PHP/BackDoor



PHP/BackDoor is a malicious application that allows hackers to remotely access your computer system, letting them modify files, steal personal information and install more unwanted software. These kinds of threats, called Trojan Horses, must be sent to you by someone or carried by another program. They may also arrive through unwanted downloads from infected websites, or be installed along with online games or other internet-driven applications.

It is very painful if your site is affected by a virus. It happened with us last year. We lost too much business and also lost client faith.
How do you know a virus has affected your website?
If your site is redirecting to some other domain or giving unexpected PHP code errors, please follow these steps:
1) Download your index.php file, open it in an editor and check it. Viruses mostly attack the website header area or the end of the page.
2) Check there for any iframe code that is not related to your site.
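The check in step 2 can be automated: the added example below (not code from the original post) lists every iframe in a page whose src is an absolute URL on a host other than your own domain. The sample page, its domains and the function name foreign_iframes are constructed for illustration; it assumes GNU grep for -o and only handles double-quoted src attributes.

```shell
#!/bin/sh
# Added example, not from the original post: report <iframe> tags whose src
# points outside your own domain, the injection pattern described in step 2.
# Constructed sample page: one legitimate iframe, one injected hidden one,
# and one relative (same-site) iframe. The domains are reserved example names.
SAMPLE_PAGE='<html><body>
<iframe src="https://www.example.com/embed/video"></iframe>
<div style="display:none"><iframe src="http://gooqle-ads.example.net/in.php" width=1 height=1></iframe></div>
<iframe src="/local/frame.html"></iframe>
</body></html>'

# Reads HTML on stdin; $1 = your domain (e.g. example.com).
# Prints each iframe src that is an absolute URL whose host is neither
# your domain nor one of its subdomains. Relative URLs are never reported.
foreign_iframes() {
  own=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
  grep -oiE '<iframe[^>]*src *= *"[^"]*"' \
  | sed -E 's/.*[sS][rR][cC] *= *"//; s/"$//' \
  | grep -E '^(https?:)?//' \
  | grep -viE "^(https?:)?//([a-z0-9-]+\.)*${own}(:[0-9]+)?(/|$)" || true
}

printf '%s\n' "$SAMPLE_PAGE" | foreign_iframes example.com
```

Run it against a downloaded index.php; anything printed deserves a manual look, though a legitimate third-party embed will also appear.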

How to find backdoor PHP shell scripts on a server


When hackers get access to your website server, they sometimes install a backdoor shell script designed to let them regain entry even after you have cleaned up the site, repaired the original security hole that allowed the hack, otherwise improved site security, and even installed measures to try to lock them out.
A backdoor script can be called from a browser like any other web page. It gives its user a web page interface where they can download and upload, view or modify files, create directories, and otherwise manage the site using PHP's ability to read and write files and pass commands through to the operating system.
One way to find these scripts is by searching website access logs for the suspicious requests that are generated when someone uses a script to modify site files.
Backdoor scripts often need PHP functions that most legitimate scripts don't, so you can search the files in your site for those functions with a text search utility. Functions worth searching for:
  • passthru
  • shell_exec
  • system
  • phpinfo
  • base64_decode
  • edoced_46esab
  • chmod
  • mkdir
  • ` (backticks with an operating system command between them)
  • fopen
  • fclose
  • readfile
On a Linux server, the grep program is already installed as part of the operating system. The only problem is figuring out how to launch it.
If you have command line access to your server (SSH), there’s no problem. You can run it from the command line and have the results displayed to you.

Sample text searches for suspicious PHP code.

Do the search once for each of the suggested PHP keywords listed above, for example:
grep -Rn "mkdir *(" public_html/
Or search for all of them in one pass:
grep -RPn "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" public_html/
Or we can use the following Perl script (source), which scores each file by the number of suspicious functions and known shell signatures it contains:
#!/usr/bin/perl -w
# usage: ./findshell.pl <sensitivity 1-50> <directory to scan>
use strict;
use File::Find;

my $sens   = shift || 10;    # report files scoring at or above this
my $folder = shift || './';  # directory to scan recursively
find(\&backdoor, $folder);

sub backdoor {
    # File::Find sets $_ to the file name and chdirs into its directory
    if (/\.(php|txt)/) {
        open(my $IN, '<', $_) or die "can not open file $File::Find::name: $!";
        my @file = <$IN>;
        close $IN;
        # functions that may be evil: one point per matching line
        my $score = grep(/function_exists\(|phpinfo\(|safe_?mode|shell_exec\(|popen\(|passthru\(|system\(|myshellexec\(|exec\(|getpwuid\(|getgrgid\(|fileperms\(/i, @file);
        # patterns that are probably evil (request data fed to eval/system, known shell names): fifty points per matching line
        my $tempscore = grep(/\`\$\_(post|request|get).{0,20}\`|(include|require|eval|system|passthru|shell_exec).{0,10}\$\_(post|request|get)|eval.{0,10}base64_decode|back_connect|backdoor|r57|PHPJackal|PhpSpy|GiX|Fx29SheLL|w4ck1ng|milw0rm|PhpShell|k1r4|FeeLCoMz|FaTaLisTiCz|Ve_cENxShell|UnixOn|C99madShell|Spamfordz|Locus7s|c100|c99|x2300|cgitelnet|webadmin|cybershell|STUNSHELL|Pr!v8|PHPShell|KaMeLeOn|S4T|oRb|tryag|sniper|noexecshell|\/etc\/passwd|revengans/i, @file);
        $score += 50 * $tempscore;
        print "$score - Possible backdoor : $File::Find::name\n" if $score > $sens - 1;
    }
    elsif (/\.(jpg|jpeg|gif|png|tar|zip|gz|rar|pdf)/) {
        # PHP code inside a file that should never contain any is a strong sign
        open(my $IN, '<', $_) or do {
            print "can not open file $File::Find::name: $!\n";
            return;
        };
        print "5000 - Possible backdoor (php in non-php file): $File::Find::name\n"
            if grep /(\<\?php|include(\ |\())/i, <$IN>;
        close $IN;
    }
}
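The post mentions searching access logs for traces of a shell being used but gives no example; the added script below (not from the original post or its sources) flags combined-format Apache/nginx log lines where a .php file is executed from an uploads or images directory, where the file name matches one of the shell names listed above, or where a POST goes to a .php file that is not a normal entry point. The sample log lines, their IPs and the default list of legitimate POST targets (a WordPress-style assumption) are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: flag access-log lines that look
# like a PHP backdoor being used. Input is a combined-format log on stdin.
# Constructed sample log: fictional IPs (documentation ranges) and paths.
SAMPLE_LOG='203.0.113.5 - - [10/Mar/2011:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2011:12:00:05 +0000] "GET /wp-content/uploads/2011/03/photo.jpg HTTP/1.1" 200 84213 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2011:12:01:09 +0000] "POST /wp-content/uploads/2011/03/shell.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2011:12:01:30 +0000] "GET /wp-includes/c99.php?act=ls HTTP/1.1" 200 9011 "-" "-"
203.0.113.9 - - [10/Mar/2011:12:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# $1 (optional) = extended regex of .php paths that legitimately receive POSTs.
# The default is an assumption for a WordPress site; adjust it for your site.
# Output per flagged line: reason <tab> client IP <tab> path (query removed).
suspicious_requests() {
  allowed='^/(index|wp-login|wp-comments-post|xmlrpc|wp-admin/[a-z-]+)[.]php$'
  if [ -n "$1" ]; then allowed="$1"; fi
  awk -v allowed="$allowed" '
  {
    method = $6; sub(/^"/, "", method)   # field 6 is the quoted method
    path = $7; sub(/\?.*/, "", path)     # field 7 is the path; drop the query
    lp = tolower(path)
    reason = ""
    if (lp ~ /\/(uploads|images|img|cache|tmp)\/.*\.php[0-9]?$/)
      reason = "php executed from upload/image dir"
    else if (lp ~ /\/(c99|c100|r57|shell|phpspy)[^\/]*\.php[0-9]?$/)
      reason = "web-shell-like file name"
    else if (method == "POST" && path !~ allowed)
      reason = "POST to unexpected php file"
    if (reason != "") print reason "\t" $1 "\t" path
  }'
}

printf '%s\n' "$SAMPLE_LOG" | suspicious_requests
```

On a real server run it as `suspicious_requests < /var/log/apache2/access.log`; the flagged paths are the files to open and inspect, and the client IPs are what to block while you clean up.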

PHP Script Scanner To Find Backdoor PHP Shell Scripts On A Server

 

<?php
/* lookforbadguys.php 3-10-2011
-- Purpose: iterate through server files looking for hacker code snippets, backdoor scripts,
   .htaccess redirects, and suspicious file names.
-- Caveats: Not all things it finds are hacks. Not all hacks are found.
-- You should also look for weird files (such as .php files) in your image directories, especially
   if your .htaccess has redirects or was made executable.
-- Some searches are commented out because they can give too many false positives.
-- This script should work the same on a Linux or Windows server.
   It runs fast in Linux/Apache/PHP, and very slowly in Windows/Apache/PHP.
*/
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="Content-Language" content="en-us">
<title>Looking for bad guys</title>
</head>

<body>
<p>Looking for bad guys. </p>
<p>This script looks for traces of malicious code including code injections,
modified .htaccess that makes images executable, and so on.</p>
<p>

<?php
// SET MAXIMUM EXECUTION TIME TO UNLIMITED (0) BECAUSE THE SCRIPT CAN TAKE A WHILE.
// YOU COULD USE A MORE CONSERVATIVE TIME LIMIT SUCH AS 1 HOUR (3600 SECONDS), JUST IN CASE.
// THESE HAVE NO EFFECT IF YOU RUN PHP IN "SAFE MODE" (SAFE MODE IS USUALLY UNDESIRABLE ANYWAY).
ini_set('max_execution_time', '0');
set_time_limit(0); // set_time_limit IS A FUNCTION, NOT AN ini SETTING

// --------------------------------------------------------------------------------
// UTILITY FUNCTIONS.
// OUTPUT TEXT IN SPECIFIED COLOR, CLEANING IT WITH HTMLENTITIES().
function CleanColorText($text, $color)
{
    $outputcolor = 'black';
    $color = trim($color);
    if(preg_match('/^(red|blue|green|black)$/i', $color))
        $outputcolor = $color;
    return '<span style="color:' . $outputcolor . ';">' . htmlentities($text, ENT_QUOTES) . '</span>';
}

// --------------------------------------------------------------------------------
// THIS FUNCTION RECURSIVELY FINDS FILES AND PROCESSES THEM THROUGH THE SPECIFIED CALLBACK FUNCTION.
// DIFFERENT TYPES OF FILES NEED TO BE HANDLED BY DIFFERENT CALLBACK FUNCTIONS.

function find_files($path, $pattern, $callback)
{
    // CHANGE BACKSLASHES TO FORWARD, WHICH IS OK IN PHP, EVEN IN WINDOWS.
    // REMOVE ANY TRAILING SLASHES, THEN ADD EXACTLY ONE.
    $path = rtrim(str_replace("\\", "/", $path), '/') . '/';
    if(!is_readable($path))
    {
        echo "Warning: Unable to open and enter directory " . CleanColorText($path, 'blue') .
            ". Check its owner/group permissions.<br>";
        return;
    }
    $dir = dir($path);
    $entries = array();
    while(($entry = $dir->read()) !== FALSE)
        $entries[] = $entry;
    $dir->close();
    foreach($entries as $entry)
    {
        $fullname = $path . $entry;
        if(($entry !== '.') && ($entry !== '..') && is_dir($fullname))
            find_files($fullname, $pattern, $callback);
        else if(is_file($fullname) && preg_match($pattern, $entry))
            call_user_func($callback, $fullname);
    }
}

// --------------------------------------------------------------------------------
// CALLBACK FUNCTIONS.
// CALLBACK FUNCTION TO LOOK FOR MALICIOUS CODE - YOU COULD ADD ANY OTHER MALICIOUS CODE SNIPPETS YOU KNOW OF.
function maliciouscodesnippets($filename)
{
    // DON'T FLAG THIS FILE WHICH I CALLED lookforbadguys.php.
    // COMPARE AGAINST false: stripos() RETURNS 0 (FALSY) FOR A MATCH AT POSITION 0.
    if(stripos($filename, "lookforbadguys.php") !== false)
        return;

    if(!is_readable($filename))
    {
        echo "Warning: Unable to read " . CleanColorText($filename, 'blue') .
            ". Check it manually and check its access permissions.<br>";
        return;
    }
    $file = file_get_contents($filename); // READ THE FILE

    // PRINTING EVERY FILENAME GENERATES A LOT OF OUTPUT.
    //echo CleanColorText($filename, 'green') . " is being examined.<br>";

    // TEXT FILES WILL BE SEARCHED FOR THESE SNIPPETS OF SUSPICIOUS TEXT.
    // THESE ARE REGULAR EXPRESSIONS WITH THE REQUIRED /DELIMITERS/ AND WITH SPECIAL CHARACTERS ESCAPED.
    // /i AT THE END MEANS CASE INSENSITIVE.
    $SuspiciousSnippets = array
    (
        // POTENTIALLY SUSPICIOUS PHP CODE
        '/edoced_46esab/i',
        '/passthru *\(/i',
        '/shell_exec *\(/i',
        '/document\.write *\(unescape *\(/i',

        // THESE CAN GIVE MANY FALSE POSITIVES WHEN CHECKING WORDPRESS AND OTHER CMS.
        // NONETHELESS, THEY CAN BE IMPORTANT TO FIND, ESPECIALLY BASE64_DECODE.
        '/base64_decode *\(/i',
        '/system *\(/i',
        '/`.+`/', // BACKTICK OPERATOR INVOKES SYSTEM FUNCTIONS, SAME AS system()
        // '/phpinfo *\(/i',
        // '/chmod *\(/i',
        // '/mkdir *\(/i',
        // '/fopen *\(/i',
        // '/fclose *\(/i',
        // '/readfile *\(/i',

        // SUSPICIOUS NAMES. SOME HACKERS SIGN THEIR SCRIPTS. MANY NAMES COULD GO HERE,
        // HERE IS A GENERIC EXAMPLE. YOU CAN FILL IN WHATEVER NAMES YOU WANT.
        '/hacked by /i',

        // OTHER SUSPICIOUS TEXT STRINGS
        '/web[\s-]*shell/i', // TO FIND BACKDOOR WEB SHELL SCRIPTS.
        '/c99/i', // THE NAMES OF TWO POPULAR WEB SHELLS.
        '/r57/i',

        // YOU COULD ADD IN THE SPACE BELOW SOME REGULAR EXPRESSIONS TO MATCH THE NAMES OF MALICIOUS DOMAINS
        // AND IP ADDRESSES MENTIONED IN YOUR GOOGLE SAFEBROWSING DIAGNOSTIC REPORT. SOME EXAMPLES:
        '/gumblar\.cn/i',
        '/martuz\.cn/i',
        '/beladen\.net/i',
        '/gooqle/i', // NOTE THIS HAS A Q IN IT.

        // THESE 2 ARE THE WORDPRESS CODE INJECTION IN FRONT OF EVERY INDEX.PHP AND SOME OTHERS
        '/_analist/i',
        '/anaiytics/i' // A TRAILING COMMA AFTER THE LAST ENTRY IS OPTIONAL IN PHP.
    );

    foreach($SuspiciousSnippets as $i)
    {
        // STRPOS/STRIPOS WERE A LITTLE FASTER BUT LESS FLEXIBLE
        if(preg_match($i, $file))
            echo CleanColorText($filename, 'blue') . ' MATCHES REGEX: ' . CleanColorText($i, 'red') . '<br>';
    }

    if(strpos($filename, "network.php") === false && strpos($filename, "rewrite.php") === false &&
       stripos($file, "RewriteRule") !== false)
        echo CleanColorText($filename, 'blue') . " contains " . CleanColorText("RewriteRule", 'red') .
            " - check it manually for malicious redirects.<br>";

    /*
    // THIS FINDS ALL JAVASCRIPT CODE. IF ENABLED, IT WILL GIVE *MANY* FALSE POSITIVES IN MOST WEBSITES.
    if(($p = stripos($file, "<script ")) !== false)
        echo CleanColorText($filename, 'blue') . ' contains SCRIPT:<br>' .
            CleanColorText(substr($file, $p, 100), 'red') . '<br><br>';
    */
    /*
    // THIS FINDS ALL IFRAMES. IF ENABLED, IT CAN GIVE MANY FALSE POSITIVES IN SOME WEBSITES.
    if(($p = stripos($file, "<iframe ")) !== false)
        echo CleanColorText($filename, 'blue') . ' contains IFRAME:<br>' .
            CleanColorText(substr($file, $p, 100), 'red') . '<br><br>';
    */

    if(stripos($file, "AddHandler") !== false)
    {
        // THIS IS HOW THEY MAKE THE IMAGE FILES EXECUTABLE.
        echo CleanColorText($filename, 'blue') . " contains " . CleanColorText('AddHandler', 'red') .
            " - make sure it does not make ordinary files like images executable.<br>";
        // IF YOU FIND NINE ZILLION OF THESE, UNCOMMENT IT BECAUSE IT IS A PAIN TO DELETE THEM BY HAND.
        // BUT CHECK THE LIST CAREFULLY FIRST TO MAKE SURE YOU REALLY WANT TO DELETE
        // ALL THE FILES AND NONE OF THEM ARE FALSE POSITIVES.
        //unlink($filename); // THIS DELETES THE FILE WITHOUT GIVING YOU THE OPTION OF EXAMINING IT!
    }
}

// CALLBACK FUNCTION TO REPORT PHARMA LINK HACKS.
function pharma($filename)
{
    echo CleanColorText($filename, 'blue') . " is most likely a " . CleanColorText('pharma hack', 'red') . ".<br>";
}

// CALLBACK FUNCTION TO REPORT FILES WHOSE NAMES ARE SUSPICIOUS.
function badnames($filename)
{
    echo CleanColorText($filename, 'blue') . " is a " . CleanColorText('suspicious file name', 'red') . ".<br>";
}

// --------------------------------------------------------------------------------
// SET UP THE SEARCH CRITERIA.

// SEARCHES WILL BE DONE IN THIS DIRECTORY AND ALL DIRS INSIDE IT.
// './' MEANS CURRENT DIRECTORY, WHERE THIS SCRIPT IS NOW.
// THUS, TO SEARCH EVERYTHING INSIDE PUBLIC_HTML, THAT'S WHERE THIS FILE SHOULD BE PUT.
// TO SEARCH OUTSIDE PUBLIC_HTML, OR TO SEARCH A FOLDER OTHER THAN WHERE THIS SCRIPT IS STORED,
// CHANGE THIS TO THE FULL PATHNAME, SUCH AS /home/userid/ OR /home/userid/public_html/somefolder/
// USE FORWARD SLASHES FOR PATH. WINDOWS EXAMPLE: C:/wamp/apache2/htdocs/test/
$StartPath = './';

// ENTRIES IN THE FOLLOWING 3 ARRAYS ARE REGULAR EXPRESSIONS, WHICH IS THE REASON FOR THE /DELIMITERS/.
// FILES WHOSE NAMES MATCH THESE REGEXES WILL HAVE THEIR TEXT SEARCHED FOR MALICIOUS CODE.
$FiletypesToSearch = array
(
    '/\.htaccess$/i',
    '/\.php[45]?$/i',
    '/\.html?$/i',
    '/\.aspx?$/i',
    '/\.inc$/i',
    '/\.cfm$/i',
    '/\.js$/i',
    '/\.css$/i'
);

// FILES OR FOLDERS WITH THESE STRINGS IN THEIR *NAMES* WILL BE REPORTED AS SUSPICIOUS.
$SuspiciousFileAndPathNames = array
(
    // '/root/i',
    // '/kit/i',
    '/c99/i',
    '/r57/i',
    '/gifimg/i'
);

// FILENAMES RELATED TO WORDPRESS PHARMA HACK, USING THE NAMING CONVENTIONS
// DESCRIBED AT http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php
// FILES MATCHING THESE NAMES WILL BE REPORTED AS POSSIBLE PHARMA HACK FILES.
$PharmaFilenames = array
(
    '/^\..*(cache|bak|old)\.php/i', // HIDDEN FILES WITH PSEUDO-EXTENSIONS IN THE MIDDLE OF THE FILENAME
    '/^db-.*\.php/i',

    // PERMIT THE STANDARD WORDPRESS FILES THAT START WITH CLASS-, BUT FLAG ALL OTHERS AS SUSPICIOUS.
    // THE (?!) IS CALLED A NEGATIVE LOOKAHEAD ASSERTION. IT MEANS "NOT FOLLOWED BY..."

    '/^class-(?!snoopy|smtp|feed|pop3|IXR|phpmailer|json|simplepie|phpass|http|oembed|ftp-pure|wp-filesystem-ssh2|wp-filesystem-ftpsockets|ftp|wp-filesystem-ftpext|pclzip|wp-importer|wp-upgrader|wp-filesystem-base|ftp-sockets|wp-filesystem-direct)\.php/i'
);

// --------------------------------------------------------------------------------
// FINALLY, DO THE SEARCHES, USING THE ABOVE ARRAYS AS THE STRING DATA SOURCES.

// REPORT FILES WITH SUSPICIOUS NAMES
foreach($SuspiciousFileAndPathNames as $i)
    find_files($StartPath, $i, 'badnames');

// REPORT FILES WITH SUSPICIOUS PHARMA-RELATED NAMES
foreach($PharmaFilenames as $i)
    find_files($StartPath, $i, 'pharma');

// REPORT FILES CONTAINING SUSPICIOUS CODE OR TEXT
foreach($FiletypesToSearch as $i)
    find_files($StartPath, $i, 'maliciouscodesnippets');

echo "<br>Done<br>";

?>

</p>
</body>
</html>
INSTRUCTIONS:
1. Save it as lookforbadguys.php
2. Upload it to public_html and run it in a browser, e.g. http://situskamu.com/lookforbadguys.php
3. To stop other visitors from running this file, put the following in your .htaccess file:
<Files lookforbadguys.php>
order deny,allow
deny from all
# REPLACE WITH YOUR OWN IP ADDRESS
allow from 111.222.333.444
</Files>
Example of the scan output for a file containing a PHP backdoor shell script:
./shell.php MATCHES REGEX: /r57/i
./shell.php MATCHES REGEX: /c99/i
./shell.php MATCHES REGEX: /passthru *\(/i
./shell.php MATCHES REGEX: /shell_exec *\(/i
./shell.php MATCHES REGEX: /system *\(/i
./shell.php MATCHES REGEX: /`.+`/
./shell.php MATCHES REGEX: /web[\s-]*shell/i


2 comments:

  1. Nice blog... A PHP malicious code scanner is a very good tool for a malicious code scan.

  2. Thanks for sharing Remove malware virus from website great post.
    php development melbourne
