|
php木马查杀步骤: 1、通过特征码进行木马的查杀 - grep -r --include=*.php '[^a-z]eval($_POST' . > grep.txt
- grep -r --include=*.php 'file_put_contents(.*$_POST\[.*\]);' . > grep.txt
2、进行入侵跟踪 在php.ini中加入一行 - auto_prepend_file = /home/log/log.php
3、vi /home/log/log.php - <?php
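// Every PHP request passes through this file first (php.ini auto_prepend_file,
// step 2 above), so one line per request lands in LOG_DIR before the
// application code runs.
define('LOG_DIR','/home/log/');
// Request path plus query string exactly as received; missing keys yield ''
// instead of an "undefined index" warning printed into the served page.
$log_uri = $_SERVER['PHP_SELF'].(!empty($_SERVER['QUERY_STRING']) ? '?'.$_SERVER['QUERY_STRING'] : '');
// The Host header is chosen by the client and becomes part of the log file
// name; reduce it to hostname characters so a crafted value cannot carry a
// path separator and place the log outside LOG_DIR.
$log_host = isset($_SERVER['HTTP_HOST']) ? preg_replace('/[^A-Za-z0-9._:\-]/', '_', $_SERVER['HTTP_HOST']) : 'unknown-host';
$log_file_name = LOG_DIR.$log_host.'-'.date('m-d-H').'.txt';
// The full POST body is kept verbatim: it is the evidence that shows what a
// webshell was told to do, but it also captures any credentials submitted
// through legitimate forms, so the log file itself needs restricted access.
if($_POST){
    $var_post = var_export($_POST,true)."\r\n";
}else{
    $var_post = '';
}
$log_ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
// One entry: time, client address, URI, user agent, then the POST dump.
$log_formate = date('H:i').' '.log_pwGetIp().' '.$log_uri.' '.$log_ua."\r\n".$var_post;
log_write_over($log_file_name,$log_formate,'ab+');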
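/**
 * Write $data to $fileName under an exclusive lock.
 *
 * @param string $fileName    path of the log file; created if it does not exist
 * @param string $data        bytes to write
 * @param string $method      fopen() mode: 'rb+' overwrites and truncates the
 *                            file to strlen($data); 'ab+' appends
 * @param bool   $ifLock      hold an exclusive flock() for the duration of the write
 * @param bool   $ifCheckPath unused here (the path-check helper call is commented
 *                            out); kept so existing callers keep working
 * @param bool   $ifChmod     restrict the file to its owner after writing
 */
function log_write_over($fileName, $data, $method = 'rb+', $ifLock = true, $ifCheckPath = true, $ifChmod = true) {
    // $fileName = Pcv($fileName, $ifCheckPath);
    // 'rb+' needs an existing file, so create it first.
    touch($fileName);
    $handle = fopen($fileName, $method);
    if ($handle === false) {
        // Nothing to write to. The original went on to flock()/fwrite() a
        // boolean, which emitted warnings into every page this prepend
        // file runs on.
        return;
    }
    if ($ifLock) {
        flock($handle, LOCK_EX);
    }
    fwrite($handle, $data);
    // Overwrite mode: drop whatever the old file held beyond the new content.
    if ($method === 'rb+') {
        ftruncate($handle, strlen($data));
    }
    if ($ifLock) {
        flock($handle, LOCK_UN);
    }
    fclose($handle);
    // The log holds raw request bodies (passwords included) and is the
    // evidence for the intrusion timeline; keep it owner-only rather than
    // the original 0777, which let every local account read and rewrite it.
    // chmod() is best-effort: it fails harmlessly when the file belongs to
    // another user.
    if ($ifChmod) {
        @chmod($fileName, 0600);
    }
}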
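/**
 * Best-effort client address for the log line.
 *
 * Precedence follows the original: X-Forwarded-For (last hop) first, then
 * Client-IP, then REMOTE_ADDR. The first two are request headers the client
 * can set freely, so they only identify the sender when a trusted reverse
 * proxy in front of PHP overwrites them; REMOTE_ADDR is the only value the
 * server itself observed. When reconstructing an intrusion from the log,
 * treat a header-derived address as a claim, not a fact.
 *
 * Differences from the original: missing $_SERVER keys no longer raise
 * warnings, $_SERVER['HTTP_X_FORWARDED_FOR'] is no longer rewritten in place,
 * and filter_var() replaces the digit regex, which accepted octets above 255
 * and rejected every IPv6 address.
 *
 * @return string a syntactically valid IPv4 or IPv6 address, or 'Unknown'
 */
function log_pwGetIp() {
    $forwarded = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : '';
    $clientIp  = isset($_SERVER['HTTP_CLIENT_IP']) ? $_SERVER['HTTP_CLIENT_IP'] : '';
    $remote    = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    if ($forwarded && $remote) {
        // A chain "client, proxy1, proxy2" lists the nearest hop last; that
        // is the entry the closest proxy appended and the one the original
        // picked. Work on a local copy instead of mutating $_SERVER.
        if (strstr($forwarded, ',')) {
            $hops = explode(',', $forwarded);
            $forwarded = trim(end($hops));
        }
        if (filter_var($forwarded, FILTER_VALIDATE_IP) !== false) {
            return $forwarded;
        }
    } elseif ($clientIp && filter_var($clientIp, FILTER_VALIDATE_IP) !== false) {
        return $clientIp;
    }
    if (filter_var($remote, FILTER_VALIDATE_IP) !== false) {
        return $remote;
    }
    return 'Unknown';
}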
/**
 * Directory portion of $path with a trailing '/', or './' when $path is
 * empty or contains no separator. A backslash, if present anywhere, is the
 * separator that counts; a forward slash is consulted only when there is
 * no backslash at all.
 *
 * @param string|null $path
 * @return string
 */
function log_getdirname($path = null) {
    if (empty($path)) {
        return './';
    }
    foreach (array('\\', '/') as $separator) {
        $cut = strrpos($path, $separator);
        if ($cut !== false) {
            return substr($path, 0, $cut) . '/';
        }
    }
    return './';
}
- ?>
4、根据日志统计信息，找到木马的入口。 5、堵住漏洞，进行安全防范。
|