WebShell Detection and Removal
Windows
D盾 (D-Shield)
Linux
Searching with commands
$ find /site/* -type f -name "*.php" | xargs grep "eval"
$ find /site/* -type f -name "*.php" | xargs grep "base64_decode"
$ find /site/* -type f -name "*.php" | xargs grep -F '@$'
The third pattern is a fixed string in single quotes so that it matches error-suppressed expressions such as @$_POST[...]; as a double-quoted regex, "@$" only matched a line ending in "@".
$ find /www/ -name "*.php" | xargs grep -E 'assert|phpspy|c99sh|milw0rm|eval|\(gzuncompress|spider_bc|shell_exec|passthru|\(\$_POST\[|eval *\(str_rot13|\.chr\(|\$\{"_P|eval\(\$_R|file_put_contents\(.*\$_|base64_decode'
Every hit is a lead for manual review, not a verdict: legitimate code also calls base64_decode or shell_exec. Use find ... -print0 | xargs -0 when paths may contain spaces, and add -l to grep to list only file names.
Find PHP files modified within the last 24 hours:
$ find ./ -mtime 0 -name "*.php"
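The one-liners above, folded into a single scan with an optional "modified in the last N days" filter, as an added example that is not code from the original page. The indicator regex, the function names and the small web-root fixture (two clean files, two webshell-style samples) are constructed for this example so it runs offline; the pattern list goes a little beyond the page's own by also covering popen/proc_open/create_function and the deprecated preg_replace /e modifier.

```shell
#!/bin/sh
# Added example, not code from the original page: fold the find/grep one-liners
# above into one scan with an optional "modified in the last N days" filter.
# Assumes GNU or BSD find and grep; the fixture content and WEBSHELL_RE are
# constructed for this example.

# Indicator regex (ERE). A hit is a lead for manual review, not a verdict:
# legitimate code also calls base64_decode or exec(), so expect some noise.
WEBSHELL_RE='eval[[:space:]]*\(|assert[[:space:]]*\(|system[[:space:]]*\(|shell_exec|passthru|exec[[:space:]]*\(|popen[[:space:]]*\(|proc_open|base64_decode|gzuncompress|gzinflate|str_rot13|create_function|preg_replace\(.*/e|\([[:space:]]*\$_(POST|GET|REQUEST|COOKIE)\[|\$\{"_P|file_put_contents\(.*\$_|phpspy|c99sh|milw0rm|spider_bc'

# scan_webshells DIR [DAYS]
# Prints, sorted and one per line, every *.php under DIR whose content matches
# WEBSHELL_RE. With DAYS, only files modified in the last DAYS*24h are read
# (find -mtime -DAYS, the same idea as the -mtime 0 check above).
scan_webshells() {
    dir=$1
    mtime_expr=""
    [ -n "${2:-}" ] && mtime_expr="-mtime -$2"
    # -exec ... {} + batches files like xargs but copes with spaces in names.
    # mtime_expr is left unquoted on purpose so it splits into two find args.
    find "$dir" -type f -name '*.php' $mtime_expr \
        -exec grep -lE -- "$WEBSHELL_RE" {} + 2>/dev/null | sort
}

# make_fixture DIR: write a small constructed web root (two clean files, two
# webshell-style samples) so the scan can be exercised offline. Do not deploy.
make_fixture() {
    mkdir -p "$1/inc" "$1/uploads"
    printf '%s\n' '<?php' \
        'function greet($n) { return "Hello, " . htmlspecialchars($n); }' \
        > "$1/inc/helpers.php"
    printf '%s\n' '<?php' 'require __DIR__ . "/inc/helpers.php";' \
        '$name = $_GET["name"] ?? "world";' 'echo greet($name);' \
        > "$1/index.php"
    # error-suppressed eval of POST input: the classic one-line shell
    printf '%s\n' '<?php' '@eval($_POST["cmd"]);' > "$1/uploads/avatar.php"
    # function name hidden in base64 ("system"), called on request input
    printf '%s\n' '<?php' '$f = base64_decode("c3lzdGVt");' '$f($_REQUEST["x"]);' \
        > "$1/uploads/img.php"
}

# demo: build the fixture in a temp dir, scan it twice, clean up.
demo() {
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    echo "all suspicious files:";   scan_webshells "$tmp"
    echo "changed in last 24h:";    scan_webshells "$tmp" 1
    rm -rf "$tmp"
}

# Usage: sh webshell_scan.sh /var/www/html [DAYS]; with no arguments, run the demo.
if [ $# -ge 1 ]; then
    scan_webshells "$1" "${2:-}"
else
    demo
fi
```

Run against the real web root rather than the fixture, then read every flagged file by hand; the recency filter is most useful right after an incident, when the attacker's upload is among the few files that changed.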
Tools
Create audit rules
$ vim /etc/audit/audit.rules
# drop auditd's own CONFIG_CHANGE records (generated when rules are loaded)
-a exclude,always -F msgtype=CONFIG_CHANGE
# log every execve() made by uid 48 (the apache user on RHEL/CentOS) under the key "webshell"
-a exit,always -F arch=b64 -F uid=48 -S execve -k webshell
Replace 48 with the uid your web server actually runs as (www-data is uid 33 on Debian/Ubuntu), and add the same rule with -F arch=b32 if 32-bit binaries can run, otherwise they bypass the b64 rule. On systems with /etc/audit/rules.d/, put the rules in a file there and load them with augenrules --load; otherwise use auditctl -R /etc/audit/audit.rules. Query the results with ausearch -k webshell: a web-server process spawning sh, curl, wget or a compiler is the signal a webshell usually leaves.
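Triage of the events that the -k webshell rule produces, as an added example that is not code from the original page: each flagged SYSCALL record is paired with its EXECVE record by audit event id and printed as one line with uid, binary and argv. The log lines are constructed samples in auditd's key=value layout; in production feed it /var/log/audit/audit.log or the output of ausearch -k webshell --raw. The function name and output format are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original page: correlate the SYSCALL and
# EXECVE records that the "-k webshell" rule emits, so each execve() by the web
# server uid becomes one readable line with the real argv. Assumes POSIX awk.
# The log lines below are constructed samples in auditd's key=value layout:
# event 9001 and 9003 are flagged (uid 48), event 9002 is an unrelated root cron job.
AUDIT_SAMPLE='type=SYSCALL msg=audit(1700000000.101:9001): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d1 a2=55d2 a3=0 items=2 ppid=2100 pid=2133 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" key="webshell"
type=EXECVE msg=audit(1700000000.101:9001): argc=3 a0="sh" a1="-c" a2="id"
type=SYSCALL msg=audit(1700000000.102:9002): arch=c000003e syscall=59 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=2 ppid=1 pid=2200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/usr/bin/run-parts" key=(null)
type=EXECVE msg=audit(1700000000.102:9002): argc=2 a0="run-parts" a1="/etc/cron.hourly"
type=SYSCALL msg=audit(1700000000.103:9003): arch=c000003e syscall=59 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=2 ppid=2133 pid=2134 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="curl" exe="/usr/bin/curl" key="webshell"
type=EXECVE msg=audit(1700000000.103:9003): argc=3 a0="curl" a1="-o" a2="/tmp/.x"'

# webshell_execs [FILE...]
# Reads audit records (files, or stdin when no file is given) and prints one
# line per execve that carried key="webshell": uid, binary, and the argv taken
# from the matching EXECVE record. Records are paired on the msg=audit(TIME:SERIAL)
# event id, which both record types share.
webshell_execs() {
    awk '
    # SYSCALL record produced by our rule: remember uid and exe under its event id.
    /^type=SYSCALL / && /key="webshell"/ {
        id = ""; uid = ""; exe = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^msg=audit\(/)      id  = $i
            else if ($i ~ /^uid=/)        uid = substr($i, 5)
            else if ($i ~ /^exe=/)      { exe = substr($i, 5); gsub(/"/, "", exe) }
        }
        if (id != "") { wuid[id] = uid; wexe[id] = exe }
        next
    }
    # EXECVE record: if its event id was flagged, rebuild argv from a0, a1, ... in order.
    /^type=EXECVE / {
        id = ""; argv = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^msg=audit\(/) id = $i
            else if ($i ~ /^a[0-9]+=/) {
                v = $i; sub(/^a[0-9]+=/, "", v); gsub(/"/, "", v)
                argv = (argv == "") ? v : argv " " v
            }
        }
        if (id in wuid) {
            print "uid=" wuid[id] " exe=" wexe[id] " argv: " argv
            delete wuid[id]; delete wexe[id]
        }
    }' "$@"
}

# Usage: sh webshell_execs.sh /var/log/audit/audit.log
#    or: ausearch -k webshell --raw | sh webshell_execs.sh /dev/stdin
# With no arguments, run against the constructed sample above.
if [ $# -ge 1 ]; then
    webshell_execs "$@"
else
    printf '%s\n' "$AUDIT_SAMPLE" | webshell_execs
fi
```

Two caveats when reading real logs: auditd hex-encodes any argv element that contains spaces or quotes and writes it without quotes, so such arguments appear here as a hex string (ausearch -i decodes them), and a busy server will also log the web server's legitimate child processes, so filter on comm/exe (sh, curl, wget, python, gcc) before escalating.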