dongwu9170 2014-04-07 07:27
浏览 37
已采纳

grep整个服务器的shell hacks / malware

We host 1000s of domains on multiple servers. We have problems with massive amount of malware and phpshell's. The usage of many scanners had no effect in taking them down. maybe we got 10/20 vague results from those scanners

so i build my own little bash file to find those scripts. It found 148 phpshells this weekend ( im not that good at creating .SH files).



My question The grep is terrible slow, it will run for days. how can i make this script more efficient?

array=(
    "base64_decode(" 
    "substr(md5(strrev(" 
    "cwd = @getcwd();" 
    "chr((ord(" 
    "gzinflate(base64_decode(" 
    "php_uname()" "] = chr(ord(" 
    "cwd[strlen($cwd)" 
    "ini_get('safe_mode');" 
    "=\"\x62\"" 
    "\"+ r + \"&r=\" + document.referrer;\"" 
    "if(strtoupper(substr(PHP_OS, 0, 3) ) == \"WIN\")" 
    "window.top.location.href=\"http://" 
    "@ini_get(\"disable_functions\")" 
    "$g3='';$g3.=$r;$g3.=$h;$g3.=$y"
    "hacked"
)

for value in "${array[@]}"
do
    printf "
[$value] [start => $(date +"%T")]
"
        grep -l -inr "$value" "/home/"
    printf "
[end => $(date +"%T")]
"
done



FINAL RESULT

#!/bin/bash
LC_ALL=C grep -F -n -r -f /root/scanner/pattern.txt "/home/"

Pattern.txt

eval($___($__));
eval(stripslashes(@$_POST[
eval(stripslashes(array_pop(
eval(base64_decode(
eval(gzinflate(str_rot13(base64_decode(
gzinflate(base64_decode(
Array(base64_decode(
sha1(base64_decode(
print(base64_decode(
wsoScandir($dir)
substr(current(array_keys(
cwd = @getcwd();
$OOO000000=urldecode(
$l___l_='base'.(32*2)
substr(md5(strrev(
cwd[strlen($cwd)
="x62
+ r + "&r=" + document.referrer;
if(strtoupper(substr(PHP_OS, 0, 3) ) == "WIN")
){if(@copy(
copy("endless.html
system("wget
symlink("/","sym/root");
@copy($_FILES['file']['tmp_name']
error_reporting(0);if(
x6C\x28\x67\x7A\x69
"/.*/e","\x28\x65\x76\x61
preg_replace("/.*/e",
Windows-1251";preg_replace(
); exit(); } if(isset(
system("$cmd"); die;}
rtrim($security_code, "/");
  • 写回答

1条回答 默认 最新

  • dtebrq0245 2014-04-15 01:36
    关注

    Store your search strings as a single multiline string, and run fgrep once instead of in a loop:

    values="eval(base64_decode(
    gzinflate(base64_decode(
    cwd = @getcwd();
    chr((ord(
    substr(md5(strrev(
    chr(ord(
    cwd[strlen(\$cwd)
    ini_get('safe_mode');
    =\"\x62\"
    \"+ r + \"&r=\" + document.referrer;\"
    if(strtoupper(substr(PHP_OS, 0, 3) ) == \"WIN\")
    window.top.location.href=\"http://
    @ini_get(\"disable_functions\")
    ){if(@copy(
    eval(\$___(\$__));
    copy(\"endless.html\"
    system(\"wget
    symlink(\"/\",\"sym/root\");
    @copy(\$_FILES['file']['tmp_name']
    error_reporting(0);if(
    x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74
    hacked"
    
    LC_ALL=C fgrep -nr --include  \*.php "$values" *
    

    This version runs 22x faster than the original (0.535s vs 11.817s on one fairly large site). Noncoincidentally, you have 22 search strings.

    PS: Don't forget to \ your $ inside of "", or you won't find your 15th and 19th search strings. I would create a test file that has all the strings you're searching for, and verify that the fgrep "$values" successfully matches each of them.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?