网站频繁被挂马?做一些改进,基本上能把这个问题解决,因为discuz x等程序存在漏洞,被上传了webshell,每次被删除过段时间又出来了,最终查到所有的木马。
从以下几个方面查找并加强(如果能不开启会员功能,不给任何上传入口,保护好后台密码,加固好PHP,一般就没什么问题了)。
1.根据特征码查找:
php木马一般含有
<br /><br />
或者
find /wwwroot/* -type f -name "*.php" |xargs grep "eval(" > /wwwroot/scan.txt
结果就查出很多明显的webshell,并且发现都藏在attachment等目录下
2.利用网上的一个php代码,搜索最近被修改的文件
scandir.php
内容如下:
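<?php
set_time_limit(0); // 防止超时: the scan walks the whole tree, so do not let max_execution_time abort it
/**
 * php目录扫描监控增强版 — PHP directory scan / change monitor.
 *
 * @author lssbing (lssbing#gmail.com)
 * @date 2010-1-18
 * @license BSD
 * @version 1.0
 *
 * Modes, selected by the query string:
 *   ?check=check           walk M_PATH and list files whose source calls one of the $danger functions
 *   ?savethis=1            store the current path => md5 fingerprint list in M_LOG
 *   (no parameter)         compare current fingerprints with M_LOG and list new / modified / deleted files
 *   ?readfile=PATH         show a file's source; requires POST passchack equal to $pass
 *   ?m=del&filename=PATH   delete a file; requires POST passchack equal to $pass
 *
 * 下面几个变量使用前需要手动设置 — the configuration variables below must be set by hand before use.
 * Requires PHP >= 7.0 (uses ??, hash_equals() and json_encode()/json_decode()).
 */
/*===================== 程序配置 =====================*/
$pass = "12345";            // 设置密码 — the only gate on viewing and deleting files; change it before uploading this script
$jkdir = ".";               // 设置监控扫描的目录: '.' current dir, '..' parent dir, or an absolute path; no trailing slash
$logfilename = "./m.log";   // 设置存储log的路径: fingerprint store (JSON), any writable location
$exclude = ['data', 'images'];              // 排除目录: entry names skipped at any depth
$danger = 'eval|cmd|passthru|gzuncompress'; // 设置要查找的危险的函数: regex alternation that marks a file as suspicious
$suffix = 'php|inc';                        // 设置要扫描文件的后缀: regex alternation of extensions to scan
/*===================== 配置结束 =====================*/

$filename = is_string($_GET['filename'] ?? null) ? $_GET['filename'] : ''; // consumed by Delete()
$check = is_string($_GET['check'] ?? null) ? $_GET['check'] : '';
$jumpoff = false; // true would make Safe_Check() ignore the skip list in $jump
$thisfile = basename((string) ($_SERVER['PHP_SELF'] ?? '')); // this script's own name, so it is never reported as suspicious
$jump = "{$thisfile}|" . implode('|', $exclude); // '|'-separated names that Jump() skips (this file plus $exclude)
$jkdir_num = $file_num = $danger_num = 0; // counters filled by Safe_Check()
$file_list = []; // path => md5, filled by record_md5()
define('M_PATH', $jkdir);
define('M_LOG', $logfilename);

if ($check === 'check') {
    $safearr = explode("|", $jump);
    $start_time = microtime(true);
    Safe_Check($jkdir);
    $total = microtime(true) - $start_time;
    // Safe_Check() counts every directory entry it visits; remove the directories to report files only.
    $file_num = $file_num - $jkdir_num;
    $message = " 文件数:" . $file_num;
    $message .= " 文件夹数:" . $jkdir_num;
    $message .= " 可疑文件数:" . $danger_num;
    $message .= " 执行时间:" . $total;
    echo $message;
} elseif (($_GET['m'] ?? '') === "del") {
    Delete(); // 处理文件删除 — never returns
} elseif (isset($_GET['readfile'])) {
    // 读取文件内容: ask for the password, then show the file once passchack matches.
    if (empty($_POST['passchack'])) {
        // NOTE(review): the original form markup was lost in extraction; this is the minimal equivalent.
        echo '<form method="post">'
            . ' <label>pass <input type="password" name="passchack"></label>'
            . ' <input type="submit" value="ok">'
            . '</form>';
        exit;
    }
    // hash_equals() replaces the loose == comparison, which accepts e.g. "12345.0" for "12345".
    if (!is_string($_POST['passchack']) || !hash_equals((string) $pass, $_POST['passchack'])) {
        exit;
    }
    $target = scan_file_inside(M_PATH, $_GET['readfile']);
    if ($target === null) {
        exit; // outside the monitored tree, or not a regular file
    }
    $code = (string) file_get_contents($target);
    // On a compromised site the file contents are attacker-controlled: escape before embedding in HTML.
    echo "<textarea name=\"code\" cols=\"150\" rows=\"30\" id=\"code\" style='width:100%;height:450px;background:#cccccc'>"
        . htmlspecialchars($code, ENT_QUOTES, 'UTF-8')
        . "</textarea>";
    exit;
} else {
    record_md5(M_PATH);
    // The fingerprint store is JSON (path => md5). The original used serialize()/unserialize(); unserialize()
    // of a file the web server itself can write is an object-injection risk, and JSON carries the same data.
    // An unreadable or legacy (serialized) log is treated as "no log yet" and can simply be re-saved.
    $log = [];
    if (file_exists(M_LOG)) {
        $decoded = json_decode((string) file_get_contents(M_LOG), true);
        if (is_array($decoded)) {
            $log = $decoded;
        }
    }
    if (($_GET['savethis'] ?? '') === '1') {
        // 保存当前文件md5到日志文件 (file_put_contents overwrites, so no unlink is needed)
        file_put_contents(M_LOG, json_encode($file_list, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES));
        echo "保存成功!点击返回";
        exit;
    }
    if (empty($log)) {
        echo "当前还没有创建日志文件!点击[保存当前]创建日志文件!";
    } elseif ($file_list == $log) { // loose ==: same path => md5 pairs regardless of key order
        echo "本文件夹没有做过任何改动!";
    } else {
        foreach ($file_list as $file => $md5) {
            if (!isset($log[$file])) {
                echo scan_report_line("新增文件", $file);
            } elseif ($log[$file] !== $md5) {
                echo scan_report_line("修改文件", $file);
            }
            unset($log[$file]); // whatever remains in $log afterwards no longer exists on disk
        }
        foreach ($log as $file => $md5) {
            echo "删除文件:" . htmlspecialchars($file, ENT_QUOTES, 'UTF-8') . "<br />";
        }
    }
}

/**
 * Resolve $path and return its real path only if it is a regular file inside $root; otherwise null.
 * realpath() resolves '..' and symlinks first, so the prefix test cannot be bypassed with traversal sequences.
 *
 * @param string $root directory whose files may be viewed or deleted
 * @param mixed  $path user-supplied path (anything but a non-empty string is rejected)
 * @return string|null
 */
function scan_file_inside($root, $path)
{
    if (!is_string($path) || $path === '') {
        return null;
    }
    $realRoot = realpath($root);
    $real = realpath($path);
    if ($realRoot === false || $real === false || !is_file($real)) {
        return null;
    }
    $prefix = rtrim($realRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

/**
 * One HTML report line for $file: label, ctime/mtime, and links to view (?readfile=) and delete (?m=del&filename=) it.
 * The name comes from the filesystem, which an intruder may control, so it is HTML-escaped.
 *
 * @param string $label e.g. "新增文件" or "修改文件"
 * @param string $file  path as recorded by record_md5()
 * @return string
 */
function scan_report_line($label, $file)
{
    $safe = htmlspecialchars($file, ENT_QUOTES, 'UTF-8');
    $q = rawurlencode($file);
    return $label . ":" . $safe
        . " 创建时间:" . date("Y-m-d H:i:s", filectime($file))
        . " 修改时间:" . date("Y-m-d H:i:s", filemtime($file))
        . " <a href=\"?readfile={$q}\">源码</a> <a href=\"?m=del&amp;filename={$q}\">删除</a><br />";
}

/**
 * 计算md5 — recursively record the md5 of every file under $jkdir into global $file_list (path => md5).
 * Entries whose basename is listed in global $exclude are skipped at any depth.
 *
 * @param string $jkdir directory to walk; anything that is not a directory is ignored
 */
function record_md5($jkdir)
{
    global $file_list, $exclude;
    if (!is_dir($jkdir)) {
        return;
    }
    $entries = scandir($jkdir);
    if ($entries === false) {
        return; // unreadable directory: record nothing rather than iterate over false
    }
    foreach ($entries as $f) {
        if ($f === '.' || $f === '..' || in_array($f, $exclude, true)) {
            continue;
        }
        $path = $jkdir . '/' . $f;
        if (is_dir($path)) {
            record_md5($path);
        } else {
            $file_list[$path] = md5_file($path);
        }
    }
}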
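/**
 * 遍历文件 — recursively scan $jkdir for suspicious source files.
 *
 * Every entry not rejected by Jump() is counted in global $file_num (including '.', '..' and
 * subdirectories, as in the original; the caller subtracts $jkdir_num). Subdirectories add to
 * $jkdir_num and are descended into. Regular files whose path matches /\.($suffix)/i are read and,
 * if their contents match /($danger)[ \r\n\t]*[\[(]/i, reported as an HTML line and counted in $danger_num.
 * An unreadable directory or file is reported and skipped instead of aborting the whole run.
 *
 * @param string $jkdir directory to scan
 */
function Safe_Check($jkdir)
{
    global $danger, $suffix, $jkdir_num, $file_num, $danger_num, $jumpoff;
    $hand = @dir($jkdir);
    if ($hand === false) {
        echo '文件夹不存在: ' . htmlspecialchars($jkdir, ENT_QUOTES, 'UTF-8') . "<br />";
        return;
    }
    // '!== false' so that an entry literally named "0" does not end the loop early.
    while (($file = $hand->read()) !== false) {
        $filename = $jkdir . '/' . $file;
        if (!$jumpoff && Jump($filename)) {
            continue;
        }
        if ($file !== '.' && $file !== '..' && is_dir($filename)) {
            $jkdir_num++;
            Safe_Check($filename);
        } elseif (is_file($filename) && preg_match("/\.($suffix)/i", $filename)) {
            $str = @file_get_contents($filename);
            if ($str === false) {
                echo '没有权限: ' . htmlspecialchars($filename, ENT_QUOTES, 'UTF-8') . "<br />";
            } elseif (preg_match("/($danger)[ \r\n\t]*([\[\(])/i", $str)) {
                // Reported names come from the filesystem, which an intruder may control: escape them.
                $safe = htmlspecialchars($filename, ENT_QUOTES, 'UTF-8');
                $q = rawurlencode($filename);
                echo "可疑文件:{$safe}"
                    . " 创建时间:" . date("Y-m-d H:i:s", filectime($filename))
                    . " 修改时间:" . date("Y-m-d H:i:s", filemtime($filename))
                    . " <a href=\"?readfile={$q}\">查看代码</a> <a href=\"?m=del&amp;filename={$q}\">删除</a><br />";
                $danger_num++;
            }
        }
        $file_num++;
    }
    $hand->close();
}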
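/**
 * 查看可疑文件 — print the source of global $filename inside a textarea and exit.
 *
 * Only regular files inside M_PATH are shown: realpath() resolves '..' and symlinks before the
 * prefix check, unlike the original str_replace("..", "") filter, which "....//" slips through.
 * Anything else prints an empty textarea. Not referenced by the dispatch code shown in this file.
 */
function Edit()
{
    global $filename;
    $content = "";
    $root = realpath(M_PATH);
    $file = (is_string($filename) && $filename !== '') ? realpath($filename) : false;
    if ($root !== false && $file !== false && is_file($file)) {
        $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($file, $prefix, strlen($prefix)) === 0) {
            $raw = file_get_contents($file); // also handles empty files, where fread(…, filesize()) fails
            if ($raw === false) {
                exit('没有权限');
            }
            $content = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
        }
    }
    // NOTE(review): the original echo lost its markup in extraction; the textarea mirrors the ?readfile= view.
    echo "<textarea name=\"code\" cols=\"150\" rows=\"30\" id=\"code\" style='width:100%;height:450px;background:#cccccc'>{$content}</textarea>\r\n";
    exit();
}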
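/**
 * 删除文件 — delete global $filename after password confirmation, then exit.
 *
 * Without a POST passchack the password form is printed; a wrong password prints '密码错误!'.
 * The password is compared with hash_equals() (the original loose == accepted e.g. "12345.0" for
 * "12345"), and only regular files inside M_PATH can be deleted: realpath() resolves '..' and
 * symlinks before the prefix check. Paths outside M_PATH or non-files print nothing, as before.
 */
function Delete()
{
    global $filename, $pass;
    if (empty($_POST['passchack'])) {
        // NOTE(review): the original form markup was lost in extraction; this is the minimal equivalent.
        echo '<form method="post">'
            . ' <label>pass <input type="password" name="passchack"></label>'
            . ' <input type="submit" value="ok">'
            . '</form>';
        exit;
    }
    if (!is_string($_POST['passchack']) || !hash_equals((string) $pass, $_POST['passchack'])) {
        echo '密码错误!';
        exit;
    }
    $mes = '';
    $root = realpath(M_PATH);
    $file = (is_string($filename) && $filename !== '') ? realpath($filename) : false;
    if ($root !== false && $file !== false && is_file($file)) {
        $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($file, $prefix, strlen($prefix)) === 0) {
            $mes = unlink($file) ? '删除成功' : '删除失败 查看权限';
        }
    }
    echo $mes;
    exit();
}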
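/**
 * 跳过文件 — true when $file should be skipped by the scan.
 *
 * Global $jump is the '|'-separated skip list and $safearr its exploded form; a path is skipped when
 * it contains any non-empty entry, case-insensitively. The original used eregi(), which was removed
 * in PHP 7; stripos() gives the same literal, case-insensitive substring match for the plain names
 * the list holds. An empty $jump or a missing $safearr skips nothing.
 *
 * @param string $file path as built by Safe_Check()
 * @return bool
 */
function Jump($file)
{
    global $jump, $safearr;
    if ((string) $jump === '' || !is_array($safearr)) {
        return false;
    }
    foreach ($safearr as $needle) {
        if ($needle === '') {
            continue;
        }
        if (stripos($file, $needle) !== false) {
            return true;
        }
    }
    return false;
}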
?>
[查看文件改动]|[保存当前文件指纹]|[扫描可疑文件]
执行后能看到最近被修改的文件,具有参考价值
3.修改php.ini,限制以下函数
disable_functions = phpinfo,passthru,exec,system,chroot,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server,fsockopen,popen,proc_close,curl_exec,curl_multi_exec,parse_ini_file,show_source,dl,escapeshellarg,escapeshellcmd
4.修改nginx.conf ,限制一些目录执行php文件
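server
{
    listen 80;
    server_name www.***.com;
    index index.htm index.html index.php;
    root /wwwroot/;

    # Discuz X pseudo-static rewrites, unchanged.
    rewrite ^([^\.]*)/topic-(.+)\.html$ $1/portal.php?mod=topic&topic=$2 last;
    rewrite ^([^\.]*)/article-([0-9]+)-([0-9]+)\.html$ $1/portal.php?mod=view&aid=$2&page=$3 last;
    rewrite ^([^\.]*)/forum-(\w+)-([0-9]+)\.html$ $1/forum.php?mod=forumdisplay&fid=$2&page=$3 last;
    rewrite ^([^\.]*)/thread-([0-9]+)-([0-9]+)-([0-9]+)\.html$ $1/forum.php?mod=viewthread&tid=$2&extra=page%3D$4&page=$3 last;
    rewrite ^([^\.]*)/group-([0-9]+)-([0-9]+)\.html$ $1/forum.php?mod=group&fid=$2&page=$3 last;
    rewrite ^([^\.]*)/space-(username|uid)-(.+)\.html$ $1/home.php?mod=space&$2=$3 last;
    rewrite ^([^\.]*)/([a-z]+)-(.+)\.html$ $1/$2.php?rewrite=$3 last;
    rewrite ^([^\.]*)/topic-(.+)\.html$ $1/portal.php?mod=topic&topic=$2 last;

    # Upload and static directories must never execute PHP. These regex locations have to stay ABOVE
    # the generic PHP location: nginx uses the first regex location that matches, in file order.
    # All three are case-insensitive (~*) so that e.g. /images/x.PHP cannot bypass a case-sensitive pattern.
    location ~* ^/images/.*\.(php|php5)$
    {
        deny all;
    }

    location ~* ^/static/.*\.(php|php5)$
    {
        deny all;
    }

    location ~* ^/data/(attachment|avatar)/.*\.(php|php5)$
    {
        deny all;
    }

    location ~ \.(php|php5)$
    {
        # The original pattern ".*\.(php|php5)?$" made the extension optional; it is anchored here so only
        # real .php/.php5 URIs reach FastCGI. try_files refuses scripts that do not exist on disk, so a URI
        # such as /upload/x.jpg/y.php is not handed to PHP (where cgi.fix_pathinfo would run x.jpg).
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fcgi.conf;
    }

    error_page 400 /404.html;
    error_page 403 /404.html;
    error_page 404 /404.html;
    error_page 405 /404.html;
    error_page 408 /404.html;
    error_page 410 /404.html;
    error_page 411 /404.html;
    error_page 412 /404.html;
    error_page 413 /404.html;
    error_page 414 /404.html;
    error_page 415 /404.html;
    error_page 500 /404.html;
    error_page 501 /404.html;
    error_page 502 /404.html;
    error_page 503 /404.html;
    error_page 506 /404.html;

    # NOTE(review): log_format is accepted only in the http {} context; if nginx rejects this file,
    # move the log_format line there and keep access_log here.
    log_format acclog "$remote_addr $request_time $http_x_readtime [$time_local] \"$request_method http://$host$request_uri\" $status $body_bytes_sent \"$http_referer\" \"$http_user_agent\"";
    access_log /logs/access.log acclog;
}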
此处需要注意的是
# Refuse to serve or execute any PHP file under /images/.
location ~ ^/images/.*\.(php|php5)$
{
    deny all;
}
这些目录的限制必须写在
# Generic PHP handler: everything that reaches this location is passed to php-fpm on 127.0.0.1:9000.
location ~ .*\.(php|php5)?$
{
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    include fcgi.conf;
}
的前面,否则限制不生效。