PHP Web 木马扫描器
- 发表于
- 周边
scanner.php:
PHP Web 木马扫描器
用户名: 密码: ';
}
elseif(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5))
{
setcookie("t00ls", $md5, time()+60*60*24*365,"/");
echo "登陆成功!";
header( 'refresh: 1; url='.MYFILE.'?action=scan' );
exit();
}
else
{
setcookie("t00ls", $md5, time()+60*60*24*365,"/");
$setting = getSetting();
$action = isset($_GET['action'])?$_GET['action']:"";
if($action=="logout")
{
setcookie ("t00ls", "", time() - 3600);
Header("Location: ".MYFILE);
exit();
}
if($action=="download" && isset($_GET['file']) && trim($_GET['file'])!="")
{
$file = $_GET['file'];
ob_clean();
if (@file_exists($file)) {
header("Content-type: application/octet-stream");
header("Content-Disposition: filename=\"".basename($file)."\"");
echo file_get_contents($file);
}
exit();
}
?>
| $version"?> |
| 扫描 | 设定 | 登出 |
0) { foreach($is_user as $key=>$value) $is_user[$key]=trim(str_replace("?","(.)",$value)); $is_ext = "(\.".implode("($|\.))|(\.",$is_user)."($|\.))"; } } if($setting['hta']==1) { $is_hta=1; $is_ext = strlen($is_ext)>0?$is_ext."|":$is_ext; $is_ext.="(^\.htaccess$)"; } if($setting['all']==1 || (strlen($is_ext)==0 && $setting['hta']==0)) { $is_ext="(.+)"; } $php_code = getCode(); if(!is_readable($dir)) $dir = MYPATH; $count=$scanned=0; scan($dir,$is_ext); $end=mktime(); $spent = ($end - $start); ?>
扫描: 文件 | 发现: 可疑文件 | 耗时: 秒
| No. | 文件 | 更新时间 | 原因 | 特征 | 动作 |
"; //echo $path . $file ."
"; break; } } } } } } closedir( $dh ); } function getSetting() { $Ssetting = array(); if(isset($_COOKIE['t00ls_s'])) { $Ssetting = unserialize(base64_decode($_COOKIE['t00ls_s'])); $Ssetting['user']=isset($Ssetting['user'])?$Ssetting['user']:"php | php? | phtml | shtml"; $Ssetting['all']=isset($Ssetting['all'])?intval($Ssetting['all']):0; $Ssetting['hta']=isset($Ssetting['hta'])?intval($Ssetting['hta']):1; } else { $Ssetting['user']="php | php? | phtml | shtml"; $Ssetting['all']=0; $Ssetting['hta']=1; setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/"); } return $Ssetting; } function getCode() { return array( '后门特征->cha88.cn'=>'cha88\.cn', '后门特征->c99shell'=>'c99shell', '后门特征->phpspy'=>'phpspy', '后门特征->Scanners'=>'Scanners', '后门特征->cmd.php'=>'cmd\.php', '后门特征->str_rot13'=>'str_rot13', '后门特征->webshell'=>'webshell', '后门特征->EgY_SpIdEr'=>'EgY_SpIdEr', '后门特征->tools88.com'=>'tools88\.com', '后门特征->SECFORCE'=>'SECFORCE', '后门特征->eval("?>'=>'eval\((\'|")\?>', '可疑代码特征->system('=>'system\(', '可疑代码特征->passthru('=>'passthru\(', '可疑代码特征->shell_exec('=>'shell_exec\(', '可疑代码特征->exec('=>'exec\(', '可疑代码特征->popen('=>'popen\(', '可疑代码特征->proc_open'=>'proc_open', '可疑代码特征->eval($'=>'eval\((\'|"|\s*)\\$', '可疑代码特征->assert($'=>'assert\((\'|"|\s*)\\$', '危险MYSQL代码->returns string soname'=>'returnsstringsoname', '危险MYSQL代码->into outfile'=>'intooutfile', '危险MYSQL代码->load_file'=>'select(\s+)(.