
PHP implements Linux server Trojan detection and reinforcement functions, Linux reinforcement_PHP tutorial

WBOY (original), 2016-07-13 10:10:36


Is your website frequently hacked? A few improvements can largely solve the problem, because programs such as Discuz have vulnerabilities that let attackers plant Trojan (webshell) files.

Investigate and harden along the following lines (if you can disable member registration, offer no upload entry point at all, protect the admin backend password and harden PHP, there will generally be no problem).

1. Search by signature:

PHP Trojans generally contain code like the following:

Copy code The code is as follows:



or
Copy code The code is as follows:

# List every PHP file under /wwwroot that contains "eval(", with file name and line number
find /wwwroot -type f -name "*.php" -print0 | xargs -0 grep -n "eval(" > /wwwroot/scan.txt

This turned up many obvious webshells, all of them hidden in directories such as attachment.

2. Use a PHP script found online to search for recently modified files

scandir.php, with the following content:

Copy code The code is as follows:

<?php
set_time_limit(0); // Prevent timeout
/**
 *
 * Enhanced version of php directory scanning monitoring
 *
 * @author lssbing (lssbing#gmail.com)
 * @date 2010-1-18
 * @license BSD
 * @version 1.0
 *
 * The following variables need to be set manually before use
 *
 **/
/*====================== Program configuration =====================*/
$pass = "12345"; // Set the password (change it before uploading the script)
$jkdir = "."; // Directory to monitor and scan. '.' is the current directory and '..' the parent; an absolute path also works. No trailing slash. Default: current directory
$logfilename = "./m.log"; // Path of the log file; it can be placed anywhere
$exclude = array('data', 'images'); // Directories to exclude
$danger = 'eval|cmd|passthru|gzuncompress'; // Dangerous functions to look for when deciding whether a file is a Trojan
$suffix = 'php|inc'; // Suffixes of the files to scan
/*===================== End of configuration =====================*/

$filename = isset($_GET['filename']) ? $_GET['filename'] : '';
$check = isset($_GET['check']) ? $_GET['check'] : '';
$jumpoff = false;
$url = $_SERVER['PHP_SELF'];
$parts = explode('/', $url); // end() takes a variable by reference, so the result of explode() must be stored first
$thisfile = end($parts);
$jump = "{$thisfile}|" . implode('|', $exclude);
$safearr = explode("|", $jump);
$jkdir_num = $file_num = $danger_num = 0;
define('M_PATH', realpath($jkdir)); // resolved once so that file reads and deletions can be confined to it
define('M_LOG', $logfilename);

if ($check == 'check') {
    $start_time = microtime(true);
    safe_check(M_PATH);
    $end_time = microtime(true);
    $total = $end_time - $start_time;
    $file_num = $file_num - $jkdir_num; // safe_check() counts every entry, so subtract the folders
    $message = "Number of files: " . $file_num;
    $message .= " Number of folders: " . $jkdir_num;
    $message .= " Number of suspicious files: " . $danger_num;
    $message .= " Execution time: " . $total;
    echo $message;
} else {
    if (isset($_GET['m']) && $_GET['m'] == "del") Delete(); // Process file deletion
    // Read file content
    if (isset($_GET['readfile'])) {
        // Ask for the password; the file content is only output after it has been verified
        if (empty($_POST['passchack'])) {
            echo password_form();
            exit;
        } elseif ($_POST['passchack'] === $pass) {
            $target = realpath($_GET['readfile']);
            if ($target === false || !in_scan_dir($target)) {
                echo 'File is outside the monitored directory';
                exit;
            }
            $code = file_get_contents($target);
            // The original textarea markup was lost in extraction; this one shows the file read-only and HTML-escaped
            echo '<textarea rows="30" cols="120" readonly="readonly">' . htmlspecialchars($code) . "</textarea>\r\n";
            exit();
        } else {
            echo 'Wrong password! ';
            exit;
        }
    }
}

function password_form() // Password prompt (the original HTML form was lost in extraction; this one posts the same 'passchack' field)
{
    return '<form method="post">Password: <input type="password" name="passchack" /> <input type="submit" value="OK" /></form>';
}

function in_scan_dir($realpath) // True when an already resolved path lies inside the monitored directory
{
    return strpos($realpath, M_PATH . DIRECTORY_SEPARATOR) === 0;
}

function safe_check($dir) // Recursively scan $dir for suspicious files (reconstructed: the body of this function was lost in extraction)
{
    global $file_num, $jkdir_num, $danger_num, $danger, $suffix;
    $handle = opendir($dir);
    if ($handle === false) return;
    while (($entry = readdir($handle)) !== false) {
        if ($entry == '.' || $entry == '..') continue;
        if (Jump($entry)) continue; // Skip this script and the excluded directories
        $path = $dir . '/' . $entry;
        $file_num++; // Counts folders too; the caller subtracts $jkdir_num
        if (is_dir($path)) {
            $jkdir_num++;
            safe_check($path);
            continue;
        }
        if (!preg_match('/\.(' . $suffix . ')$/i', $entry)) continue;
        $content = file_get_contents($path);
        if (preg_match('/(' . $danger . ')/i', $content)) {
            $danger_num++;
            $line = date('Y-m-d H:i:s') . " suspicious file: {$path}, last modified " . date('Y-m-d H:i:s', filemtime($path)) . "\n";
            file_put_contents(M_LOG, $line, FILE_APPEND);
            echo htmlspecialchars($line) . "<br />\n";
        }
    }
    closedir($handle);
}

