├── README.md
├── index.php
└── reservoir.php


/README.md:
--------------------------------------------------------------------------------
1 | Webshell_finder
2 | ===============
3 | 
4 | 网站木马检测
5 | 本例中的程序会一一扫描指定目录中的文件，采用了正则匹配的方式来查找恶意脚本。与前人产品不同的是，本作品没有使用单一的判别标准。本作品事先定义好在服务器中常见的带有风险的操作和期危险度的权值，在扫描牟文静的过程中，为该文件中出现的所有敏感操作会被全部扫描出，所有敏感操作的危险度的权值会被相加，得到该文件的危险指数。根据设定的危险指数阀值，危险指数大于危险阀值的文件会被报告为“危险”，危险指数大于可疑阀值但小于危险阀值的文件会被报告为“可疑”。
6 | 
7 | 本例与传统的以正则匹配的方式来查找恶意脚本的方式相比，能在漏报率不增加的情况下，大幅度降低误报率。
8 | 


--------------------------------------------------------------------------------
/index.php:
--------------------------------------------------------------------------------
  1 | index.php 
  2 | <?php
  3 | header('Content-type:text/html;charset=gbk3212');
  4 | include("reservoir.php");//特征库
  5 | 
  6 | 
  7 | $realpath = realpath('./');
  8 | $selfpath = $_SERVER['PHP_SELF'];
  9 | $selfpath = substr($selfpath, 0, strrpos($selfpath,'/'));
 10 | define('REALPATH', str_replace('//','/',str_replace('\\','/',substr($realpath, 0, strlen($realpath) - strlen($selfpath)))));
 11 | define('MYFILE', basename(__FILE__));
 12 | define('MYPATH', str_replace('\\', '/', dirname(__FILE__)).'/');
 13 | define('MYFULLPATH', str_replace('\\', '/', (__FILE__)));
 14 | define('HOST', "http://".$_SERVER['HTTP_HOST']);
 15 | 
 16 | ?>
 17 | <head>
 18 | <style type="text/css">
 19 | body{ font-family:微软雅黑;} 
 20 | 
 21 | </style>
 22 | </head>
 23 | <title>服务器恶意脚本检测</title>
 24 | <body style="font-family:微软雅黑" >
 25 | 
 26 | <font size="5" ><b style="background-color:White">服务器恶意脚本检测</b></font><br>
 27 | <a href="http://chiruom.blog.163.com/blog/?action=home"><font color="black" >首页</font></a> | <a href="http://chiruom.blog.163.com/blog/?action=scan"><font color="black" >扫描</font></a> |<a href="http://chiruom.blog.163.com/blog/?action=about"><font color="black" >关于</font></a> <br><br>
 28 | 
 29 | <?php
 30 | 
 31 | $action = isset($_GET['action'])?$_GET['action']:"home";
 32 | $setting=array();
 33 | 
 34 | 
 35 | 
 36 | if($action=="scan"){
 37 | $setting = getSetting();
 38 | $dir = isset($_POST['path'])?$_POST['path']:MYPATH;
 39 | $dir = substr($dir,-1)!="/"?$dir."/":$dir;
 40 | ?>
 41 | <form name="scanf" method="post" action="">
 42 | 扫描路径:<input type="text" name="path" id="path" style="width:600px" value="<?php echo $dir?>"/> &nbsp;<br>
 43 | 文件后缀:<input type="text" name="checkuser" id="checkuser" style="width:300px;" value="<?php echo $setting['user']?>"><br>
 44 | <label for="checkall">所有文件</label>
 45 | <input type="checkbox" name="checkall" id="checkall" <?php if($setting['all']==1) echo "checked"?>><br>
 46 | <label for="checkhta">设置文件</label>
 47 | <input type="checkbox" name="checkhta" id="checkhta" <?php if($setting['hta']==1) echo "checked"?>><br>
 48 | <input type="submit" name="btnScan" id="btnScan" value="开始扫描">
 49 | 
 50 | </form>
 51 | <?php 
 52 | }
 53 | 
 54 | elseif($action=="about")
 55 | {
 56 | echo "四川大学大学生创新训练计划<br>";
 57 | echo "电子信息学院 信息安全<br>";
 58 | echo "指导老师 方勇<br><br>";
 59 | echo "刘梓溪 1142053001<br>";
 60 | echo "李亚威 1142053025<br>";
 61 | echo "张仁栋 1142053007<br>";
 62 | echo "张航 1142053005<br>";
 63 | }
