2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains in detail how Perl one-liners can be used to find and remove Webshells in web security work. The editor thinks it is very practical, so it is shared here as a reference; I hope you get something out of it.
Searching for a few characteristic strings that appear in Webshells locates the files that may contain a Trojan; the list of feature strings can be extended as needed.
perl -lne 'print "$ARGV $_" if /(phpspy|c99sh|milw0rm|eval\(gunerpress|eval\(base64_decoolcode|spider_bc)/' `find . -type f -name "*.php"`
Explanation of this line: the script combines find and Perl to hunt for Webshells. First, `find . -type f -name "*.php"` lists all php files in the current directory and its subdirectories; note that the command is wrapped in backticks (the key above Tab), so its output becomes the argument list of perl. The find option -type f restricts the results to regular files, and -name "*.php" matches file names ending in .php (it can of course be another extension or another naming feature). The full usage of find can be read with `find --help` or `man find`, or looked up with a search engine.
All the php files found are then passed to the Perl one-liner, which reads each file line by line and searches every line with a regular expression for the keywords phpspy, c99sh, milw0rm, eval(gunerpress, eval(base64_decoolcode, spider_bc and so on. Note that the opening parenthesis in the regular expression has to be escaped with a backslash as \(. Finally, it prints the name of the matching file together with the content of the matching line.
In the output, $ARGV is the name of the file currently being read from the file list, and $_ is the current line of that file, i.e. the matching line content.
The script above prints every matching line, which is useful for checking each hit in detail. In practice you will often want only the names of the problematic files, which is simple: make a small change to the script.
perl -lne '$files{$ARGV}++ if /(phpspy|c99sh|milw0rm|eval\(gunerpress|eval\(base64_decoolcode|spider_bc)/; END { print for keys %files }' `find . -type f -name "*.php"`
Building on script 1, this script uses a hash %files keyed by file name and increments the entry for the current file whenever a line matches. The END block then prints the keys of %files, i.e. the names of the files that had at least one match. Alternatively, print the file name for every match and pipe the output through uniq to de-duplicate it:
perl -lne 'print "$ARGV" if /(phpspy|c99sh|milw0rm|eval\(gunerpress|eval\(base64_decoolcode|spider_bc)/' `find . -type f -name "*.php"` | uniq
Note that the files found above may also be normal php files; handle them according to the actual screening (for example batch replacement) and do not delete them by mistake (back up before processing).
Other things worth looking at are the modification time and permissions of the files.
Find the php files modified within the last day; files with these characteristics are another starting point, and the result can be used as the input for the keyword search.
find . -type f -mtime -1 -name \*.php
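The keyword scan and the -mtime filter above, reimplemented in Python as an added example (not code from the original article): it walks a directory tree, reports the matching file and line like script 1, lists each file once like script 2, and can restrict itself to recently modified files like `find -mtime -1`. The keyword list is the one from the page; the sample web root it builds is constructed, hypothetical content.

```python
import os
import re
import tempfile
import time

# Feature strings from the page's one-liners; the last two are kept spelled as the page gives them.
SIGNATURES = re.compile(r"(phpspy|c99sh|milw0rm|eval\(gunerpress|eval\(base64_decoolcode|spider_bc)")

def scan_tree(root, max_age_days=None, suffix=".php"):
    """Like `perl -lne 'print "$ARGV $_" if /.../'` over `find -name "*.php"`: return
    {path: [(lineno, line), ...]}; max_age_days mirrors `find -mtime -N`."""
    hits = {}
    cutoff = None if max_age_days is None else time.time() - max_age_days * 86400
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not name.endswith(suffix):
                continue
            if cutoff is not None and os.path.getmtime(path) < cutoff:
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if SIGNATURES.search(line):
                        hits.setdefault(path, []).append((lineno, line.rstrip("\n")))
    return hits

def suspicious_files(root, **kw):
    """Like script 2 (the %files hash) or `print "$ARGV" ... | uniq`: each file name once."""
    return sorted(scan_tree(root, **kw))

def build_sample_root():
    """Constructed sample web root (hypothetical content, not a real site) in a temp dir."""
    root = tempfile.mkdtemp(prefix="webroot_")
    samples = {
        "index.php": ["<?php echo 'hello'; ?>"],
        "img/upload.php": ["<?php // marker: phpspy", "<?php // marker: spider_bc"],
        "inc/old.php": ["<?php // marker: c99sh"],
        "readme.txt": ["milw0rm in a .txt file is not scanned"],
    }
    for rel, lines in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")
    ten_days_ago = time.time() - 10 * 86400   # make inc/old.php fail a -mtime -1 filter
    os.utime(os.path.join(root, "inc/old.php"), (ten_days_ago, ten_days_ago))
    return root

if __name__ == "__main__":
    print(suspicious_files(build_sample_root(), max_age_days=1))
```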
Tighten the permissions of the website's files and directories:
find . -type f -name \*.php -exec chmod 444 {} \;
find ./ -type d -exec chmod 555 {} \;
More knowledge extension:
1. Batch search under Linux.
find . -type f -name "*.html" | xargs grep yourstring
2. Find and replace with perl One-liners
perl -i -lpe 's#old string#new string#g' `find yourdir -type f -name "*.shtml"`
The following example replaces the string "(empty)" with an empty string in all *.shtml files in the current directory and its subdirectories.
perl -i -lpe 's|(empty)||g' `find . -type f -name "*.shtml"`
perl -i -pe 'code'
The -e option takes a line of Perl code as its argument and runs it as if it were a normal Perl script; -p wraps that code in a loop that prints each input line after processing, and -i edits the files in place.
This is the end of the article on "how Perl one-liners find and remove Webshells in web security". I hope the above content is of some help to you; if you think the article is good, please share it so that more people can see it.
© 2024 shulou.com SLNews company. All rights reserved.