function Delete() // Delete file
{
    global $filename, $pass;
    if (empty($_POST['passchack'])) {
        echo password_form();
        exit;
    } elseif ($_POST['passchack'] === $pass) {
        $target = realpath($filename);
        $mes = '';
        // Only regular files inside the monitored directory may be deleted
        if ($target !== false && is_file($target) && in_scan_dir($target)) {
            $mes = unlink($target) ? 'Delete successfully' : 'Delete failed, check permissions';
        }
        echo $mes;
        exit();
    } else {
        echo 'Wrong password! ';
        exit;
    }
}

function Jump($file) // Skip file
{
    global $jump, $safearr;
    if ($jump != '') {
        foreach ($safearr as $v) {
            if ($v == '') continue;
            // eregi() was removed in PHP 7; preg_match() with a quoted, case-insensitive pattern is the equivalent
            if (preg_match('/' . preg_quote($v, '/') . '/i', $file)) return true;
        }
    }
    return false;
}
?>
[View file changes]|[Save current file fingerprint] |[Scan for suspicious files]

After running it you can see which files were modified recently, which is a useful reference when hunting for webshells.

3. Modify php.ini and disable the following functions (restart PHP-FPM afterwards for the change to take effect, and check that the application still works, since features such as cURL requests depend on some of them)

Copy code The code is as follows:

disable_functions = phpinfo,passthru,exec,system,chroot,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,fsockopen,openlog,syslog,readlink,symlink,popen,stream_socket_server,proc_close,curl_exec,curl_multi_exec,parse_ini_file,show_source,escapeshellarg,escapeshellcmd

4. Modify nginx.conf to prevent PHP files in certain directories from being executed

Copy code The code is as follows:

server
{
    listen       80;
    server_name  www.***.com;
    index   index.htm index.html index.php;
    root  /wwwroot/;

    # Discuz pseudo-static rewrite rules
    rewrite ^([^.]*)/topic-(.+)\.html$ $1/portal.php?mod=topic&topic=$2 last;
    rewrite ^([^.]*)/article-([0-9]+)-([0-9]+)\.html$ $1/portal.php?mod=view&aid=$2&page=$3 last;
    rewrite ^([^.]*)/forum-(\w+)-([0-9]+)\.html$ $1/forum.php?mod=forumdisplay&fid=$2&page=$3 last;
    rewrite ^([^.]*)/thread-([0-9]+)-([0-9]+)-([0-9]+)\.html$ $1/forum.php?mod=viewthread&tid=$2&extra=page%3D$4&page=$3 last;
    rewrite ^([^.]*)/group-([0-9]+)-([0-9]+)\.html$ $1/forum.php?mod=group&fid=$2&page=$3 last;
    rewrite ^([^.]*)/space-(username|uid)-(.+)\.html$ $1/home.php?mod=space&$2=$3 last;
    rewrite ^([^.]*)/([a-z]+)-(.+)\.html$ $1/$2.php?rewrite=$3 last;

    # Upload and static directories: PHP files here are never passed to FastCGI.
    # These blocks must appear before the generic PHP location below.
    location ~ ^/images/.*\.(php|php5)$
    {
        deny all;
    }

    location ~ ^/static/.*\.(php|php5)$
    {
        deny all;
    }

    location ~* ^/data/(attachment|avatar)/.*\.(php|php5)$
    {
        deny all;
    }

    location ~ .*\.(php|php5)?$
    {
        fastcgi_pass  127.0.0.1:9000;
        fastcgi_index index.php;
        include fcgi.conf;
    }

    error_page  400 /404.html;
    error_page  403 /404.html;
    error_page  404 /404.html;
    error_page  405 /404.html;
    error_page  408 /404.html;
    error_page  410 /404.html;
    error_page  411 /404.html;
    error_page  412 /404.html;
    error_page  413 /404.html;
    error_page  414 /404.html;
    error_page  415 /404.html;
    error_page  500 /404.html;
    error_page  501 /404.html;
    error_page  502 /404.html;
    error_page  503 /404.html;
    error_page  506 /404.html;

    # log_format is only allowed in the http {} block; declare it there:
    # log_format  acclog  '$remote_addr $request_time $http_x_readtime [$time_local] "$request_method http://$host$request_uri" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
    access_log  /logs/access.log  acclog;
}

Note the following:

Copy code The code is as follows:

location ~ ^/images/.*\.(php|php5)$
{
  deny all;
}

The restrictions on these directories must be written before

Copy code The code is as follows:

location ~ .*\.(php|php5)?$
{
  fastcgi_pass  127.0.0.1:9000;
  fastcgi_index index.php;
  include fcgi.conf;
}

, otherwise the restriction will not take effect: nginx uses the first regular-expression location that matches, in the order they appear in the configuration file, so the generic PHP location would otherwise win and hand the uploaded file to FastCGI.
