PHP implements Linux server Trojan detection and reinforcement functions, Linux reinforcement

php implements Linux server Trojan detection and reinforcement functions, Linux reinforcement

The website is frequently hacked? Make some improvements and basically solve this problem. Because there are loopholes in programs such as discuz Trojan horse.

Find and strengthen from the following aspects (if you can disable the membership function, do not provide any upload entrance, protect the background password, and strengthen PHP, there will generally be no problem).

1. Search based on feature code:

php Trojans generally contain

Copy code The code is as follows:

find /wwwroot/* -type f -name "*.php" |xargs grep "eval(" > /wwwroot/scan.txt

As a result, many obvious webshells were found, and they were all hidden in directories such as attachment

2. Use a php code on the Internet to search for recently modified files

scandir.php
The content is as follows:

Copy code The code is as follows:

set_time_limit(0);//Prevent timeout
/**
*
* Enhanced version of php directory scanning monitoring
*
* @author lssbing (lssbing#gmail.com)
* @date 2010-1-18
* @license BSD
* @version 1.0
*
The following variables need to be set manually before use
*
**/
/*====================== Program configuration=====================*/
$pass="12345";//Set password
$jkdir="."; //Set the directory for monitoring and scanning. The current directory is '.' and the upper-level directory is '..'. You can also set an absolute path. Do not add a slash after it. The default is the current directory
$logfilename="./m.log";//Set the path to store the log, which can be placed anywhere
$exclude=array('data','images');//Exclude directory
$danger='eval|cmd|passthru|gzuncompress';//Set the dangerous function to be found to determine whether it is a Trojan horse file
$suffix='php|inc';//Set the suffix of the files to be scanned
/*===================== End of configuration=====================*/

$filename=$_GET['filename'];
$check=$_GET['check'];
$jumpoff=false;
$url = $_SERVER['PHP_SELF'];
$thisfile = end(explode('/',$url));
$jump="{$thisfile}|".implode('|',$exclude);
$jkdir_num=$file_num=$danger_num=0;
define('M_PATH',$jkdir);
define('M_LOG',$logfilename);
if ($check=='check')
{
$safearr = explode("|",$jump);
$start_time=microtime(true);
safe_check($jkdir);
$end_time=microtime(true);
$total=$end_time-$start_time;
$file_num=$file_num-$jkdir_num;
$message= "Number of files:".$file_num;
$message.= "Number of folders:".$jkdir_num;
$message.= "Number of suspicious files:".$danger_num;
$message.= "Execution time:".$total;
echo $message;
}else{
if ($_GET['m']=="del") Delete();//Processing file deletion
//Read file content
if(isset($_GET['readfile'])){
//Output the view password. After the password is verified correctly, the file content will be output
if(emptyempty($_POST['passchack'])){
echo""
."";
exit;
}elseif(isset($_POST['passchack'])&&$_POST['passchack']==$pass){
$code=file_get_contents($_GET['readfile']);
echo"

{$code}< ;/textarea>"; 
exit; 
}else{ 
exit; 
} 
 
}else{ 
record_md5(M_PATH); 
if(file_exists(M_LOG)){ 
          $log = unserialize(file_get_contents(M_LOG)); 
}else{ 
          $log = array(); 
} 
 
if($_GET['savethis']==1){ 
//Save the current file md5 to the log file 
@unlink(M_LOG); 
file_put_contents(M_LOG,serialize($file_list)); 
echo "<a href='scandir.php'>Save successfully! Click to return</a>"; 
exit; 
} 
if(emptyempty($log)){ 
echo "No log file has been created yet! Click [Save Current] to create a log file!"; 
}else{ 
if($file_list==$log){ 
echo "No changes have been made to this folder!"; 
}else{ 
If(count($file_list) > 0 ){ 
foreach($file_list as $file => $md5){ 
If(!isset($log[$file])){ 
echo "New file:<a href={$file} target='_blank'>".$file."</a>"." Creation time:".date("Y-m-d H:i:s ",filectime($file))." Modification time: ".date("Y-m-d H:i:s",filemtime($file))." <a href=?readfile={$file} target='_blank '>Source code</a><a href='?m=del&filename={$file}' target='_blank'>Delete</a> " ; 
}else{ 
If($log[$file] != $md5){ 
echo "Modify file:<a href={$file} target='_blank'>".$file."</a>"." Creation time:".date("Y-m-d H:i:s" ,filectime($file))." Modification time: ".date("Y-m-d H:i:s",filemtime($file))." <a href=?readfile={$file} target='_blank' >Source code</a> "; 
 
 unset($log[$file]); 
}else{      unset($log[$file]); 
     } 
    } 
    } 
   } 
   if(count($log)>0){ 
    foreach($log as $file => $md5){ 
    echo "删除文件：<a href={$file} target='_blank'>".$file."</a> "; 
    } 
   } 
    } 
} 
} 
} 
  
//计算md5 
function record_md5($jkdir){ 
        global $file_list,$exclude; 
        if(is_dir($jkdir)){ 
                $file=scandir($jkdir); 
                foreach($file as $f){ 
                        if($f!='.' && $f!='..' && !in_array($f, $exclude)){ 
                                $path = $jkdir.'/'.$f; 
                                if(is_dir($path)){ 
                                        record_md5($path); 
                                }else{ 
                                        $file_list[$path]=md5_file($path); 
                                } 
                        } 
                } 
        } 
} 
  
function Safe_Check($jkdir)//遍历文件 
{ 
global $danger ,$suffix ,$jkdir_num ,$file_num ,$danger_num; 
  
