How to Detect WebShell on PHP Web Server
View the access log
See if there’s a file upload (POST method):
The default log format for nginx is:
Find files containing malicious php code
Find the recent changes in the php file
- -type f means that the normal search of normal files
-mtime -7 that 7 * 24 hours to modify the file
The results may be as follows:
Find out if there is any suspected code in the file
Note: Many commands do not support pipelining parameters, but in fact need this, so it used the xargs command, the command can be used to pipe transmission parameters; grep-l said that only contains a string of file names, if removed – L The contents of the line matching the specified string are displayed
The meaning of several special strings:
eval()
The string in accordance with the PHP code to implement, is the most common php Trojansbase64_decode()
Will be the base64 string decoding, attack time payload is base64 encoding, then this function is uselessgzinflate()
The string decompression processing, when the attack with gzdeflate payload compression, the use of this function for decompressionstr_rot13()
The string is encoded with rot13
Regular expressions can also be used to search for documents, can find code:
mail()
Can be used to send spam to the site userfsockopen()
Open a network connection or a Unix socket connection that can be used to send remote requests for payloadpfsockopen()
And fsockopen () role similarexec()
Command execution functionsystem()
With the exec ()passthru()
With the exec ()stream_socket_client()
To establish a remote connection, examples are as follows:
preg_replace()
When the regular expression is modified by the modifier “e”, the replacement string needs to be executed in accordance with the php code before the substitution. This also needs to be taken into account. In this case,
Compares the code file
This situation requires a clean code, the code and the code being used to compare. E.g
The above example compares wordpress-clean / and wordpress-comprised directories, and the directory wp-content / subdirectory does not compare.
Search for writable directories
Look at the list of whether there are suspicious files, the following script to find the permissions for the 777 directory exists php file
Hackers often insert jpg php code in the document, so when inquiries in these directories have to query jpg files:
Note: -iname said the file name is not case-sensitive, grep-i also said that case-insensitive
The iframe tag is detected
Hackers often do is to embed iframe tags, so you can view the source code of the page, and search for the existence of iframe tags, you can use the following command:
For dynamically generated pages can be used ff of Live HTTP Headers plug-in, and then downloaded to the source to find out whether the presence of iframe tag
Finds if there is a sensitive string in the database
Including% base64 _%,% eval (% <and so on some of the above-mentioned keywords
0x07 Examine the .htaccess file
Whether it contains auto_prepend_file and auto_append_file, use the following command
Auto_prepend_file role is to load the current script file before loading the php script auto_append_file role is to load the current script file, and then load the php script. Hackers if so modified. Htaccess file, you can access. Htaccess directory php script, you want to load the load on the malicious script.
Htaccess file can also be used to hijack the traffic to the site to the hacker’s Web site,
沒有留言:
張貼留言