Home >Backend Development >PHP Tutorial >PHP webshell scanning backdoor Trojan example program_PHP tutorial
This article will introduce you to a php webshell scanning backdoor Trojan example program. This can scan the Trojan program on your website. This provides great convenience for everyone to find website Trojans. Friends in need can refer to it.
The code is as follows | Copy code |
/************************** php scanning backdoor **********************/ error_reporting(E_ERROR); ini_set('max_execution_time',20000); ini_set('memory_limit','512M'); header("content-Type: text/html; charset=gb2312"); $matches = array( '/function\_exists\s*\(\s*[\'|\"](popen|exec|proc\_open|system|passthru)+[\'|\"]\s*\)/i', '/(exec|shell\_exec|system|passthru)+\s*\(\s*\$\_(\w+)\[(.*)\]\s*\)/i', '/((udp|tcp)\:\/\/(.*)\;)+/i', '/preg\_replace\s*\((.*)\/e(.*)\,\s*\$\_(.*)\,(.*)\)/i', '/preg\_replace\s*\((.*)\(base64\_decode\(\$/i', '/(eval|assert|include|require|include\_once|require\_once)+\s*\(\s*(base64\_decode|str\_rot13|gz(\w+)|file\_(\w+) \_contents|(.*)php\:\/\/input)+/i', '/(eval|assert|include|require|include\_once|require\_once|array\_map|array\_walk)+\s*\(\s*\$\_(GET|POST|REQUEST|COOKIE|SERVER |SESSION)+\[(.*)\]\s*\)/i', '/eval\s*\(\s*\(\s*\$\$(\w+)/i', '/(include|require|include\_once|require\_once)+\s*\(\s*[\'|\"](\w+)\.(jpg|gif|ico|bmp|png|txt| zip|rar|htm|css|js)+[\'|\"]\s*\)/i', '/\$\_(\w+)(.*)(eval|assert|include|require|include\_once|require\_once)+\s*\(\s*\$(\w+)\s*\ )/i', '/\(\s*\$\_FILES\[(.*)\]\[(.*)\]\s*\,\s*\$\_(GET|POST|REQUEST|FILES)+\ [(.*)\]\[(.*)\]\s*\)/i', '/(fopen|fwrite|fputs|file\_put\_contents)+\s*\((.*)\$\_(GET|POST|REQUEST|COOKIE|SERVER)+\[(.*)\]( .*)\)/i', '/echo\s*curl\_exec\s*\(\s*\$(\w+)\s*\)/i', '/new com\s*\(\s*[\'|\"]shell(.*)[\'|\"]\s*\)/i', '/\$(.*)\s*\((.*)\/e(.*)\,\s*\$\_(.*)\,(.*)\)/i', '/\$\_\=(.*)\$\_/i', '/\$\_(GET|POST|REQUEST|COOKIE|SERVER)+\[(.*)\]\(\s*\$(.*)\)/i', '/\$(\w+)\s*\(\s*\$\_(GET|POST|REQUEST|COOKIE|SERVER)+\[(.*)\]\s*\)/i', '/\$(\w+)\(\$\{(.*)\}/i' ); function antivirus($dir,$exs,$matches) { if(($handle = @opendir($dir)) == NULL) return false; while(false !== ($name = readdir($handle))) { If($name == '.' || $name == '..') continue; $path = $dir.$name; If(is_dir($path)) { If(is_readable($path)) antivirus($path.'/',$exs,$matches); } elseif(strpos($name,';') > -1 || strpos($name,'%00') > -1 || strpos($name,'/') > -1) { echo ' Features '.$path.' '; flush(); ob_flush( );} else { If(!preg_match($exs,$name)) continue; If(filesize($path) > 10000000) continue; $fp = fopen($path,'r'); $code = fread($fp,filesize($path)); fclose($fp); If(empty($code)) continue; foreach($matches as $matche) { $array = array(); preg_match($matche,$code,$array); if(!$array) continue; If(strpos($array[0],"\x24\x74\x68\x69\x73\x2d\x3e")) continue; $len = strlen($array[0]); if($len > 10 && $len < 1500) { echo ' 特征 '.$path.' ';flush(); ob_flush(); break; } } unset($code,$array); } } closedir($handle); return true; } function strdir($str) { return str_replace(array('\\','//','//'),array('/','/','/'),chop($str)); } echo ''; if(file_exists($_POST['dir']) && $_POST['exs']) { $dir = strdir($_POST['dir'].'/'); $exs = '/('.str_replace('.','\\.',$_POST['exs']).')/i'; echo antivirus($dir,$exs,$matches) ? ' 扫描完毕 ' : '扫描中断 ';} ?> |