 64 | elseif($action=="download" && isset($_GET['file']) && trim($_GET['file'])!="")
 65 | {
 66 | $file = $_GET['file'];
 67 | ob_clean();
 68 | if (@file_exists($file)) {
 69 | header("Content-type: application/octet-stream");
 70 | header("Content-Disposition: filename=\"".basename($file)."\"");
 71 | echo file_get_contents($file);
 72 | }
 73 | exit();
 74 | }
 75 | 
 76 | elseif($action=="home"){
 77 | echo "<img src='http://chiruom.blog.163.com/blog/img.jpg'/><br>";
 78 | echo "四川大学大学生创新训练计划作品<br>";
 79 | }
 80 | 
 81 | if($_POST[btnScan]){
 82 | $Ssetting = array();
 83 | $Ssetting['user']=isset($_POST['checkuser'])?$_POST['checkuser']:"php | php? | phtml";
 84 | $Ssetting['all']=isset($_POST['checkall'])&&$_POST['checkall']=="on"?1:0;
 85 | $Ssetting['hta']=isset($_POST['checkhta'])&&$_POST['checkhta']=="on"?1:0;
 86 | setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/");
 87 | //
 88 | $start=time();
 89 | $is_user = array();
 90 | $is_ext = "";
 91 | $list = "";
 92 | 
 93 | if(trim($setting['user'])!="")
 94 | {
 95 | $is_user = explode("|",$setting['user']);
 96 | if(count($is_user)>0)
 97 | {
 98 | foreach($is_user as $key=>$value)
 99 | $is_user[$key]=trim(str_replace("?","(.)",$value));
100 | $is_ext = "(\.".implode("($|\.))|(\.",$is_user)."($|\.))";
101 | }
102 | }
103 | if($setting['hta']==1)
104 | {
105 | $is_hta=1;
106 | $is_ext = strlen($is_ext)>0?$is_ext."|":$is_ext;
107 | $is_ext.="(^\.htaccess$)";
108 | }
109 | if($setting['all']==1 || (strlen($is_ext)==0 && $setting['hta']==0))
110 | {
111 | $is_ext="(.+)";
112 | }
113 | 
114 | $php_code = getCode();
115 | if(!is_readable($dir))
116 | $dir = MYPATH;
117 | $count=$scanned=0;
118 | scan($dir,$is_ext);
119 | $end=time();
120 | $spent = ($end - $start);
121 | ?>
122 | 
123 | <div style="padding:10px; background-color:#ccc">扫描: <?php echo $scanned?> 文件 | 发现: <?php echo $count?> 处可疑代码 | 耗时: <?php echo $spent?> 秒</div>
124 | <table width="100%" border="0" cellspacing="0" cellpadding="0">
125 | <tr class="head">
126 | 
127 | <td width="48%">文件</td>
128 | <td width="19%">更新时间</td>
129 | <td width="10%">结论</td>
130 | <td width="10%">危险指数</td>
131 | <td width="10%">细节</td>
132 | <td>动作</td>
133 | </tr>
134 | <?php echo $list?>
135 | </table>
136 | <?php
137 | 
138 | }
139 | 
140 | 
141 | 
142 | function scan($path = '.',$is_ext){
143 | global $php_code,$count,$scanned,$list;
144 | $ignore = array('.', '..' );
145 | $replace=array(" ","\n","\r","\t");
146 | $dh = @opendir( $path );
147 | 
148 | while(false!==($file=readdir($dh))){
149 | if( !in_array( $file, $ignore ) ){ 
150 | if( is_dir( "$path$file" ) ){
151 | scan("$path$file/",$is_ext); 
152 | } else {
153 | if ($file=="reservoir.php")
154 | continue;
155 | $current = $path.$file;//
156 | if(MYFULLPATH==$current) continue;
157 | if(!preg_match("/$is_ext/i",$file)) continue;
158 | if(is_readable($current))
159 | {
160 | $scanned++;
161 | $content=file_get_contents($current);
162 | $content= str_replace($replace,"",$content);
163 | $weight=0;
164 | $sum_reason="";
165 | $detail="";
166 | foreach($php_code as $key => $value)
167 | { 
168 | //global $weight;
169 | //echo $value;
170 | //echo " ";
171 | //echo "$weight";
172 | //echo " <br>";