$hand=@dir($jkdir) or die('文件夹不存在') ; 
while ($file=$hand->read()) 
{ 
    $filename=$jkdir.'/'.$file; 
    if (!$jumpoff) { 
   if(Jump($filename))continue; 
    } 
    if(@is_dir($filename) && $file != '.' && $file!= '..'&& $file!='./..') 
    {   $jkdir_num++; 
    Safe_Check($filename); 
    } 
    if (preg_match_all ("/.($suffix)/i",$filename,$out)) 
    { 
  
   $str=''; 
   $fp = @fopen($filename,'r')or die('没有权限'); 
   while(!feof($fp)) 
   { 
   $str .= fgets($fp,1024); 
   } 
   fclose($fp); 
   if( preg_match_all ("/($danger)[ rnt]{0,}([[(])/i",$str,$out)) 
   { 
   echo "可疑文件：{$filename}"." 创建时间：".date("Y-m-d H:i:s",filectime($filename))." 修改时间：".date("Y-m-d H:i:s",filemtime($filename))." <a href='?readfile={$filename}' target='_blank'>查看代码</a> <a href='?m=del&filename=$filename' target='_blank'>删除</a> "; 
   $danger_num++; 
   } 
    } 
    $file_num++; 
} 
} 
function Edit()//查看可疑文件 
{ 
global $filename; 
$filename = str_replace("..","",$filename); 
$file = $filename; 
$content = ""; 
if(is_file($file)) 
{ 
    $fp = fopen($file,"r")or die('没有权限'); $content = fread($fp,filesize($file)); 
fclose($fp); 
$content = htmlspecialchars($content); 
 
} 
echo "<textarea name='str' style='width:100%;height:450px;background:#cccccc;'>$content

rn";
exit();
}
function Delete()//Delete file
{ global $filename,$pass;
if(emptyempty($_POST['passchack'])){
echo""
."";
exit;
}elseif(isset($_POST['passchack'])&&$_POST['passchack']==$pass){
(is_file($filename))?($mes=unlink($filename)?'Delete successfully':'Delete failed View permissions'):'';
echo $mes;
exit();
}else{
echo 'Wrong password! ';
exit;
}
}
function Jump($file)//Skip file
{
global $jump,$safearr;
if($jump != '')
{
foreach($safearr as $v)
{
If($v=='') continue;
If( eregi($v,$file) ) return true ;
}
}
return false;
}
?>
[View file changes]|[Save current file fingerprint] |[Scan for suspicious files]

After execution, you can see the recently modified files, which is valuable to participate

3. Modify php.ini and restrict the following functions

Copy code The code is as follows:

disable_functions = phpinfo,passthru,exec,system,chroot,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server,fsocke,popen,proc_close, curl_exec,curl_multi_exec,parse_ini_file,show_source,dl,escapeshellarg,escapeshellcmd

4. Modify nginx.conf and restrict the execution of php files in some directories

Copy code The code is as follows:

server
{
    listen       80;
    server_name www.***.com;
    index   index.htm index.html index.php;
    root /wwwroot/;



    rewrite ^([^.]*)/topic-(.+).html$ $1/portal.php?mod=topic&topic=$2 last;
    rewrite ^([^.]*)/article-([0-9]+)-([0-9]+).html$ $1/portal.php?mod=view&aid=$2&page=$3 last;
    rewrite ^([^.]*)/forum-(w+)-([0-9]+).html$ $1/forum.php?mod=forumdisplay&fid=$2&page=$3 last;
    rewrite ^([^.]*)/thread-([0-9]+)-([0-9]+)-([0-9]+).html$ $1/forum.php?mod=viewthread&tid=$2&extra=page%3D$4&page=$3 last;
    rewrite ^([^.]*)/group-([0-9]+)-([0-9]+).html$ $1/forum.php?mod=group&fid=$2&page=$3 last;
    rewrite ^([^.]*)/space-(username|uid)-(.+).html$ $1/home.php?mod=space&$2=$3 last;
    rewrite ^([^.]*)/([a-z]+)-(.+).html$ $1/$2.php?rewrite=$3 last;
    rewrite ^([^.]*)/topic-(.+).html$ $1/portal.php?mod=topic&topic=$2 last;


        location ~ ^/images/.*.(php|php5)$
                {
              deny all;
                }

        location ~ ^/static/.*.(php|php5)$
                {
               deny all;
                }

        location ~* ^/data/(attachment|avatar)/.*.(php|php5)$
            {
                deny all;
            }

    location ~ .*.(php|php5)?$
    {
      fastcgi_pass 127.0.0.1:9000;
      fastcgi_index index.php;
      include fcgi.conf;
    }



error_page 400 /404.html;
error_page 403 /404.html;
error_page 404 /404.html;
error_page 405 /404.html;
error_page 408 /404.html;
error_page 410 /404.html;
error_page 411 /404.html;
error_page 412 /404.html;
error_page 413 /404.html;
error_page 414 /404.html;
error_page 415 /404.html;
error_page 500 /404.html;
error_page 501 /404.html;
error_page 502 /404.html;
error_page 503 /404.html;
error_page 506 /404.html;

log_format acclog    "$remote_addr $request_time $http_x_readtime [$time_local] "$request_method http://$host$request_uri" $status $body_bytes_sent "$http_referer" "$http_user_agent"";
        access_log /logs/access.log acclog;
}

此处需要注意的是

复制代码代码如下:

location ~ ^/images/.*.(php|php5)$
{
deny all;
}

这些目录的限制必须写在

复制代码代码如下:

location ~ .*.(php|php5)?$
{
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fcgi.conf;
}

, otherwise the restriction will not take effect.