grep whole server for shell hacks / malware

We host 1000s of domains on multiple servers. We have problems with a massive amount of malware and PHP shells. The usage of many scanners had no effect in taking them down; maybe we got 10/20 vague results from those scanners.

So I built my own little bash file to find those scripts. It found 148 PHP shells this weekend (I'm not that good at creating .sh files).

My question: the grep is terribly slow; it will run for days. How can I make this script more efficient?

#!/bin/bash
# Strings that mark known PHP shells. They are searched as fixed strings (-F),
# so ( [ and $ are literal; $ still has to be escaped inside double quotes or
# bash expands it before grep ever sees it.
array=(
    "base64_decode("
    "substr(md5(strrev("
    "cwd = @getcwd();"
    "chr((ord("
    "gzinflate(base64_decode("
    "php_uname()"
    "] = chr(ord("
    "cwd[strlen(\$cwd)"
    "ini_get('safe_mode');"
    "=\"\x62\""
    "\"+ r + \"&r=\" + document.referrer;\""
    "if(strtoupper(substr(PHP_OS, 0, 3) ) == \"WIN\")"
    "window.top.location.href=\"http://"
    "@ini_get(\"disable_functions\")"
    "\$g3='';\$g3.=\$r;\$g3.=\$h;\$g3.=\$y"
    "hacked"
)

for value in "${array[@]}"
do
    printf '\n[%s] [start => %s]\n' "$value" "$(date +"%T")"
    # -l: file names only, -i: case-insensitive, -r: recurse, -F: fixed string, not a regex
    grep -l -irF -- "$value" "/home/"
    printf '[end => %s]\n' "$(date +"%T")"
done

FINAL RESULT

#!/bin/bash
# One pass over the tree: -F fixed strings, -n line numbers, -r recurse,
# -f reads one pattern per line from the file; LC_ALL=C avoids slow UTF-8 decoding
LC_ALL=C grep -F -n -r -f /root/scanner/pattern.txt "/home/"

pattern.txt

eval($___($__));
eval(stripslashes(@$_POST[
eval(stripslashes(array_pop(
eval(base64_decode(
eval(gzinflate(str_rot13(base64_decode(
gzinflate(base64_decode(
Array(base64_decode(
sha1(base64_decode(
print(base64_decode(
wsoScandir($dir)
substr(current(array_keys(
cwd = @getcwd();
$OOO000000=urldecode(
$l___l_='base'.(32*2)
substr(md5(strrev(
cwd[strlen($cwd)
="x62
+ r + "&r=" + document.referrer;
if(strtoupper(substr(PHP_OS, 0, 3) ) == "WIN")
){if(@copy(
copy("endless.html
system("wget
symlink("/","sym/root");
@copy($_FILES['file']['tmp_name']
error_reporting(0);if(
x6C\x28\x67\x7A\x69
"/.*/e","\x28\x65\x76\x61
preg_replace("/.*/e",
Windows-1251";preg_replace(
); exit(); } if(isset(
system("$cmd"); die;}
rtrim($security_code, "/");
doushi3803: One suggestion; it won't save much time, but it will help. If you only need the file names, there is no need to care which rule was detected. So once a file has been found, maybe you can exclude it in the next round of the loop, or exclude the whole domain.
over 6 years ago

dongzhansong5785: Sure, you can configure PHP to interpret any file extension you want, but I still think investigating every file is not the way to go. Try php, txt, htm, html, js first, then run it on the other files. Or, if you own that many domains, buy something like WatchGuard.
over 6 years ago

dongxia026531: In my experience, image files are also used to put code in.
over 6 years ago

douxugu5836: You could restrict the script to only look at text files, so it skips pictures.
over 6 years ago

dongyun6835: Yes, I want that too. Only I need the script to finish completely. Right now it has reached 50% and the process is bogged down. I also found shell hacks that use the PHP 'touch' command to change the 'datemodified' field of the file.
over 6 years ago

doudu6100: After doing one full scan it may be better to keep track of the changed files and only scan those.
over 6 years ago

1 answer

Store your search strings as a single multiline string, and run fgrep once instead of in a loop:

values="eval(base64_decode(
gzinflate(base64_decode(
cwd = @getcwd();
chr((ord(
substr(md5(strrev(
chr(ord(
cwd[strlen(\$cwd)
ini_get('safe_mode');
=\"\x62\"
\"+ r + \"&r=\" + document.referrer;\"
if(strtoupper(substr(PHP_OS, 0, 3) ) == \"WIN\")
window.top.location.href=\"http://
@ini_get(\"disable_functions\")
){if(@copy(
eval(\$___(\$__));
copy(\"endless.html\"
system(\"wget
symlink(\"/\",\"sym/root\");
@copy(\$_FILES['file']['tmp_name']
error_reporting(0);if(
x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74
hacked"

# one fgrep run; the newline-separated $values is treated as one pattern per line
LC_ALL=C fgrep -nr --include '*.php' "$values" *

This version runs 22x faster than the original (0.535s vs 11.817s on one fairly large site). Noncoincidentally, you have 22 search strings.

PS: Don't forget to \ your $ inside of "", or you won't find your 15th and 19th search strings. I would create a test file that has all the strings you're searching for, and verify that the fgrep "$values" successfully matches each of them.

doushui20090526: Actually, your answer is better, because you avoid the \'s and $'s :)
over 6 years ago

doukong1391: My results look a lot like yours! I posted it after a successful cleanup; even WatchGuard didn't remove them. Kind of fun :)
over 6 years ago