173 | if(preg_match("/$value/i",$content))
174 | {
175 | 
176 | $count++;
177 | $j = $count % 2 + 1;
178 | $filetime = date('Y-m-d H:i:s',filemtime($current));
179 | $reason = explode("->",$key);
180 | $weight=$weight+$reason[2];//权重相加（可以替换为其他算法）
181 | //$sum_reason=$sum_reason." ".$reason[0]."<br>";
182 | $detail=$detail.$reason[0]."——".$reason[1]."——".$reason[2]."<br>";
183 | 
184 | }
185 | }
186 | //特征库匹配完毕
187 | //判断是否为恶意脚本↓
188 | if($weight>100){
189 | //echo "weight is ".$weight;
190 | //echo "<br>"; 
191 | $url = str_replace(REALPATH,HOST,$current);
192 | preg_match("/$value/i",$content,$arr);
193 | $list_clour="IndianRed";
194 | if ($weight<250)
195 | $list_clour="Orange";
196 | $result="危险";
197 | if ($weight<250)
198 | $result="可疑";
199 | $list.="
200 | <tr bgcolor=".$list_clour." bordercolor='White ' class='alt$j' onmouseover='this.className=\"focus\";' onmouseout='this.className=\"alt$j\";'>
201 | 
202 | <td><a href='http://chiruom.blog.163.com/blog/$url' target='_blank'><font color='Black'>$current</font></a></td>
203 | <td>$filetime</td>
204 | <td>$result</td>
205 | <td>$weight</td>
206 | <td><a href='http://chiruom.blog.163.com/blog/detail.php?filename=".$current."&&filetime=".$filetime."&&detail=".$detail."'>点击查看</a></td>
207 | <td><a href='http://chiruom.blog.163.com/blog/?action=download&file=$current' target='_blank'><font color='Black'>下载</font></a></td>
208 | </tr>";
209 | 
210 | 
211 | }
212 | 
213 | }
214 | }
215 | }
216 | }
217 | closedir( $dh );
218 | } 
219 | function getSetting()
220 | {
221 | $Ssetting = array();
222 | if(isset($_COOKIE['3s']))
223 | {
224 | $Ssetting = unserialize(base64_decode($_COOKIE['3s']));
225 | $Ssetting['user']=isset($Ssetting['user'])?$Ssetting['user']:"php | php? | phtml | shtml";
226 | $Ssetting['all']=isset($Ssetting['all'])?intval($Ssetting['all']):0;
227 | $Ssetting['hta']=isset($Ssetting['hta'])?intval($Ssetting['hta']):1;
228 | }
229 | else
230 | {
231 | $Ssetting['user']="php | php? | phtml | shtml";
232 | $Ssetting['all']=0;
233 | $Ssetting['hta']=1;
234 | setcookie("3s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/");
235 | }
236 | return $Ssetting;
237 | }
238 | 
239 | ?>
240 | </body>
241 | 


--------------------------------------------------------------------------------
/reservoir.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | function getCode()
 3 | {
 4 | return array(
 5 | '后门特征->cha88.cn->1010'=>'cha88\.cn',
 6 | '后门特征->c99shell->1010'=>'c99shell',
 7 | '后门特征->phpspy->1010'=>'phpspy',
 8 | '后门特征->Scanners->60'=>'Scanners',
 9 | '后门特征->cmd.php->70'=>'cmd\.php',
10 | '可疑的编码方式->str_rot13->101'=>'str_rot13',
11 | '后门特征->webshell->10'=>'webshell',
12 | '后门特征->EgY_SpIdEr->101'=>'EgY_SpIdEr',
13 | '后门特征->tools88.com->1010'=>'tools88\.com',
14 | '后门特征->SECFORCE->101'=>'SECFORCE',
15 | '后门特征->eval_r(->70'=>'eval\((\'|")\?',
16 | '后门特征->eval($_->1000'=>'eval\(\$_',
17 | '可疑代码特征->system(->30'=>'system\(',
18 | '可疑代码特征->scandir(->20'=>'scandir\(',
19 | '可疑代码特征->getmygid(->10'=>'getmygid\(',
20 | '可疑代码特征->get_current_user(->10'=>'get_current_user\(',
21 | '可疑代码特征->posix_getpwuid(->25'=>'posix_getpwuid\(',
22 | '可疑代码特征->passthru(->30'=>'passthru\(',
23 | '可疑代码特征->shell_exec(->70'=>'shell_exec\(',
