2025-02-27 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com) 06/01 Report--
This article explains how to locate and remove webshell Trojans on a Linux server. The steps are simple and easy to follow; work through them with the editor to learn how to find and kill a webshell Trojan on a Linux server.
Because the server runs Linux, the find command is the natural tool, used together with the ls command to inspect what it turns up.
1. You can find files that have been modified in the past 3 days, and display the details of the file list:
find . -name "*.php" -type f -mtime -3 -exec ls -l {} \;
Of course, the results may contain many cache files, which are not what we are looking for, so these need to be excluded from the query. Cache files are usually kept in a dedicated cache directory.
Use the -prune parameter to filter out such a directory; the query becomes (xxxxx stands for the actual directory name):
find . -path "./xxxxx/caches" -prune -o -name "*.php" -type f -mtime -3 -exec ls -l {} \;
Note:
(1) The -path ... -prune expression must come immediately after the search path and before -o and the other tests, otherwise it has no effect.
(2) The pruned path must not end with a "/".
2. After finding suspicious files, analyse them and confirm that they are Trojans, then use the file information to look for further copies. For example, if the Trojan file is named "muma.php":
find . -name "muma.php" -type f -mtime -5 -exec ls -l {} \;
This command widens the time window and lists every file with that name modified in the last 5 days; comparing the file sizes tells you whether they are copies of the same Trojan.
In the command output shown in the screenshot the file size is "233", so it is very likely the same Trojan file. Combine this with the modification time, and preferably also cat the file, so that legitimate files are not deleted by mistake.
The richer parameters of find and ls help with this analysis.
Useful find parameters:
find /home -size +512k     # files larger than 512k
find /home -size -512k     # files smaller than 512k
find /home -mtime -2       # files modified in the last two days
find /home -atime -1       # files accessed in the last day
find /home -mmin +60       # files modified more than 60 minutes ago
find /home -amin +30       # files accessed more than 30 minutes ago
find /home -newer tmp.txt  # files or directories modified more recently than tmp.txt
find /home -anewer tmp.txt # files or directories accessed more recently than tmp.txt
Combine the two kinds of timestamp that ls can show:
ls -lc filename lists the ctime, which changes whenever the inode changes: when the file is written, its owner is changed, its permissions are set, or its links are changed. ls -l filename lists the mtime, which changes only when the file content is written.
When ctime and mtime disagree, the file may be a Trojan: an attacker can reset the mtime (for example with touch) to make the file look old, but the ctime is updated by the kernel and cannot be chosen freely in the same way.
3. Delete Trojan files
Strictly, this step should be preceded by a further analysis of how the Trojan got in, but that is a complex piece of work in its own right; it will be covered separately and is skipped here.
find . -name "muma.php" -type f -mtime -5 -size -5k -exec rm -rf {} \;
This adds the filter condition -size -5k, i.e. files smaller than 5k. Note that find rounds sizes up to whole units, so -size -5k matches files whose size rounds to at most 4k.
4. Find the files in the directory that contain a specific Trojan string, then delete them.
# find the files and show their ctime so the file information can be compared
find . -name "*.php" -exec grep -l "YLbgPfj524" {} \; -exec ls -lc {} \;
# delete after confirming there is no problem (the second -exec runs only for files where grep found a match)
find . -name "*.php" -exec grep -l "YLbgPfj524" {} \; -exec rm -rfv {} \;
Thank you for reading. The above is the content of "how to kill webshell Trojans on Linux servers". After studying this article you should have a deeper understanding of the topic; the specific usage still needs to be verified in practice.
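The four steps above, chained into one triage script. This is an added example, not code from the original article; it assumes GNU find, stat and touch (Linux coreutils), and the web root, the sample files and the "YLbgPfj524" marker are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original article: a small triage script that
# chains the article's checks (prune the cache dir, list recently modified PHP
# files, flag mtime/ctime mismatches, grep for a known signature).
# Assumes GNU find, stat and touch (Linux coreutils). The web root, files and
# the "YLbgPfj524" marker are constructed for this demonstration.
set -u
WEBROOT="$(mktemp -d)"
trap 'rm -rf "$WEBROOT"' EXIT
mkdir -p "$WEBROOT/caches" "$WEBROOT/app"
printf '<?php echo "hello"; ?>\n' > "$WEBROOT/app/index.php"
printf '<?php echo "cached"; ?>\n' > "$WEBROOT/caches/tpl.php"
# Constructed suspect file: carries the signature string and has its mtime
# backdated with touch, which is why a plain -mtime -3 search will miss it.
printf '<?php /* YLbgPfj524 */ ?>\n' > "$WEBROOT/app/muma.php"
touch -d '30 days ago' "$WEBROOT/app/muma.php"

# Steps 1-2: .php files modified in the last $3 days, skipping $1/$2.
# -path ... -prune must come before -o, and the dir name has no trailing "/".
recent_php() {   # $1 = web root, $2 = cache dir relative to it, $3 = days
  find "$1" -path "$1/$2" -prune -o -name '*.php' -type f -mtime "-$3" -print
}

# touch can reset mtime, but ctime is set by the kernel on every inode change
# and cannot be chosen freely, so a ctime far later than mtime deserves a cat.
time_mismatch() {   # $1 = web root, $2 = tolerated gap in seconds
  find "$1" -name '*.php' -type f -print | while IFS= read -r f; do
    m=$(stat -c %Y "$f"); c=$(stat -c %Z "$f")
    if [ $((c - m)) -gt "$2" ]; then echo "$f"; fi
  done
}

# Step 4: files containing the signature. -print only runs when the
# preceding -exec succeeded, i.e. when grep found the string (exit 0).
signature_hits() {   # $1 = web root, $2 = signature string
  find "$1" -name '*.php' -type f -exec grep -q "$2" {} \; -print
}

echo "== modified in last 3 days (cache dir pruned) =="; recent_php "$WEBROOT" caches 3
echo "== ctime more than 60s after mtime =="; time_mismatch "$WEBROOT" 60
echo "== signature matches, with ctime =="
signature_hits "$WEBROOT" YLbgPfj524 | while IFS= read -r f; do ls -lc "$f"; done
```

Only the signature and the mtime/ctime gap catch the backdated file; the recent-modification search alone returns just index.php, which is the point of combining the checks.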
© 2024 shulou.com SLNews company. All rights reserved.