UPDATE
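I have put the updated code on GitHub; it also has a fix for another similar trojan. It can now automatically fix 336988 and 68c8c7. The link is: https://github.com/francodgstn/SimpleFixScanner/blob/master/SimpleFixScanner.php
I ran into the same problem on many servers with WordPress installations, and after searching for a solution I implemented a small scanner class that finds and fixes all 336988 trojan problems on the server. The script can easily be extended to scan for other trojans. I hope this can help someone.
To use it, just put the script on the server and point your browser at it. If needed, you can adjust the $fileTypeToScan array to match more extensions, and use $docRoot if you want to start scanning from a specific directory.
(Thanks to fatsouls32 - http://www.freestuff.gr/forums/viewtopic.php?t=64419 for the 336988 regex fix)
Code below:
SimpleFixScanner.php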
<?php
/*
 * Sample class usage
 */
$scanner = new SimpleFixScanner();
$scanner->scan();

/**
 * Simple trojan scanner to fix some tedious trojans that
 * corrupt some files on the server.
 *
 * You can modify this code as you need. To add a new trojan fix,
 * simply add a method that takes a file path as input and returns
 * the appropriate exit status (see FixExitStatus class for details), and add the
 * trojan name and the method name to the fixList[] array for the callback.
 * See fix336988() for an example.
 *
 * Currently supported trojan:
 * - 336988 (Thanks to fatsouls32 - http://www.freestuff.gr/forums/viewtopic.php?t=64419 for 336988 regex fix)
 *
 * @author Franco D'Agostino [email protected]
 *
 */
class SimpleFixScanner {
    var $fileTypeToScan = array('php', 'html', 'htm', 'tpl',);
    var $fixList = array(
        //'Scanner Regex Check' => 'devCheckRegex', // Use to check which files are scanned
        'Trojan 336988' => 'fix336988',
    );
    var $startTime;
    var $memoryLimit = "200M";
    var $docRoot;
    var $filesToScan;
    var $filesScannedCount = 0;
    var $filesFixed = array();

    /**
     * Wrapper for the scan process
     * @see $this->doScan()
     */
    function scan() {
        echo "<h3>Simple Fix Scanner</h3>";
        echo "<hr />";
        echo "<p>Prepare the scanner... ";
        $this->prepareScanner();
        echo "<i>done</i>";
        echo "<br><small>(Directory: " . htmlspecialchars($this->docRoot) . ")</small></p>";

        // Do the scan process
        echo "<p>Do scan... ";
        $this->doScan();
        echo "<i>done</i></p>";

        // Echo scan results
        $fileFixedCount = count($this->filesFixed);
        if ($fileFixedCount > 0) {
            echo "<h4>Matches:</h4>";
            echo "<p>Fixed " . $fileFixedCount . " of " . $this->filesScannedCount . " files scanned</p>";
            echo "<ul>";
            foreach ($this->filesFixed as $item) {
                $exitStatus = FixExitStatus::translateExitStatus($item['exitStatus']);
                // File names come from disk: escape them before writing HTML.
                // (Plain echo: sprintf() would misread a "%" in a file name.)
                $file = htmlspecialchars($item['file']);
                echo "<li>{$exitStatus} - <strong>{$item['fix']}</strong> was found in file {$file}</li>";
            }
            echo "</ul>";
        } else {
            echo "<h4>No match found.</h4>";
            echo "<p>{$this->filesScannedCount} file scanned.</p>";
        }
        $endtime = microtime(true);
        $totaltime = ($endtime - $this->startTime);
        echo "<p><small>Time elapsed: " . $totaltime . " seconds</small></p>";
    }

    /**
     * Prepare the scanner
     */
    function prepareScanner() {
        ini_set('memory_limit', $this->memoryLimit);
        $this->startTime = microtime(true);
        if (!$this->docRoot)
            $this->docRoot = $_SERVER['DOCUMENT_ROOT'];
        $this->filesToScan = $this->getFilesToScan($this->docRoot);
    }

    /**
     * Execute the scan process: run every fix in fixList on every file
     */
    function doScan() {
        foreach ($this->filesToScan as $search) {
            $this->filesScannedCount++;
            foreach ($this->fixList as $name => $method) {
                $chekFile = call_user_func(array($this, $method), $search[0]);
                if ($chekFile != FixExitStatus::FILE_OK)
                    $this->filesFixed[] = array('fix' => $name, 'file' => $search[0], 'exitStatus' => $chekFile);
            }
        }
    }

    /**
     * Helper to get the list of the files to scan
     */
    function getFilesToScan($rootDir) {
        $directoryIterator = new RecursiveDirectoryIterator($rootDir);
        $iterator = new RecursiveIteratorIterator($directoryIterator);
        $regex = '/^.+\.(' . implode("|", $this->fileTypeToScan) . ')$/i';
        $files = new RegexIterator($iterator, $regex, RecursiveRegexIterator::GET_MATCH);
        return $files;
    }

    /**
     * Return true for every regular file, just to check that the regex works.
     * @param string $path
     */
    function devCheckRegex($path) {
        return is_file($path);
    }

    /**
     * Check and fix file for:
     * 336988 Trojan
     * @param string $path
     * @return int a FixExitStatus value: FILE_OK, FILE_FIXED or CANT_FIX
     */
    function fix336988($path) {
        $fileFixed = FixExitStatus::FILE_OK;
        $regexPaterns = array(
            "/#336988#(.*?)#\/336988#/ism", // php
            "/\<!--336988-->(.*?)\<!--\/336988-->/ism", // html
            '#(/\*336988\*/).*?(/\*/336988\*/)#ism', // js
        );
        $data = file_get_contents($path);
        if ($data === false)
            return FixExitStatus::CANT_FIX; // unreadable file
        foreach ($regexPaterns as $regex) {
            if (preg_match($regex, $data)) {
                // If found, replace malicious code with empty string
                $cleaned = preg_replace($regex, "", $data);
                if ($cleaned === null)
                    return FixExitStatus::CANT_FIX; // PCRE error: do not overwrite the file with nothing
                $data = $cleaned;
                $fileFixed = FixExitStatus::FILE_FIXED;
            }
        }
        if ($fileFixed != FixExitStatus::FILE_OK && file_put_contents($path, $data) === false)
            return FixExitStatus::CANT_FIX; // file is not writable
        return $fileFixed;
    }
}

final class FixExitStatus {
    // Not instantiable: this class only holds constants and a static helper
    private function __construct() {}

    // fix exit status
    const FILE_OK = 0;
    const FILE_FIXED = 1;
    const CANT_FIX = 2;

    public static function translateExitStatus($status) {
        switch ($status) {
            case FixExitStatus::FILE_OK:
                return "File is safe";
            case FixExitStatus::FILE_FIXED:
                return "File fixed";
            case FixExitStatus::CANT_FIX:
                return "Can't fix file";
        }
    }
}
?>
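An added example, not part of the original answer or of SimpleFixScanner: a report-only pass over the same 336988 marker pairs that records the line, size and SHA-256 of each injected block, plus a fix step that refuses to write unless a backup copy was made first. The names `MARKER_PATTERNS`, `audit336988`, `fixWithBackup` and the `.bak-336988` suffix are hypothetical.

```php
<?php
// Added example, not SimpleFixScanner code. Names and the backup suffix are
// hypothetical; the patterns follow fix336988(). The "s" modifier is what
// lets "." match newlines, so a block spanning several lines is still caught.
const MARKER_PATTERNS = array(
    'php'  => '/#336988#(.*?)#\/336988#/is',
    'html' => '/<!--336988-->(.*?)<!--\/336988-->/is',
    'js'   => '#/\*336988\*/.*?/\*/336988\*/#is',
);

/** Return one finding per injected block; never modifies anything. */
function audit336988($data) {
    $findings = array();
    foreach (MARKER_PATTERNS as $kind => $regex) {
        // PREG_OFFSET_CAPTURE yields the byte offset of every whole match.
        if (!preg_match_all($regex, $data, $m, PREG_OFFSET_CAPTURE)) {
            continue; // 0 matches, or false on a PCRE error
        }
        foreach ($m[0] as $hit) {
            list($block, $offset) = $hit;
            $findings[] = array(
                'kind'   => $kind,
                'line'   => substr_count(substr($data, 0, $offset), "\n") + 1,
                'bytes'  => strlen($block),
                'sha256' => hash('sha256', $block), // for the incident record
            );
        }
    }
    return $findings;
}

/** Strip the blocks only after a backup copy has been written. */
function fixWithBackup($path) {
    $data = file_get_contents($path);
    if ($data === false || !audit336988($data)) {
        return false; // unreadable, or nothing to remove
    }
    $clean = preg_replace(array_values(MARKER_PATTERNS), '', $data);
    if ($clean === null || !copy($path, $path . '.bak-336988')) {
        return false; // PCRE error or no backup: leave the file untouched
    }
    return file_put_contents($path, $clean) !== false;
}

// Constructed sample: an injected block spanning several lines.
$sample = "<?php\n#336988#\necho 'injected';\n#/336988#\necho 'site';\n";
print_r(audit336988($sample));
```

Backups written next to the originals no longer end in `.php`, so a web server may serve them as plain text; move them out of the document root once the cleanup has been reviewed.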
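In text editors, '.+' usually does not cross line boundaries. – Barmar
Replace '.' with '[\s\S]' – nhahtdh
Start using version control immediately, and deploy from the repository. You won't need to "undo" changes like this. –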