24 | '可疑代码特征->exec(->70'=>'exec\(',
25 | '可疑代码特征->chmod(->35'=>'chmod\(',
26 | '可疑代码特征->unlink(->35'=>'unlind\(',
27 | '可疑代码特征->rmdir(->35'=>'rmdir\(',
28 | '可疑代码特征->popen(->20'=>'popen\(',
29 | '可疑代码特征->is_writable(->15'=>'is_writable\(',
30 | '可疑代码特征->gethostbyname->15'=>'gethostbyname\(',
31 | '可疑代码特征->filemtime(->10'=>'filemtime\(',
32 | '可疑代码特征->disk_free_space(->40'=>'disk_free_space\(',
33 | '可疑代码特征->disk_total_space(->40'=>'disk_total_space\(',
34 | '可疑代码特征->proc_open->30'=>'proc_open',
35 | '可疑代码特征->eval_r($->70'=>'eval\((\'|"|\s*)\\$',
36 | '可疑代码特征->assert($->101'=>'assert\((\'|"|\s*)\\$',
37 | '危险MYSQL代码->returns string soname->101'=>'returnsstringsoname',
38 | '危险MYSQL代码->into outfile->101'=>'intooutfile',
39 | '危险MYSQL代码->load_file->101'=>'select(\s+)(.*)load_file',
40 | '加密后门特征->eval_r(gzinflate(->999'=>'eval\(gzinflate\(',
41 | '加密后门特征->eval_r(base64_decode(->999'=>'eval\(base64_decode\(',
42 | '加密后门特征->eval_r(gzuncompress(->999'=>'eval\(gzuncompress\(',
43 | '加密后门特征->eval_r(gzdecode(->999'=>'eval\(gzdecode\(',
44 | '加密后门特征->eval_r(str_rot13(->999'=>'eval\(str_rot13\(',
45 | '可疑的字符串解码->gzuncompress(base64_decode(->101'=>'gzuncompress\(base64_decode\(',
46 | '可以的字符串解码->base64_decode(gzuncompress(->101'=>'base64_decode\(gzuncompress\(',
47 | '一句话后门特征->eval_r($_->260'=>'eval\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
48 | '一句话后门特征->assert($_->260'=>'assert\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
49 | '一句话后门特征->require($_->269'=>'require\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
50 | '一句话后门特征->require_once($_->260'=>'require_once\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
51 | '一句话后门特征->include($_->260'=>'include\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
52 | '一句话后门特征->include_once($_->260'=>'include_once\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)', 
53 | '一句话后门特征->call_user_func("assert"->260'=>'call_user_func\(("|\')assert("|\')', 
54 | '一句话后门特征->call_user_func($_->260'=>'call_user_func\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
55 | '一句话后门特征->$_POST/GET/REQUEST/COOKIE[?]($_POST/GET/REQUEST/COOKIE[?]->260'=>'\$_(POST|GET|REQUEST|COOKIE)\[([^\]]+)\]\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)\[', 
56 | '一句话后门特征->echo(file_get_contents($_POST/GET/REQUEST/COOKIE->101'=>'echo\(file_get_contents\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)', 
57 | '上传后门特征->file_put_contents($_POST/GET/REQUEST/COOKIE,$_POST/GET/REQUEST/COOKIE->200'=>'file_put_contents\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)\[([^\]]+)\],(\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
58 | '上传后门特征->fputs(fopen("?","w"),$_POST/GET/REQUEST/COOKIE[->200'=>'fputs\(fopen\((.+),(\'|")w(\'|")\),(\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)\[',
59 | '.htaccess插马特征->SetHandler application/x-httpd-php->260'=>'SetHandlerapplication\/x-httpd-php',
60 | '.htaccess插马特征->php_value auto_prepend_file->260'=>'php_valueauto_prepend_file',
61 | '.htaccess插马特征->php_value auto_append_file->260'=>'php_valueauto_append_file'
62 | ); 
63 | }
64 | ?>
65 | 


--------------------------------------------------------------------------------