$/",$word) == true || preg_match("/([".chr(228)."-".chr(233)."]{1}[".chr(128)."-".chr(191)."]{1}[".chr(128)."-".chr(191)."]{1}){2,}/",$word) == true) { return true; } else { return false; } } private function check_environment() { $r = array("status"=>1,"allow_url_fopen"=>0,"writeable"=>0); if (ini_get('allow_url_fopen')||function_exists('curl_init')) { $r["allow_url_fopen"] = 1; } if ($this->is__writable($this->_tmp.'test.tmp')) { $r["writeable"] = 1; } if($r["allow_url_fopen"] && $r["writeable"]) { $r["status"] = 1; } echo json_encode($r); exit; } private function webscan_curl($url , $postdata = array()){ $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5); curl_setopt($ch, CURLOPT_TIMEOUT, 15); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata); $response = curl_exec($ch); $httpcode = curl_getinfo($ch,CURLINFO_HTTP_CODE); curl_close($ch); return array('httpcode'=>$httpcode,'response'=>$response); } private function post($url,$log=array()){ if(! function_exists('curl_init')) { $postdata = http_build_query($log); $context = stream_context_create(array('http' => array('method' => 'POST', 'header' => "Content-type: application/x-www-form-urlencoded\r\n",'content' => $postdata))); $server_version = @file_get_contents($url, 0, $context); } else{ $this->webscan_curl($url,$log); } } private function findstr($filepath,$shellstr){ $a=false; $text=@file_get_contents($filepath); if(!$this->is_utf8($text)){ $text=iconv("GBK","UTF-8",$text); } $_content = explode("\n", $text); for ($line = 0; $line < count($_content); $line++) { $date = preg_match_all("/".$shellstr."/i", $_content[$line],$matches); if($date){ $this->_shellcode[$line+1]=$_content[$line]; $a=true; } } return $a; } private function upload_log($a = array()) { if($this->_log_count==50){ $this->post($this->webscan_url,array('log' => json_encode($this->_log_array),'key'=>WEBSCAN_KEY,'task'=>$this->taskid)); $this->_log_count=0; $this->_log_array=array(); } else{ $this->_log_array[]=$a; $this->_log_count++; } } private function listdir($dir) { $handle = @opendir($dir); if ($this->filelimit > 0) { if (count($this->_files) > $this->filelimit) { return true; } } while (($file = @readdir($handle)) !== false) { if ($file == '.' || $file == '..') { continue; } $filepath = $dir == '.' ? $file : $dir . '/' . $file; if (is_link($filepath)) { continue; } if (is_file($filepath)) { if (substr(basename($filepath), 0, 1) != "." || $this->scan_hidden) { $extension = pathinfo($filepath); if (is_string($this->extension) && $this->extension == '*') { if ($this->filelimit > 0) { $this->_files[] = $filepath; } } else { if (isset($extension['extension']) && in_array($extension['extension'], $this->extension)) { if ($this->_self != basename($filepath)) { if ($this->filelimit > 0) { $this->_files[] = $filepath; } } } } } } else if (is_dir($filepath)) { if (substr(basename($filepath), 0, 1) != "." || $this->scan_hidden) { if (is_readable($filepath)) { $this->listdir($filepath); } } } } closedir($handle); } private function anaylize() { foreach ($this->_files as $file) { if(!$this->is_utf8($file)){ $filename=@iconv("GBK","UTF-8",$file); } if($this->findstr($file,$this->_regex)) { self::upload_log(array($filename => array('Trojan' => 1,'time' => date("Y-m-d H:i:s",filemtime($file)),'md5'=>md5(file_get_contents($file)),'size'=>filesize($file),'shellcode'=>$this->_shellcode) )); $this->_shellcode=array(); } /* else{ self::upload_log(array($filename => array('Trojan' => 0))); } */ } if ($this->_log_count>0) { $this->post($this->webscan_url,array('log' => json_encode($this->_log_array),'key'=>WEBSCAN_KEY,'task'=>$this->taskid)); } sleep(5); $this->del_state(); } public function start() { if($this->action=='del_state'){ $this->del_state(); } if (@file_get_contents(($this->_tmp.'scan_lock.tmp'))=='scannig') { exit("scannig"); } switch ($this->action) { case 'check_environment': $this->check_environment(); break; case 'shell_scan': set_time_limit(0); ignore_user_abort(); register_shutdown_function(array($this,"del_state")); $this->ck_state(); $this->listdir($this->directory); $this->anaylize(); $this->del_state(); break; default: echo "360webscan v1.4"; break; } } } $a=new scan(); $a->start(); ?>
1. 下载木马查杀插件 
2. 将该插件解压后上传到:http://tiaowode.com
3. 用浏览器访问 http://domain.com/scan.php,确认安装成功
