2013-01-13 66 views
0

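I have this question: why does the regular expression pattern work for HTML comments but not for PHP and JS comments?

Various pages of my website (specifically: html, php and js) are affected by a trojan (JS/Kryptik.ADZ according to a NOD32 scan).

The code in each type of page looks like this: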

PHP:

#336988# 
echo "<script type=\"text/javascript\" language=\"javascript\" > CODE OF MALWARE </script>"; 
#/336988# 

JS:

/*336988*/ 
CODE OF MALWARE 
/*/336988*/ 

HTML:

<!--336988--> 
<script type="text/javascript" language="javascript" >CODE OF MALWARE</script> 
<!--/336988--> 

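So I used Notepad++ and a regular expression to replace the malware text with blank text. My regex is this: (<!--|\#|/\*)336988.+/336988(-->|\#|\*/)

But only the HTML is found by this expression. Why?

I don't understand.

Sorry if my English and my regex knowledge are poor.

Thanks

Carlo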

+4

In text editors, '.+' usually doesn't cross line boundaries. – Barmar

+0

Replace '.' with '[\s\S]' – nhahtdh

+3

Start using version control right now, and deploy from the repository. You wouldn't need to "undo" changes like this. –
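The behaviour Barmar and nhahtdh describe, as an added example that is not part of the original thread: Python's re treats '.' the same way by default, so the asker's pattern can be run against constructed samples in the three shapes from the question. SAMPLES, diagnose and located are names made up for this example.

```python
import re

ASKER = r"(<!--|\#|/\*)336988.+/336988(-->|\#|\*/)"   # pattern from the question
FIXED = ASKER.replace(".+", r"[\s\S]+?")              # nhahtdh's change, made lazy

# Constructed samples: the marker layouts shown in the question, plus one
# HTML page where the whole injected block sits on a single line.
SAMPLES = {
    "html_one_line": '<p>hi</p><!--336988--><script>CODE OF MALWARE</script>'
                     '<!--/336988--><p>bye</p>',
    "html": '<p>hi</p>\n<!--336988-->\n<script>CODE OF MALWARE</script>\n'
            '<!--/336988-->\n',
    "php": '<?php\n#336988#\necho "<script>CODE OF MALWARE</script>";\n'
           '#/336988#\necho "ok";\n',
    "js": 'var a = 1;\n/*336988*/\nCODE OF MALWARE\n/*/336988*/\nvar b = 2;\n',
}

def diagnose(pattern):
    """Per sample: (matches as written, matches when '.' may cross newlines)."""
    return {
        name: (bool(re.search(pattern, text)),
               bool(re.search(pattern, text, re.DOTALL)))
        for name, text in SAMPLES.items()
    }

def located(pattern, text):
    """1-based (first_line, last_line) of every match, for review before replacing."""
    spans = []
    for m in re.finditer(pattern, text):
        first = text.count("\n", 0, m.start()) + 1
        last = text.count("\n", 0, m.end()) + 1
        spans.append((first, last))
    return spans

if __name__ == "__main__":
    print(diagnose(ASKER))
    print({name: located(FIXED, text) for name, text in SAMPLES.items()})
```

With the original pattern only the single-line sample matches; any block whose opening and closing markers sit on different lines needs '.' to cross newlines or the '[\s\S]' form.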

Answers

0

Try this:

'^.*336988.*[\s\S]*.*336988.*$' 
+0

Sorry, it doesn't work – Carlo

+0

What are you getting? – ATOzTOA

+0

No match found. – Carlo

0

Try this, I had the same problem and it works

/#336988#(.*)#\/336988#/ism

0

UPDATE

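I have put the updated code on GitHub; it also has a fix for another similar trojan. It can now automatically fix 336988 and 68c8c7. The link is: https://github.com/francodgstn/SimpleFixScanner/blob/master/SimpleFixScanner.php


I had the same problem on many servers with WordPress installations. After searching for a solution, I implemented a small scanner class that finds and fixes all the files affected by the 336988 trojan on the server. The script can easily be extended to scan for other trojans. I hope this can help someone.

To use it, just put the script on the server and point your browser at it. If needed, you can adjust the $fileTypeToScan array to match more extensions, and use $docRoot if you want to start the scan from a specific directory.

(Thanks to fatsouls32 - http://www.freestuff.gr/forums/viewtopic.php?t=64419 for the 336988 regex fix)

Code below:

SimpleFixScanner.php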

<?php 
/* 
* Sample class usage 
*/ 
$scanner = new SimpleFixScanner(); 
$scanner->scan(); 

/** 
* Simple trojan scanner to fix some tedious trojan, that 
* corrupt some files on the server. 
* 
* You can modify this code as you need, to add a new trojan fix 
* simply add a method that give in input a filepath and return 
* the appropriate exit status (see FixExitStatus class for details), and add the 
* trojan name and the method name to the fixList[] array for the callback. 
* See fix336988() for an example. 
* 
* Currently supported trojan: 
* - 336988 (Thanks to fatsouls32 - http://www.freestuff.gr/forums/viewtopic.php?t=64419 for 336988 regex fix) 
* 
* @author Franco D'Agostino 
* 
*/ 
class SimpleFixScanner { 
    var $fileTypeToScan = array('php','html','htm','tpl',); 
    var $fixList = array(
      //'Scanner Regex Check'=>'devCheckRegex', //Use to check which files are scanned 
      'Trojan 336988' => 'fix336988', 
    ); 
    var $startTime; 
    var $memoryLimit = "200M"; 
    var $docRoot; 
    var $filesToScan; 
    var $filesScannedCount = 0; 
    var $filesFixed = array(); 


    /** 
    * Wrapper for the scan process 
    * @see $this->doScan() 
    */ 
    function scan(){ 
     echo "<h3>Simple Fix Scanner</h3>"; 
     echo "<hr />"; 
     echo "<p>Prepare the scanner... "; 
     $this->prepareScanner(); 
     echo "<i>done</i>"; 
     echo "<br><small>(Directory: " . $this->docRoot . ")</small></p>"; 

     // Do the scan process 
     echo "<p>Do scan... "; 
     $this->doScan(); 
     echo "<i>done</i></p>"; 

     // Echo scan results 
     $fileFixedCount = count($this->filesFixed); 
     if ($fileFixedCount > 0 ){ 
      echo "<h4>Matches:</h4>"; 
      echo "<p>Fixed " . $fileFixedCount . " of " . $this->filesScannedCount . " files scanned</p>"; 
      echo "<ul>"; 
      foreach($this->filesFixed as $item) { 
       $exitStatus = FixExitStatus::translateExitStatus($item['exitStatus']); 
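       // No sprintf here: a '%' in a path is not a format spec. The path is escaped for HTML output. 
       echo "<li>{$exitStatus} - <strong>{$item['fix']}</strong> was found in file " . htmlspecialchars($item['file']) . "</li>"; 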
      } 
      echo "</ul>"; 
     } else { 
      echo "<h4>No match found.</h4>"; 
      echo "<p>{$this->filesScannedCount} file scanned.</p>"; 
     } 



     $endtime = microtime(true); 
     $totaltime = ($endtime - $this->startTime); 
     echo "<p><small>Time elapsed: ".$totaltime." seconds</small></p>"; 
    } 


    /** 
    * Prepare the scanner 
    */ 
    function prepareScanner(){ 
     ini_set('memory_limit', $this->memoryLimit); 
     $this->startTime = microtime(true); 
     if (!$this->docRoot) 
      $this->docRoot = $_SERVER['DOCUMENT_ROOT']; 
     $this->filesToScan = $this->getFilesToScan($this->docRoot); 
    } 

    /** 
    * Execute the scan process 
    * @param unknown $param 
    */ 
    function doScan() { 
     foreach ($this->filesToScan as $search) { 
      $this->filesScannedCount++; 
      foreach ($this->fixList as $name => $method){ 
       $chekFile = call_user_func(array($this, $method), $search[0]); 
       if ($chekFile != FixExitStatus::FILE_OK) 
        $this->filesFixed[] = array('fix' => $name, 'file' => $search[0], 'exitStatus' => $chekFile); 
      } 
     } 
    } 

    /** 
    * Helper to get the list of the files to scan 
    */ 
    function getFilesToScan($rootDir){ 
     $directoryIterator = new RecursiveDirectoryIterator($rootDir); 
     $iterator = new RecursiveIteratorIterator($directoryIterator); 
     $regex ='/^.+\.(' .implode("|", $this->fileTypeToScan) . ')$/i'; 
     $files = new RegexIterator($iterator, $regex, RecursiveRegexIterator::GET_MATCH); 
     return $files; 
    } 

    /** 
    * Return true, just for check if the regex works. 
    * @param unknown $path 
    */ 
    function devCheckRegex($path) { 
     if(is_file($path)) 
      return true; 
     else 
      return false; 
    } 


    /** 
    * Check and fix file for: 
    * 336988 Trojan 
    * @param unknown $path 
    * @return int FixExitStatus::FILE_FIXED if the trojan was found and removed; otherwise FixExitStatus::FILE_OK 
    */ 
    function fix336988($path) { 
     $fileFixed = FixExitStatus::FILE_OK; 
     $regexPaterns = array(
      "/#336988#(.*?)#\/336988#/ism",    // php 
      "/\<!--336988-->(.*?)\<!--\/336988-->/ism", // html 
      '#(/\*336988\*/).*?(/\*/336988\*/)#ism', //js 
     ); 
     $data = file_get_contents($path); 

     foreach ($regexPaterns as $regex) { 
      if (preg_match($regex,$data)){ 
       // If found, replace malicious code with empty string 
       $data = preg_replace($regex,"",$data); 
       $fileFixed = FixExitStatus::FILE_FIXED; 
      }   
     } 
     if ($fileFixed != FixExitStatus::FILE_OK) 
      file_put_contents($path, $data); 

     return $fileFixed; 
    } 
} 


final class FixExitStatus { 
    private function __construct() {} // not instantiable: constants and a static helper only 
    // fix exit status 
    const FILE_OK = 0; 
    const FILE_FIXED = 1; 
    const CANT_FIX = 2; 

    public static function translateExitStatus($status) { 
     switch ($status) { 
      case FixExitStatus::FILE_OK: 
       return "File is safe"; 
      break; 
      case FixExitStatus::FILE_FIXED: 
       return "File fixed"; 
      break; 
      case FixExitStatus::CANT_FIX: 
       return "Can't fix file"; 
      break;   
     } 



    } 
} 

?> 
0

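Today I had the same problem, but with a different code. This code affected aspx, asp, htdocs, html, htm and js files. Below is my PowerShell code to fix these files. For JS files, you need to change the line: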

$regex = New-Object System.Text.RegularExpressions.Regex "<!--68c8c7-->((.|\n)*)<!--/68c8c7-->" 

to:

$regex = New-Object System.Text.RegularExpressions.Regex "/\*68c8c7\*((.|\n)*)68c8c7\*/" 

and the line

Get-ChildItem . -Recurse -Include *.aspx,*asp,*.html,*.htm | where-object {$_.lastwritetime -gt $DateToCompare} | %{Write-Host Examining file: $_.fullname; $_} | ForEach-Object { DoWork $_.Name $_.DirectoryName} 

to:

Get-ChildItem . -Recurse -Include *.js | where-object {$_.lastwritetime -gt $DateToCompare} | %{Write-Host Examining file: $_.fullname; $_} | ForEach-Object { DoWork $_.Name $_.DirectoryName} 

Code below (this script will create Backup_* files; afterwards you can delete these files):

function tryFixFile($filepath, $filepathBackup) 
{ 
    $infile = [string]::join([environment]::newline, (get-content -path $filepath)) 
    $regex = New-Object System.Text.RegularExpressions.Regex "<!--68c8c7-->((.|\n)*)<!--/68c8c7-->" 

    if($regex.IsMatch($infile)) 
    { 
     $intAnswer = $WScriptObject.popup("File needs to be changed: " + $filepath + " do you want to continue?", 0,"Change File",4) 
     If ($intAnswer -eq 6) 
     { 
      Write-Host " Creating backup for file: " $filepath 
      Copy-Item $filepath $filepathBackup 
      $replace = $regex.Replace($infile,"") 
      $replace | out-file $filepath 
     } else 
     { 
      $WScriptObject.popup("File " + $filepath + " won't be changed.") 
     } 
    } 
} 

function DoWork($filename, $directory) 
{ 
    $filepath = $directory + '\' + $filename 
    $filepathBackup = $directory + '\' + "Backup_" + $filename 

    $WScriptObject = new-object -comobject wscript.shell 

    tryFixFile $filepath $filepathBackup 
} 



$pathToCheck = Read-Host 'WARNING!! Path to check/change?' 
if (Test-Path $pathToCheck) 
{ 
    Set-Location $pathToCheck 

    # files were affected no more than 2 days ago; you can change this 
    $DateToCompare = (Get-date).AddDays(-2) 

    Get-ChildItem . -Recurse -Include *.aspx,*asp,*.html,*.htm | where-object {$_.lastwritetime -gt $DateToCompare} | %{Write-Host Examining file: $_.fullname; $_} | ForEach-Object { DoWork $_.Name $_.DirectoryName} 
}else 
{ 
    write-host "Path doesn't exist" 
} 
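
A report-first variant of the clean-up that the two scripts above perform, added here as an example (Python, not code from either answer): it removes each marked block separately with a lazy match, returns the CANT_FIX status when an opening marker has no closer, and keeps a Backup_ copy before rewriting. It assumes 68c8c7 blocks use the same three comment wrappers as 336988; block_re, audit and fix_file are names made up for this example.

```python
import re
import shutil
from pathlib import Path

FILE_OK, FILE_FIXED, CANT_FIX = 0, 1, 2      # same meanings as FixExitStatus
MARKERS = (b"336988", b"68c8c7")             # the two ids named in this thread

def block_re(marker, lazy=True):
    """Regex for one injected block in its HTML, PHP or JS wrapper (assumed shapes)."""
    m = re.escape(marker)
    body = rb".*?" if lazy else rb".*"       # lazy stops at the first closer
    return re.compile(
        rb"(?s)<!--" + m + rb"-->" + body + rb"<!--/" + m + rb"-->"
        rb"|#" + m + rb"#" + body + rb"#/" + m + rb"#"
        rb"|/\*" + m + rb"\*/" + body + rb"/\*/" + m + rb"\*/"
    )

def audit(data, lazy=True):
    """Return (status, cleaned_bytes) for a file's content; nothing is written."""
    cleaned, removed = data, 0
    for marker in MARKERS:
        cleaned, n = block_re(marker, lazy).subn(b"", cleaned)
        removed += n
    if any(marker in cleaned for marker in MARKERS):
        return CANT_FIX, data                # marker left over: review by hand
    return (FILE_FIXED if removed else FILE_OK), cleaned

def fix_file(path, dry_run=True):
    """Report by default; with dry_run=False keep a Backup_ copy, then rewrite."""
    path = Path(path)
    status, cleaned = audit(path.read_bytes())
    if status == FILE_FIXED and not dry_run:
        shutil.copy2(path, path.with_name("Backup_" + path.name))
        path.write_bytes(cleaned)            # bytes in, bytes out: encoding kept
    return status

# Constructed sample: one page carrying two injected blocks.
TWO_BLOCKS = (b"<p>a</p><!--336988--><script>X</script><!--/336988-->"
              b"<p>keep</p><!--336988--><script>Y</script><!--/336988--><p>z</p>")

if __name__ == "__main__":
    print(audit(TWO_BLOCKS))                 # lazy: <p>keep</p> survives
    print(audit(TWO_BLOCKS, lazy=False))     # greedy: <p>keep</p> is deleted too
```

The greedy call shows what a '(.|\n)*' or '[\s\S]*' body does when a file holds more than one injected block: everything between the first opener and the last closer goes, including legitimate markup.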