
Sample Analysis of a PHP Trojan Horse

2025-01-31 Update. From: SLTechnology News&Howtos, Network Security

Shulou(Shulou.com)05/31 Report--

This article walks through a sample analysis of a PHP Trojan horse. The material is short and concrete; hopefully it clears up some doubts. The editor will lead you through it.

During an earlier incident response engagement, a backdoor named 5678.php was found and posted to a forum. A forum member pointed out that the backdoor itself contains a backdoor, so it was opened up for a closer look. Analysis of the Trojan turned up a css_font function. The code is as follows:

The output of rawtargetu is as follows:

The core of fontcolor works like this: the backdoor's access path (URL) and the backdoor password are joined and base64-encoded, giving MTkyLjE2O**xNTMuMTMzL3hzcy5waHB8MTIz; then str_replace replaces every 'a' in that string with '@' and every '=' with '?', and the result is base64-encoded a second time. Reversing that rule, the decoding function is:

// outer base64 -> undo the '@' and '?' substitutions -> inner base64
// ('M2h6' corrected from the page's 'M2h7', which decodes to '{', not a base64 character)
$jiema = base64_decode(str_replace('?', '=', str_replace('@', 'a', base64_decode('TVRreUxqRTJPQzR4TlRNdU1UTXpMM2h6Y3k1d0BIQjhNVEl6'))));
echo $jiema; // 192.168.153.133/xss.php|123

The output decoding result is as follows:

Obviously, the encoded string is sent to http://s.qsmyy.com/logo.css? as the query string, and what is transmitted is the backdoor's access address and password. Whoever controls that server only needs to run a web service there and check its logs regularly to collect every deployed copy of the backdoor. As the saying goes, when the snipe and the clam fight, the fisherman profits.

Changing the callback address to a locally built web server for testing, the corresponding log entries are received successfully.

Decoding the received string yields the backdoor's access address and password.
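The following is an added example, not code from the article or from the backdoor itself. It re-implements the css_font encoding exactly as the article describes it (base64, then 'a' to '@' and '=' to '?', then base64 again), the matching decoder, and a small parser that pulls the tokens out of the collector's access log, which is what the local web server above would produce. The log lines are constructed; the token in the first line is the page's value with 'M2h6', the second carries the page's literal 'M2h7' to show how a mistranscribed token is reported rather than silently decoded to garbage. The assumption that the token is the whole query string of a GET for /logo.css follows the article's "logo.css?" and is not confirmed by the page.

```python
from __future__ import annotations

import base64
import binascii
import re
from urllib.parse import unquote


def css_font_encode(url: str, password: str) -> str:
    """Build the beacon the way the article describes the backdoor doing it:
    base64(url|password), then 'a' -> '@' and '=' -> '?', then base64 again."""
    inner = base64.b64encode(f"{url}|{password}".encode()).decode()
    inner = inner.replace("a", "@").replace("=", "?")
    return base64.b64encode(inner.encode()).decode()


def css_font_decode(token: str) -> tuple[str, str]:
    """Reverse css_font_encode. validate=True turns a character outside the
    base64 alphabet into an error instead of dropping it silently, which is
    how a mistranscribed token (such as the page's 'M2h7') gets noticed."""
    inner = base64.b64decode(token, validate=True).decode()
    inner = inner.replace("@", "a").replace("?", "=")
    plain = base64.b64decode(inner, validate=True).decode()
    url, sep, password = plain.partition("|")
    if not sep:
        raise ValueError("decoded beacon has no '|' separator")
    return url, password


# Constructed Apache combined-format log lines for the collector (client
# addresses and timestamps are made up). First token: the page's value with
# 'M2h6'; third line: the page's literal 'M2h7'.
SAMPLE_LOG = """\
192.0.2.10 - - [31/May/2020:10:15:02 +0800] "GET /logo.css?TVRreUxqRTJPQzR4TlRNdU1UTXpMM2h6Y3k1d0BIQjhNVEl6 HTTP/1.1" 200 0 "-" "-"
192.0.2.10 - - [31/May/2020:10:15:03 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [31/May/2020:11:02:41 +0800] "GET /logo.css?TVRreUxqRTJPQzR4TlRNdU1UTXpMM2h7Y3k1d0BIQjhNVEl6 HTTP/1.1" 200 0 "-" "-"
"""

# Assumption: the beacon is a GET for /logo.css with the token in the query
# string, as the article's "logo.css?" suggests.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?:GET|POST) /logo\.css\?(?P<qs>\S*) HTTP/'
)


def extract_beacons(log_text: str) -> list[dict]:
    """One record per logo.css hit: source IP, timestamp and the decoded
    backdoor URL and password, or the decode error for a malformed token."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        qs = m.group("qs")
        # Accept either a bare token or key=value pairs; try each candidate.
        candidates = [qs]
        for part in qs.split("&"):
            key, eq, value = part.partition("=")
            candidates.append(value if eq else key)
        rec = {"ip": m.group("ip"), "time": m.group("ts"), "token": qs}
        for tok in dict.fromkeys(unquote(c) for c in candidates if c):
            try:
                rec["url"], rec["password"] = css_font_decode(tok)
                rec.pop("error", None)
                break
            except (binascii.Error, ValueError, UnicodeDecodeError) as exc:
                rec["error"] = f"{type(exc).__name__}: {exc}"
        records.append(rec)
    return records


if __name__ == "__main__":
    for rec in extract_beacons(SAMPLE_LOG):
        print(rec)
```

Running it prints one record per beacon: the first decodes to 192.168.153.133/xss.php with password 123, the second is flagged with a base64 error because '{' is not a base64 character. The same decoder works on a real collector log once LOG_RE is adjusted to the server's log format.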

Next, check whether the backdoor's network behaviour can be spotted without reading the source. First capture the browser traffic with Burp while watching the web log on the collector; the log shows that the beacon has been received.

But nothing shows up in the requests captured by Burp: the beacon is sent by the PHP code running on the web server, not by the browser, so a browser proxy never sees it.

Capturing with Wireshark instead and filtering on the callback host (for example http.host contains "s.qsmyy.com") reveals the connection to the backdoor's collector.

Click Follow on that connection to trace the full beacon request.

Incidentally, a look at related reports shows this is still very common: some free tools, Trojans and versions of the "kitchen knife" (China Chopper) client have shipped with backdoors before. So analyse any shell or new tool before using it, so that you do not end up doing someone else's work for them.

That is all for "Sample Analysis of a PHP Trojan Horse". Thank you for reading.
