http://www.zhanghaijun.com/index.php zh-cn http://www.zhanghaijun.com/post// 碟舞飞扬 <webmaster@zhanghaijun.com> Sun, 28 Apr 2013 17:51:52 +0000 http://www.zhanghaijun.com/post// 查找一句话PHP木马：
# find ./ -name "*.php" |xargs egrep "phpspy|c99sh|milw0rm|eval\(gunerpress|eval\(base64_decode|spider_bc"> /tmp/php.txt

# grep -r --include=*.php  '[^a-z]eval($_POST' . > /tmp/eval.txt

# grep -r --include=*.php  'file_put_contents(.*$_POST\[.*\]);' . > /tmp/file_put_contents.txt

# find ./ -name "*.php" -type f -print0 | xargs -0 egrep "(phpspy|c99sh|milw0rm|eval\(gzuncompress\(base64_decode|eval\(base64_decode|spider_bc|gzinflate)" | awk -F: '{print $1}' | sort | uniq

查找最近一天被修改的PHP文件：
#   find -mtime -1 -type f -name \*.php

修改网站的权限：
# find -type f -name \*.php -exec chmod 444 {} \;

# find ./ -type d -exec chmod 555{} \;

建议将php相关危险函数在php.ini里面禁用掉。
disable_functions = system,exec,shell_exec,passthru
Tags - linux , shell , php木马 ]]> http://www.zhanghaijun.com/post//#blogcomment <user@domain.com> Thu, 01 Jan 1970 00:00:00 +0000 http://www.zhanghaijun.com/post//#blogcomment