*)load_file', '加密后门特征->eval(gzinflate('=>'eval\(gzinflate\(', '加密后门特征->eval(base64_decode('=>'eval\(base64_decode\(', '加密后门特征->eval(gzuncompress('=>'eval\(gzuncompress\(', '加密后门特征->eval(gzdecode('=>'eval\(gzdecode\(', '加密后门特征->eval(str_rot13('=>'eval\(str_rot13\(', '加密后门特征->gzuncompress(base64_decode('=>'gzuncompress\(base64_decode\(', '加密后门特征->base64_decode(gzuncompress('=>'base64_decode\(gzuncompress\(', '一句话后门特征->eval($_'=>'eval\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)', '一句话后门特征->assert($_'=>'assert\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)', '一句话后门特征->require($_'=>'require\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)', '一句话后门特征->require_once($_'=>'require_once\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)', '一句话后门特征->include($_'=>'include\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)', '一句话后门特征->include_once($_'=>'include_once\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)', '一句话后门特征->call_user_func("assert"'=>'call_user_func\(("|\')assert("|\')', '一句话后门特征->call_user_func($_'=>'call_user_func\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)', '一句话后门特征->$_POST/GET/REQUEST/COOKIE[?]($_POST/GET/REQUEST/COOKIE[?]'=>'\$_(POST|GET|REQUEST|COOKIE)\[([^\]]+)\]\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)\[', '一句话后门特征->echo(file_get_contents($_POST/GET/REQUEST/COOKIE'=>'echo\(file_get_contents\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)', '上传后门特征->file_put_contents($_POST/GET/REQUEST/COOKIE,$_POST/GET/REQUEST/COOKIE'=>'file_put_contents\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)\[([^\]]+)\],(\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)', '上传后门特征->fputs(fopen("?","w"),$_POST/GET/REQUEST/COOKIE['=>'fputs\(fopen\((.+),(\'|")w(\'|")\),(\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)\[', '.htaccess插马特征->SetHandler application/x-httpd-php'=>'SetHandlerapplication\/x-httpd-php', '.htaccess插马特征->php_value auto_prepend_file'=>'php_valueauto_prepend_file', '.htaccess插马特征->php_value auto_append_file'=>'php_valueauto_append_file' ); } ?>
一个在php环境下扫描php木马的工具,目前可扫出以下特征码
特征码:
后门特征->cha88.cn
后门特征->c99shell
后门特征->phpspy
后门特征->Scanners
后门特征->cmd.php
后门特征->str_rot13
后门特征->webshell
后门特征->EgY_SpIdEr
后门特征->tools88.com
后门特征->SECFORCE
后门特征->eval("?>
可疑代码特征->system(
可疑代码特征->passthru(
可疑代码特征->shell_exec(
可疑代码特征->exec(
可疑代码特征->popen(
可疑代码特征->proc_open
可疑代码特征->eval($
可疑代码特征->assert($
危险MYSQL代码->returns string soname
危险MYSQL代码->into outfile
危险MYSQL代码->load_file
加密后门特征->eval(gzinflate(
加密后门特征->eval(base64_decode(
加密后门特征->eval(gzuncompress(
加密后门特征->gzuncompress(base64_decode(
加密后门特征->base64_decode(gzuncompress(
一句话后门特征->eval($_
一句话后门特征->assert($_
一句话后门特征->require($_
一句话后门特征->require_once($_
一句话后门特征->include($_
一句话后门特征->include_once($_
一句话后门特征->call_user_func("assert"
一句话后门特征->call_user_func($_
一句话后门特征->$_POST/GET/REQUEST/COOKIE[?]($_POST/GET/REQUEST/COOKIE[?]
一句话后门特征->echo(file_get_contents($_POST/GET/REQUEST/COOKIE
上传后门特征->file_put_contents($_POST/GET/REQUEST/COOKIE,$_POST/GET/REQUEST/COOKIE
上传后门特征->fputs(fopen("?","w"),$_POST/GET/REQUEST/COOKIE[
.htaccess插马特征->SetHandler application/x-httpd-php
.htaccess插马特征->php_value auto_prepend_file
.htaccess插马特征->php_value auto_append_file
注意: 扫描出来的文件并不一定就是后门,请自行判断、审核、对比原文件。
原文连接:PHP Web 木马扫描器
所有媒体,可在保留署名、
原文连接的情况下转载,若非则不得使用我方内容。
